
Kaspersky Technical Training

KL 002.11.1

Kaspersky
Endpoint Security
and Management

Student Guide
Kaspersky Lab
www.kaspersky.com
Unit I. Deployment
Introduction
  Basics of Kaspersky Endpoint Security for Business
    Which products this course covers
    What constitutes Kaspersky Security Center
    What constitutes Kaspersky Endpoint Security
    How Kaspersky Security Center manages computers
    How the administrator manages protection via the Console
    How policies are applied to computers
    How policies work in groups
    How tasks are applied to computers
    How tasks work in groups
    How Kaspersky Endpoint Security for Business is licensed
  What this course is about
    What we will tell you in this course and what not
    Where to learn more about the products that fall out of this course scope
    What this course includes

Chapter 1. How to deploy Kaspersky Endpoint Security for Business
  1.1 What to install and in what order
  1.2 How to organize the process

Chapter 2. How to install Kaspersky Security Center
  2.1 Requirements for the Administration Server
    Support for server versions of Windows
    Support for Windows workstations
    Virtualization support
    Support for database management servers
    Additional software requirements
    Minimum hardware requirements
  2.2 Installation of the Administration Server
    Where to get the Kaspersky Security Center distribution
    Kaspersky Security Center installation shell
    What you need to know before the installation
    Setup wizard
    Additional consoles and plugins
    Installation results
  2.3 Installation of Kaspersky Security Center Web Console
    Setup Wizard
    Web Console services
    Interaction with Kaspersky Security Center
    Connecting to several Administration Servers
    Requirements for browsers
I-2 KASPERSKY LAB™
KL 002.11.1 Kaspersky Endpoint Security and Management

  2.4 Quick Start Wizard
    Tutorial
    Configuring proxy server for Internet access
    Downloading information about plugins
    License installation
    Installing plugins
    Kaspersky Security Network
    Creating tasks and policies
    Network polling
    Configuring email notification
    What to do next
    Automatic license distribution

Chapter 3. How to install Kaspersky Endpoint Security on computers
  3.1 Requirements for client computers
    Kaspersky Endpoint Security 11 requirements for the operating system
    The virtual platforms supported by Kaspersky Endpoint Security
    Minimum hardware requirements
    Requirements for the Network Agent
  3.2 How to change KES components
    Installation packages
    Settings of a Kaspersky Endpoint Security package
    Network Agent package parameters
  3.3 How to create a new installation package
    Why create installation packages
    Package creation wizard
  3.4 How to create an installation package for KSWS
    Which other protection applications are available for Windows Servers
    Advantages of Kaspersky Security 10.1 for Windows Server
    Specifics of Kaspersky Security 10.1 for Windows Server
    Download the distribution of Kaspersky Security for Windows Server from the official support website
    Unpack the KSWS distribution on the administrator’s workstation
    Create an installation package of Kaspersky Security for Windows Server
    Package creation wizard
    Components of Kaspersky Security 10.1 for Windows Server
    Additional settings of the Kaspersky Security 10.1 for Windows Server package
  3.5 Installation methods
    What to do prior to the installation
    Available installation methods
  3.6 How to remotely install Network Agent and Kaspersky Endpoint Security
    Information on the main page of the management console
    Remote installation wizard
    Where to monitor the installation
    Installation results
  3.7 How to simplify local installation
    Why install locally
    Standalone installation packages
    How to create a standalone package
    What to do with standalone packages

  3.8 How to install the Network Agent via Active Directory
    How to install applications via Active Directory
    How to publish the Network Agent package in Active Directory using a task
    What the task changes in Active Directory
  3.9 How to uninstall incompatible applications
    Which programs are incompatible and why uninstall them
    What if there are incompatible applications?
    How to find out if there are any incompatible applications
    How to uninstall incompatible applications that have not been found
    How to display computers with an incompatible application
    How to uninstall incompatible applications using a task

Chapter 4. How to organize computers into groups
  4.1 How to understand that the deployment has been completed
    Where to look for information about the deployment
    Global statuses
    Device selections
    Reports
  4.2 How the Administration Server discovers computers
    Polling types
    Where to configure polling
    Windows network polling
    Active Directory polling
    IP range polling
    Where to monitor network polling
    How to find out that the Server has discovered new computers
  4.3 How to create or import groups
    Why create groups
    How to add a group
    Navigation within the group structure
    How to add a computer to a group
    How to import a group structure
  4.4 How to add computers to groups automatically
    Computer relocation rules
    Configuring relocation rules
    Conditions in relocation rules
    How to synchronize groups with Active Directory
    Tags
    Rule application order

Introduction

First of all, let us introduce the course and tell you which topics it covers and which it omits. You will also learn
which solutions and products are studied in this course, what they consist of, how they interact and how they are
licensed.

Basics of Kaspersky Endpoint Security for Business

Which products this course covers



This course describes the Kaspersky Endpoint Security for Business solution, which includes several Kaspersky Lab
products. The course does not cover all of them; it covers only those that help protect a not-too-large
Windows network.

In our course, a not-too-large network means up to approximately 1,000 endpoints in a single location. Endpoints in
this course are servers and workstations running Windows.

To protect such a network, two Kaspersky Endpoint Security for Business products are necessary:

— Kaspersky Endpoint Security for Windows—to protect computers against threats


— Kaspersky Security Center—to centrally manage the protection

Kaspersky Endpoint Security is an application that not only protects against malware and hackers, but can also
control users’ actions and encrypt files and drives.

What constitutes Kaspersky Security Center

Kaspersky Security Center consists of several programs:

— Kaspersky Security Center Administration Server (“Administration Server”, “KSC Server” or simply
“Server” wherever this is unambiguous) stores all the settings, collects events, draws up reports, etc. It is
the Server that manages protection on the administrator’s command.

— The database server maintains the database where the KSC Server stores events and some of the settings.
Other settings are stored on the drive among KSC Server installation files.

— Kaspersky Security Center Network Agents (we will call them Network Agents, or simply Agents)
connect Kaspersky Endpoint Security to the Administration Server: they receive settings for Kaspersky
Endpoint Security from the Server and send events to the Server.

— Kaspersky Security Center Administration Console provides a management system interface for the
administrator; the administrator configures parameters in the console, consults reports and events, and
manages protection in general. Two consoles are available: the traditional MMC-based one and the new Web Console.

What constitutes Kaspersky Endpoint Security

Kaspersky Endpoint Security is a single application that includes numerous components.



Protection components

Kaspersky Security Network: Requests the reputation of programs and web pages from Kaspersky Lab servers,
provides the latest information about threats, protects against zero-day attacks and false positives

Behavior Detection: Monitors what applications do, but analyzes what a program does in general rather than its
individual actions. Stops applications that behave as malware. In particular, stops programs that try to
encrypt files

Exploit Prevention: Monitors which files start vulnerable programs, and blocks attempts to start executable
files unless initiated by the user

Host Intrusion Prevention: Also monitors software activities on the computer. Does not allow programs that have
bad or unknown reputation to change system settings and user’s files. Prevents them from fiddling around with
the operating system and other software

Remediation Engine: Logs changes to the operating system and rolls back any changes performed by suspicious
programs that have been detected by Behavior Detection, Exploit Prevention, or File Threat Protection

File Threat Protection: Scans files whenever the user or a program creates, changes, copies, or starts one.
Blocks operations with malicious files, and quarantines these files

Web Threat Protection: Scans web pages and files that the user or programs download from the Internet. Blocks
dangerous and phishing websites, prohibits downloading malicious files

Mail Threat Protection: Intercepts email messages, scans their text and attachments, deletes malicious files
from messages

Firewall: Controls the connections established by the programs running on the computer, and the packets they
receive or send. Blocks packets according to the configured rules. Does not allow an unknown program or a
program that has bad reputation to establish connections

Network Threat Protection: Scans network packets that the computer receives. Blocks a connection if it detects
indications of a network attack

BadUSB Attack Prevention: Does not permit connecting new input devices (keyboards, etc.) to the computer
without the user’s consent. Protects against USB devices that pretend to be keyboards and send malicious
commands to the computer

AMSI Protection Provider: Is responsible for integration with the Antimalware Scan Interface (AMSI) in
Windows 10 and Windows Server 2016. AMSI is a Windows component that acts as an intermediary between
applications and an antivirus solution. It enables scanning files, links, and scripts, even those that run in
the memory without being saved to a hard drive

Control components

Application Control: Blocks program start according to the configured rules. Can freeze a computer’s state and
block any new applications.

Device Control: Blocks access to devices according to the configured rules. The administrator can prohibit
access to all or some removable drives, Wi-Fi adapters, or modems

Web Control: Blocks access to web pages according to the configured rules. The administrator can prohibit
access to social networks, job search and news websites, torrent trackers, etc.

Adaptive Anomaly Control: Contains a set of heuristics for monitoring dangerous behavior that is characteristic
of malware. Permits blocking suspicious activities non-typical of each specific computer. By default, the
component runs in the 2-week training mode: it monitors activities, informs the administrator about them, and
it is the administrator who makes the decision whether an activity is characteristic of a computer or not.

Encryption components

Full Disk Encryption: Encrypts all drives’ contents. Protects files on notebooks, which may be lost or stolen

File Level Encryption: Encrypts individual files and folders according to the rules. Protects files on
notebooks, which may be lost or stolen

BitLocker Management: Manages disk encryption via Microsoft BitLocker. Protects files on notebooks, which may
be lost or stolen

Other components and tasks

Virus Scan: Scans files on the specified schedule. Performs this more thoroughly than File Threat Protection.

Update: Downloads descriptions of threats and file reputations to the computers, provides protection when
Kaspersky Security Network is inaccessible

Endpoint Sensor: Informs the Central Node of Kaspersky Anti-Targeted Attack Platform about the programs’
activities on the computers, helps to detect Advanced Persistent Threats

Integrity check: Ensures that nobody can modify Kaspersky Endpoint Security files

Checking connection with KSN: Checks KSN accessibility from endpoints

For more details about the components and their settings, refer to Units II and III.

How Kaspersky Security Center manages computers

Let’s see how all components of Kaspersky Endpoint Security for Business interact.

In a protected network, two programs are installed on each computer:

— Kaspersky Endpoint Security, for protection


— Kaspersky Security Center Network Agent, for management

The Network Agent connects to the Administration Server on the specified schedule, and also if necessary. By
default, a so-called synchronization takes place every 15 minutes.

What the Server receives from computers

For the administrator to see what’s happening in the network, Network Agent sends the following data to the server:

Events (sent as soon as logged): When Kaspersky Endpoint Security finds malware, cannot download updates,
cannot start components, etc.

Statuses (sent as soon as logged): Kaspersky Endpoint Security is not running; Databases are out of date;
KSN is inaccessible; There are dangerous unprocessed objects

Lists (sent once per synchronization interval): List of known executable files; List of vulnerable programs;
List of quarantined malicious objects; List of unprocessed threats; List of hardware; List of installed software

Kaspersky Endpoint Security settings (sent during a synchronization)

Typically, Agents send only changes in the lists to the server. Once every several hours (3 hours for some lists, 12
hours for others), the Server completely synchronizes the lists with the computers.

Administration Server accepts connections from the Network Agents on TCP port 13000. Agents establish TLS/SSL
connections; they encrypt and compress data using the Administration Server certificate.

What computers download from the Server

For Kaspersky Endpoint Security to protect a computer in a way the administrator wants, the Network Agent
downloads settings for Kaspersky Endpoint Security in the form of policies and tasks from the Server.

During a synchronization, Network Agent compares tasks and policies on the computer with those of the
Administration Server, and if the administrator has changed something on the server, the Agent downloads new
tasks and policies.

Usually, computers receive tasks and policies earlier than at a planned synchronization. Network Agents accept
packets on UDP port 15000. If the Server wants an Agent to urgently connect to the Server, it sends a special signal
to this port. When the administrator modifies a task or policy, the Administration Server contacts Agents on all
computers to which this task or policy pertains. During a synchronization, policies are downloaded only by those
computers that have not received the signal from the Server.

The administrator can also send a synchronization request manually, via a computer’s shortcut menu in the
Administration Console.

Additionally, Agents connect to the Server to download updates for Kaspersky Endpoint Security. For this purpose,
they also connect to port 13000 over an SSL connection.

How the administrator manages protection via the Console

The events and statuses sent by the Network Agents help the administrator understand what is happening in the
network. The Administration Server summarizes statuses of individual computers and displays them on the main
page of the Administration Console—the Monitoring tab of the Administration Server node.

To better understand what is going on, the administrator can consult reports, which the Administration Server draws
up based on events. There are many search and filter tools in the console that help to arrange events and computers
according to various parameters.

To specify settings for computer protection, the administrator creates tasks and policies in the console:

— Tasks—for operations that have a logical termination. For example, an update completes when Kaspersky
Endpoint Security receives all new threat descriptions, and virus scanning completes when all files in the
scan scope have been scanned. That is why updates and virus scanning are configured as tasks, which have
schedules.

— Policies—for all the other parameters: how to scan files that the user downloads from the Internet or
receives by email, how to scan files opened by programs, which network connections to allow and which to
block. These settings are to be applied permanently to protect the computer, which is why they are specified
in a policy.

If different computers need different settings, the administrator organizes computers into groups and creates
individual policies or tasks within each group. For example, to perform virus scanning on servers at weekends, and
on workstations in the background mode during a business day, the administrator can create two groups (for servers
and workstations) and create virus scan tasks with different schedules for them.

How policies are applied to computers

A policy contains the same parameters as the local settings of Kaspersky Endpoint Security. When the administrator
configures a policy, the local protection settings are changed.

In a policy, each parameter or group of parameters has a lock button.

If the button appears pressed and the lock is closed, the parameters are applied to the computers where the policy is
enforced. The user cannot modify the values of these parameters in the local interface of Kaspersky Endpoint
Security.

If the button appears released and the lock is open, the computer considers that this parameter has not been specified
in the policy. The user can change these parameters in the local interface.

The settings whose lock is closed are compulsory.

How policies work in groups



Policies are applied to computer groups.

Even if the user has not created any groups, there is the root group on the Administration Server, which is named
Managed devices. If the user wants to create custom groups, they are created as subgroups within the Managed
devices group.

Policies conform to the following rules:

— There may be policies for different applications in a group, for example, the Network Agent policy and the
Kaspersky Endpoint Security policy

— There can be a few policies for the same application in a group, but only one of them can be active.

The Active policy is the policy that the Administration Server sends to the computers.
An Inactive policy does not influence anything, but the administrator can make it active at any moment and
thus quickly reconfigure settings on the target computers.
If the administrator makes a policy active, the policy that has been active so far becomes inactive
automatically.

— If a group has a Kaspersky Endpoint Security policy, and there is a subgroup where there is no Kaspersky
Endpoint Security policy, the parent group’s policy is applied to the subgroup’s computers as well

— If a group has a Kaspersky Endpoint Security policy, and there is a subgroup where another Kaspersky
Endpoint Security policy is configured, the subgroup’s computers receive the policy configured within their
subgroup. However, required (locked) parameters from the parental policy are enforced on the subgroup’s
policy, and the administrator cannot modify them. In a child policy, the administrator can edit only the
parameters that are not locked in the parent group’s policy

— The administrator can choose not to apply a group policy to subgroups: in the subgroup’s policy, clear the
check box that regulates inheriting parameters from the parental policy. After that, the administrator will be
able to edit all parameters in the child policy
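
The rules above (locks, a single active policy per group, inheritance by subgroups and the inheritance check box) can be traced with a small model. This Python code is an illustration added here, not Kaspersky code and not an API of Kaspersky Security Center; the parameter names, policy names and all groups except Managed devices are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Param:
    value: object
    locked: bool          # True = lock closed: enforced, the user cannot change it
    origin: str = ""      # name of the policy that supplied the value


@dataclass
class Policy:
    name: str
    params: dict          # parameter name -> Param
    active: bool = True   # only the active policy is sent to the computers
    inherit: bool = True  # check box: inherit parameters from the parent policy


@dataclass
class Group:
    name: str
    parent: Optional["Group"] = None
    policies: list = field(default_factory=list)  # policies of ONE application

    def active_policy(self):
        active = [p for p in self.policies if p.active]
        if len(active) > 1:
            raise ValueError(f"{self.name}: only one policy can be active")
        return active[0] if active else None


def effective_policy(group):
    """Policy parameters that reach the computers of `group`."""
    chain = []
    while group is not None:          # group, its parent, ..., the root group
        chain.append(group)
        group = group.parent
    result = {}
    for g in reversed(chain):         # apply from the root group down
        policy = g.active_policy()
        if policy is None:
            continue                  # no own policy: the parent's policy applies
        merged = {n: Param(p.value, p.locked, policy.name)
                  for n, p in policy.params.items()}
        if policy.inherit:            # locked parent parameters win over the child
            merged.update({n: p for n, p in result.items() if p.locked})
        result = merged
    return result


def editable_parameters(group):
    """Parameters the administrator can edit in the group's own active policy."""
    policy = group.active_policy()
    if policy is None:
        return set()
    if not policy.inherit or group.parent is None:
        return set(policy.params)
    locked_above = {n for n, p in effective_policy(group.parent).items() if p.locked}
    return set(policy.params) - locked_above


def settings_on_computer(group, local_settings):
    """Value and source of every parameter on a computer that belongs to `group`."""
    policy = effective_policy(group)
    out = {}
    for name, local_value in local_settings.items():
        p = policy.get(name)
        if p is not None and p.locked:
            out[name] = (p.value, f"policy '{p.origin}'")
        else:                         # open lock: treated as not specified
            out[name] = (local_value, "local (user may change)")
    return out


# Constructed sample hierarchy and policies (hypothetical names and values).
root = Group("Managed devices")
root.policies = [Policy("KES default", {
    "file_scan_level": Param("Recommended", True),
    "web_control": Param("on", False),
    "password_protection": Param("off", False)})]
servers = Group("Servers", root)
servers.policies = [
    Policy("KES servers", {
        "file_scan_level": Param("Low", True),      # overridden: locked in parent
        "web_control": Param("off", True),
        "password_protection": Param("off", False)}),
    Policy("KES servers strict", {
        "file_scan_level": Param("High", True),
        "web_control": Param("off", True),
        "password_protection": Param("on", True)}, active=False)]
lab = Group("Lab", servers)                          # no policy of its own
kiosks = Group("Kiosks", root)
kiosks.policies = [Policy("KES kiosks", {
    "file_scan_level": Param("High", True),
    "web_control": Param("on", False),
    "password_protection": Param("on", True)}, inherit=False)]
LOCAL = {"file_scan_level": "Low", "web_control": "on", "password_protection": "on"}

if __name__ == "__main__":
    for g in (root, servers, lab, kiosks):
        print(g.name, settings_on_computer(g, LOCAL))
```
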

How tasks are applied to computers

The administrator manages update and virus scan settings via tasks rather than the policy.

While there can be only one type of Kaspersky Endpoint Security policy¹, there are many different task types in
Kaspersky Endpoint Security:

— Virus Scan
— Update
— Rollback
— Inventory
— Add key
— Integrity check
— Change application components
— Checking connection with KSN
— Manage Authentication Agent accounts

Each task type has its own characteristic settings. For example, a virus scan task has its scope and file scan settings,
an update task has an update source and instructions which updates to download.

Every task has a schedule.

Unlike policies, tasks have no locks. All task settings are enforced on the computers and the user cannot modify
them.

Tasks can be created not only by the administrator on the Administration Server, but also by the user in the local
interface. However, if a policy is configured on the Administration Server and enforced on a computer, it will use
only the Administration Server’s tasks. Local tasks will be neither run nor even displayed in the interface, and the
user will not be able to create new local tasks.

How tasks work in groups

The administrator creates tasks in groups for regular activities, such as virus scanning or downloading updates.

Similar to group policies, group tasks have their rules:

— If there is a subgroup in a group, a group task is applied to the subgroup’s computers

¹ One for one or a few product versions. For example, Kaspersky Endpoint Security 10 SP2 has its own policy type, and Kaspersky Endpoint
Security 11 has another. Two policies of a single Kaspersky Endpoint Security version contain the same parameters, only the values of these
parameters differ.

— There can be several tasks of each type in a group, for example, a few virus scan tasks. They may differ in
the scope and schedule, for example, one of the tasks may scan the whole computer once a week, and
another one, only critical areas but daily.

— If you want to scan for viruses the same scope with different schedules on different computers, organize
computers into respective groups and create individual tasks within each group. For example, you can run
full scan on servers during the weekends, and on workstations, during business hours in background mode.

— If there is a task in a group, and there is a subgroup with a task of the same type, the subgroup’s computers
will be running both tasks. Usually, this means that the administrator has not thought through which tasks
are really needed.

You must be especially careful with update tasks. To update Kaspersky Endpoint Security on a computer,
there must be one update task. If an update task is configured within a group and another one in its
subgroup, both will be applied to the computers that comprise the subgroup. If an update task is already
running, another one will return an error if started in the meantime. Consequently, the administrator will
keep receiving update errors due to a configuration error while updates will work correctly.

— Subgroups can be excluded from a task scope. Then the subgroup’s computers will receive only the
subgroup’s task, and the parental task will not be used

Unlike a policy, a task can be created not only for a group. It can be created for any list of computers, from a single
computer to an arbitrary set of computers belonging to different groups.
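
The group task rules above lend themselves to an automated check for the update task misconfiguration described in this section. The following Python code is an example added here, not part of Kaspersky Security Center; the group names other than Managed devices and all task names are constructed, and it assumes that excluding a subgroup from a task scope also covers the groups nested below that subgroup.

```python
from dataclasses import dataclass, field

# Constructed sample hierarchy: group -> parent group (None for the root group).
PARENT = {
    "Managed devices": None,
    "Servers": "Managed devices",
    "Workstations": "Managed devices",
    "Laptops": "Workstations",
}


@dataclass
class GroupTask:
    name: str
    kind: str                                   # task type: "Update", "Virus Scan", ...
    group: str                                  # group where the task is created
    excluded: set = field(default_factory=set)  # subgroups excluded from its scope


# Constructed sample tasks.
TASKS = [
    GroupTask("Update (all)", "Update", "Managed devices"),
    GroupTask("Update (laptops)", "Update", "Laptops"),
    GroupTask("Weekend full scan", "Virus Scan", "Servers"),
    GroupTask("Background scan", "Virus Scan", "Workstations"),
    GroupTask("Daily critical areas", "Virus Scan", "Managed devices",
              excluded={"Servers"}),
]


def path_to_root(group, parent=PARENT):
    """The group itself, then its parent, and so on up to the root group."""
    path = []
    while group is not None:
        path.append(group)
        group = parent[group]
    return path


def tasks_for(group, tasks=TASKS, parent=PARENT):
    """Group tasks that run on the computers of `group`."""
    path = path_to_root(group, parent)
    applied = []
    for task in tasks:
        if task.group not in path:
            continue                      # created in an unrelated group
        # Groups between the task's own group and the target, target included.
        # Assumption: an exclusion also covers groups nested below the excluded one.
        below = set(path[:path.index(task.group)])
        if task.excluded & below:
            continue                      # the target is excluded from the scope
        applied.append(task)
    return applied


def duplicate_update_tasks(tasks=TASKS, parent=PARENT):
    """Groups whose computers receive more than one update task."""
    findings = {}
    for group in parent:
        names = [t.name for t in tasks_for(group, tasks, parent) if t.kind == "Update"]
        if len(names) > 1:
            findings[group] = names
    return findings


if __name__ == "__main__":
    for group in PARENT:
        print(group, "->", [t.name for t in tasks_for(group)])
    print("Groups with several update tasks:", duplicate_update_tasks())
```

Excluding Laptops from the scope of the parent update task, or deleting the subgroup's update task, clears the finding.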

How Kaspersky Endpoint Security for Business is licensed

Which licenses are available for Kaspersky Endpoint Security for Business

We’ve studied how the components of Kaspersky Endpoint Security for Business interact, and how the
administrator manages them.

Now let us find out which licenses are available for Kaspersky Endpoint Security for Business, and what makes
them different.

There are several levels of licenses in Kaspersky Endpoint Security for Business:

— Cloud
A cloud solution that permits managing security of workstations, servers, and mobile devices via a web
browser. The Administration Server is hosted in Microsoft Azure and it is Kaspersky Lab that takes care of
the infrastructure; the administrator only deploys and manages protection. Technical training KL 040
Kaspersky Endpoint Security Cloud tells about this solution in detail.
— Select
— Advanced

The last two types of licenses are designed for the on-premises products that we will cover in this course.

Different licenses permit using different Kaspersky Lab products and different functions within these products.

What licenses activate in Kaspersky Endpoint Security for Business

You do not need to activate Kaspersky Security Center to use it. Everything which is necessary for managing
workstation protection is available without a license.

KESB Select permits protecting workstations, servers and mobile devices.

In Kaspersky Endpoint Security, a KESB Select license activates the protection and control components.

In Kaspersky Security Center, a KESB Select license activates the mobile device management functionality. You do
not need to activate Kaspersky Security Center to be able to manage only the protection and control on workstations
and servers.

Kaspersky Endpoint Security for Business Advanced permits protecting the same types of endpoints (workstations,
servers and mobile devices), but activates more functions, such as encryption.

In Kaspersky Endpoint Security for Windows, a KESB Advanced license permits using encryption.

In Kaspersky Security Center, a KESB Advanced license allows the customer to use Systems Management;
specifically, automatically download and install software fixes and updates, create and deploy images of operating
systems with pre-installed applications, etc.

Targeted licenses

If a customer does not need all KESB Advanced functions, licenses for individual functions are also available:

— Encryption
— Mobile Device Management
— Systems Management

Apart from the functionality, these licenses also limit the number of endpoints to be protected. For
example, a customer purchases a license for 100 nodes and, to protect more devices later, purchases a new
license for, say, 150 or 200 nodes.

All the abovementioned licenses are usually valid for a year. After that, the customer renews the license for another
year, and so on.

Subscription licenses

Additionally, Kaspersky Lab supports subscription licenses. These licenses are purchased from special partners, and
the customer pays monthly. The customer can suspend a subscription and resume it later.

With a subscription license, the customer can select which functionality level to use and change the number of nodes
every month if necessary: expand or cut down depending on the current needs.

What this course is about

What we will tell you in this course and what not

Kaspersky Endpoint Security for Business includes many products and capabilities. This course does not try to
cover all of them. It only talks about how to protect a not-too-large network of computers running Windows
operating systems.

That is why this course does not describe all the products that belong to Kaspersky Endpoint Security for Business;
instead, it focuses on:
— Kaspersky Endpoint Security for Windows
— Kaspersky Security Center
— And a little bit about Kaspersky Security for Windows Server

The following products are out of the course scope:


— Kaspersky Endpoint Security for Linux
— Kaspersky Endpoint Security for Mac
— Kaspersky Embedded Systems Security
— Kaspersky Endpoint Security for Android
— Safe Browser for iOS
— Kaspersky Security for Virtualization
— Kaspersky Anti-Targeted Attack Platform / Kaspersky Endpoint Detection and Response

Also, the course does not talk about all the capabilities of Kaspersky Endpoint Security for Windows and Kaspersky
Security Center, but concentrates on how to:
— Install protection on the computers
— Manage computer protection
— Manage the Control components
— Use a single Kaspersky Security Center Administration Server

The following topics fall outside the framework of this course:


— Encryption management
— Third-party vulnerability and patch management
— Creation and deployment of disks with computer images
— Protection of large, complex, and distributed networks using Distribution Points, Connection Gateways, or
several Kaspersky Security Center Administration Servers

Where to learn more about the products that fall out of this course scope

The following courses, which are devoted to other products and technologies, are available:

Course   Duration   Topic
KL 013   1 day      How to protect Linux workstations
KL 007   1 day      How to protect Linux servers
KL 011   1 day      How to protect Mac workstations
KL 005   1.5 days   How to protect Windows servers using Kaspersky Security for Windows Servers
KL 037   1 day      How to protect devices running embedded versions of Windows
KL 010   1 day      How to manage mobile devices
KL 008   1 day      How to manage encryption
KL 009   1 day      How to fix vulnerabilities and install updates on third-party software
KL 302   2 days     How to manage protection in large, complex and distributed networks
KL 014   1 day      How to protect virtual machines using Kaspersky Security for Virtualization. Agentless
KL 031   1 day      How to protect virtual machines using Kaspersky Security for Virtualization. Light Agent
KL 016   1 day      Troubleshooting
KL 032   1 day      How to implement a Default Deny policy
KL 025   2 days     KATA/KEDR



What this course includes

This course consists of presentations and labs, which alternate. The instructor first explains every topic with slides,
and then the students put theory into practice in the labs.

The Student Guide includes all slides and elaborates on all the topics and product settings.

What to do during the labs is described in detail in the Lab Guide.

The students complete hands-on exercises using virtual machines. The virtual environment depends on the class: It
can be VMware Workstation, VMware vSphere, Microsoft Hyper-V, etc. The Lab Guide is designed for VMware
Workstation.

Students use five virtual machines, which perform the following roles in the labs:

Virtual machine    Role
DC                 Provides AD domain services, DNS, file access
Security-Center    The Kaspersky Security Center Administration Server, from which the administrator manages protection
Alex-Desktop       Represents a typical desktop computer in a corporate network
Tom-Laptop         Represents a notebook that may be taken outside the corporate network for some time
Kali Linux         Provides software for attacking organization’s computers



Chapter 1. How to deploy Kaspersky Endpoint Security for Business

1.1 What to install and in what order

In a deployment, all network computers must be protected, and the administrator must be able to manage protection
centrally. To achieve this, you need to install Kaspersky Security Center 11 (KSC 11) and Kaspersky Endpoint
Security 11.1 for Windows (KES 11.1) on the computers.

First, install the Kaspersky Security Center Administration Server. The Administration Server centrally manages
protection, and helps to install other components.

The MMC Kaspersky Administration Console is installed automatically along with the Administration Server. To
manage the server remotely, use remote desktop, or install Kaspersky Security Center Administration Console on
the administrator’s computer.

Web Console can also be installed automatically together with the Administration Server; when the installation
completes, the administrator is prompted which Administration Console to start.

In order to protect the network, install Kaspersky Endpoint Security on every computer. Kaspersky Endpoint
Security alone cannot interact with Kaspersky Security Center; install the Network Agent on every computer to
make centralized management possible.

If you need to enforce different settings on different computers, organize the computers into groups. Do not create
more groups than necessary. To be able to easily find computers, import the structure from Active Directory.

To sum up, deploy protection as follows:

1. Install the Kaspersky Security Center Administration Server
2. Install Kaspersky Security Center Network Agent and Kaspersky Endpoint Security
3. Organize computers into groups

1.2 How to organize the process

You do not need much time to install all components of Kaspersky Endpoint Security for Business. What consumes
time is troubleshooting.

To save time, do your homework. Try what you want to implement in a test environment. If you encounter issues,
think how to solve them, or find a workaround to use in case the issue arises on the network computers.

However, you are unlikely to stumble upon every possible issue in a test environment. Therefore, in your real
network, start with a small number of computers: 10–20. Try to select different computers to come upon as many
potential issues as possible. If you encounter new issues, return to the test environment, reproduce them and come
up with a solution or a workaround.

Stage the deployment: for example, 100 computers at a time. This way, you will discover new issues gradually, and
the number of problem computers will always be small.

To sum up, deploy as follows:

1. Install software in a test environment
2. Install software on 10-20 typical computers
3. Install software on all computers, by stages, 100 computers at a time

At each step, plan some extra time for troubleshooting. Do not proceed to the following step until you decide how to
solve or get around all issues. Whenever possible, solve issues in a test environment rather than on the network
computers.

Today, an IT test environment is usually made of virtual machines. If virtual machines appear to be a luxury, use the
administrators’ computers for testing.

Chapter 2. How to install Kaspersky Security Center

2.1 Requirements for the Administration Server

To install the Kaspersky Security Center Administration Server, prepare a computer that meets the system
requirements.

If there are fewer than 1000 endpoints in the network, the Administration Server and the database server will easily
share a single computer. If nodes are more numerous, use a more powerful computer or use a dedicated computer
for the database server.

The Administration Server computer can be either physical or virtual. If you are using a virtual Server, make sure
that the virtual environment meets the system requirements.

Support for server versions of Windows

The complete list of supported server operating systems is as follows:

— Microsoft Small Business Server 2008 Standard / Premium 64-bit
— Microsoft Small Business Server 2011 Essentials / Standard / Premium Add-on 64-bit
— Windows Storage Server 2008 R2 / 2012 / 2012 R2 / 2016 64-bit
— Microsoft Windows Server 2008 SP2 (all editions)
— Microsoft Windows Server 2008 Foundation SP2 32-bit / 64-bit
— Microsoft Windows Server 2008 R2 Standard SP1 64-bit
— Microsoft Windows Server 2012 Server Core / Foundation / Essentials / Standard / Datacenter 32-bit / 64-bit
— Microsoft Windows Server 2012 R2 Server Core / Foundation / Essentials / Standard / Datacenter
— Microsoft Windows Server 2016 Server Core / Standard / Datacenter
— Microsoft Windows Server 2019 Standard / Datacenter

Support for Windows workstations

It is better to use server hosts for the Administration Server. However, in small networks (up to a couple of hundred
computers), a powerful workstation will do. Also, you can use a workstation in a test environment.

The Administration Server can be installed on the following non-server versions of Windows:

— Microsoft Windows 10 Pro / Enterprise / Education / Mobile RS5 32-bit / 64-bit
— Microsoft Windows 10 Pro / Enterprise / Education / Mobile RS4 32-bit / 64-bit
— Microsoft Windows 10 Pro / Enterprise / Education / Mobile RS3 32-bit / 64-bit
— Microsoft Windows 10 Pro for Workstations RS3 / RS4 / RS5
— Microsoft Windows 10 Enterprise 2015 LTSC 32-bit / 64-bit
— Microsoft Windows 10 Enterprise 2016 LTSC 32-bit / 64-bit
— Microsoft Windows 8.1 Pro / Enterprise 32-bit / 64-bit
— Microsoft Windows 8 Pro / Enterprise 32-bit / 64-bit
— Microsoft Windows 7 Professional / Enterprise / Ultimate SP1 32-bit / 64-bit

Virtualization support

To install the Administration Server on a virtual machine, use one of the following virtualization platforms:

— VMware vSphere 6 / 6.5
— VMware Workstation 14 Pro
— Microsoft Hyper-V Server 2008 / 2008 R2 / 2008 R2 SP1 / 2012 / 2012 R2 / 2016
— Citrix XenServer 7 / 7.1 LTSR
— Parallels Desktop 11
— Oracle VM VirtualBox 5.x (Windows guest operating systems are supported)

A virtual machine must meet the operating system, software and hardware requirements.

Support for database management servers

Administration Server uses a database for which an SQL server is necessary. The following versions of SQL servers
are supported:

— Microsoft SQL Server
    — Microsoft SQL Server 2008 Express 32-bit
    — Microsoft SQL 2008 R2 Express 64-bit
    — Microsoft SQL 2012 Express 64-bit
    — Microsoft SQL 2014 Express 64-bit
    — Microsoft SQL Server 2008 (all editions) 32-bit / 64-bit
    — Microsoft SQL Server 2008 R2 (all editions) 64-bit
    — Microsoft SQL Server 2008 R2 Service Pack 2 64-bit
    — Microsoft SQL Server 2012 (all editions) 64-bit
    — Microsoft SQL Server 2014 (all editions) 64-bit
    — Microsoft SQL Server 2016 (all editions) 64-bit
— MySQL
    — MySQL Standard Edition 32-bit / 64-bit 5.6 / 5.7
    — MySQL Enterprise Edition 32-bit / 64-bit 5.6 / 5.7
— Microsoft Azure SQL Database
— Amazon RDS
    — Microsoft SQL

Microsoft SQL Server Express is not included with Kaspersky Security Center distribution anymore.

Starting with Kaspersky Security Center version 10 SP3, administrators are to download and install Microsoft SQL
Server Express manually. Remember that Express editions have their limitations and must not be used for managing
a large number of computers (more than 5000). Detailed information about this is provided in course KL 302.

SQL server can be installed either on the same computer as the Administration Server or on any other network
computer. The Administration Server must have Read and Write access to the SQL database. If the Administration
Server and SQL server are installed on the same computer, access issues do not arise.

Additional software requirements

In addition to the operating system, the following software must be installed on the computer:

— Microsoft .NET Framework 4 (install as a Windows component)
— Windows Data Access Components 6.0
— Windows Installer 4.5 (is included with the distribution)

Allocate a new computer for the Administration Server. If it is impossible, make sure that Kaspersky Security
Center Network Agent is not installed on the computer. The installer automatically detects previous versions
of Network Agent and prompts the administrator to uninstall them.

Minimum hardware requirements

Minimum hardware requirements are as follows:

— 1 GHz or higher processor (1.4 GHz for 64-bit systems)
— 4 GB of RAM
— 10 GB of free hard drive space (if you plan to use the Systems Management functionality, at least 100 GB
of free hard drive space will be necessary)

A more powerful server is required for any significant number of clients. Recommendations are available in the
Implementation Guide. Practical experience of using the Administration Server in large networks is summarized in
course KL 302 “Kaspersky Endpoint Security and Management. Advanced Skills”.

2.2 Installation of the Administration Server

Where to get the Kaspersky Security Center distribution

To install Kaspersky Security Center, run the installer.

Prior to installing Kaspersky Security Center, you should install and configure a database server.

You can download the installer for Kaspersky Security Center 11 from the Kaspersky Lab website
(https://www.kaspersky.com/small-to-medium-business-security/downloads/security-center) or from the product
page on the technical support website (http://support.kaspersky.com/ksc11#downloads).

There are two installers:

— ksc_11_<version>_full_en.exe—the full distribution of Kaspersky Security Center 11 that includes
a complete set of its own components, installation packages of Network Agent and Kaspersky Endpoint
Security 11.1 for Windows, Microsoft .NET Framework, and other software, as well as the management
plugins for all supported products. The size of this distribution is about 1 GB

— ksc_11_<version>_lite_ru.exe—the lite version of the distribution that lacks the installation packages of
Kaspersky Endpoint Security 11.1 for Windows, Microsoft .NET Framework, and some other software; as
far as management plugins are concerned, only those of Kaspersky Security Center 11 components are
included. The size of this distribution is about 140 MB. This distribution comes in handy when upgrading
Kaspersky Security Center components

Kaspersky Security Center installation shell

When the full distribution version is run, the installation shell starts. The installation shell permits selecting
the components to install, for example, the Administration Server or the Administration Console. You can also
extract installation files of the selected components into the specified folder.

The following products are available within the installation shell:

— Kaspersky Security Center Administration Server
— Kaspersky Security Center Administration Console
— Kaspersky Security Center Network Agent
— Kaspersky Endpoint Security for Windows (extract only)
— iOS MDM Server (a component of Kaspersky Security Center for managing mobile devices)
— Kaspersky Endpoint Security for Android (extract only)
— Microsoft Exchange Mobile Devices Server (a component of Kaspersky Security Center for managing
mobile devices)
— Application management plugins

This course covers only Server, Console, Network Agent, and Kaspersky Endpoint Security.

What you need to know before the installation

During the installation, the administrator selects:

— Kaspersky Security Center components (including the new Web Console)
— Installation folder
— SQL server type and connection parameters
— Path to the Administration Server shared folder
— Ports and connection address of the Administration Server
— Management plugins for the products

Almost all of these values can be changed after the installation. Only the SQL server type cannot be modified. If you
select Microsoft SQL, you will not be able to switch to MySQL without losing data.

You can switch to another SQL server of the same type without losing data, but it is not easy. You will need to back
up the Administration Server data, reinstall the Administration Server, select another SQL server, and after that,
restore the data from the backup copy.

Setup wizard

Installation types

Installation of the Administration Server can be either custom or standard².

During the standard installation, the administrator is prompted to:

— Accept the license agreement for Kaspersky Security Center
— Specify the network size
— Select a database server type
— Configure the database server connection parameters

Kaspersky Security Center distribution does not include a Microsoft SQL server anymore. You should deploy and
configure a Microsoft SQL or MySQL database server in the network prior to installing Administration Server.

² On Windows Server Core, only custom installation is available.



If you select Custom installation and leave all the default settings, the result will be exactly the same as after the
Standard installation.

Components and installation paths

You can install the following components together with the Administration Server:

— SNMP agent
— Packages for mobile device support

The SNMP agent is necessary if you want the Administration Server to send notifications over SNMP. This
component requires the SNMP service (a Windows component) to be installed on the computer. If the SNMP
service is absent, the SNMP agent will not be shown in the list of Administration Server components during the
installation.

The option Install packages for mobile device support adds the components necessary for managing Kaspersky
Endpoint Security for Mobile via Kaspersky Security Center. Detailed information is available in course KL 010.

Under the list of components, you can change the location of Administration Server program files. If you want to
move files because drive C: lacks space, consider moving only the shared folder of the Administration Server. It can
be relocated independently of the program files, and it takes up much more space than the other program files. The
path to the shared folder will be configured later in the installation wizard.

Remember that backup copies of the Administration Server are stored to the %ProgramData%\KasperskySC folder
by default. These copies consume much space, up to several gigabytes, depending on the number of endpoints.

Web Console

Web Console is an application that you can install either together with Kaspersky Security Center or on another
computer.

Web Console is included with the distribution of Kaspersky Security Center 11 and the installation wizard prompts
you to specify whether you want to install Web Console together with the Kaspersky Security Center. If you do not
change anything, the Web Console will be installed with the default parameters; in particular, port 8080 will be used
for connections.

Network size

Four options are offered for the network size:

— Fewer than 100 networked devices
— From 100 to 1,000 networked devices
— From 1,000 to 5,000 networked devices
— More than 5,000 networked devices

The following Administration Server parameters depend on the selected option:

Number of computers in the network      Fewer than 100   From 100 to 1,000   From 1,000 to 5,000   More than 5,000
Automatically randomize task start      –                +                   +                     +
Display slave Administration Servers    –                –                   +                     +
Display security settings               –                –                   +                     +



Automatic randomization of the task start applies to the schedules of virus scan, update, vulnerability search, and
other group tasks.

If a task starts simultaneously on many computers, the load on the network and Administration Server drastically
increases. To even out the peak, tasks can start on the computers with a random delay.

The administrator can enable randomization and then specify the randomization range manually or select automatic
randomization. On each computer, the delay is selected randomly within the specified or automatically chosen range.

How automatic randomization works

If automatic randomization is used, the randomization range depends on the number of computers where the task
starts:

The number of computers    Randomization range
0-200                      0 minutes
200-500                    5 minutes
500-1,000                  10 minutes
1,000-2,000                15 minutes
2,000-5,000                20 minutes
5,000-10,000               30 minutes
10,000-20,000              1 hour
20,000-50,000              2 hours
50,000+                    3 hours

Slave Administration Servers and security parameters are described in course KL 302 “Kaspersky Endpoint Security
and Management. Advanced Skills”. These functions are rarely used in small and middle-size networks.

The default settings are the same when the administrator selects either “From 1,000 to 5,000” or “More than 5,000
networked devices.” If you select the “More than 5,000 computers on network” option, the installation wizard will
recommend that you do not use the free version of Microsoft SQL server. Detailed information about large networks
is provided in technical training KL 302 “Kaspersky Endpoint Security and Management. Advanced Skills”.

The network size selection only influences a couple of interface settings, which can easily be modified after
the installation. The threshold value that actually makes the difference is 1,000 computers. Administration Server
operation parameters do not depend on the selected network size.

Selecting the SQL server type

The Administration Server stores events, information about computers and a part of the settings in the SQL database.

The Administration Server can store the database in either of the following types of SQL servers:

— Microsoft SQL Server


— MySQL

The choice depends on the company’s and the administrator’s preferences.

Microsoft SQL Server is an industry standard and is recommended for large networks (5,000 endpoints or more).

MySQL server has open source code and can run on a Linux operating system. That is why MySQL is sometimes
preferred by state institutions.

Starting with version 10 SP3, Kaspersky Security Center distribution does not include Microsoft SQL Server
Express. The administrator is to install and configure an SQL server unassisted. We recommend that you do it
before you start the Kaspersky Security Center installer.

How to specify a Microsoft SQL server

If you decide to use a Microsoft SQL server, specify the full name of the instance and the name of the database
designed for the Administration Server.

To find the necessary instance in the network, click the Browse button. If the instance is not shown, make sure that
the SQL Server Browser service is running on the SQL server. It is disabled by default.

If you have not installed a Microsoft SQL server in advance, you can do it without interrupting the KSC installation
wizard. The SQL server settings page provides two links to Microsoft webpages:

— Microsoft SQL Server 2014 SP2 Express download link (a free version recommended for small networks
up to 5000 endpoints)

— A link to descriptions of Microsoft SQL Server editions, where you will be able to select what you need

How to connect to your Microsoft SQL server

The database for the Administration Server is created by the installer. Later, the Administration Server will connect
to the database to record and extract events.

The installer needs the permission to create a database. The Administration Server will need the write and read
permissions for the database.

If the Microsoft Windows Authentication Mode is selected, the installer connects to the SQL server under the
current Windows user account. Meanwhile, the Administration Server will connect to the database under the
account of its service: KL-AK-<*> by default, or the one selected by the administrator at a previous step.

The current user must have the right to create a database on the SQL server.

If the Kaspersky Security Center administrator does not have permissions to create a database on the SQL server,
the SQL server administrator should create an empty database, and the Kaspersky Security Center administrator is to
specify the names of the instance and database in the installation wizard.

The KL-AK-<*> account (or another one specified by the administrator) must have the read and write permissions
for the database. You cannot check this before the installation, but you can grant the selected account these
permissions afterwards, or even specify another account for the Administration Server service.

If you select the SQL Server Authentication Mode, specify an SQL server account rather than a Windows account.
Both the installer and the Administration Server will use this account to create the database and record events there.

By default, the SQL Server Authentication Mode is disabled in all supported versions of SQL server. It is considered
to be obsolete and unsafe. Microsoft and Kaspersky Lab recommend using Microsoft Windows Authentication
Mode.

If the SQL server instance is located on another computer, make sure that SQL server allows remote connections,
and that ports are not blocked by the firewall.

How to specify a MySQL server

If you selected MySQL server, specify the database server address, port (typically, 3306), and database name.

The database page does not offer a download link for MySQL. You can find MySQL products on the website
www.mysql.org

How to connect to the MySQL server

Specify the username and password to connect to the MySQL server. This username and password will be used both by
the installer to create the database and by the Administration Server to write to it.

In the latest versions of MySQL server, to enable an account to connect to the server, you need to allow a specific
address or computer name to use it on the SQL server side. See the MySQL documentation for details.

When you click Next, the wizard attempts to connect to the specified server under this account. If the connection
fails, the wizard returns an error that describes the issue it encountered.

Administration Server service account

By default, the installer creates a new account named KL-AK-<alphanumeric combination> for starting
the Administration Server service. It is a local account, which is not included in the computer administrators’ group,
but has the same permissions as administrators.

Also, it is added to the KLAdmins group. Members of this group have full access to all the functions and settings of
the Administration Server. For security reasons, this account cannot log on to the system locally.

If the administrator decides to use another account, he or she must grant it all the necessary permissions.

The Administration Server service account must have administrator permissions on the computer selected for
the installation.

If the database is planned to be located on a remote SQL server, the account must have Read and Write access to
the Administration Server database on the SQL server.

If the Administration Server account has domain administrator permissions, some operations are simplified, for
example, remote installation.

Account for accessory services

The KL-AK-* account starts only the Administration Server service: Kaspersky Security Center Administration
Server. The Administration Server also has other services:

— Kaspersky Activation Proxy
— Kaspersky Lab Web Server
— Kaspersky Security Network Proxy
— Kaspersky Security Center Network Agent
— Kaspersky Security Center automation object

The first three services are started under another service account created by the installer: KlScSvc. This account has
the same rights as KL-AK-*: its permissions are equivalent to an administrator's, minus the right to log on locally.

The Network Agent and the automation object operate under the Local System account. On some operating systems,
the automation object operates under the Network Service account.

The installation wizard permits selecting another account instead of KlScSvc, for example, if the company already
has a service account for this purpose.

The shared folder of the Administration Server

The shared folder stores signature updates and the installation files for applications, specifically, Network Agent and
Kaspersky Security Center.

By default, the installer creates the shared folder of the Administration Server in the folder with program files.
The local name of this folder is Share, and the network name is KLSHARE.

Right after the installation and initial setup, the shared folder takes up about 300 MB. It may grow up to several
gigabytes depending on how Kaspersky Security Center is used. That is why it might be worthwhile to place
the shared folder of the Administration Server on a drive other than the system one. The location of the shared folder
can be changed later via the Administration Console.

Connection ports of the Administration Server

Administration Server accepts connections from Network Agents on two TCP ports:
— 13000 for SSL connections
— 14000 for non-SSL connections

By default, all connections are encrypted in Kaspersky Security Center, so only SSL port 13000 is used. Port 14000
might be used only if the administrator disables connection encryption for troubleshooting.

If you want to use other ports, make this decision beforehand and specify them in the installation wizard.

To modify the ports after the Administration Server has been installed, you will have to edit them in several places
in the Console. And to modify the ports after Network Agents have been installed on the network computers, you
will have to use a special task or reinstall the Agents.

In older versions of Kaspersky Security Center, Administration Consoles connect to port 13000. In the recent
versions, KSC Consoles connect on TCP port 13291. You cannot select this port in the installation wizard, but you
can easily modify it later via the Administration Console.

Web server and activation proxy server services use 4 more ports, which can also be reconfigured in the console.

To be able to establish SSL connections, the Administration Server generates a new certificate valid for 10 years
during the installation. To save and restore the certificate after failures or after reinstalling the Administration Server,
use the backup procedure (see Unit IV “Maintenance” for details).

Administration Server address for Network Agents

The client computers where the Network Agent is installed will connect to the Administration Server using
the address and port specified during the installation.

You can specify the Server address in the form of an IP address (IPv4 only), DNS or NetBIOS name. The choice
depends on the network configuration. Even though an IPv6 address can’t be specified, Network Agents can connect
to the Administration Server via IPv6 if the Administration Server address is specified as a NetBIOS or DNS name.

If the Administration Server has a static IP address that will not be changed in the foreseeable future, it is the best
choice. In this case, the ability to connect depends only on the routers, rather than on the name resolution system.

If the IP address is assigned dynamically (or is static but is changed often), you should not use it as the connection
address, because you will have to modify the client connection settings often. To avoid the trouble, it is better to
specify the server name: Either DNS or NetBIOS. If the DNS service reliably functions in the network, use the DNS
name since DNS name resolution is not usually blocked by local firewalls.

NetBIOS name resolution is based on broadcast queries and answers, which may be blocked by local firewalls.
Therefore, the NetBIOS name should only be used for connections if the other methods cannot be used.

After the installation, the Server connection address and ports can be changed in the properties of the Network Agent
installation package.

Management plugins for the programs

The distribution kit of Kaspersky Security Center includes the management plugins for all current versions of
Kaspersky Lab products. The custom installation enables the administrator to select the plugins of the products that
are used or will be used in the network. The plugins can also be installed later from the Kaspersky Security Center
installation shell. Plugin installers are also included with the distributions of the corresponding products.

Every plugin is installed by its own short installation wizard. Some plugins are installed automatically, while others
prompt the administrator to accept the license agreement.

If you upgrade a product to a new version with a new plugin, uninstall the old plugin. The following knowledgebase
article explains how to remove unnecessary plugins: https://support.kaspersky.com/9303

During the standard installation, management plugins for Kaspersky Security Center 11 components and Kaspersky
Endpoint Security 11.1 for Windows are installed, as well as mobile device management plugins. Plugins are
installed at the very end of the Administration Server installation. After the Kaspersky Endpoint Security 11.1
plugin is installed, the installation is finished. On the last page, the administrator can select whether to start the
Administration Console.

Completing the installation

On the last page, the wizard offers to start the local MMC Administration Console or the Web Console immediately
and proceed with the setup in the Administration Server Quick Start Wizard. By default, Web Console will start if it
has been installed.

Usually, Administration Server needs a few minutes to start working and accept connections.

Additional consoles and plugins

If you need plugins for other Kaspersky Lab products, you can install them from the installation shell.

To be able to manage the Administration Server remotely in a way other than via RDP or the Web Console, install a
remote MMC Administration Console. The console has a very simple installation wizard without settings. Plugins
for the console can also be installed from the same installation shell. Plugins are to be installed on each console
rather than on the Administration Server. If the console lacks a plugin, the administrator will not be able to open tasks
and policies of the corresponding program and the console will display an error message. To fix this, simply install
the necessary plugin.

Full-fledged management of the Administration Server and other Kaspersky Lab products is possible only via the
MMC console. The first release of the new Web Console does not permit managing encryption, for example, and
does not support any protection products but Kaspersky Endpoint Security for Windows. Also, the new Web
Console does not support Mobile Device Management or Vulnerability Assessment and Patch Management so far.

Installation results

If you select the Custom option when starting the wizard, but agree to the default settings on all wizard pages,
the result will be the same as with the Standard option:

Components:
    Administration Server
    Network Agent
    MMC Administration Console
    Web Console

Installation paths:
    %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Security Center—program files
    %ProgramFiles%\Kaspersky Lab\Kaspersky Security Center Web Console 11—program files
    %ProgramData%\KasperskyLab\adminkit—settings
    %ProgramData%\KasperskySC\SC_Backup—the folder for backup copies

Services:
    Kaspersky Security Center Administration Server
    Kaspersky Security Center Network Agent
    Kaspersky Security Center automation object
    Kaspersky Security Network proxy server
    Kaspersky Lab Web Server
    Kaspersky Activation Proxy
    Kaspersky Security Center 11 Management Service
    Kaspersky Security Center 11 Web Console
    Kaspersky Security Center 11 Web Console Message Queue

Shared folder:
    KLSHARE
    Its local path is %ProgramData%\KasperskyLab\adminkit\1093\.working\Share

User groups:
    KLAdmins
    KLOperators
    (see course KL 302 for details)

Accounts:
    KL-AK-<*>—starts the service of the Kaspersky Security Center Administration Server
    KlScSvc—starts the services of the Kaspersky Activation Proxy, Kaspersky Security Network Proxy
    Server, and Kaspersky Lab Web Server
    The KL-AK-<*> and KlScSvc accounts have the same permissions as the local administrator, but
    are not included in the computer built-in administrators group
    KlPxeUser—a user account for the PXE server (see course KL 009 for details)

Connection ports:
    8060—http port of Kaspersky Lab Web Server
    8061—https port of Kaspersky Lab Web Server
    13000—for SSL connections of Network Agents
    14000—for non-SSL connections of Network Agents and Administration Consoles
    13291—for SSL connections of Administration Consoles
    13111—port of Kaspersky Security Network proxy server service
    17000—port of Kaspersky Activation Proxy
    13299—for SSL connections of Kaspersky Security Center Web Console

SQL server:
    Database name: KAV

Connection address:
    DNS name of the server

Plugins:
    Kaspersky Security Center 11 (11.0) Administration Server
    Kaspersky Security Center 11 (11.0) Network Agent
    Kaspersky Endpoint Security 11.1 for Windows
    Kaspersky Mobile Device Management 11

Installation packages:
    Kaspersky Endpoint Security 11.1 for Windows
    Kaspersky Security Center 11 (11.0) Network Agent
    Microsoft Exchange Mobile device server
    iOS MDM Server

Most of these settings can be modified either during the custom installation, or in the product settings after
the installation is finished, or both ways. However, some of the settings cannot be edited at all after the product is
installed; some others are very difficult to change. You should consider the following very carefully before
the installation:
1. The path to data files cannot be modified at all, which complies with Microsoft requirements
2. To modify the path to the program files, as well as the SQL server address, you will have to reinstall
Kaspersky Security Center
3. The type of SQL server (Microsoft or MySQL) cannot be modified at all, at least not in any supported way.
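
To review which of the default connection ports from the installation results above are actually open on a server, the following added example (not part of the Kaspersky course material) parses netstat -ano output and reports unencrypted ports that listen on non-loopback addresses, the peers connected over them, and listed ports with no listener. The netstat sample is constructed, English-language netstat output is assumed, and the names parse_netstat and audit are hypothetical; adjust DEFAULT_PORTS if other ports were chosen in the installation wizard.

```python
"""Audit TCP ports on a Kaspersky Security Center server against the default
port list in this guide. Added example; the netstat sample is constructed."""
import re
from collections import namedtuple

# Default ports from the guide's installation results.
# Second field: True = SSL/https, False = http/non-SSL, None = not stated in the guide.
DEFAULT_PORTS = {
    8060: ("Kaspersky Lab Web Server, http", False),
    8061: ("Kaspersky Lab Web Server, https", True),
    13000: ("Network Agents, SSL", True),
    14000: ("Network Agents and Administration Consoles, non-SSL", False),
    13291: ("Administration Consoles, SSL", True),
    13111: ("Kaspersky Security Network proxy server", None),
    17000: ("Kaspersky Activation Proxy", None),
    13299: ("Web Console, SSL", True),
}

Conn = namedtuple("Conn", "local_addr local_port remote state pid")

# One TCP row of Windows "netstat -ano" output (English state names assumed).
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s*$")

# Constructed sample: addresses and PIDs are illustrative only.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8060           0.0.0.0:0              LISTENING       3120
  TCP    0.0.0.0:8061           0.0.0.0:0              LISTENING       3120
  TCP    0.0.0.0:13000          0.0.0.0:0              LISTENING       2316
  TCP    0.0.0.0:13291          0.0.0.0:0              LISTENING       2316
  TCP    0.0.0.0:13299          0.0.0.0:0              LISTENING       2316
  TCP    0.0.0.0:14000          0.0.0.0:0              LISTENING       2316
  TCP    127.0.0.1:13111        0.0.0.0:0              LISTENING       4408
  TCP    10.0.0.5:13000         10.0.0.77:50123        ESTABLISHED     2316
  TCP    10.0.0.5:14000         10.0.0.81:49822        ESTABLISHED     2316
  TCP    [::]:13000             [::]:0                 LISTENING       2316
"""


def parse_netstat(text):
    """Return a Conn for every TCP row; header and UDP rows are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            addr, port, remote, state, pid = m.groups()
            conns.append(Conn(addr, int(port), remote, state, int(pid)))
    return conns


def is_loopback(addr):
    return addr.startswith("127.") or addr == "[::1]"


def is_plaintext(port):
    """True only for ports the guide labels http or non-SSL."""
    return DEFAULT_PORTS.get(port, ("", None))[1] is False


def audit(conns):
    """Compare observed sockets with the documented defaults."""
    listening = {}
    for c in conns:
        if c.state == "LISTENING":
            listening.setdefault(c.local_port, set()).add(c.local_addr)

    # Unencrypted ports reachable from other machines.
    plaintext_listening = sorted(
        port for port in DEFAULT_PORTS
        if is_plaintext(port)
        and any(not is_loopback(a) for a in listening.get(port, ()))
    )
    # Remote hosts that currently hold a connection to an unencrypted port.
    plaintext_peers = sorted({
        c.remote.rsplit(":", 1)[0] for c in conns
        if c.state == "ESTABLISHED"
        and is_plaintext(c.local_port)
        and not is_loopback(c.local_addr)
    })
    # Documented ports with no listener: service stopped or port reconfigured.
    not_listening = sorted(p for p in DEFAULT_PORTS if p not in listening)

    return {
        "plaintext_listening": plaintext_listening,
        "plaintext_peers": plaintext_peers,
        "not_listening": not_listening,
    }


if __name__ == "__main__":
    report = audit(parse_netstat(SAMPLE_NETSTAT))
    for key, value in report.items():
        print(f"{key}: {value}")
```

A peer listed under plaintext_peers on port 14000 indicates a Network Agent or console that is still connecting without SSL, which the guide describes as a troubleshooting-only setting.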

2.3 Installation of Kaspersky Security Center Web Console

Setup Wizard

Selecting the installation language

Web Console does not have to be installed together with Kaspersky Security Center; you can install it on any other
computer like an ordinary application. The Web Console’s distribution is located in the unpacked Administration
Server folder: Server\Packages\Web Console.

Run the installer and select the language for the installation wizard.

License agreement and the list of Web Console localizations

Installation path and connection address

We recommend that you use the default installation path.

If necessary, change the port for connecting to the Web Console. UDP port 8080 is used by default.

Account and certificate

Web Console installs several services in the system; at this step, you are prompted to select the accounts under
which the services will be started. We recommend that you use the default accounts. In this case, the Web Console’s
services will start under Local System and Network Service.

Now, decide which certificate to use: The installation wizard can generate a self-signed certificate automatically;
alternatively, you can specify another one.

Connecting to Kaspersky Security Center

The most important step is adding a trusted Administration Server. At this step, the administrator specifies
Kaspersky Security Centers with which the Web Console will be able to interact.

If Web Console is installed on a computer where Kaspersky Security Center is installed already, this server will be
added to the list of Trusted Administration Servers automatically. Otherwise, you will need to manually add the
server: Its address, port, and, last but not least, the path to the Administration Server certificate. This certificate will
then be copied to the Web Console installation folder.

Web Console uses port 13299 to connect to Kaspersky Security Center by default, but if necessary, you can change
it in the Administration Server properties.

Installation and finishing the wizard

Click the Install button to start the installation and wait for completion (5-7 minutes).

Now, you can either finish the wizard, or start the Web Console using the respective link. To connect to the console
from the administrator’s workstation or any other remote machine, open a browser and go to https://<IP
address>:8080 (or the port that you specified during the installation).

Web Console services

Web Console’s architecture includes numerous components and processes which are hidden from the user, and there is
no need to describe them in detail. The main component is Server Web Console, which is based on
Node.js; it runs as a separate node.exe process. There are also other components that run in other node.exe
processes, for example, each plugin has a dedicated process.

Separate processes are also used for the message queue processing (nsqd.exe) and logging (nsq_to_file.exe)
subsystems.

The standard Node.js process manager monitors and manages processes. Because of the operating system limitations,
the process manager starts processes under the same account under which it is running. For this reason, two
instances of the process manager run: One under the Local System, and the other under the Network Service account.
Limited permissions are sufficient for most processes; but some scenarios require elevated privileges.

Now let us see which services Web Console installs in the system:

— Kaspersky Security Center Web Console Management Service—SrvLauncher.exe—this service is used
solely to start the process manager under the Local System account

— Kaspersky Security Center Web Console—SrvLauncher.exe—this service is used solely to start the
process manager under the Network Service account

— Kaspersky Security Center Web Console Message Queue—nsqd.exe—NSQ-based distributed messaging
platform

Interaction with Kaspersky Security Center

The Web Console is a Node.js web server. The server part of the Web Console connects to Kaspersky Security
Center over a new protocol, KSC Open API, which is based on HTTPS.

The client part of the Web Console is a Single Page Application (SPA). In its most basic form, an SPA is a web
application that literally has only one page, which loads content dynamically. That is, when you click an interface
element in the Web Console, JavaScript code runs that loads the respective modules and visualizes the requested content.
For the user, it looks like a new page has opened.

Connecting to several Administration Servers

What if we have several Administration Servers at the company and want to connect to all of them via a browser?

The simplest option is to install a dedicated Web Console on each Kaspersky Security Center and work with
different Administration Servers from different browser tabs.

However, you can also use a single Web Console as an entry point for managing several Administration Servers. To
implement this scenario, add several Trusted Administration Servers to the Web Console.

Two methods can help to achieve this:

— Either click Change | Update in Programs and Features (this is the recommended way)

— Or manually edit the config.json configuration file in the Web Console installation folder (a less
recommended method)

If the Web Console has several Trusted Administration Servers, the login page will display an additional field,
‘Server name’.

The administrator will need to select which Administration Server to connect to.

Requirements for browsers

You can work with the Web Console via the following browsers:

— Google Chrome version 62 or higher

— Mozilla Firefox version 60 or higher

— Safari version 12

Note that Internet Explorer is not supported.



2.4 Quick Start Wizard

Tutorial

When you connect to the Web Console for the first time, the Tutorial opens. It is a short demo that shows where things
are in the Web Console interface.

If you have previously used the MMC console, the Web Console will be very unfamiliar to work with at first, and
we strongly recommend that you read the Tutorial to acquire basic information.

If you’ve closed Tutorial accidentally or want to re-read it, there is the Show Tutorial link at the bottom of the main
window.

At the first connection, after you pass or close the Tutorial, the Quick Start Wizard will open.

The Quick Start Wizard prepares the Server:

— Downloads the necessary plugins
— Creates policies and tasks
— Downloads updates to the Administration Server repository

The wizard prompts the administrator to:

— Configure the proxy server for Internet access
— Add a license
— Enable Kaspersky Security Network
— Configure email notification and reporting

Configuring proxy server for Internet access

The next step prompts you to configure proxy server connection parameters for Internet access. The Administration
Server connects to the Internet to download updates and communicate with KSN servers of Kaspersky Lab. Both
features use common proxy server parameters.

The settings are rather typical: Address, port, optional user name and password for authorization, and an option to
bypass proxy server for local addresses.

Downloading information about plugins

The wizard connects to Kaspersky Lab servers and checks information about plugins available for the Web Console.

License installation

The next step is product activation. Most Kaspersky Lab products require activation and some, particularly
Kaspersky Security Center and Kaspersky Endpoint Security, can be activated to different levels of functionality.
That is, depending on the license, some functions may be unavailable.

Activation keys and codes

To activate a product, you need a key or a code. Both can represent the customer’s license with all relevant
restrictions.

A key is a file and the product can verify its validity and restrictions locally. A code is just a string and the product
needs to connect to Kaspersky Lab Activation service online to verify its validity and restrictions.

Old versions of Kaspersky Lab products can be activated only with a key. All recent versions can be activated with
either a key or a code.

Codes are more useful, because a single code can activate all products that you have purchased. With key activation,
a license often includes several different key files. A key designed for Kaspersky Security Center cannot activate
Kaspersky Endpoint Security, and vice versa. Meanwhile, a single code can activate both.

Keys are indispensable when you need to activate a product on a computer without access to the Internet. If you
have only a code rather than keys, add it to the license storage on the Administration Server (Operations |
Licensing | Kaspersky Lab Licenses in the Web Console). The Server will automatically download the
corresponding keys, which you will be able to export into files.

If computers have no Internet access but are connected to the Administration Server, which does have access, the
products on the computers can be activated with a code. The products will verify the code via the Administration
Server service, Kaspersky Activation Proxy.

Activation with a code

In the Quick Start Wizard, you can submit either a key or a code. If you have a code, it is simple: choose
the relevant option, enter the code, and wait for the verification. The Administration Server must be able to
connect to the Internet at this stage.

For more details about how to activate Kaspersky Endpoint Security on the client computers, refer to Chapter 3 of
this Unit.

Activation with a key

If you have a key, then most probably you have more than one of them, and you need to decide which one to give to
the wizard.

It is common practice to specify the key that activates Kaspersky Endpoint Security. You can find out which one it
is by looking into the CompatibilityList.txt file that usually comes along with a key or a code. Other keys can be
added later either in the properties of the Administration Server or on the Operations | Licensing | Kaspersky Lab
Licenses tab in the Web Console.

You can choose to have a code (or key) installed on the client computers automatically. To do this, open its properties
and select Deploy key automatically. If the Administration Server detects a managed computer where Kaspersky
Endpoint Security is not activated, it will automatically send the key selected for automatic installation there.

Installing plugins

The list of plugins

By default, the Web Console is installed with two plugins:

— For the Administration Server

— For the Network Agent

The plugin for Kaspersky Endpoint Security 11.1 must be added manually. If you click Add, the list of plugins available
for the Web Console will open; this list is downloaded from Kaspersky Lab servers.

Also, the Quick Start Wizard can check whether new versions are available for the existing plugins. In the list of
new plugins, the wizard shows the program version managed via the plugin, the version of the installed plugin, and
the version of the latest available plugin.

The Web Console, unlike the MMC console, permits uninstalling a plugin by clicking a single button.

If you use both the MMC console and the Web Console, make sure that the versions of the plugins for Kaspersky Endpoint
Security 11.1 match; otherwise, an earlier plugin may not be able to work with a policy created
using a later plugin. The same is true for tasks.

Adding plugins from a file

Sometimes, a plugin is designed for testing or to solve some specific issue of a particular company; in this case, it is
sent in an archive to the user instead of being published on Kaspersky Lab servers. To install such a plugin, use
the Add from file command and specify the path to the archive and the file with the checksum.

Kaspersky Security Network

The wizard prompts the administrator to accept the Kaspersky Security Network (KSN) statement. KSN is the name
of the cloud-assisted protection technologies of Kaspersky Lab.

KSN provides extra protection for the computers by receiving the latest information about new threats before this
information is added into the traditional anti-malware signatures. In return, Kaspersky Lab will receive anonymous
information about the files and URL addresses processed on the client computers. The KSN service is described in
more detail in the Introduction and in Unit II “Protection Management”.

If the administrator selects to participate in KSN, the options that enable the use of KSN and KSN proxy are
activated in the policy. If the administrator selects not to participate in KSN, the use of KSN will be disabled in
the Kaspersky Endpoint Security 11.1 policy; the use of KSN proxy will be enabled nevertheless.

The use of KSN proxy in the policy is related to the KSN proxy functionality of the Administration Server.
The KSN proxy function is implemented as a service named Kaspersky Security Network proxy server in
the Administration Server. It is enabled by default.

Creating tasks and policies

At this stage, the Quick Start wizard creates the policies and tasks necessary for endpoint protection. The following
policies and tasks are always created:

Administration Server tasks

Task | Scope | Schedule | Parameters
Download updates to the repository | Administration Server | Hourly | Source: Kaspersky Lab update servers
Database maintenance | Administration Server | Saturday at 1:00 a.m. | Optimizes the database without shrinking it
Backup of Administration Server data | Administration Server | Every other day at 2:00 a.m. | Stores the 3 latest copies, the password is not specified

Policies

Policy | Scope
Kaspersky Endpoint Security 11.1 for Windows | The “Managed devices” group
Kaspersky Security Center 11 Network Agent | The “Managed devices” group

Tasks

Task | Scope | Schedule | Parameters
Update | Managed devices | When new updates are downloaded to the repository | Source: Administration Server. Installs only approved module updates

Note that the group Quick Virus Scan task is not created by default anymore. Instead, Background Scanning is
enabled, which scans system areas while a computer is locked. This option is available in the policy, in Application
Settings | Local Tasks.

If you want to manage on-demand scanning to the full extent, you will have to create a group scan task with the
necessary settings manually.

Network polling

The next step is to poll the network using Windows tools. This type of scanning works via network neighborhood in
Windows Explorer, which is disabled in the operating system by default.

Configuring email notification

The next step is to set up email notification and delivery of reports. To have notifications about important events
sent to the administrator’s mailbox, specify the email address and SMTP server parameters (address, port and, if
necessary, authorization data). These parameters will be used when sending notifications and reports.

By default, event notifications are not sent. To receive the information about events by email, turn on notifications
in the event properties. The parameters of Kaspersky Security Center events are configured in the Administration
Server properties; and parameters of Kaspersky Endpoint Security events, in the Kaspersky Endpoint Security
policy.

The wizard does not check the correctness of the specified settings, but allows the administrator to do it with the
Send test message button. A test message will be sent to the specified recipient. If the wizard fails to connect to the
SMTP server or fails to authenticate, the corresponding error will be displayed. Then it is up to the administrator to
check the inbox and make sure that the message is actually there.

What to do next

The last page of the Quick Start wizard displays the check box that allows you to start the remote installation wizard
for deploying Kaspersky Endpoint Security on the network computers. This check box is selected by default, but it
is preferable to adopt a deployment plan and stick to it rather than rush into action:

1. Let the Server discover network computers

2. Check the settings of installation packages to install exactly what is necessary

3. Try various installation methods in a test environment

If necessary, the administrator can start the Quick Start wizard again. In this case, the wizard will create only
the tasks and policies that are missing.

Automatic license distribution

If you’ve added an activation code to the Quick Start Wizard, we recommend that you enable automatic distribution
as soon as the wizard completes, while you still remember about it.

Chapter 3. How to install Kaspersky Endpoint Security on computers

3.1 Requirements for client computers

Kaspersky Endpoint Security 11 requirements for the operating system

Kaspersky Endpoint Security can be installed on the following Microsoft Windows operating systems:

Client

— Windows 10 Pro x86 / x64 (all editions) [3]
— Windows 10 Education x86 / x64 (all editions) [3]
— Windows 10 Enterprise x86 / x64 (all editions) [3]
— Windows 8.1 Enterprise x86 / x64
— Windows 8 Pro x86 / x64
— Windows 8 Enterprise x86 / x64
— Windows 7 Professional SP1 x86 / x64
— Windows 7 Enterprise SP1 x86 / x64
— Windows 7 Ultimate SP1 x86 / x64

[3] The limitations concerning the latest versions of Windows 10 are described in the Kaspersky knowledgebase at
https://support.kaspersky.com/13036

Server

— Microsoft Windows Server 2019
— Microsoft Windows Server 2016
— Microsoft Windows Server 2012 R2 Foundation / Essential / Standard
— Microsoft Windows Server 2012 Foundation / Essential / Standard x64
— Microsoft Small Business Server 2011 Essential / Standard x64
— Microsoft Windows Server 2008 R2 SP1 Standard / Enterprise x64 SP1
— Microsoft Windows Server 2008 SP2 Standard / Enterprise x86 / x64

An important thing to remember is that Datacenter editions of Windows Server are not supported. Kaspersky
Security for Windows Server is designed for their protection.

The list of operating systems includes most Windows versions from Windows 7 / Windows Server 2008 R2 to
Windows 10 RS5 / Windows Server 2019.

The virtual platforms supported by Kaspersky Endpoint Security

Kaspersky Endpoint Security 11.1 for Windows can be installed on the following virtualization platforms:

— VMware Workstation 14
— VMware ESXi 6.5
— Microsoft Hyper-V 2016
— Citrix XenServer 7.2
— Citrix XenDesktop 7.14
— Citrix Provisioning Services 7.14

On Citrix PVS, Kaspersky Endpoint Security must be installed with the /pCITRIXCOMPATIBILITY=1 command
line switch. In Kaspersky Endpoint Security 11.1 for Windows, this parameter can also be enabled in the installation
package properties rather than only via the command line.

To install Kaspersky Endpoint Security, administrative permissions are necessary.



Minimum hardware requirements

General hardware requirements for Kaspersky Endpoint Security 11.1 are as follows:

— A 1 GHz processor (that supports SSE2 instructions)
— 1 GB of RAM [4]
— 2 GB of free drive space

Requirements for the Network Agent

The Kaspersky Security Center Network Agent can be installed on all systems supported by Kaspersky Endpoint
Security 11.1 for Windows.

Hardware requirements for Network Agent installation are as follows:

— Processor:
    — 1 GHz or higher for 32-bit systems
    — 1.4 GHz or higher for 64-bit systems
— Memory: 512 MB
— Hard drive space: 1 GB

RAM requirements are actually recommendations. The Network Agent can be installed on a computer with less
memory.

[4] The minimum RAM with which the application can be installed is 768 MB.

3.2 How to change KES components

Installation packages

In Kaspersky Security Center, installation packages are ready to be installed. A package includes installation files
along with the installation parameters and some product setup parameters. Installation package parameters in a sense
replace the local installation wizard and local setup wizard. Every product has its own settings. As you know,
installation packages are used in the remote installation wizards and tasks, and for creating standalone installation
packages.

Kaspersky Security Center includes all packages necessary for deploying the protection system:

— Network Agent
— Kaspersky Endpoint Security for Windows
— iOS MDM Server
— Microsoft Exchange Mobile Devices Server

The list of available packages is displayed on the Operations | Repositories | Installation Packages page.
The following information is available for each package: Name, language, and version of the product, as well as
the unique name of the package. In the package properties, you can also find its size, which is the total size of all its
files.

Packages can be created, modified and removed. If a package is used in an installation task, it cannot be removed
until the associated task is deleted. First, delete all tasks that use the package, and then delete the package.

You can create various installation packages in Kaspersky Security Center. You can use them to install operating
systems, third-party programs, updates and critical fixes for third-party applications, and also to run various scripts
and utilities on the computers. This is described in more detail in the KL 009 “Systems Management” course. Within
the framework of this chapter, we describe only the installation packages created for Kaspersky Lab programs.

Settings of a Kaspersky Endpoint Security package

General properties

Each package has general properties and settings that depend on the program for which the package was created. To
be able to review the package settings, the application plugin must be installed in the console. You can download the
plugin right from the Web Console interface: At the top of the page, click Console settings | Plug-ins.

The General section of the package properties shows the program version and file size, and also the path to
the package file in the shared folder of the Administration Server. If necessary, an IT employee can download
the installation files over the network and install the application locally.

How to update databases in a package

The general properties of a Kaspersky Endpoint Security package contain the Update databases button. It
updates the signature database within the package.

For Kaspersky Endpoint Security to be able to work right after the installation, its installation package includes
antivirus databases. They become obsolete over time. This is not actually a problem, because right after Kaspersky
Endpoint Security is installed, the update task starts and downloads the new databases.

Sometimes, it is necessary that the product is installed with up-to-date databases. For example, an IT employee may
take a standalone package to a small branch office with poor Internet access. In this case, the size of the package that
the engineer carries on the removable drive is not that important. Decreasing the traffic of the update task is more
important, since it may constitute tens of megabytes if the package contains outdated databases.

In this case, databases can be updated in the package prior to the installation. The date of the last update,
unfortunately, is not visible in the Web Console, but it is shown in the MMC console, in the general package
properties, in the Databases updated field.

The Update databases button copies a complete set of databases from the Server storage to the Kaspersky Endpoint
Security package. Initially, the databases are supplied within the bases.cab archive in the installation package. After
an update using the Update databases button, the archive is replaced with a folder named bases. The folder’s
volume is comparable to the size of the archive, since the database files are encrypted and cannot be compressed.

Kaspersky Security Center updates databases in the packages automatically when updates are downloaded to
the repository. However, this is performed only once for each package. If databases have ever been updated
automatically in a package, they will not be updated automatically any more.

In fact, the Kaspersky Endpoint Security package that is added to the storage during the server installation is
updated automatically shortly after the installation, and any other newly created Kaspersky Endpoint Security
package will be updated soon after it is created.
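
Because the Web Console does not show when a package's databases were last updated, the state can also be read from the package files: bases.cab means the databases are as shipped, a bases folder means they were refreshed. The PowerShell script below is an added example, not Kaspersky code. It assumes the package folder is the path shown in the General section, treats file modification time as an approximation of database age, and uses a hypothetical 7-day threshold; the folder and file names in the demo are constructed.

```powershell
# Added example: report which database set a KES installation package carries.
function Get-KesPackageDatabaseState {
    [CmdletBinding()]
    param(
        # Package folder in the Administration Server shared folder
        # (the real path is displayed in the package's General section).
        [Parameter(Mandatory)] [string] $PackagePath,
        # Assumption: anything older than this should be refreshed before the
        # package is carried to a site with a slow Internet link.
        [int] $MaxAgeDays = 7,
        [datetime] $Now = (Get-Date)
    )

    if (-not (Test-Path -LiteralPath $PackagePath -PathType Container)) {
        throw "Package folder not found: $PackagePath"
    }

    # The location inside the package is not assumed, so search recursively.
    $dir = Get-ChildItem -LiteralPath $PackagePath -Recurse -Directory -Filter 'bases' |
        Select-Object -First 1
    $cab = Get-ChildItem -LiteralPath $PackagePath -Recurse -File -Filter 'bases.cab' |
        Select-Object -First 1

    if ($dir) {
        # Update databases replaces the archive with a folder named bases.
        $files  = @(Get-ChildItem -LiteralPath $dir.FullName -Recurse -File)
        $source = 'bases folder (updated in package)'
    } elseif ($cab) {
        $files  = @($cab)
        $source = 'bases.cab (as shipped)'
    } else {
        $files  = @()
        $source = 'no databases found'
    }

    $newest = $files | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $age    = if ($newest) { [int][math]::Floor(($Now - $newest.LastWriteTime).TotalDays) } else { $null }
    $sizeMB = if ($files.Count) { [math]::Round(($files | Measure-Object Length -Sum).Sum / 1MB, 1) } else { 0 }

    [pscustomobject]@{
        Package     = Split-Path -Leaf $PackagePath
        Source      = $source
        LastWritten = if ($newest) { $newest.LastWriteTime } else { $null }
        AgeDays     = $age
        SizeMB      = $sizeMB
        # Missing databases count as stale so they are never silently accepted.
        Stale       = ($null -eq $age) -or ($age -gt $MaxAgeDays)
    }
}

# Constructed demo: two throw-away package folders under the temp directory.
$root = Join-Path ([IO.Path]::GetTempPath()) ("kes-pkg-demo-" + [guid]::NewGuid())
$orig = New-Item -ItemType Directory -Path (Join-Path $root 'KES_original\exec') -Force
$upd  = New-Item -ItemType Directory -Path (Join-Path $root 'KES_updated\exec\bases') -Force

$cabFile = Join-Path $orig.FullName 'bases.cab'
Set-Content -LiteralPath $cabFile -Value 'constructed placeholder'
(Get-Item -LiteralPath $cabFile).LastWriteTime = (Get-Date).AddDays(-90)   # looks 90 days old
Set-Content -LiteralPath (Join-Path $upd.FullName 'base001.dat') -Value 'constructed placeholder'

Get-ChildItem -LiteralPath $root -Directory |
    ForEach-Object { Get-KesPackageDatabaseState -PackagePath $_.FullName } |
    Format-Table Package, Source, AgeDays, Stale -AutoSize

Remove-Item -LiteralPath $root -Recurse -Force
```

The authoritative date remains the Databases updated field in the MMC console; this check is useful for scripted verification before a standalone package is copied to removable media.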

How to select components in a package

Other parameters of Kaspersky Endpoint Security package duplicate the interactive installation parameters.
The main parameters are the list of components and the program files folder.

The list of components available for installation is as follows:

— Advanced Threat Protection
    — Behavior Detection
    — Exploit Prevention
    — Remediation Engine
    — Host Intrusion Prevention *
— Essential Threat Protection
    — File Threat Protection
    — Web Threat Protection *
    — Mail Threat Protection *
    — Network Threat Protection
    — Firewall
    — BadUSB Attack Prevention
    — AMSI Protection Provider
— Security Controls
    — Web Control *
    — Application Control
    — Device Control *
    — Adaptive Anomaly Control *
— Data Encryption
    — File Level Encryption *
    — Full Disk Encryption *
    — Bitlocker Management
— Endpoint Sensor
    — Endpoint Sensor

By default, mainly the components included in the Select license are installed. Remember that some of
the components only work on workstations, while a package can be installed on any supported operating system. On
server systems, only the following components can be installed:

— Behavior Detection
— Exploit Prevention
— Remediation Engine
— File Threat Protection
— Network Threat Protection
— Firewall
— BadUSB Attack Prevention
— AMSI Protection Provider
— Application Control
— Bitlocker Management
— Endpoint Sensor

Although Host Intrusion Prevention settings will also show up in Kaspersky Endpoint Security on servers,
the component will not be actually installed. Kaspersky Endpoint Security won’t control application privileges on
servers, e.g., it won’t block Untrusted applications on servers. The reason why Host Intrusion Prevention settings
are visible on servers is that a part of these settings are also used by the Firewall component. Host Intrusion
Prevention and Firewall are described in more detail in Unit II of this course.

In addition to the components, local tasks are installed. They cannot be deselected in the package properties and are
installed on all operating systems:

— Update
— Rollback
— Integrity check
— Virus scan
— Full scan
— Critical areas scan
— Custom scan
— The scan task that users can run from an object’s shortcut menu

Compatibility settings

By default, the Kaspersky Endpoint Security components are installed to:

%ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Endpoint Security for Windows

If necessary, the administrator can modify this path.

Administrators who often use the command line interface can choose to automatically add the installation
folder to the %PATH% environment variable. Then they will be able to carry out product management commands
via avp.com without specifying the complete path.

The package has two additional parameters that provide compatibility settings. One of them, Do not protect
the installation process, disables self-defense during the installation. Self-defense prevents applications (primarily
malicious) from modifying Kaspersky Endpoint Security installation files. It also blocks access to the folder where
Kaspersky Endpoint Security files are installed, and to the registry keys of Kaspersky Lab software. Sometimes,
self-defense conflicts with third-party applications, for example, with backup agents. That is why it can be disabled.

Another parameter provides compatibility with Citrix Provisioning Services. If you want to install Kaspersky
Endpoint Security on a virtual machine image in Citrix PVS environment, enable this option.

How to add a configuration file to a package

One more parameter is the Configuration file. This file defines the configuration settings that Kaspersky Endpoint
Security will use after the installation.

The configuration file substitutes the setup wizard of Kaspersky Endpoint Security. If a configuration file is not
specified, the product will use the default settings. However, as soon as the Network Agent connects to the Server,
the Kaspersky Endpoint Security policy will be enforced, which will override the protection settings. So,
the configuration file is necessary if the policy does not regulate some of the product settings, or for unmanaged
devices.

To create a configuration file, install Kaspersky Endpoint Security on a computer, but do not connect it to the
Administration Server; otherwise, the group policy will not allow you to modify the local settings.

Configure Kaspersky Endpoint Security via the local interface as necessary, and save these settings into a file. The
Save button is located in the Settings window, in the General Settings | Manage Settings section.

How to add a key to a package

Kaspersky Endpoint Security does not work without an activation. If an interactive installation takes place, the code
or key can be specified in the setup wizard. Remote installation implies several ways for activating the installed
product. One of them is to specify the key file in the installation package properties.

In the package properties, you can add only a key; a code cannot be added.

Also, a key or code can be distributed to the selected computers by a special task.

The third option is to select the check box Automatically deployed key in the properties of key or code on the
Operations | Licensing | Kaspersky Lab Licenses page of the Web Console.

As a last resort, a code or key can be added via the local interface of Kaspersky Endpoint Security.

How to disable uninstallation of incompatible applications

By default, the Kaspersky Endpoint Security installer looks for and uninstalls incompatible applications: third-party
antiviruses and firewalls.

The list of programs that Kaspersky Endpoint Security can uninstall is rather large, but it is not exhaustive. Usually,
it does not include the most recent versions of protection solutions by other manufacturers, or uncommon software.
How to uninstall applications that Kaspersky Endpoint Security failed to detect is described at the end of this chapter.

If Kaspersky Endpoint Security uninstalls an incompatible application incorrectly, disable automatic uninstallation
and remove the program manually.

Network Agent package parameters



Installation path

The General section of the Network Agent package is the same as that of Kaspersky Endpoint Security, but without
the button Update databases. The Network Agent has no databases.

The Settings section allows changing the installation folder and also setting the uninstallation password. If
the Network Agent installation folder is not specified explicitly, the standard path is used:

%ProgramFiles%\Kaspersky Lab\NetworkAgent

Password protection

Agent uninstallation can be protected with a password that can be specified in the package properties. Even users
with administrator permissions will not be able to uninstall the Agent using regular tools unless they know
the password. However, users with administrator permissions can make the Agent inoperative if they really want to.

If you have not enabled password protection in the Network Agent installation package, enable it in the Agent
policy, where it is also available.

Administration Server connection parameters

The Connection section of the Network Agent installation package properties contains the Administration Server
connection parameters. The Network Agent installation wizard prompts for these settings during the local interactive
installation.

The main connection parameters are the Administration Server address and ports. Initially, they take the values
specified during the Administration Server installation. If the client computers and Administration Server belong to
different subnets connected via a proxy server, the proxy server parameters can also be specified in the installation
package properties. These standard parameters include the proxy server address and port, and also the user name and
password for authentication. Remember that these parameters will be used by Network Agents when connecting to
the Server, not the other way round.

When it is the Server that initiates a connection to a client computer, for example, to enforce a policy, it uses a UDP
port. To prevent Windows Firewall from blocking requests on this port, the Network Agent can automatically create
the necessary exclusions. To modify this behavior, clear the Open Network Agent ports in Microsoft Windows
Firewall check box. By default, the Network Agent accepts connections on UDP port 15000. This value can be
changed both in the package properties and later in the Network Agent policy.
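
To see on a client which Windows Firewall exceptions actually admit traffic to the Network Agent UDP port, and what is listening on it, the rules can be audited locally. The PowerShell script below is an added example, not Kaspersky code. It uses the built-in NetSecurity and NetTCPIP cmdlets, takes the default port 15000 from the text above, and makes no assumption about how the Agent names its rule; the port values in the self-check are constructed.

```powershell
# Added example: audit inbound allow rules that cover the Network Agent UDP port.

# True when a firewall LocalPort value ("15000", "14000-16000", "Any", or a
# list of those) covers $Port. Keywords such as "RPC" never match.
function Test-PortCovered {
    param([string[]] $PortSpec, [Parameter(Mandatory)] [int] $Port)
    foreach ($item in $PortSpec) {
        if ($item -eq 'Any') { return $true }
        if ($item -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($item -match '^\d+$' -and [int]$item -eq $Port) {
            return $true
        }
    }
    return $false
}

# Enabled inbound allow rules whose protocol and port filter admit UDP/$Port,
# with the remote address scope and program each rule is bound to.
function Get-AgentPortFirewallRule {
    param([int] $Port = 15000)   # change if the Network Agent policy sets another port
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $rule = $_
            $pf = $rule | Get-NetFirewallPortFilter
            if ($pf.Protocol -notin 'UDP', 'Any') { return }
            if (-not (Test-PortCovered -PortSpec @($pf.LocalPort) -Port $Port)) { return }
            $af  = $rule | Get-NetFirewallAddressFilter
            $app = $rule | Get-NetFirewallApplicationFilter
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                Profile       = $rule.Profile
                Protocol      = $pf.Protocol
                LocalPort     = @($pf.LocalPort) -join ','
                RemoteAddress = @($af.RemoteAddress) -join ','
                Program       = $app.Program
                OpenToAny     = (@($af.RemoteAddress) -contains 'Any')
            }
        }
}

# Process that currently owns the UDP endpoint on $Port, if any.
function Get-AgentPortListener {
    param([int] $Port = 15000)
    Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue |
        ForEach-Object {
            $endpoint = $_
            $proc = Get-Process -Id $endpoint.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $endpoint.LocalAddress
                LocalPort    = $endpoint.LocalPort
                ProcessId    = $endpoint.OwningProcess
                ProcessName  = $proc.ProcessName
            }
        }
}

# Offline self-check of the port matcher on constructed LocalPort values.
$constructed = @(
    @{ Spec = @('15000');       Expect = $true  },
    @{ Spec = @('14000-16000'); Expect = $true  },
    @{ Spec = @('Any');         Expect = $true  },
    @{ Spec = @('500', '4500'); Expect = $false },
    @{ Spec = @('RPC');         Expect = $false }
)
foreach ($case in $constructed) {
    $got = Test-PortCovered -PortSpec $case.Spec -Port 15000
    if ($got -ne $case.Expect) { throw "Unexpected result for $($case.Spec -join ',')" }
}

# Live audit, only where the firewall cmdlets are available.
if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
    Get-AgentPortFirewallRule | Format-Table -AutoSize -Wrap
    Get-AgentPortListener     | Format-Table -AutoSize
}
```

A rule reported with OpenToAny admits packets to the port from any source address; restricting its remote address to the Administration Server narrows that exposure.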

Just like the Kaspersky Administration Console, Network Agents may establish encrypted (SSL) or non-encrypted
connections to the Server. SSL is enabled by default. Network Agents automatically download and use
the Administration Server certificate. In networks with strict security requirements, the certificate can be specified
manually to prevent substitution.

The advanced parameters of the Network Agent installation package are useful in networks with a complicated
infrastructure. These are described in the courses KL 009 “Systems Management” and KL 302 “Kaspersky Endpoint
Security and Management. Advanced Skills”.

3.3 How to create a new installation package

Why create installation packages



Installation packages included in Kaspersky Security Center are usually enough for protecting most networks.
Additional packages can be necessary in the following cases:

— A new version of Kaspersky Endpoint Security has been released. For an upgrade, just like for the initial
installation, an installation package is necessary. The administrator can either create the package manually
or download the new version of Kaspersky Security Center that includes a new package version and
reinstall Administration Server over the old one (all settings will be saved).

— You need to remotely install a Kaspersky Lab product that is not included in the distribution of Kaspersky
Security Center, for example, Kaspersky Security for Windows Server. Such a package needs to be created
manually.

— Different parameters are needed in several network parts. For example, according to the deployment plan,
some computers do not need Web Threat Protection and Mail Threat Protection components. To be able to
deploy the system simultaneously on both categories of computers, create an additional installation package
with those non-standard settings.

Package creation wizard

Selecting the package

The administrator does not need to search for installation files or download them manually. Kaspersky Security
Center monitors current versions of the Kaspersky Security Center, Kaspersky Endpoint Security, Kaspersky
Security for Windows Server, etc. and allows the administrator to create installation packages right from
the distributions available on Kaspersky Lab servers.

To create an installation package, on the Operations | Repositories | Installation Packages page, click the Add
button. This will open the list of available distributions for various versions and localizations.

To search for the necessary application among others, the best choice is to use the filter, where you can specify at
least name and language.

The administrator just selects the necessary distribution and clicks the Download distribution package button, and
the Administration Server automatically completes the job: it downloads the files and creates an installation package
from them.

Kaspersky Security Center manages numerous programs by Kaspersky Lab. The list of updates contains not only
new program versions, but also updates for them, new versions of plugins, and various localizations of the same
applications. As a result, the list is rather long.

To find what you need, use a filter. In the filter, you can select:

— Components:
    — Controls—Kaspersky Security Center components
    — Workstations—applications for workstation protection, including Kaspersky Endpoint Security for Windows
    — File Servers and Storage—programs for protecting servers and storages, for example, Kaspersky Security for Windows Server
    — Virtualization—various versions of Kaspersky Security for Virtualization
    — Mobile—applications by Kaspersky Lab for Android and iOS smartphones and tablets
    — Embedded Systems—Kaspersky Embedded Systems Security (protection for ATMs and POS systems)
— Update type:
    — Application distribution packages
    — Management plugins
    — Patches
— Updates to display:
    — Only the latest versions
    — Only updates for software versions in use
    — Only updates for software with plugins installed in the Administration Console
— Language:
    — All languages
    — Administration Console language or basic set (English, German, French)
    — Administration Console language and the language selected on the list

After you apply the filter, the window will show only the updates that meet the specified conditions. You can also
sort the contents by name, type, language and other parameters.

Select the necessary package and click Download and create installation package.

License agreement

The progress bar will stop at approximately 85% and will be waiting for you to accept the license agreement.

The Accept button appears dimmed by default; to have it highlighted, scroll the license agreement to the end.

3.4 How to create an installation package for KSWS

Which other protection applications are available for Windows Servers

Not everybody knows that Kaspersky Lab offers several applications for protecting Windows servers. Kaspersky
Endpoint Security is all right, but there is also another product named Kaspersky Security for Windows Server that
was developed taking into account special requirements for server protection.

For crucial servers, stability is often the number-one priority. Administrators sometimes prefer to risk server security
rather than stability. After all, critical servers are usually located in a well-protected internal network, which
malware and criminals are unlikely to reach. On the other hand, various attacks are aimed exactly at these servers.

It is clear that any additional software, especially cyberprotection solutions, can affect server stability and
performance. When we are talking about protection of critical servers, an antivirus must provide strong protection
on the one hand, and have minimal impact on the server on the other.

Main capabilities of Kaspersky Security for Windows Server:

— Protects the server file system
— Controls the programs started on the server
— Controls connection of devices to the server
— Protects remote desktop sessions
— Protects storages against malware and file-encrypting ransomware
— Analyzes operating system logs and monitors file operations
— Sends events to SIEM

Advantages of Kaspersky Security 10.1 for Windows Server

Why is Kaspersky Security for Windows Server the best choice for server protection, especially in a large company?

Because large companies require the following:

— Stability

We’ve mentioned already that servers must operate stably and uninterruptedly. Kaspersky Security for Windows
Server was thoroughly tested on various server configurations, which is confirmed by software manufacturers’
certificates, including Microsoft, Citrix, and VMware.

Neither installation nor uninstallation nor module updates of Kaspersky Security for Windows Server require a
restart. The same is true for upgrading the application from Kaspersky Security 10 for Windows Server to
Kaspersky Security 10.1 for Windows Server.

— Performance

Another important factor is performance. During the installation, the administrator can select which components to
install, and thus minimize the load on the server’s system resources.

Since Kaspersky Security for Windows Server is designed for server operating systems, the developers optimized it
accordingly.

Kaspersky Security for Windows Server provides flexible configuration tools for real-time and on-demand
protection.

— Various corporate scenarios are supported

Kaspersky Security for Windows Server, unlike ordinary antiviruses, provides additional capabilities for the
scenarios often encountered in large organizations, to name a few:

— Installation on Windows Server in the Core Mode
— Seamless operation on servers with the Remote Desktop Services (Terminal Services) role
— Operation on a failover cluster
— Protection for storages
— SNMP support

Specifics of Kaspersky Security 10.1 for Windows Server

Kaspersky Lab offers two solutions for protecting servers that run Microsoft Windows Server:

— Kaspersky Endpoint Security
— Kaspersky Security 10.1 for Windows Server

Both products protect against malware, and the question is when it is desirable to use Kaspersky Security for
Windows Server, and when Kaspersky Endpoint Security.

Let’s think it over. You can install Kaspersky Endpoint Security on an ordinary server, but cannot use it on a cluster,
or on a Core server, or on a terminal server. Kaspersky Endpoint Security has more components and drivers, which
increases the probability of potential conflicts. Kaspersky Endpoint Security may require a restart.

The following conclusions can be made. You can use Kaspersky Endpoint Security in small companies, where
administrators are few, and servers do not perform any complicated tasks and can be restarted periodically.

Kaspersky Security for Windows Server is a better choice for large companies, where every administrator has
specific responsibilities, where there are many servers and each runs a particular role, and where fault tolerance is
important.

Here are some of the unique capabilities of Kaspersky Security for Windows Server compared to Kaspersky
Endpoint Security:

— Kaspersky Security 10.1 for Windows Server is installed without an interface by default; to manage it, you
can use: Kaspersky Security 10.1 Console, Kaspersky Security Center, or the command line management
utility kavshell.exe. This permits you to install Kaspersky Security for Windows Server on Windows Server
Core

— Kaspersky Security 10.1 for Windows Server has a component that looks out for encryption activities in
server shared folders and NetApp storages

— Kaspersky Security for Windows Server can block remote computers that try to copy malicious files to the
server shared folders or encrypt files there

— Kaspersky Security for Windows Server can correctly recognize terminal and remote desktop sessions and
send a notification to the specific user if a threat is detected

— On a failover cluster, Kaspersky Security for Windows Server can correctly understand the active node
change, and apply the same scanning parameters to the shared cluster resources involved in the failover

— Kaspersky Security for Windows Server can protect NAS (Network Attached Storages) that often run their
own proprietary operating systems and connect to the server over specific protocols, which makes them
incompatible with ordinary antivirus tools.

Download the distribution of Kaspersky Security for Windows Server from the official support website

You can download the distribution of Kaspersky Security for Windows Server from the official technical support
website, https://support.kaspersky.com/ksws10#downloads

Documentation is also available there, as well as the plugin for managing the product via Kaspersky Security Center.

Kaspersky Security for Windows Server and the documentation are localized; language versions include English,
Russian, German, French, and Japanese.

Unpack the KSWS distribution on the administrator’s workstation

The distribution of Kaspersky Security for Windows Server is supplied in a self-extracting archive, which must be
unpacked first. If the administrator manages Kaspersky Security Center from the workstation, the
distribution should be unpacked there.

By default, the archive is unpacked to the folder C:\ks4ws\<version>\english\.

Create an installation package of Kaspersky Security for Windows Server

Now we need to create an installation package of Kaspersky Security for Windows Server in Kaspersky Security
Center. It is best to do it from the MMC console, because you cannot manage Kaspersky Security 10.1 for Windows
Server from the KSC Web Console as of now.

By default, Kaspersky Security Center has a few ready installation packages, but the package of Kaspersky Security
for Windows Server is to be created manually. To create an installation package, go to the Advanced | Remote
installation | Installation packages container and click the respective link.

Package creation wizard

Package type

The New Package Wizard of Kaspersky Security Center prompts you to select one of the three types of installation
packages. For Kaspersky Security 10.1 for Windows Server, select Create an installation package for Kaspersky
Lab application.

Package name

Type a name for the installation package. You can specify any name. To avoid confusion if you use several similar
installation packages, we recommend that you briefly describe configuration specifics in each package name.

Files for creating a package

In the package creation wizard, specify the ks4ws.kud file, which is located in the Server folder. After that, the
Wizard will generate the installation package.

License agreement

Accept the license agreement and the Privacy Policy that describes the handling of data.

Automatic plugin installation

If the wizard fails to find the plugin of Kaspersky Security 10.1 for Windows Server when loading the installation
package to the repository, it will automatically initiate its installation.

Completion

All you have to do is to wait for the package to load to the repository and finish the wizard.

Components of Kaspersky Security 10.1 for Windows Server

In the installation package properties, the administrator can select which of the Kaspersky Security for Windows
Server protection components are to be installed:

You can always edit an installation package to add components or remove those that you do not plan to install. Only two
components cannot be deselected during the installation through Kaspersky Security Center: Integration with
Kaspersky Security Center and On-Demand Scan. By default, the Script Monitoring and Firewall Management
components are not installed.

In the real world, it is hard to imagine a situation when one would carefully select the components to be installed.
We recommend that you install the whole set of components, and then regulate whether to use them through the
policy.

Additional settings of the Kaspersky Security 10.1 for Windows Server package

In the package properties, you can specify additional settings to be used during the installation:

— Scan computer for viruses before installation—this option is disabled by default, because scanning will
take additional time. If you enable it, only the server’s system memory will be scanned rather than all the
drives and boot sectors. We recommend that you use this parameter if the server has been running without
an antivirus, an antivirus by another manufacturer has been installed, or you suspect that the computer is
infected.
— Enable real-time protection after installation of application—whether to start real-time file protection.
If you select this check box, real-time protection will be applied to all server drives, which is not always
desirable. Instead, you can opt out of starting it immediately, adjust its scope and protection parameters and
start later. By default, file protection starts immediately.
— Add Microsoft recommended files to exclusions list—in the Microsoft Knowledge Base, many articles
are published with recommendations on how to configure antivirus software installed under various
versions of Windows together with various Microsoft server products (Exchange, Forefront TMG, etc.). If
this option is selected, the corresponding exclusions are automatically created in the Trusted Zone of
Kaspersky Security for Windows Server.
— Add Kaspersky Lab recommended files to exclusions list—Kaspersky Lab provides analogous
recommendations. They concern co-existence of the File Anti-Virus and the antivirus products that protect
Microsoft server applications (Exchange, Forefront TMG, etc.). For example, it is recommended to exclude
temporary folders of Kaspersky Security for Microsoft Exchange Servers from the File Anti-Virus scan
scope.

These parameters replicate the installation parameters available in the local installation wizard.

3.5 Installation methods

What to do prior to the installation

Prior to installing Kaspersky Endpoint Security on the computers, prepare the following:

| What to do | Why |
|---|---|
| Let the Administration Server discover network computers | You will not have to look for and enter names or addresses |
| Prepare an independent list of computers | The server may fail to discover all of the computers; it is best to have a reference list at hand, where you will be able to check the progress |
| Find out computer addresses | If the Administration Server has not discovered a computer, but you know its address, you will be able to start remote installation nevertheless |
| Find out usernames and passwords of the administrators | If there is a domain, the domain administrator password is sufficient. For non-domain computers, you need to know the administrator’s password regardless of whether the installation is remote or local |
| Find out whether there are third-party antiviruses on the computers, and which ones | Kaspersky Endpoint Security may fail to detect and uninstall antiviruses by other manufacturers, in which case you will have to remove them manually |
| If there are many computers, phase the installation | The more computers, the more issues you will encounter, the longer it will take you to solve them, and the longer the total downtime will be |
| Try to test various installation methods in a test environment | You will encounter at least some of the issues that can arise in the network, and you will be able to decide how to avoid or quickly solve them. Select the installation method that is the least troublesome |

Start

Available installation methods

Kaspersky Endpoint Security can be installed in various ways, each with its own specifics and advantages.

— Remote installation using Kaspersky Security Center: You do not need to go to each computer, you can run
the installation on many computers simultaneously, which saves time. Installation can be started at any time
and you will start receiving results in mere minutes. However, you need to know the administrators’
passwords on the computers, and the computers’ shared folders must be accessible over the network. Often,
firewalls or Windows security settings block access to shared folders.
— Installation via Active Directory: Again, you do not need to go to the computers and the installation can be
run on many computers simultaneously. Moreover, you do not need to ensure access to the computers’
shared folders or know the computer administrators’ passwords. The computers will download and install
the programs themselves. On the other hand, the computers must be joined to the domain and the
administrator must have enough permissions within the domain to be able to publish the package. A
computer does not begin the installation immediately; everything starts only the next time it connects to the
domain, meaning, after a restart.
— Installation using third-party tools: The administrators do not only install Kaspersky Endpoint Security, and
they may have third-party software installation and management tools. Specifics depend on the tool, but
usually the administrator can install applications remotely on many computers at a time.
— Local installation from a standalone package: None of the remote installation methods guarantees 100%
success. Computers may not be joined to the domain, their shared folders may be blocked by the firewall,
and the administrator may have no third-party computer management tools. Sometimes, it is easier to go to
the computer and install an application locally than troubleshoot a remote installation. Standalone packages
that are generated in the Kaspersky Security Center save time during a local installation: The administrator
does not need to pass through the installation wizard and configure parameters. All he or she is to do is to
simply run the installer and wait.

For remote installation, use a method that fits your network best.

On the computers where remote installation fails, install the products locally using standalone packages.

3.6 How to remotely install Network Agent and Kaspersky Endpoint Security

Information on the main page of the management console

MMC console

There are many methods of starting a remote installation in Kaspersky Security Center. All of them are based on
the same mechanism. The difference is in the location of their starting points in the Console and the number of
available settings. The most popular one, especially among novices, is using the ordinary remote installation wizard.
Its typical use is described below.

The Administration Server detects computers where protection solutions are not installed. This information is
displayed on the Monitoring tab of the Administration Server node, in the Deployment area: The indicator is
yellow and a warning is shown. To fix this, the administrator can click the Enable protection link.

Web Console

Unfortunately, the main page of the Web Console presents minimal information compared with the
MMC console: It is impossible to tell whether protection is installed everywhere and how many devices are
unassigned.

There are a few ways to start the remote installation wizard:

— Discovery & Deployment | Deployment & Assignment | Protection Deployment Wizard
— Go to Discovery & Deployment | Deployment & Assignment | Installation Packages, select the
necessary package, and click Deploy
— Go to the Devices | Tasks tab, click Add, and select the Install application remotely task type

Alternatively, you can use automatic installation available within the administration groups.

Remote installation wizard

Select the installation package

The product to be installed is selected from the list of available installation packages. The standard distribution of
Kaspersky Security Center contains the installation packages of the current versions of Network Agent and
Kaspersky Endpoint Security for Windows.

If Kaspersky Endpoint Security is selected in the deployment wizard, it will be installed together with the Network
Agent. The wizard not only installs the selected package, but also connects the computers to the Administration
Server by installing the Network Agent on them. If the computers are already connected, the Network Agent will not
be reinstalled.

Installation packages of Kaspersky Endpoint Security for Windows and Network Agent can be installed on any
supported operating system: Server or Workstation, 32-bit or 64-bit. Due to this universality, the installation
package of Kaspersky Endpoint Security 11 is relatively large, just under 200 MB. There are no supported ways to
reduce the size. The Network Agent package is much smaller: about 40 MB.

Adding a license

Kaspersky Endpoint Security, unlike the Network Agent, needs to be activated to operate properly. In
the installation wizard, you can explicitly select which code or key should be used to activate the product from
the list of codes and keys added to the Kaspersky Lab licenses storage of the Administration Server. If necessary,
you can add another code or key to the storage without quitting the wizard.

Select a key. The wizard will not just use the selected key for this installation, but also save it in the properties of the
Kaspersky Endpoint Security package. The plugin of Kaspersky Endpoint Security does not support activation codes
in the installation package properties.

To activate Kaspersky Endpoint Security with a code rather than key, do not select anything in the installation
wizard. Instead, open the activation code properties and enable the option Automatically deployed key.

Select the Agent installation package

Even if you want to install only Kaspersky Endpoint Security, you must select the Network Agent package as well;
you cannot leave it out. However, if the Network Agent is installed already, it will not be reinstalled.

Selecting the computers

After the package, select the target computers. You can select managed computers, groups of computers, or
individual computers in the wizard.

If you start the wizard right after the Administration Server has been installed, there is only one computer in the
groups, the Administration Server itself. All the other computers discovered by the Administration Server are on the
Unassigned devices page. The Administration Server may fail to detect some computers: They will be absent from
the console.

Why does the wizard suggest selecting groups if there are no computers there? Because the groups may not be
empty: for example, if prior to deploying protection you have imported the computers’ structure from Active
Directory, you already have groups filled with computers and can install Kaspersky Endpoint Security by groups.
How to import groups and computers from Active Directory is explained in Chapter 4 of this Unit.

Let’s now get back to the scenario of when you have no groups. To select computers from the Unassigned devices
list or specify addresses of undiscovered computers, switch to the option Select devices for installation.

As you will see later, the remote installation wizard creates a remote installation task based on the gathered data. If
a group is selected, the wizard will create a group task; if computers, a task for specific computers.

If you choose Select devices for installation | Devices, the wizard will show all discovered computers: Those that
have already been added to the Managed devices groups, and those that are in the Unassigned devices node so far.
In the Unassigned devices node, computers are grouped by domains and workgroups.

Select the target computers. If you select a group, domain or a top-level node, you will select all computers within
that group, domain or node.

To install Kaspersky Endpoint Security on the computers that Administration Server has not discovered, add them
manually using their IP addresses or names. To add many addresses at once, you can specify a range of addresses.

Importing a list of names or IP addresses from a text file is available only in the MMC console. The wizard will add
all the addresses you’ve entered, and select them automatically.

Installation method

At the following step, the wizard prompts how to perform remote installation. There are two methods:

— Using Network Agent: Network Agent must already be installed on the computer and must be connected to
the current Server. The Server sends a command to the Agent, the Agent downloads packages to a
temporary folder and performs the installation under the Local System account. The administrator’s name
and password do not need to be specified, access to the computer’s shared folders is not required.
— Using operating system tools: Network access to the computer’s shared folders is required. The
Administration Server copies package files to the system shared folder \\<computer name>\admin$. Then
the server uses Remote Procedure Call (RPC) protocol to remotely start a service process that will perform
the installation and inform the server of the results. To copy files and start the installation, you need to
specify the username and password of the computer administrator.

The wizard always tries to install products using the Network Agent. If the Network Agent is not yet installed on
the computer, installation using Windows tools is tried.

If both Kaspersky Endpoint Security and Network Agent are to be installed on the computer, the wizard first installs
the Network Agent using Windows tools, and then installs Kaspersky Endpoint Security 11 using the Network
Agent.
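
Installation using operating system tools depends on reaching \\<computer name>\admin$ with an administrator account, so it helps to test that before starting the task. The PowerShell script below is an added example, not part of Kaspersky Security Center; the function names and the host names in the sample list are constructed for illustration.

```powershell
# Added example (not Kaspersky code). Checks the prerequisites of installation
# "using operating system tools": SMB reachability (TCP 445) and access to
# \\<computer name>\admin$ with the account the wizard will be given.

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($ComputerName, $Port)
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false      # refused, unreachable or name not resolved
    } finally {
        $client.Close()
    }
}

function Test-AdminShare {
    param([string]$ComputerName, [pscredential]$Credential)
    $root = '\\{0}\admin$' -f $ComputerName
    if (-not $Credential) {
        # No explicit account: test with the identity running this script
        return [bool](Test-Path -LiteralPath $root -ErrorAction SilentlyContinue)
    }
    try {
        # Temporary, session-local mapping; nothing is written to the target
        $null = New-PSDrive -Name KLPreflight -PSProvider FileSystem -Root $root `
                    -Credential $Credential -ErrorAction Stop
        return $true
    } catch {
        return $false
    } finally {
        Remove-PSDrive -Name KLPreflight -ErrorAction SilentlyContinue
    }
}

function Test-RemoteInstallReadiness {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [pscredential]$Credential
    )
    foreach ($name in $ComputerName) {
        $smb = Test-TcpPort -ComputerName $name -Port 445
        # Try the share only when SMB answers; otherwise the mount just times out
        $share = $false
        if ($smb) {
            $share = Test-AdminShare -ComputerName $name -Credential $Credential
        }
        $verdict = if (-not $smb) {
            'TCP 445 unreachable: firewall, host down or wrong name'
        } elseif (-not $share) {
            'admin$ refused: check the account and Windows security settings'
        } else {
            'Shared folder reachable with this account'
        }
        [pscustomobject]@{
            Computer   = $name
            Smb445     = $smb
            AdminShare = $share
            Verdict    = $verdict
        }
    }
}

# Constructed sample targets; replace with the computers selected in the wizard.
# Add -Credential (Get-Credential) to test a specific administrator account.
$targets = 'ws-001.example.test', 'srv-file01.example.test'
Test-RemoteInstallReadiness -ComputerName $targets | Format-Table -AutoSize
```

Computers that fail either check are candidates for installation via an already installed Network Agent or for a standalone package.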

Computer restart

The wizard offers to select restart parameters; however, in most cases neither the Network Agent nor Kaspersky
Endpoint Security 11 installation requires restarting the computer. The Network Agent installation almost never
requires it. During Kaspersky Endpoint Security installation, the necessity to restart arises if another protection
program has been installed on the computer.

The default choice, Prompt user for action, works well for workstations. When installing the product on servers,
we recommend that you select not to restart the computer. A user is unlikely to be present at a server, and no one
will react to the prompt.

For the user not to postpone the restart for too long, the task displays a warning every 5 minutes by default and
forces computer restart in 30 minutes. The administrator can modify these settings and the message text.

Uninstalling incompatible applications

The Kaspersky Endpoint Security 11 installer can detect and uninstall incompatible applications (various protection
solutions, including anti-viruses, firewalls, etc.), which are not recommended to be used concurrently with
Kaspersky Endpoint Security, because this may result in serious problems for users and computers.

The administrator usually knows which potentially incompatible protection solutions are installed in the network
and should uninstall them beforehand. The programs are recommended to be uninstalled either by their built-in
uninstallers or by Windows tools. The corresponding capability of the Kaspersky Endpoint Security installer should
be regarded only as a contingency measure.

Detection of incompatible applications cannot be disabled [5], since it is intended to prevent conflicts. You can modify
uninstallation settings in the remote installation wizard; this is described in detail at the end of this chapter.

Where to place computers after the installation

As a result of installing the Network Agent and protection software, computers should become manageable, that is,
use the settings of policies and tasks specified on the Administration Server. To actually achieve this, computers
must belong to Managed devices rather than Unassigned devices.

If a computer has the Network Agent installed, but is not included in an administration group, it will neither send its
events to the Administration Server, nor will it be included in the reports, nor use the centralized settings specified
by the administrator. It is manageable only locally.

If the administrator selects computers rather than groups, the wizard will ask whether it is necessary to relocate
the computers to an administration group, and if yes, into which one.

The selection affects only unassigned computers. If both unassigned and managed computers are on the installation
list, the managed ones will remain in their original groups. This step is displayed only if Network Agent is installed
together with Kaspersky Endpoint Security.

[5] Cannot be disabled using the interface settings. There is a command-line parameter that disables detecting
incompatible applications; if necessary, it can be added to the package description file for remote installations.

Administrator account

Initially, the Network Agent is installed by Windows tools and needs an account for accessing the target computers.
The deployment wizard allows you to specify several accounts, in case different administrator passwords are used
on the target computers. The installer tries the accounts in succession. If the first account has insufficient privileges,
the next one is tried, and so on.

Before trying the specified accounts, the installer attempts to act under the Administration Server service account,
which you don’t actually see on the list. However, if the administrator used the default settings when installing the
server, the server service account cannot be used for remote installations. As a result of an installation with the
default settings, the server service starts under the KL-AK account that is created automatically and receives
the rights of a local administrator (not literally, but effectively the same). It has no rights on remote computers.

So, in most cases you have to explicitly specify accounts for accessing the target computers. In a domain
environment, a domain administrator account is the best choice for remote installations. In large companies, there is
usually a special account for remote installations, or the IT personnel accounts have the necessary rights.

Finishing the wizard

At the last step of the wizard, you can select to run the task immediately. It is often exactly what you are going to do.
To start the task, select the check box Run task after Wizard finishes.

Where to monitor the installation

Installation task

The installation wizard uses the settings specified by the administrator to create and immediately start the product
installation task on the selected computers. After that, it automatically opens the task page in the Web Console.

The task page displays the task progress on the selected computers. An installation can be ready for execution,
running, waiting for reboot, completed successfully, or return an error. The number of computers in every status is
displayed on the pie chart and in the table.

Task log

To check progress on each individual computer, use the Device history command.

The task log shows the history of each task status change on the computer. The status can be the same, while its
description may vary. For example, an installation task log usually contains several records of the Running status,
where the first one informs of starting file copying to the remote computer; the second one, of starting the installer;
and the third one, of the installation completion.

A typical installation history of a computer shows that first the Network Agent is installed, and then Kaspersky
Endpoint Security. To install the agent, its files are copied into the admin$ shared folder on the computer. After the
Agent is installed, the Administration Server waits for it to connect and start the installation of Kaspersky Endpoint
Security.

Installation results

Although a single Kaspersky Endpoint Security package fits all Windows versions, installation results differ on the
servers and workstations.

— On workstations, all components selected in the installation package properties are installed.
— On servers, only the following components are installed (if selected in the package):
    — Behavior Detection
    — Exploit Prevention
    — Remediation Engine
    — File Threat Protection
    — Network Threat Protection
    — Firewall
    — BadUSB Attack Prevention
    — AMSI Protection Provider
    — Application Control
    — BitLocker Management
    — Endpoint Sensor

3.7 How to simplify local installation

Why install locally

If remote installation fails, it often makes sense to simply go to the computer and install the applications locally
instead of troubleshooting, especially if such computers are comparatively few.

If you use an ordinary installer, you have to complete the installation wizard. Although it doesn’t take long, it is
boring, and you may easily mistype the Administration Server address. It is best to prepare a standalone package
with all the settings, and install from it.

Standalone installation packages

A standalone package in Kaspersky Security Center is a single setup.exe file that includes the installation files and
installation parameters of the product (for example, Kaspersky Endpoint Security). A standalone package can
include Network Agent installation files and the Administration Server connection parameters.

This package is designed for local installation by the IT employees, administrators or users who have sufficient
rights. It saves time and reduces the number of errors.

An extremely simple installation procedure is an advantage of standalone packages. No parameters need to be
specified during the installation, as they are already included in the package. This helps to save time and prevent
errors, for example, when specifying the Server connection address.

Also, since the standalone package is a single file, it is easier to handle than the standard distribution. This
eliminates the risk of missing some files, and reduces the overall installation time.

How to create a standalone package

As of now, standalone packages can be created in the MMC console only. Standalone or ‘1–click’ packages are
created from regular installation packages available in the Advanced | Remote installation | Installation packages
node of the Administration Server. A special wizard is used that prompts for the installation parameters.

When the Kaspersky Endpoint Security standalone installation package is created, the wizard will prompt to include
the Network Agent, so that the target computer could immediately connect to the Administration Server.

Just like with a remote installation, computers can be moved into the managed category right after the installation.
Leaving protected computers in the unassigned category does not make any sense.

This step appears in the wizard if the Network Agent is installed together with the main package.

If you need to modify the default settings of Kaspersky Endpoint Security or select specific components to be
installed, do it within the properties of the regular installation package before starting the standalone package wizard.
The parameters of the installation packages are described earlier in this chapter.

After all the parameters are specified, the wizard generates the setup.exe installation file and places it in the PkgInst
subdirectory of the shared folder on the Administration Server. The folder that contains the setup.exe file is named
after the package. You can find the package later at the following network path:
\\<Administration Server name>\KLSHARE\PkgInst\<standalone package name>\setup.exe.

The Administration Server signs standalone packages with its certificate by default. This certificate is self-signed,
and Windows will display a warning when the package is run. The administrator can select to sign packages with
another certificate. Specify the necessary certificate in the properties of the Installation packages node, in the
Signing stand-alone packages section.
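
Because a standalone package may travel by flash drive, e-mail link or web download, the person running it can check the signature against the certificate the administrator expects. The PowerShell function below is an added example, not part of Kaspersky Security Center; the function name, the sample path and the all-zero thumbprint are constructed placeholders, and the real thumbprint has to be obtained from the administrator through a separate channel.

```powershell
# Added example (not Kaspersky code). Verifies the Authenticode signature of a
# standalone setup.exe and pins it to an expected signing-certificate thumbprint.

function Test-StandalonePackageSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    # Normalise the pinned value: strip spaces/colons, upper-case
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($expected.Length -ne 40) {
        throw 'ExpectedThumbprint must be a 40-digit hexadecimal certificate thumbprint.'
    }

    $report = [ordered]@{
        Path       = $Path
        Status     = $null
        Signer     = $null
        Thumbprint = $null
        Verdict    = $null
    }

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $report.Verdict = 'Reject: file not found'
        return [pscustomobject]$report
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $report.Status = $sig.Status
    if ($sig.SignerCertificate) {
        $report.Signer     = $sig.SignerCertificate.Subject
        $report.Thumbprint = $sig.SignerCertificate.Thumbprint
    }

    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
        $report.Verdict = 'Reject: package is not signed'
    } elseif ($sig.Status -eq 'HashMismatch') {
        $report.Verdict = 'Reject: file was changed after signing'
    } elseif ($sig.SignerCertificate.Thumbprint -ne $expected) {
        $report.Verdict = 'Reject: signed by an unexpected certificate'
    } elseif ($sig.Status -eq 'Valid') {
        $report.Verdict = 'Accept: expected signer, certificate chain trusted'
    } else {
        # Where a package signed with the self-signed Administration Server
        # certificate ends up unless this computer has been made to trust it
        $report.Verdict = 'Review: expected signer, but Windows does not trust the chain'
    }
    return [pscustomobject]$report
}

# Constructed sample values (placeholders, not real): server name, package
# name and thumbprint must be replaced with your own.
$package = '\\ksc.example.test\KLSHARE\PkgInst\KES_standalone\setup.exe'
$pinned  = '0000000000000000000000000000000000000000'
Test-StandalonePackageSignature -Path $package -ExpectedThumbprint $pinned | Format-List
```

Signing packages with a certificate that the target computers already trust moves the expected result from Review to Accept.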

What to do with standalone packages

The wizard suggests that the administrator takes one of the following actions:

— Open folder—for example, to copy it to a flash drive
— Sample HTML code for link publication on a website—a text window opens, which contains HTML
code of the link to the package that can be added to a web page
— Email link to standalone installation package—the Administration Server starts the default email client
and automatically fills in the message subject and body providing a link to the package located in
the shared folder; the only thing the administrator has to do is to specify the recipients’ addresses

Later, you can click the View the list of standalone packages button in the Installation packages node to open the
list of created standalone packages. You can delete unnecessary packages or send another email message to users.

The HTML link offered by the package wizard contains the path to the shared folder on the Administration Server.
If non-domain users whose accounts have not been added to the Administration Server try to click it, they will not
be able to access the resource.

Replace the link to the network folder with the HTTP link to the package, which can be copied from its properties.
The Administration Server has a built-in web server from which any user can download the package. Each
standalone package gets a unique HTTP link based on the package id. The administrator can find the link in
the package properties in the list of all standalone packages.

If the standalone package creation wizard is started for a package again, the administrator can either re-create
the standalone package or create another one.

3.8 How to install the Network Agent via Active Directory

How to install applications via Active Directory

You can also install programs using Active Directory group policies without Kaspersky Security Center.
The principle is as follows. The installation package in Microsoft Installer (.msi) file format is placed into a shared
folder for which the domain computers have Read permissions. In Active Directory, the package is assigned to
a group policy that is applied to the domain computers. When a client computer starts and logs into the domain,
the policy is applied and the installation package is installed automatically, even before the user logs on to
the system.
This installation method can be comparatively easy when implemented manually. Kaspersky Security Center makes
it even more convenient.

How to publish the Network Agent package in Active Directory using a task

To publish the Network Agent package to a domain group policy, in the task (or in the installation wizard), select
Assign Network Agent installation in the Active Directory group policies.

This method is applicable to the Network Agent only, because after the Agent is installed, other programs are
supposed to be installed using the Agent.

Installations using AD group policies are performed during a restart

For the task to complete successfully, remember to run it under a domain administrator account. For this purpose,
add the domain administrator account to the Account section of the task settings.

What the task changes in Active Directory

The group of target computers

If the above-mentioned option is selected, the Administration Server creates a new group named
Kaspersky_AK{GUID} in Active Directory and includes in it the accounts of the computers to which the task
applies.

Group policy object

Also, the Administration Server creates a new group policy object at the domain level that is named
Kaspersky_AK{the same GUID} in Active Directory and assigns within it the installation of the Network Agent
MSI package located in the shared folder on the server.

The permission to apply the policy is granted only to the created group which contains the accounts of the target
computers. So, the domain level policy will be applied to the selected domain computers rather than to all domain
computers.

Group policy object parameters

After this, the installation is performed as per usual. The policy eventually applies to the computers. At the next
restart, computers download the Network Agent MSI package from the shared folder on the Administration Server
and install it. The installation parameters, which include server address and ports, are taken from the answer file
located in the same folder as the MSI package. Thus computers automatically connect to the Administration Server.

If the task is configured to install not only the Agent, but also another program, for example, Kaspersky Endpoint
Security, the installation will resume after the Agent connects to the Server.

The security group and group policy object created by the task persist in the Active Directory until the task is
removed from the Kaspersky Security Center or the Assign Network Agent installation in the Active Directory
group policies option is cleared in the task properties.
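
Since the task leaves a security group and a domain-level group policy object in Active Directory, it is worth reviewing which computers the software installation policy really applies to. The PowerShell function below is an added example, not part of Kaspersky Security Center; it assumes the RSAT ActiveDirectory and GroupPolicy modules are available, and the function name is made up for illustration.

```powershell
# Added example (not Kaspersky code). Lists the Kaspersky_AK{GUID} groups and
# group policy objects and checks that each policy is applied only by the
# group with the same name.
Import-Module ActiveDirectory, GroupPolicy -ErrorAction Stop

function Get-KasperskyAkAssignment {
    $groups = @(Get-ADGroup -Filter 'Name -like "Kaspersky_AK*"')
    $gpos   = @(Get-GPO -All | Where-Object { $_.DisplayName -like 'Kaspersky_AK*' })

    foreach ($gpo in $gpos) {
        $group = $groups | Where-Object { $_.Name -eq $gpo.DisplayName } |
                 Select-Object -First 1

        # Trustees that are allowed to apply the policy (security filtering)
        $appliers = @(Get-GPPermission -Guid $gpo.Id -All |
                      Where-Object { $_.Permission -eq 'GpoApply' })
        $unexpected = @($appliers | Where-Object {
                          -not $group -or $_.Trustee.Sid.Value -ne $group.SID.Value
                      } | ForEach-Object { $_.Trustee.Name })

        $members = @()
        if ($group) { $members = @(Get-ADGroupMember -Identity $group) }
        $nonComputers = @($members | Where-Object { $_.objectClass -ne 'computer' } |
                          ForEach-Object { $_.Name })

        $findings = @()
        if (-not $group)               { $findings += 'no security group with the same name' }
        if ($appliers.Count -eq 0)     { $findings += 'no trustee may apply the policy' }
        if ($unexpected.Count -gt 0)   { $findings += 'also applied by: ' + ($unexpected -join ', ') }
        if ($nonComputers.Count -gt 0) { $findings += 'non-computer members: ' + ($nonComputers -join ', ') }

        [pscustomobject]@{
            Object    = 'GPO'
            Name      = $gpo.DisplayName
            Modified  = $gpo.ModificationTime
            Computers = @($members | Where-Object { $_.objectClass -eq 'computer' }).Count
            Findings  = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'none' }
        }
    }

    # Groups left without a policy of the same name
    $gpoNames = @($gpos | ForEach-Object { $_.DisplayName })
    foreach ($g in $groups | Where-Object { $gpoNames -notcontains $_.Name }) {
        [pscustomobject]@{
            Object    = 'Group'
            Name      = $g.Name
            Modified  = $null
            Computers = @(Get-ADGroupMember -Identity $g).Count
            Findings  = 'no group policy object with the same name'
        }
    }
}

Get-KasperskyAkAssignment | Format-Table -AutoSize -Wrap
```

An empty result means no deployment task currently has the Active Directory option enabled, or its objects have already been removed.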

3.9 How to uninstall incompatible applications

Which programs are incompatible and why uninstall them

Kaspersky Endpoint Security is not compatible with other protection solutions. Before the installation,
the conflicting programs must be uninstalled. If you do not do this, the computer may operate slowly and unstably.
In the worst-case scenario, though rare, the computer may hang, restart spontaneously, and display a blue screen.

Protection solutions co-exist poorly because of the drivers that they install to intercept file operations, network
connections, and system calls. The Network Agent does not install any drivers, and therefore does not conflict with
third-party protection tools.

How to uninstall incompatible applications

To uninstall protection solutions by other manufacturers, it is best to use regular tools:

— The applications that have their own centralized management system should be removed via this system
— If possible, uninstall third-party protection using Windows tools

If the incompatible applications cannot be uninstalled using regular tools, the administrator may use the Kaspersky
Security Center functionality for this purpose:

— The Uninstall incompatible applications automatically option in the installation package of Kaspersky
Endpoint Security, or
— The Administration Server’s task Uninstall application remotely

The former option is always enabled in the installation package and reliably uninstalls many widespread versions of
third-party antiviruses and firewalls. However, if you have an uncommon antivirus or a recently released version,
Kaspersky Endpoint Security installer may fail to detect it.

Besides, some of the incompatible applications can be detected by the installer, but cannot be uninstalled.

What if there are incompatible applications?

Kaspersky Endpoint Security found and uninstalled incompatible applications

If the installer has detected and uninstalled incompatible applications, it will require restarting the computer to
complete the installation of Kaspersky Endpoint Security. It is the only difference compared to a typical installation.
If there are no incompatible applications on the computer, the installer will install everything without a restart.

The installation task has restart parameters for such cases. By default, the task will show the user a message that the
computer needs to be restarted every 5 minutes, and will force a restart after 30 minutes. The administrator can
adjust all these intervals in the remote installation task properties.

Kaspersky Endpoint Security found incompatible applications, but failed to uninstall them

If uninstallation of incompatible applications is disabled and a conflicting application is found during the Kaspersky
Endpoint Security 11 installation, the installer returns an error. The error description explains that the product cannot
be installed if incompatible applications are installed on the computer. The administrator needs to uninstall
the conflicting programs and re-start the installation.

If it is a task that installs Kaspersky Endpoint Security together with Network Agent, it will install the Network
Agent and only after that inform about the error. This is handy, because you can use the Agent to uninstall
incompatible applications by a special task.

Kaspersky Endpoint Security failed to find the installed incompatible applications

If there are incompatible applications on the computer, but the installer fails to detect them, it will complete the
installation as if they did not exist. In this case, the administrator may not know for quite a while about the conflict.

Eventually, the users will complain that a computer works slowly or malfunctions. When investigating the issue, the
administrator will discover that there are several protection applications on the computer.

How to find out if there are any incompatible applications

The administrator can learn that there are third-party protection applications on the computers from the
Administration Console. Network Agents send lists of installed programs to the server, and you can find the
aggregate list in the Web Console, on the Operations | Third-Party Applications | Applications Registry page. If
the administrator suspects that there may be protection tools by other manufacturers in the network, it makes sense
to search for them on the list by the manufacturer name. For example, Symantec, McAfee, etc.

The list of computers where the program is installed is available in its properties. After that, the administrator will
only need to uninstall it.

There is an Administration Server’s task that serves this purpose: Uninstall application remotely. However, it will
not be of any help immediately. The list of applications that the Agent can uninstall usually coincides with the list of
programs that can be removed by the Kaspersky Endpoint Security installer. This list is updated only when a new
version or service pack is released, and new versions and service packs for Kaspersky Endpoint Security and
Kaspersky Security Center are almost always released simultaneously.

How to uninstall incompatible applications that have not been found

What to do

For each program on the list, there is an INI file, which tells how to detect and uninstall it.

To uninstall an application that is not included in the list, send the program distribution to KL technical support and
request an INI file for it. Kaspersky Lab experts will need some time to study the application and develop an INI file
for it. This service is available only for comparatively large customers.

Copy the received INI file to the folder with other INI files on the Administration
Server: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Security Center\Data\Cleaner. After that, restart the
Administration Server service.

Now the Network Agent’s Uninstall application remotely task will be able to remove this program. Run the task to
uninstall all incompatible applications on all computers. Or, to save resources, make a selection of only those
computers where the incompatible application is installed, and run the uninstallation task there for only this
particular incompatible application.

How to contact technical support

To contact technical support, use the companyaccount.kaspersky.com portal. To sign up, specify your email address
and license: Activation key or code.

To request an INI file, create a new request and select the category Make a request for Tech Support.

In the request, select

— Scope—for workstations
— Product name and version—Kaspersky Endpoint Security for Windows 11.x.x.xxxx
— Request type and subtype—Installation and Incompatible Software

Then describe the situation and do not forget to attach to the request the installer of the third-party program that you
want to uninstall.

How to display computers with an incompatible application

How to create a selection

To uninstall incompatible applications, you need to create an uninstallation task and run it on the computers where
these programs are installed.

To display computers where an incompatible application is installed, create a computer selection on the Discovery
& Deployment | Device Selections page. There are also pre-configured selections that show problem computers:

— Distribution points
— Databases are outdated
— Virus Scan has not been performed in a long time
— Not connected in a long time
— Active threats are detected
— Too many viruses detected
— Protection is disabled
— No security application is installed
— Unassigned devices with Network Agent
— New networked devices found
— Data encryption errors
— Device has become unmanaged
— Devices with Critical status
— Devices with Warning status
— Devices with Warning and Critical statuses due to vulnerabilities

These selections are hard-coded: They can neither be modified, nor deleted. There is no selection of computers with
incompatible software among them.

To create a selection, click the Add button.

In a selection, you can select to search:


— Among all computers
— Only among managed
— Only among unassigned

Unassigned devices do not transfer lists of installed programs to the server. That is why you should search for
computers with incompatible applications either among managed, or among all computers.

By default, a selection does not have any conditions, and it finds all the computers within the specified scope.

Selection parameters

To find computers with an incompatible application, change the conditions.

By default, each selection has a macrocondition with numerous microconditions. All microconditions within the
macrocondition are combined with logical AND. Macroconditions are combined with logical OR.

To find computers with an incompatible application, one macrocondition is enough. Open its properties and switch
to the Third-party software details section. Select the program name in the list Incompatible security application
name. Save the condition and the selection. The computer selection results will contain only the computers where
this program has been detected.

To display computers with various incompatible applications in a single selection, add macroconditions and specify
the other incompatible applications there.
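
The selection logic described above, modelled as an added example that is not part of the course or of Kaspersky Security Center. The device records, application names and microcondition names are constructed placeholders; only the AND/OR semantics, the empty-condition default and the scope behaviour come from the text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    managed: bool                    # False = still in Unassigned devices
    os: str
    apps: frozenset = frozenset()    # unassigned devices report no applications


# Constructed inventory; product names are placeholders, not real vendors.
INVENTORY = [
    Device("WS-01", True, "Windows 10", frozenset({"ExampleAV 7", "Office"})),
    Device("WS-02", True, "Windows 10", frozenset({"Office"})),
    Device("SRV-01", True, "Windows Server 2016", frozenset({"SampleFirewall 2"})),
    Device("SRV-02", True, "Windows Server 2016", frozenset({"ExampleAV 7"})),
    # ExampleAV 7 is installed here too, but nothing reports it to the server.
    Device("NEW-01", False, "Windows 10"),
]

# Hypothetical microcondition names mapped to checks on one device.
MICROCONDITIONS = {
    "incompatible_app": lambda dev, value: value in dev.apps,
    "os": lambda dev, value: dev.os == value,
}

SCOPES = {
    "all": lambda dev: True,
    "managed": lambda dev: dev.managed,
    "unassigned": lambda dev: not dev.managed,
}


def macro_matches(dev, macro):
    """All microconditions inside one macrocondition must hold (logical AND)."""
    return all(MICROCONDITIONS[key](dev, value) for key, value in macro.items())


def run_selection(devices, scope="all", macroconditions=()):
    """Return device names in scope that satisfy any macrocondition (logical OR).

    A selection without conditions returns every device in its scope.
    """
    in_scope = [d for d in devices if SCOPES[scope](d)]
    if not macroconditions:
        return [d.name for d in in_scope]
    return [d.name for d in in_scope
            if any(macro_matches(d, m) for m in macroconditions)]


def one_macro_per_app(app_names):
    """One macrocondition per application, so that any of them is enough."""
    return [{"incompatible_app": name} for name in app_names]


if __name__ == "__main__":
    both = one_macro_per_app(["ExampleAV 7", "SampleFirewall 2"])
    print("either app:", run_selection(INVENTORY, "all", both))
    narrowed = [{"incompatible_app": "ExampleAV 7", "os": "Windows Server 2016"}]
    print("app AND os:", run_selection(INVENTORY, "all", narrowed))
    print("unassigned:", run_selection(INVENTORY, "unassigned", both))
```

The last call returns nothing even though NEW-01 has the application installed, which is the reason the text says to search among managed or all computers.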

How to uninstall incompatible applications using a task

Where to create tasks in the console

Now, create an uninstallation task for this selection. Start the task creation wizard on the Devices | Tasks page, and
when prompted for the target computers, choose the created selection. Every time the task runs it will check the
contents of the selection and update the list of target computers.

Task types

The wizard shows all the tasks you can create. Each plugin installed in the console adds tasks of the respective
application to the list. After the standard installation of the Administration Server, you will be able to create tasks
for Kaspersky Security Center and Kaspersky Endpoint Security. The remote installation and uninstallation tasks are
the tasks of Kaspersky Security Center.

To uninstall incompatible applications, select Kaspersky Security Center | Uninstall application remotely in the
task creation wizard.

By default, the wizard offers the task name that coincides with the task type: Uninstall application remotely. If you
are uninstalling a single program, specify its name in the task name. This way, in the future you will be able to
quickly understand whether this task is still necessary, or you can delete it.

Select the target computers. The available options include:

— Specifying a computer group name
— Picking computers from the Managed devices group and the Unassigned devices node
— Specifying a computer selection name

The last option is convenient for computers that can be defined by conditions relatively easily, e.g., computers
where incompatible applications have been detected.

Selecting the computers

Choose the necessary selection; when started, the task will receive an up-to-the-minute list of devices where the
respective incompatible applications are installed.

Selecting the program

After that, specify the name of the incompatible application to be uninstalled. You can select several programs or
even all the applications that are included in the list. Selecting more than one program increases the task run time
though, because such a task executes, step by step, the uninstall scripts for all the selected programs.

Account

The task creation wizard also prompts for the account. In our scenario, the account is not necessary, because the
Network Agent is already installed on the computers and will run the uninstallation task under the local system
account. The account must be specified if the task is run either on computers without a Network Agent, or on
computers where the Network Agent has no administrator permissions.

Finishing the wizard

At the last step of the wizard, you can select to run the task immediately. It is often exactly what you are going to do.
To start the task, select the check box Run task after Wizard finishes.

Chapter 4. How to organize computers into groups

4.1 How to understand that the deployment has been completed

Now you know everything to be able to install protection on all network computers:

— How to select components and installation parameters for Kaspersky Endpoint Security
— How to install Kaspersky Endpoint Security and Network Agent remotely
— How to install Kaspersky Endpoint Security and Network Agent using Active Directory
— How to create a standalone package for local installation
— How to create several different packages with different parameters
— How to install on discovered and undiscovered computers

Handy monitoring tools supplement this list:

— How to understand which programs are installed on which computers
— How to understand that installation has been completed in the network

For this purpose, you can use the installation task results, as well as reports, computer selections and event
selections.

Where to look for information about the deployment

Task results and the information available on the Managed devices group do not always provide comprehensive
information on the protection deployment in the network. Deployment by a single task on all computers, as well as
managing all computers within one group, is characteristic of small networks only.

For a complete picture, reports are the natural information source. Reports relevant to the deployment stage are:
— Incompatible applications report
— Kaspersky Lab software version report
— Protection Deployment Report

The following selections are also very useful at the deployment stage:
— New networked devices found
— Security application is not installed
— Unassigned devices with Network Agent

Global statuses

In the MMC console, information about the protection deployment is available on the Monitoring tab of the
Administration Server node. The Deployment area contains the number of managed computers where Kaspersky
Endpoint Security is not installed. If it is non-zero, a link to the selection that includes all these computers is also
displayed.

If there are any computers with the Network Agent in the Unassigned devices node, this will be reflected in
the Management scheme area with another link to the corresponding selection of computers.

In the Web Console, unfortunately, the information represented on the main page is rather limited. You cannot
quickly understand on which managed devices Kaspersky Endpoint Security is installed, and which lack it.

There are only lists of managed devices distributed by statuses. However, the Critical status may include devices
where Kaspersky Endpoint Security is not installed as well as devices where Kaspersky Endpoint Security is
installed, but is not running for some reason.

The only advantage is that you can immediately open the list of devices with non-OK statuses and study them in
more detail.

Device selections

Computers with the Network Agent must be located within the Managed devices node. If they are located in the
Unassigned devices node, they neither send events to the Administration Server nor receive tasks and policies from
the Server.

That is why the Administration Server displays such computers on the Monitoring page of the MMC console and in
the corresponding selection.

Reports

Where to look for reports

Reports are available on the Monitoring & Reporting | Reports page.

Kaspersky Lab software version report

The software version report shows the number of Kaspersky Lab programs installed on managed computers. In
particular, the number of installed Network Agents, Administration Servers and Kaspersky Endpoint Security
instances.

Various versions (builds) of the products are represented separately, which is convenient when upgrading
the products. The report shows how many computers use the current versions of the programs, and how many run
older versions.

The graphic part of the report illustrates the statistics table, which lists all versions of managed products and
the number of installations for each of them.

The Details table gives information on every computer: Which products are installed, which versions, etc.

Protection deployment report

This report shows three categories:

— Computers with the Network Agent and a security application
— Computers with Network Agent, but without a security application
— Computers without Network Agent

Computers with a protection application, but without the Network Agent are included in the last category. If the
Network Agent is not installed, the Administration Server does not know whether protection is installed on the
computer. This category also includes the computers where the Network Agent is installed, but is not connected to
the Administration Server. For example, computers where Agents use an incorrect server address.

The chart and the Summary table show the number of computers in every category. The Details table, just like in
the software version report, shows the version of the Network Agent and Kaspersky Endpoint Security on every
computer.

This report is especially useful if the administrator first moves all of the computers into the Managed devices group,
and then starts the deployment tasks. In this case, the report explicitly displays how many of the managed computers
are not connected to the server, and how many of those connected are not yet protected with Kaspersky Endpoint
Security.

If the administrator uses the remote installation wizard for the deployment and always selects the computers from
unassigned devices area, this report is less useful as it does not cover unassigned devices.

4.2 How the Administration Server discovers computers

Polling types

In the deployment wizard or when creating a deployment task, the administrator can select computers from a list.
The Administration Server makes up this list by polling the network. Polls are performed periodically in several
different ways:

— Windows network polling
— Active Directory polling
— IP subnet polling

The network is polled by the service of the Network Agent installed on the Administration Server rather than by the
Administration Server service. The Network Agents installed on ordinary network computers do not poll the
network.

Where to configure polling

Polling results are shown on the Discovery & Deployment | Discovery tab separately for each discovery method:

— IP subnets—IP subnets are represented as folders

— Domains—computers detected during Windows network polling; workgroups and domains are represented
as folders containing computers

— Active Directory—domains and organizational units are represented as folders containing computers

The discovered computers are also displayed on the Discovery & Deployment | Unassigned Devices page.

A computer can be shown in more than one detection area. If a computer is detected in the HQ domain and its
address is 192.168.0.1, it will be displayed in both the Domains node and in the IP subnets node in
the corresponding folders.

To modify the poll settings for every method, go to Discovery & Deployment | Discovery, select the necessary
method and click Properties. You can also start any type of polling manually on the respective page.

Windows network polling

What a quick poll does

The Administration Server collects the list of Windows network computers just like the operating system itself.
When a user opens the computer’s network places, the list of neighborhood computers grouped by domains and
workgroups is shown. The Administration Server can acquire the same list.

This polling method is called quick Windows network polling. It hardly places any extra load on the network.
The Computer Browser service is responsible for making up and representing the list of computers. In every
network segment there is the main computer that stores the general list and provides it when requested. To receive
the list, Administration Server only needs to send a request.

In the latest versions of Windows, the Computer Browser service is disabled by default or is not installed at all. If
the Administration Server cannot receive the list of computers from the Computer Browser service, it sends a
request to Active Directory and tries to receive a list of computers from it. Certainly, only if the Administration
Server is on an Active Directory domain.

Quick poll is performed every 15 minutes. After a quick poll, the Server receives the list of NetBIOS names of
computers, domains and workgroups.

What a full poll does

During a full poll, the Administration Server tries to receive as much information as possible about each computer
from the quick poll results.

For each name, the Server resolves the name into the IP address using NetBIOS, DNS and LLMNR protocols. For
the received addresses, the server performs a reverse resolution into the name, and if this name does not coincide
with the original one, receives the IP address for the new name.
The Server checks whether the IP addresses are accessible using ICMP requests and finally tries to connect to the
computers using SMB and RPC protocols to find out the operating system.

All these numerous requests are necessary because names and addresses of the computers may change. The
Administration Server uses direct and reverse resolution of names and IP addresses to distinguish new network
computers from the old ones that just changed the name or IP address.

As the number of requests is proportionate to the number of computers, the network activity is much higher than
with a quick poll. That is why full poll is performed hourly by default.

How the server displays polling results

In polling results, the Server shows everything it was able to find out about a computer: Its name, address, operating
system, etc.

Windows network polling parameters

For each poll type, the administrator can:

— Enable or disable polling completely
— Enable or disable polling for a part of the network (what “a part of the network” is depends on the polling
type)
— Select the polling schedule
— Select when polling data becomes obsolete

The polling schedule is defined as a start time and a timespan. A timespan can be as small as a few minutes or as
large as several days or weeks. It is possible to run missed polls. This is not necessary if polling is performed
often, but is useful if polling is performed once a week or once a month.

Computer information lifetime

Additionally, for Windows network polling the administrator can specify the life span for the information on
the discovered computers. By default, this period is 7 days. If in 7 days a computer can no longer be detected by
Windows network polling, the information about this computer is deleted from the server database.

This interval can be specified independently for every domain or workgroup. Also, you can specify a common life
span and use it for the whole Windows network.

Additionally, you can disable polling of a domain or a workgroup in its properties.



Active Directory polling

What Active Directory polling does

The Administration Server requests from Active Directory the structure of containers (units) and the list of
computers for each of them.

Additionally, the Administration Server requests the list of users and security groups. Working with AD users falls
outside the scope of this course. See courses KL 010 and KL 302 for details.

In a large network, the total volume of all lists (computers, users, groups) may be very large, and that is why Active
Directory polling is performed every 60 minutes by default.

Active Directory polling parameters

Polling parameters for Active Directory are similar to those for Windows network polling. There is an option to turn
off this polling method entirely and a schedule.

There is no explicit lifetime parameter for the polling results. Each polling replaces the previous results:

— Adds missing units and computers
— Deletes the computers and units that have been removed from Active Directory

In the Advanced polling parameters, the administrator can select the polling scope:

— The Active Directory domain to which the Administration Server belongs (the default choice)
— The domain forest to which the Administration Server belongs
— The specified list of Active Directory domains

To add a domain to the polling scope, specify the address of the domain controller, and the name and password of
the account for accessing it.

You can selectively disable polling for some organizational units in their properties.

When the administrator changes the polling scope, after the next polling, the Server will show only the new scope
contents. For example, if the administrator has disabled polling within a unit, after the next polling, the
Administration Server will delete all the information about the contents of this unit from its database. Also, if the
Server scanned several domains previously and the administrator deletes one of the domains from the list, after the
next polling, the Server will delete all data about this domain from its database.

IP range polling

What IP subnet polling does

IP range polling works similarly to full Windows network polling. However, the original list of computers is not
received as a result of quick polling; it is the list of IP addresses from the IP ranges specified by the administrator.

The server tries to resolve each address into a name, and the name into an address again; then checks whether the
address answers ICMP ECHO REQUESTs, etc.
To find out the device type, the Server also sends SNMP requests.

The polling results include only those computers that answered the ICMP request.

IP subnet polling parameters



Initially, the Administration Server gets IP ranges for polling from the network settings of the computer where it is
installed. If, for example, the computer address is 192.168.0.1 and the subnet mask is 255.255.255.0,
the Administration Server automatically adds the 192.168.0.0/24 subnet to the scan list and polls all addresses
from 192.168.0.1 to 192.168.0.254.

IP subnets polling parameters include the list of polled IP subnets, the enabling check box and the schedule. When
this polling method is enabled, the default period is 420 minutes (7 hours).

How to add a network to be polled

In order to poll subnets to which Administration Server does not belong, you need to add them to the list manually.
You can specify a subnet using either its address and mask, or the first and last IP address of the IP range. Also,
the name of the subnet should be specified.

The life span for the polling results is 24 hours by default. If an IP address is not verified by polling in 24 hours, it is
removed from the results. Such a short life span is meant to account for dynamic IP addresses (assigned over the DHCP
protocol), which can change frequently. When modifying the settings, make sure that the information life span
exceeds the polling interval.

How to modify ranges in an IP subnet

One subnet can comprise several IP ranges. Additional ranges are configured in the subnet properties. Named
subnets are not allowed to overlap, whereas ranges within a single subnet may overlap.

You can enable and disable scanning independently for every subnet.
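
A pre-change check for an IP subnet polling plan, as an added example that is not part of the course or the product. It reproduces the default subnet derivation from the text and flags the two misconfigurations named above: overlapping named subnets and an information life span that does not exceed the polling interval. The plan contents and function names are constructed, and skipping the network and broadcast addresses for masks other than /24 is an assumption generalised from the 192.168.0.1 to 192.168.0.254 example.

```python
import ipaddress
from itertools import combinations

DEFAULT_POLL_INTERVAL_MIN = 420   # from the text: 7 hours
DEFAULT_LIFETIME_HOURS = 24       # from the text


def default_subnet(address, mask):
    """Subnet derived from the server's own address and mask."""
    return ipaddress.ip_interface(f"{address}/{mask}").network


def polled_range(network):
    """First and last polled address; network/broadcast are skipped (assumption)."""
    if network.num_addresses <= 2:
        return network[0], network[-1]
    return network[1], network[-2]


def to_span(spec):
    """Normalise 'a.b.c.d/nn' or a (first, last) pair to an inclusive int span."""
    if isinstance(spec, str):
        net = ipaddress.ip_network(spec, strict=False)
        return int(net[0]), int(net[-1])
    first, last = (int(ipaddress.ip_address(a)) for a in spec)
    if first > last:
        raise ValueError(f"range {spec} ends before it starts")
    return first, last


def check_plan(subnets, interval_min=DEFAULT_POLL_INTERVAL_MIN,
               lifetime_hours=DEFAULT_LIFETIME_HOURS):
    """Return a list of findings for a {subnet name: [range specs]} plan."""
    findings = []
    spans = {name: [to_span(s) for s in specs] for name, specs in subnets.items()}
    # Ranges inside one subnet may overlap; ranges of different subnets may not.
    for (a, a_spans), (b, b_spans) in combinations(spans.items(), 2):
        if any(s1 <= e2 and s2 <= e1
               for s1, e1 in a_spans for s2, e2 in b_spans):
            findings.append(f"subnets '{a}' and '{b}' overlap")
    if lifetime_hours * 60 <= interval_min:
        findings.append(
            f"life span {lifetime_hours} h does not exceed the "
            f"{interval_min} min polling interval: results expire between polls")
    return findings


# Constructed plan: 'Branch' starts inside the HQ /24.
PLAN = {
    "HQ": ["192.168.0.0/24", ("192.168.0.100", "192.168.0.200")],
    "Branch": [("192.168.0.250", "192.168.1.20")],
    "Lab": ["10.10.0.0/16"],
}

if __name__ == "__main__":
    net = default_subnet("192.168.0.1", "255.255.255.0")
    print(net, *polled_range(net))
    for finding in check_plan(PLAN, lifetime_hours=6):
        print("WARN:", finding)
```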

Where to monitor network polling

If you want to monitor polling, you can do it only in the MMC console. When the network is being polled, the
Advanced | Network poll page displays the progress. Detailed information is available in the Administration Server
statistics (Administration Server properties: Advanced | Administration Server operation statistics). There you can
find the time of the last poll performed by each method, polling progress percentage and the name of the polled
domain for Windows network polling.

How to find out that the Server has discovered new computers

The administrator can configure notifications about new computers found in the network. The corresponding event
is available in the properties of the Administration Server, and you can enable email notification in the event
properties.

To receive information about new computers, open the Event configuration tab in the Administration Server
properties. Find the event New device has been detected in the Info section. Open the event properties and enable
the option Notify by email.

For notifications, the Server uses the parameters that you specified in the Quick Start wizard when installing the
Administration Server. If you are not sure that the correct parameters have been specified, check them in the server
properties, in the Notification section of the General tab.

4.3 How to create or import groups

Why create groups

After the initial installation, there is only one group on the Administration Server—Managed devices. With a single
group, the same protection policy and task schedule is applied to all computers, which is not always preferred.

Even in small networks, it may be necessary to use different protection settings for servers and workstations. In
large networks, where different groups of users need various types of software, the capability to create policies with
different exclusions for different users is extremely useful. The computers must be placed into different groups to be
able to apply different policies [6].

From a practical point of view it is convenient when computers in Kaspersky Security Center are organized into
the same groups as in Active Directory, or into groups corresponding to IP subnets used in the organization. This
way, the administrator can quickly understand where the computer is located to send an IT employee there.

There are also other examples of group use. Often, especially in large networks, the administrators create groups to
organize the deployment process. Computers without the Agent or a protection application are placed into the
Deploy Agent group, where the Network Agent automatic installation task is created. The computers with installed
Agent are moved into the Uninstall Incompatible Apps group, where the task for uninstalling incompatible
applications is configured. The computers without incompatible applications are moved into the Deploy KES group,
where the task of automatic installation of Kaspersky Endpoint Security is created. Finally, the completely protected
computers are moved into the permanent management structure.

[6] Starting with version 10 Service Pack 1, Kaspersky Security Center provides the capability to apply different
configuration profiles to different computers within the same group. For more details, refer to course KL 302.

How to add a group

Unlike the MMC console, where groups are created as simply as folders in Windows Explorer, Web Console can be
a bit challenging. First, groups are created within the Managed devices node. Then you can create new groups
either in the same node or inside the created groups.

To create a new group in Web Console, click Devices | Edit Groups. Then select the level where you want to create
a group and click Add.

Enter the name of the group in the displayed dialog window: It will then appear as a subfolder in the structure of
managed devices.

If a group is no longer necessary, you can delete it on the condition that there are no computers in either the group or
subgroups.

Groups can be moved within the hierarchy of managed devices. For example, if the structure of groups reflects
physical computer locations and the HR department moves from Building 1 to Building 2, the HR subgroup can be
easily relocated together with its computers from the group Building 1 to the group Building 2. For this purpose,
select the group that you want to move, click Move, and specify the group into which you want to move it.

Another method of creating a subgroup is to open the properties of the parent group. On the General tab, there is the
Add button that creates a subgroup.

Navigation within the group structure

At first sight, it is not quite clear how to navigate within the group structure in the Web Console. However, there is
an almost imperceptible navigation button: Devices | Groups, which displays the existing group structure, and when
you select a group, the list of its policies opens. The Change Structure button redirects you to the Edit Groups tab.

How to add a computer to a group

In the Web Administration Console, you can move computers using one method only, which is applicable to
managed and unassigned devices. Select one or several computers, click Move to Group, and specify the target
group.

How to import a group structure

If the network is large enough and the planned structure of managed devices requires a large number of groups,
creating a hierarchy using the methods described above can be very labor-intensive. Sometimes it is easier to import
a group structure from the network polling results or from a text file.

If administrators want to arrange the managed devices in the exact same order as their network, to combine them
into the same workgroups or domains and subdivisions, they can use the structure import functionality.

You can import the structure of your Windows network, Active Directory or a structure defined in a text file. In
the first two cases you may import either the entire structure (groups including computers) or just groups. When
importing the topology from a text file, only groups can be created.

Computer import affects unassigned hosts only. If some computers from a workgroup or an Active Directory unit
that is being imported are already present in a group of managed devices, the wizard will not relocate them.

To start the wizard, select the Managed devices group and click Import. In the wizard, specify the structure to be
imported and the destination group. You can also import only a structure from Windows network or Active
Directory, and disable importing the computers.

Windows network topology and a structure defined in a text file are always imported completely. When importing
an Active Directory structure, you can select the domain or unit to be imported. The other domains and units will be
ignored.

The wizard is designed for initial creation of the structure of managed devices. It is not intended for regular
synchronization of the Kaspersky Security Center structure with, for example, Active Directory. If you need to
synchronize, configure the computer relocation rules.

A text file for structure import must be prepared manually. Every group or subgroup must be specified on
a separate line within the text file. Subgroups are specified using their full paths. Use backslashes as path delimiters,
for example:

Office1\Subdivision1\Department1
Office1\Subdivision1\Department2
Office2
Office3\Subdivision1

If a subgroup path contains groups that do not exist yet, they are created.
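
The import file format described above, as an added example (not Kaspersky code): a Python sketch that reads such a file and lists every group the import would have to create, including parents that are only implied by a longer path. The function names and the rejection of empty path segments are assumptions of this example.

```python
"""Preview which groups a group-structure text file would create.

Added illustration, not Kaspersky code. It models only what the guide states:
one group per line, subgroups as full paths with backslash delimiters, and
missing groups along a path being created. Rejecting empty path segments is
an assumption of this example.
"""

# Constructed sample in the format shown in the guide.
SAMPLE_FILE = r"""Office1\Subdivision1\Department1
Office1\Subdivision1\Department2
Office2
Office3\Subdivision1
"""


def parse_group_file(text):
    """Return (paths, problems).

    paths    -- list of tuples, one per group that must exist after the
                import, parents before children, without duplicates
    problems -- list of (line_number, message) for lines this example rejects
    """
    paths, seen, problems = [], set(), []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines carry no group
        parts = [p.strip() for p in line.split("\\")]
        if "" in parts:
            # Leading, trailing or doubled backslash.
            problems.append((lineno, "empty path segment: %r" % line))
            continue
        # Every prefix of a path is a group that must exist.
        for depth in range(1, len(parts) + 1):
            prefix = tuple(parts[:depth])
            if prefix not in seen:
                seen.add(prefix)
                paths.append(prefix)
    return paths, problems


def groups_to_create(paths, existing):
    """Groups from the file that are missing from the existing hierarchy.

    existing -- iterable of backslash-delimited paths already present
    """
    present = {tuple(p.split("\\")) for p in existing}
    return [p for p in paths if p not in present]


def render_tree(paths):
    """Indented view of the resulting hierarchy, parents before children."""
    return "\n".join("  " * (len(p) - 1) + p[-1] for p in sorted(paths))


if __name__ == "__main__":
    paths, problems = parse_group_file(SAMPLE_FILE)
    print(render_tree(paths))
    for lineno, message in problems:
        print("line %d: %s" % (lineno, message))
```

Running the preview before the import shows typos in parent names as unexpected extra branches, which is easier to spot here than in the console after the groups exist.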

Groups created during the import procedure are completely identical to the groups created manually. You can
rename, move, delete them, etc.

4.4 How to add computers to groups automatically

Computer relocation rules

If groups in Kaspersky Security Center are to reproduce IP subnets or Active Directory units, the administrator can
easily automate the computers’ distribution into the groups. Computer relocation rules serve this purpose.

The list of relocation rules is available on the Discovery & Deployment | Deployment & Assignment | Moving
Rules page.

Rules created by tasks

In some cases, computer relocation rules are created automatically in the Kaspersky Security Center. For example,
when the administrator selects to move unassigned devices into a group in the remote installation wizard or when
creating a standalone package, the Administration Server creates a relocation rule for this operation. These rules can
be viewed on the list and can be disabled, but cannot be deleted or edited. The server deletes them automatically
when the corresponding task or standalone package is deleted.

Configuring relocation rules

A relocation rule consists of the following basic settings:

— What to move—a set of conditions a computer must meet to be relocated
— Where to move—the name of the group in the structure of managed devices where the hosts matching the
rule conditions will be relocated
— When to move—the conditions that will trigger automatic relocation

When creating a rule, specify its name. Use one that explains the rule purpose, since only the names are shown on
the rule list. Also, you will need to select the destination group—where to move the computers.

When to apply the rules

Afterwards, decide when to apply the rule to the computers. Three options are available:
— Run once for each device—as soon as the rule is created, it will be applied to all computers in the server
database, and then it will be applied only to new computers when they are discovered
— Run once for each device, then at every Network Agent reinstallation—is similar to the previous option, but
if the Network Agent is reinstalled on a computer, the rule will be reapplied to such a host
— Rule works permanently—the rule is permanent; if a computer matching its conditions is manually moved
to another group, the Administration Server will immediately return it to the location specified in the rule.
If the computer attributes are changed, a permanent rule will react accordingly, while a one-time rule will
not

The rules created by the Administration Server for installation tasks and standalone packages use the Run once for each
device, then at every Network Agent reinstallation option.

Permanent rules are more convenient in a sense, but create a persistent computational load on the Administration
Server.

Conditions in relocation rules

Move managed devices

Other rule settings specify the conditions the computer must meet for the rule to be applied. The first condition is
located in the General section and is named Move only devices that do not belong to an administration group.

With this option selected, a rule—even a permanent one—will not prevent the administrator from manually moving
computers between groups. It affects only unassigned devices. To apply such a rule to a computer within a group, just
delete the computer from the group. When deleted from the managed devices structure, the computer becomes
unassigned and the rule will apply to it.

If the Move only devices that do not belong to an administration group check box is cleared, the rule applies to
all computers in the server database and the corresponding computers are moved into the specified group no matter
what happens. This does not prevent the administrator from deleting these computers from the Administration
Server database, though.

Other conditions are located in additional sections of the rule properties.

Move computers by names and IP addresses



Many of the relocation conditions are related to the network attributes of the computers:

— NetBIOS name
— Name of the domain or workgroup
— DNS name
— DNS domain
— IP address
— Server connection IP address (if a computer is behind a NAT gateway, the connection address is
the gateway address)

To apply a rule to several computers, you can specify IP addresses as ranges, and names can be specified as masks
with “*” and “?” wildcards. If these options are insufficient, you can always create several rules with different
conditions that will move computers to the same group.

Move computers by operating systems

Conditions for devices may include operating system version, architecture and currently installed Service Pack.
Several operating systems can be specified within a rule. If the administrator wants to automatically move all servers
into the Servers group, it will be necessary to create only one rule that will take care of all servers of all versions
used in the network, for example, Windows Server 2008 R2 and Windows Server 2012 R2.

Also, there is the Network Agent is running condition. This condition can separate the computers already
connected to the Administration Server from those that need to be connected.

Other conditions

A relocation rule has a condition for virtual machines. Virtual machines running on different virtualization platforms
can be moved into different groups. Protection of virtual machines is described in courses KL 014 Kaspersky
Security for Virtualization. Agentless and KL 031 Kaspersky Security for Virtualization. Light Agent.

If these conditions are not enough, computers can be tagged and you can configure conditions using the tags. For
more details, refer to course KL 302.

How to synchronize groups with Active Directory

There are similar conditions for the computers within the Active Directory structure:
— Active Directory unit name
— Active Directory group name

Relocation rules permit configuring synchronization with Active Directory. For this purpose, enable additional
options under the condition Apply the rule to Active Directory organization unit:

— Including child organization units—if the selected unit has child units, computers within them will be
moved into the destination group

— Move computers from child organizational units to corresponding subgroups—if the selected unit has
child units, and the destination group has the corresponding subgroups, computers from the child units will
be moved into the corresponding subgroups

— Create missing subgroups—if the selected unit has child units, and the destination group has no
corresponding subgroups, the Administration Server will create these subgroups and move the computers of
the child unit there

— Delete subgroups that are not present in the Active directory—the opposite of the previous option.
When an organizational unit is deleted from the Active Directory, this option will remove the respective
group from the Kaspersky Security Center.

If all the four options are enabled, an updatable copy of Active Directory structure will be created in the destination
group. If a unit is created or deleted in Active Directory, or computers are moved from one unit to another,
Kaspersky Security Center will automatically repeat these changes in its group structure.

In addition to units, Active Directory has groups, which may contain computer accounts. To move computers into
groups according to the domain groups, select the condition The device is member of Active Directory group and
specify the group name.

Tags

A tag is an additional attribute that the administrator can assign to devices and use to configure relocation rules
more flexibly. The administrator can assign tags manually to each device individually or to several devices at once, or
configure automatic tag allocation rules. A device can have several tags assigned.

Relocation rules may be applied to devices without the specified tags or to the devices that have at least one of the
specified tags.

To assign tags, select one or several devices, open the properties window and switch to the Tags tab. There is also a
link there: Set up automatic tagging rules. Automatic tag allocation rules can also be configured on the Devices |
Tags | Auto-Tagging Rules tab.

In some cases, it makes sense to assign tags automatically when deploying the protection application. You can also
do it in the Network Agent package properties. To assign different tags to computers during the installation, create
several installation packages for the Network Agent, specify the necessary tag within each package, and use
different packages for different computers.

Regardless of how a tag was added to the system or assigned to a device, you will be able to assign it to any other
device as well afterwards.

Rule application order

The created rules are organized into a list where their order makes a difference. Permanent rules have priority over
the others. Among rules of the same type, the higher the rule is on the list, the higher its priority. In other words, if
a computer meets the conditions of several rules, only the top one is applied.

Rule order can be changed using the arrows. Also, a rule can be applied manually using the Force button at
the bottom of the window. This permits re-applying a non-permanent rule. For the permanent rules, the button does
nothing, since permanent rules are constantly forced anyway.

The Rule execution wizard prompts for the group where the rule is to be applied, and moves the computers that meet
the rule conditions from the selected group to the group specified in the rule. There is an option that permits
skipping the computers to which this rule has already been applied and forcing the rule only on new computers.
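
The rule semantics described in this section (when a rule applies, the Move only devices that do not belong to an administration group condition, and the priority of permanent rules), as an added Python model that is not Kaspersky Security Center code. The class and function names are hypothetical; case-insensitive masks and the way one-time rules are tracked per device are assumptions of this model, and Network Agent reinstallation is not modeled.

```python
"""Simplified model of relocation-rule evaluation as described in the guide.

Added illustration, not Kaspersky Security Center code. Assumptions of this
model: masks are case-insensitive, and a one-time rule is evaluated at most
once per device.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class Device:
    name: str                    # NetBIOS name
    ip: str
    group: Optional[str] = None  # None means the device is unassigned


@dataclass
class Rule:
    name: str
    target_group: str                            # where to move
    permanent: bool = False                      # "Rule works permanently"
    unassigned_only: bool = True                 # move only devices outside any group
    name_mask: Optional[str] = None              # mask with * and ? wildcards
    ip_range: Optional[Tuple[str, str]] = None   # inclusive first/last address
    enabled: bool = True
    seen: Set[str] = field(default_factory=set)  # devices a one-time rule evaluated

    def matches(self, dev: Device) -> bool:
        if self.unassigned_only and dev.group is not None:
            return False
        if self.name_mask is not None:
            # Translate the mask: * is any run of characters, ? is one character.
            pattern = "".join(
                ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                for ch in self.name_mask
            )
            if not re.fullmatch(pattern, dev.name, re.IGNORECASE):
                return False
        if self.ip_range is not None:
            first, last = (ipaddress.ip_address(a) for a in self.ip_range)
            if not first <= ipaddress.ip_address(dev.ip) <= last:
                return False
        return True


def priority_order(rules):
    """Permanent rules first; within each type the list order is kept."""
    return [r for r in rules if r.permanent] + [r for r in rules if not r.permanent]


def run_pass(rules, devices):
    """Apply the rules once to every device; return {device name: rule name}."""
    moves = {}
    for dev in devices:
        for rule in priority_order(rules):
            if not rule.enabled:
                continue
            if not rule.permanent:
                if dev.name in rule.seen:
                    continue          # one-time rule already handled this device
                rule.seen.add(dev.name)
            if rule.matches(dev):
                if dev.group != rule.target_group:
                    dev.group = rule.target_group
                    moves[dev.name] = rule.name
                break                 # only the top matching rule is applied
    return moves


def demo():
    """Constructed scenario: two workstations, one server, three rules."""
    rules = [
        Rule("Workstations by name", "Workstations", name_mask="WS-*"),
        Rule("Servers by name", "Servers", name_mask="SRV-??"),
        Rule("Building 2 subnet", "Building 2", permanent=True,
             unassigned_only=False, ip_range=("10.0.2.1", "10.0.2.254")),
    ]
    devices = [
        Device("WS-HR-01", "10.0.2.15"),
        Device("WS-IT-07", "10.0.5.20"),
        Device("SRV-01", "10.0.9.5"),
    ]
    first = run_pass(rules, devices)
    # The administrator moves two devices by hand, then the rules run again.
    devices[0].group = "Quarantine"   # matched by the permanent rule
    devices[2].group = "Lab"          # matched only by a one-time rule
    second = run_pass(rules, devices)
    return first, second, {d.name: d.group for d in devices}
```

In the scenario, WS-HR-01 lands in Building 2 although a name rule sits higher on the list, and it is pulled back there after the manual move, while SRV-01 stays in Lab because its one-time rule does not fire again.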

Unit II. Protection Management
Chapter 1. How Kaspersky Endpoint Security 11 protects computers
1.1 How criminals attack a computer
How malware gets on a computer
How malware causes harm
1.2 How Kaspersky Endpoint Security counters attacks
How Kaspersky Endpoint Security repels threats
How Kaspersky Security Network helps to repel threats
Where are Kaspersky Endpoint Security settings located

Chapter 2. How to configure file protection
2.1 How Kaspersky Endpoint Security protects files
2.2 What and how to configure in File Threat Protection
Configure File Threat Protection
2.3 What to do if File Threat Protection slows down the computer
How to exclude an application’s folder
How to exclude files that a process accesses
How not to scan network drives
How to apply settings to computers
2.4 How and why configure scheduled file scanning
Why scan for malware after the File Threat Protection?
What and how to scan for threats
How to select an optimal schedule
2.5 What to do with false positives
How to configure an exclusion for an incorrect verdict
Exclusions by checksum
Exclusion by certificate
2.6 File protection: Summary

Chapter 3. How to configure protection against network threats
3.1 How network protection works
What network components do
How Kaspersky Endpoint Security intercepts traffic
How Kaspersky Endpoint Security scans encrypted traffic

3.2 Mail Threat Protection
What Mail Threat Protection does
Configuring Mail Threat Protection
Attachment filter
Exclusions for false positives
3.3 Web Threat Protection
What Web Threat Protection does
Configuring Web Threat Protection
How to make a website trusted
3.4 How not to intercept the whole traffic of a program
3.5 Protection for network connections: Summary

Chapter 4. How to configure protection against sophisticated threats
4.1 How Kaspersky Endpoint Security protects against new threats
4.2 Detection technologies used in Kaspersky Endpoint Security
4.3 What Advanced Threat Protection does
How Behavior Detection protects against new threats
How Exploit Prevention protects against new threats
How Remediation Engine protects against new threats
How Host Intrusion Prevention stops new threats
How to configure Host Intrusion Prevention to stop ransomware
How AMSI Protection Provider stops new threats
4.4 How to exclude a program from monitoring
What to do if KES hampers a program
How to modify a program’s trust category
How to make a program trusted for Behavior Detection and Intrusion Prevention
4.5 Protection against new and sophisticated threats: Summary

Chapter 5. How to control network connections
5.1 How Firewall protects against threats
5.2 How Firewall works in KES
How Firewall analyzes packets and connections
How Firewall decides which networks are local
How Firewall restricts programs
5.3 What Firewall does under default settings
Default network packet rules
What it means for applications on the computer
What if the Firewall impedes an application
5.4 Why Network Threat Protection is necessary
What Network Threat Protection does
What the Protection from MAC Spoofing does
How to unblock a blocked computer
5.5 Network protection: Summary

Chapter 6. How to protect a computer outside the network
6.1 Which local networks to trust
6.2 How to create a policy for computers outside the office
How to create a policy for computers outside the office
When computers switch to the out-of-office policy
How to set conditions for switching to the out-of-office policy
6.3 Which settings computers should use outside the office
6.4 Out-of-office policies: Summary

Chapter 7. What else is there in protection and why?
7.1 What Self-Defense does and why it is necessary
What Self-Defense does
How to manage KES over Remote Desktop
What BadUSB Attack Prevention does
7.2 How to protect Kaspersky Endpoint Security from the user
How the user can stop protection
How to enable password protection
Configuring password protection for Network Agent
7.3 Which other protection settings are available
Actions
Other settings
Computer protection: Summary

Chapter 1. How Kaspersky Endpoint Security 11.1 protects computers

1.1 How criminals attack a computer

How malware gets on a computer

Malware gets on a computer via everything that connects the computer to the external world, specifically via
network connections and removable drives. Let us examine typical scenarios of how malware penetrates a computer,
and how to prevent this.

Via a browser

A vulnerable web browser

The user has installed a vulnerable browser. A web page may use a vulnerability to make the browser download and
run any software on the computer. The user opens a dubious website, and the website starts malware on the user’s
computer. Malicious code can reside in the ad blocks that the website receives from other sites rather than on its
own pages.

To protect against such an attack:

— Install updates for web browsers
— Do not allow users to run just any browser
— Do not allow users to open just any web page
— Do not allow users to open known infected websites
— Do not allow web browsers to start child processes

An infected file

The user looks for free software on the internet, for example, a handy free utility, a pirated version of an expensive
program, or a key generator for an expensive application. The user finds it, downloads it, and starts it on the computer. The
program turns out to be malicious.

Maybe the user has downloaded a seemingly appropriate file from “Internet garbage”. Or maybe criminals have
altered freeware code or compromised the site and replaced the program.

To protect against such an attack:

— Do not allow users to open just any web page
— Do not allow users to open websites that are known for distributing malware
— Scan the files that users download from the Internet with protection software

Via email

The user receives an email message that looks like a message from a bank, shop, delivery service, partner,
acquaintance, etc. The message prompts the user to click a link or open an attachment. The link leads to a malicious or
phishing website. The attachment contains malware or a document with embedded malware.

To protect against such an attack:

— Filter email with antispam tools (software that protects against anonymous bulk unsolicited emailing)
— Scan files attached to email messages with protection software
— Do not allow the users to save executable files from email messages to the drive
— Protect against links in the messages the same way as against attacks via web browsers

From other computers over the network

From a shared folder

The user copied a program from a shared folder on another computer and started it. The program turned out to be
malicious.

The user opened a document from a shared folder on another computer. The document contained malicious code.

To protect against such an attack:

— Install protection tools on all computers
— Scan the files that the users copy, open or start

A network attack

There is a vulnerability in the operating system on the user's computer. If a special sequence of packets is sent to a
specific port, one can make the vulnerable service run the code within these packets. An infected computer will also
attack the vulnerable service on all other computers in the network and infect them.

To protect against such an attack:

— Install security updates for operating systems
— Prohibit connections to the ports that the users do not need for their work
— Use protection software to check inbound packets for network attacks

From external media

A user’s USB memory drive

The user connected a USB flash drive to the computer to copy documents. The USB flash drive contains malware
that uses a vulnerability in the operating system to automatically run on the computer.

Or the user simply connected a USB flash drive to find out what it contains, found a document or an executable file
with an intriguing name and decided to open it. The file turned out to be infected.

To protect against such an attack:

— Do not allow the users to connect unknown (or all) USB flash drives to the computers
— Scan files on USB drives with protection software
— Install security updates for operating systems

BadUSB

The user connected a USB device that looks like a USB flash drive to the computer. The device registered with the
operating system as a USB flash drive and as a keyboard. After a while, the device started to execute commands on
the computer by sending keystrokes.

To protect against such an attack:

— Use protection against BadUSB attacks

How to protect against threats

All threat prevention methods can be grouped as follows:

Eliminate potential attack targets:

Install security updates for operating systems
Install updates for web browsers and other programs
Do not allow users to run just any browser
Do not allow users to open just any web page
Do not allow web browsers to start child processes
Do not allow the users to save executable files from email messages to the drive
Prohibit connections to the ports that the users do not need for their work
Do not allow the users to connect unknown (or any) USB flash drives to the computers

Use protection tools to detect attacks:

Install protection on all computers
Scan the files that the users copy, open or start
Scan files on USB drives with protection software
Scan files attached to email messages with protection software
Scan files that the users download from the Internet with protection software
Do not allow the users to open known infected websites
Do not allow the users to open websites that are known for distributing malware
Use protection software to check inbound packets for network attacks
Use protection against BadUSB attacks
II–7
Unit II. Protection management

How malware causes harm

No protection tool can protect against 100% of threats. Criminals may always be half a step ahead since they:

— Register new domains and websites


— Write new malware
— Use zero-day vulnerabilities for which updates have not been issued yet

Even if protection works properly, there is always a risk that a computer may be infected with new malware. If
protection is not installed on some computers, if databases are outdated on computers, or if important protection
components are disabled, the risk grows.

Let us study the harm that malware can cause and how it can be decreased.

Ransomware

Ransomware encrypts documents and other files on the computer and in shared folders, and demands money in
return for the encryption key. The key is stored on the criminals’ server. Malware either downloads the key from the
server, encrypts files and deletes the key; or generates a random key, sends it to the server, encrypts files and deletes
the key. Either way, ransomware connects to its server over the network.

To protect against such an attack:

— Regularly back up all important files


— Do not allow unknown programs to establish and accept network connections
— Use protection tools that detect encryption heuristically

Spyware

Malware looks for non-encrypted or poorly encrypted passwords in software settings and in the files on the drive.
Malware intercepts everything the user enters, takes screenshots and records video through the web camera. The program
sends all this to the criminals’ server.

To protect against such an attack:

— Do not allow unknown programs to establish and accept network connections


— Use protection tools that detect spying heuristically

Network malware

Malware writes itself to the USB flash drives connected to a computer and to shared folders over the network.
Malware infects neighboring computers via vulnerable services. Malware sends spam and participates in DDoS attacks
at a control center’s command.

To protect against such an attack:

— Do not allow unknown programs to establish and accept network connections


— Use protection tools that heuristically detect dangerous activities

Loaders

Criminals often use very simple files, which do not pose any direct threat, to get around protection tools and
infect a computer. But these files may download additional malicious files, which can encrypt documents, steal
passwords, etc.

To protect against such an attack:

— Do not allow unknown programs to establish and accept network connections

Low-grade malware

Malware makes other programs hang or malfunction, a computer run really slow, spontaneously restart, or display a
blue screen.

To protect against such an attack:

— Regularly scan files on the computer with protection software

How to reduce losses

The loss reduction methods may be grouped similarly to attack prevention methods:

Eliminate potential attack targets

— Do not allow unknown programs to establish and accept network connections

Use protection tools to detect attacks

— Use protection tools that heuristically detect dangerous activities
— Regularly scan files on the computer with protection software

1.2 How Kaspersky Endpoint Security counters attacks

How Kaspersky Endpoint Security repels threats

Kaspersky Endpoint Security and Kaspersky Security Center components do everything to protect against attacks
and prevent losses:

Eliminate potential attack targets

— Install security updates for operating systems: Kaspersky Security Center (see course KL 009)
— Install updates for web browsers and other programs: Kaspersky Security Center (see course KL 009)
— Do not allow users to start arbitrary browsers: Application Control
— Do not allow users to open arbitrary web pages: Web Control
— Do not allow web browsers to start child processes: Behavior Detection, Exploit Prevention
— Do not allow the users to save executable files from email messages to the drive: Mail Threat Protection
— Prohibit connections to the ports that the users do not need for their work: Firewall
— Do not allow the users to connect unknown (or any) USB flash drives to the computers: Device Control
— Do not allow unknown programs to establish and accept network connections: Firewall

Use protection tools to detect attacks

— Install protection on all computers: Kaspersky Security Center (see Unit I)
— Scan the files that the users copy, open or start: File Threat Protection, Host Intrusion Prevention
— Scan files on USB drives with protection software: Virus scanning
— Scan files attached to email messages with protection software: Mail Threat Protection
— Scan files that the users download from the Internet with protection software: Web Threat Protection
— Do not allow the users to open known infected and phishing websites: Web Threat Protection
— Do not allow the users to open websites that are known for distributing malware: Web Threat Protection
— Use protection software to check inbound packets for network attacks: Network Threat Protection
— Do not allow the users to automatically connect any USB devices as a keyboard: BadUSB Attack Prevention
— Use protection tools that heuristically detect dangerous activities: Behavior Detection, Host Intrusion Prevention
— Regularly scan files on the computer with protection software: Virus scanning

This list includes all components of Kaspersky Endpoint Security. All of them either decrease the attack surface, or
actively scan, detect and block threats.

Kaspersky Endpoint Security neither backs up files on the computer, nor protects against spam. To protect against
spam, use Kaspersky Lab products for mail systems:

— Kaspersky Security for Microsoft Exchange Servers


— Kaspersky Secure Mail Gateway

How Kaspersky Security Network helps to repel threats



To ensure that Kaspersky Endpoint Security components reliably protect against threats, it is important to regularly
update the signature databases.

It is also important to allow Kaspersky Endpoint Security to use the Kaspersky Security Network.

Kaspersky Security Network (KSN) is a cloud-assisted technology that helps increase the accuracy of verdicts for all
protection components.

Kaspersky Security Network servers collect information about files on the protected computers, analyze it using
machine learning technologies, consider when a file was detected for the first time, whether it is widespread, in
which regions, whether the users of personal versions of Kaspersky Security trust the file, whether the file is signed
with a certificate and which one, etc. Suspicious files are additionally analyzed by Kaspersky Lab experts.

After that, Kaspersky Security Network assigns a trust group to the file:

— Trusted
— Low Restricted
— High Restricted
— Untrusted

For each trust group, Kaspersky Lab analysts have developed scenarios that describe what files are allowed to do
and what is prohibited depending on the assigned trust group (reputation).

This way, Kaspersky Endpoint Security components learn which programs are to be allowed to connect to the
network, which programs may install drivers, and which of the trusted programs are to be scanned especially
thoroughly, because they may contain vulnerabilities.

Kaspersky Security Network contains a huge database of checksums of known good files. Kaspersky Lab receives
checksums of reference files from many known software manufacturers, such as Microsoft, Adobe, Google, etc.
That is why Kaspersky Endpoint Security components know which files are not infected for sure and do not hamper
the respective programs.

Besides files, Kaspersky Security Network also forms reputations for web pages and software activity patterns.

If Kaspersky Lab detects a new threat, checksums of all malicious files and web pages get to the Kaspersky Security
Network in a split second and are available to all products that use the Kaspersky Security Network. Products learn
about new threats via Kaspersky Security Network a few hours earlier than through the threat signatures that are
downloaded with updates.

The data that Kaspersky Endpoint Security sends to Kaspersky Security Network are depersonalized and
anonymous. The complete list can be found in the Kaspersky Security Network agreement that the administrator
must accept prior to enabling Kaspersky Security Network in the Kaspersky Endpoint Security policy.

To use Kaspersky Security Network without sending anything to Kaspersky Lab, use the Kaspersky
Private Security Network service.

Where are Kaspersky Endpoint Security settings located

In this chapter, we will study which settings are available in the Kaspersky Endpoint Security components:

— The default values


— How the parameters influence the components’ behavior
— When and how to modify settings to improve computer protection or user experience

Most of Kaspersky Endpoint Security settings are located in the policy. Some settings, for example, scheduled virus
scan or update settings, are set up in tasks.

Chapter 2. How to configure file protection

2.1 How Kaspersky Endpoint Security protects files

File Threat Protection intercepts all file operations (such as reading, copying, executing) using the klif.sys driver
and scans the files being accessed. By default, if the file is infected, the operation will be blocked, and the file will
be either disinfected or deleted.

Except for attacks that exploit vulnerabilities to load code directly into the memory, all attacks save malicious
files on the computer drive. And even those attacks that start by executing code in the memory can load only a small
amount of code there; they use it as the first step of the attack, which then downloads additional modules as files
and saves them to the drive.

Even if Mail Threat Protection and Web Threat Protection are disabled, the user will not be able to start an infected
file received by email or downloaded from the internet, because a file cannot be started either from an attachment or
from a web page without being saved to the hard drive; and when the file is saved on the disk, it will be detected and
blocked by the File Threat Protection.

This makes File Threat Protection an important component of Kaspersky Endpoint Security.

File Threat Protection scans for malware using:

— Malware signatures—a signature database is a “black list” of known malicious files. If a file does not match
any of the database records, it is not malicious. A complete black list, where each known malicious or
infected file is described thoroughly, requires too much space; that is why a signature database is optimized
and narrowed down to a size that can be easily downloaded to a computer. Each record identifies a family
of similar threats.

— Heuristic analysis (emulation of execution)—helps detect polymorphic malicious files, which change
their code during the execution, and which are therefore difficult to detect using signatures. File Threat
Protection starts executable files in a special isolated environment and checks whether the code in the
memory changes to match a signature.

— KSN checks—File Threat Protection sends the file checksum to KSN and receives an answer: whether
such a file is found in the KSN database, and what reputation it has. The KSN database is a huge list of all
files (to be more exact, their checksums) known to Kaspersky Lab. This list includes files with an untrusted
reputation. It is a black list, and File Threat Protection blocks such files. There are also files with a trusted
reputation. It is a white list, which includes known harmless files of operating systems and widespread
software. File Threat Protection does not block these files even if they match malware signatures. The KSN
verdict has higher priority, because KSN contains more information than a local signature database.

To receive a verdict from KSN, a computer needs a connection to the internet, which may be unreliable. For this
reason, Kaspersky Endpoint Security does not rely upon KSN entirely, and uses the signature database and
emulation.

KSN verdicts may change with time. A file that has just appeared on the internet has no reputation at first.
Eventually, when KSN accumulates data about who uses this file, where and how, its reputation changes and may
become trusted or untrusted. For better protection, Kaspersky Endpoint Security could check the KSN verdict at
each file operation. But this would increase the computer’s network traffic. Besides, sending a request and receiving
an answer takes time, which depends on the quality of the communication channel.

To avoid creating extra traffic and delaying file operations, Kaspersky Endpoint Security saves KSN verdicts in the
local cache. Each verdict has its lifetime. For new files, it is short, which makes Kaspersky Endpoint Security
re-check the verdict often. For the files that have long been known, the lifetime is long.
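The precedence and caching rules described above can be modelled in a few lines. This is an added example, not Kaspersky code: the lookup interface, the reputation strings and the lifetime values are assumptions, and the checksums and timeline are constructed. It shows the window during which a cached verdict for a new file is still in force after KSN has changed its reputation.

```python
"""Added example: verdict precedence and KSN cache lifetime, modelled on the description above."""
from dataclasses import dataclass

# Assumed values: the text only says lifetimes are short for new files, long for well-known ones.
TTL_NEW = 10 * 60                 # seconds
TTL_KNOWN = 7 * 24 * 3600
KNOWN_AFTER = 30 * 24 * 3600      # age after which a file counts as "long known"


@dataclass
class CacheEntry:
    reputation: str               # "trusted", "untrusted" or "unknown"
    expires_at: float


class VerdictResolver:
    def __init__(self, ksn_lookup, clock):
        self.ksn_lookup = ksn_lookup   # hypothetical: checksum -> (reputation, seconds known)
        self.clock = clock
        self.cache = {}
        self.ksn_requests = 0

    def reputation(self, checksum):
        now = self.clock()
        entry = self.cache.get(checksum)
        if entry is not None and entry.expires_at > now:
            return entry.reputation            # fresh cached verdict, no network traffic
        try:
            reputation, known_for = self.ksn_lookup(checksum)
        except ConnectionError:
            return None                        # KSN unreachable: local engines decide
        self.ksn_requests += 1
        ttl = TTL_KNOWN if known_for >= KNOWN_AFTER else TTL_NEW
        self.cache[checksum] = CacheEntry(reputation, now + ttl)
        return reputation

    def decide(self, checksum, signature_match, emulation_match):
        rep = self.reputation(checksum)
        if rep == "untrusted":
            return "block"
        if rep == "trusted":
            return "allow"                     # KSN outranks a local signature match
        return "block" if (signature_match or emulation_match) else "allow"


def scenario():
    """Constructed timeline; returns the decisions and the number of KSN requests made."""
    now = [0.0]
    ksn = {"aaa": ("trusted", 400 * 24 * 3600), "bbb": ("unknown", 60)}
    online = [True]

    def lookup(checksum):
        if not online[0]:
            raise ConnectionError("KSN unreachable")
        return ksn.get(checksum, ("unknown", 0))

    r = VerdictResolver(lookup, lambda: now[0])
    decisions = [
        r.decide("aaa", signature_match=True, emulation_match=False),   # signature false positive
        r.decide("bbb", signature_match=False, emulation_match=False),  # brand-new file
    ]
    ksn["bbb"] = ("untrusted", 3600)                  # KSN learns the file is malicious
    decisions.append(r.decide("bbb", False, False))   # cached "unknown" still in force
    now[0] += TTL_NEW + 1
    decisions.append(r.decide("bbb", False, False))   # cache expired, new verdict fetched
    online[0] = False
    decisions.append(r.decide("ccc", True, False))    # offline: signature database decides
    return decisions, r.ksn_requests


if __name__ == "__main__":
    print(scenario())
```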

To avoid slowing down the computer, File Threat Protection does not scan all files; it scans only those files that may
infect a computer. For example, File Threat Protection does not scan archives, because files must be extracted prior
to being started. It is either the user who extracts the file from the archive, or the operating system does this for the
user. Anyway, File Threat Protection will scan the extracted files (and block them if necessary).

Use virus scan tasks to scan the files that File Threat Protection does not scan. Virus scanning checks files within
the specified scope and uses the same methods as File Threat Protection.

2.2 What and how to configure in File Threat Protection

Configure File Threat Protection

File Threat Protection, as well as Kaspersky Endpoint Security in general, solves two tasks:

— Prevent malware from causing harm


— Avoid hampering the user or legitimate software

The more files File Threat Protection scans, the better it solves the former task, and the worse the latter, and vice
versa. The default settings balance protection and performance. By adjusting the settings, the administrator can tilt
the balance one way or the other.

You can adjust Kaspersky Endpoint Security settings in the policy. The settings of all components are located in the
respective sections: File Threat Protection, in Essential Threat Protection on the Application Settings tab.

Let us first talk about the parameters that should not be changed and explain why.

File Threat Protection does not scan all file types

Files that may harm a computer are mainly executable files, but not only those. Microsoft Office documents may contain
executable code (macros), which can be malicious. Even documents without code, some graphic files for example,
may exploit vulnerabilities of the applications that open them and make these programs run a part of the file as code.

By default, File Threat Protection scans files by format. This way, Kaspersky Endpoint Security reliably protects the
computer, because it scans all dangerous files, but does not slow down the computer, since it does not scan all the
files.

Scanning files by extension only is dangerous. For example, a malicious Word document may have extension .123,
which is not included in the scan list, but the user can open it nevertheless via its shortcut menu (Open with). Also,
scanning by extension is not significantly faster than scanning by format. The user will not perceive any difference
in performance.
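The gap between the two selection modes can be checked on any folder. The following is an added example, not part of the course material or the product: it identifies a file by its leading bytes and lists files whose content is a risky format but whose extension is not in the scan list. The extension set is a small subset of the list below, the byte signatures cover only four formats, and the sample files are constructed.

```python
"""Added example: what extension-only scan selection misses (all sample files are constructed)."""
import os
import tempfile

# A few entries from the page's scanned-extension list.
SCANNED_EXTENSIONS = {"exe", "dll", "sys", "doc", "dot", "xls", "ppt", "pdf", "rtf"}

# Leading byte signatures of formats that can carry code.
MAGIC = (
    (b"MZ", "PE executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (legacy Office document)"),
    (b"%PDF-", "PDF document"),
    (b"{\\rtf", "RTF document"),
)


def detect_format(path):
    """Identify a file by its first bytes, ignoring its name."""
    with open(path, "rb") as fh:
        header = fh.read(8)
    for magic, name in MAGIC:
        if header.startswith(magic):
            return name
    return None


def selected_by_extension(path):
    """True when an extension-only scan list would pick this file."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    return ext in SCANNED_EXTENSIONS


def find_blind_spots(root):
    """Return (relative path, format) for risky-format files an extension list would skip."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            fmt = detect_format(path)
            if fmt is not None and not selected_by_extension(path):
                hits.append((os.path.relpath(path, root), fmt))
    return sorted(hits)


def demo():
    """Build constructed sample files in a temporary folder and audit it."""
    ole = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
    samples = {
        "report.doc": ole,                           # Word document, listed extension
        "invoice.123": ole,                          # same format, unlisted extension
        "setup.tmp": b"MZ\x90\x00" + b"\x00" * 16,   # executable renamed to .tmp
        "notes.txt": b"meeting notes\n",             # plain text, no risky format
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return find_blind_spots(root)


if __name__ == "__main__":
    for rel, fmt in demo():
        print(f"{rel}: {fmt} would be skipped by extension-only selection")
```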

If the administrator wants to improve performance of slow computers, it is better to start with exclusions for the
programs that users work with. How to create exclusions is explained at the end of this section.

The list of scanned extensions:

com Program executable file whose size does not exceed 64 KB
exe Executable file, self-extracting archive
sys System file of Microsoft Windows
prg Text of the dBase™, Clipper or Microsoft Visual FoxPro® application, a program from WAVmaker suite
bin Binary file
bat File that contains one or more commands
cmd Command file of Microsoft Windows NT (a counterpart of a bat file for DOS), OS/2
dpl Packed Borland Delphi library
dll Dynamic-link library
scr Microsoft Windows screen saver file
cpl Control panel module in Microsoft Windows
ocx Microsoft OLE object (Object Linking and Embedding)
tsp Time-shared program
drv Device driver
vxd Driver of a Microsoft Windows virtual device
pif File with information about a program
lnk Link file in Microsoft Windows
reg File for importing and exporting Microsoft Windows registry keys
ini Configuration file that contains settings for Microsoft Windows, Windows NT and some other software
cla Java class
vbs Visual Basic script
vbe Video BIOS Extension
js, jse JavaScript source text
htm Hypertext document
htt Microsoft Windows hypertext template file
hta Hypertext program for Microsoft Internet Explorer
asp Active Server Pages script
chm Compiled HTML file
pht HTML file with built-in PHP scripts
php Script built into an HTML file
wsh Microsoft Windows Script Host file
wsf Microsoft Windows script
the Screensaver file for Microsoft Windows 95 desktop
hlp Help file in Win Help format
eml Microsoft Outlook Express message
nws Microsoft Outlook Express news message file
msg Microsoft Mail email message
plg Email message
mbx Extension for a saved message of Microsoft Office Outlook
doc* Microsoft Office Word document, such as:
doc Microsoft Office Word document
docx XML-based Microsoft Office Word 2007 document
docm Macro-enabled Microsoft Office Word 2007 document
dot* Microsoft Office Word 2007 document template
dot Microsoft Office Word document template
dotx Microsoft Office Word 2007 document template
dotm Microsoft Office Word 2007 macro-enabled document template
fpm Database program, a startup file of Microsoft Visual FoxPro
rtf Document in the Rich Text Format
shs Windows Shell Scrap Object Handler file
dwg AutoCAD drawing database
msi Microsoft Windows Installer package
otm VBA project for Microsoft Office Outlook
pdf Adobe Acrobat document
swf Shockwave Flash object
jpg, jpeg Graphic file for storing compressed images
emf Enhanced Metafile. The next generation of Microsoft Windows operating system metafiles. EMF files are not supported in 16-bit Microsoft Windows
ico Icon
ov? Microsoft Office Word executable files
xl* Microsoft Office Excel documents and files, such as:
xla Microsoft Office Excel add-in
xlc Microsoft Office Excel chart
xlt Microsoft Office Excel template
xlsx Microsoft Office Excel 2007 workbook
xltm Microsoft Office Excel 2007 macro-enabled workbook
xlsb Microsoft Office Excel 2007 workbook in binary (non-XML) format
xltx Microsoft Office Excel 2007 template
xlsm Microsoft Office Excel 2007 macro-enabled template
xlam Microsoft Office Excel 2007 macro-enabled add-in
pp* Microsoft Office PowerPoint documents, such as:
pps Microsoft Office PowerPoint slide
ppt Microsoft Office PowerPoint presentation
pptx Microsoft Office PowerPoint 2007 presentation
pptm Microsoft Office PowerPoint 2007 macro-enabled presentation
potx Microsoft Office PowerPoint 2007 presentation template
potm Microsoft Office PowerPoint 2007 macro-enabled presentation template
ppsx Microsoft Office PowerPoint 2007 slide show
ppsm Microsoft Office PowerPoint 2007 macro-enabled slide show
ppam Microsoft Office PowerPoint 2007 macro-enabled add-in
md* Microsoft Office Access documents, such as:
mda Microsoft Office Access workgroup
mdb Microsoft Office Access database
sldx Microsoft Office PowerPoint 2007 slide
sldm Microsoft Office PowerPoint 2007 macro-enabled slide
thmx Microsoft Office 2007 theme

Heuristic analysis of Kaspersky Endpoint Security starts a program executable in an isolated environment and
watches what it does. First of all, heuristic analysis helps detect polymorphic malware, which can change its code
during the execution.

When criminals email new malware, or upload a new version of a malicious module to an infected computer, they
may generate a file with a unique checksum for each computer or addressee. Signatures and even Kaspersky
Security Network will not help in this case. But heuristic analysis clearly shows that all these versions restore the
same malicious code when running.

File Threat Protection does not scan files that have already been scanned

Most files on the computer are rarely changed, and if File Threat Protection scans only new and changed files, it
places almost no load on the computer. In the first few days, while all files are new for Kaspersky Endpoint Security,
the user may feel that the computer works slower. But File Threat Protection soon stops influencing performance.

Do not turn off the option Scan only new and changed files in File Threat Protection; doing so will slow down the
computer.

How does Kaspersky Endpoint Security learn which files have been changed and
which have not?

The NTFS file system (and its successor ReFS) logs when files are changed, and guarantees integrity of these
records. Therefore, on NTFS drives, Kaspersky Endpoint Security simply checks the file modification date.

The FAT32 file system cannot log the modification date; neither can it protect the modification date against
unsolicited changes. Malware may modify a file, and then assign any modification date to it. For this reason, Kaspersky
Endpoint Security saves checksums of scanned files into a special database for FAT32 drives. When the file is
accessed next time, Kaspersky Endpoint Security re-calculates the checksum and compares it with the saved one. If the
sums differ, the file has been changed, and File Threat Protection scans it.

Scanning new files only once is dangerous. If malware gets on the computer before Kaspersky Endpoint Security
receives its signatures, File Threat Protection will scan it, consider it clean, and will not scan it at the next start.

To prevent this, even if the option Scan only new and changed files is enabled, File Threat Protection scans all
new files repeatedly, at least twice, or even several times.

For this purpose, Kaspersky Endpoint Security stores the release time of the signatures with which the file was
scanned first and last. If a file has been scanned only once, or if the current version of signatures was issued less than
24 hours after the version with which the file was scanned for the first time, File Threat Protection re-scans the file.
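The change detection and re-scan rules above, written out as a decision function. This is an added example and not the product's implementation: the record layout and function names are hypothetical, the timeline is constructed, and one rule (skip a re-scan when the signature release has not changed since the last scan) is an assumption the text does not state.

```python
"""Added example: the 'scan only new and changed files' decision, modelled on the text above."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

RESCAN_WINDOW = timedelta(hours=24)   # from the text


@dataclass
class ScanRecord:
    fingerprint: str              # how "unchanged" is recognised for this file
    scan_count: int
    first_sigs: datetime          # release time of signatures used for the first scan
    last_sigs: datetime           # release time of signatures used for the latest scan


def fingerprint(fs_type, mtime, content):
    """NTFS/ReFS: trust the modification time. FAT32: use a content checksum."""
    if fs_type in ("NTFS", "ReFS"):
        return f"mtime:{mtime}"
    return "sha256:" + hashlib.sha256(content).hexdigest()


def scan_reason(record, fs_type, mtime, content, current_sigs):
    """Return why the file must be scanned now, or None if the scan can be skipped."""
    if record is None:
        return "new file"
    if fingerprint(fs_type, mtime, content) != record.fingerprint:
        return "file changed"
    if current_sigs <= record.last_sigs:
        return None   # assumption (not in the text): same signatures would give the same result
    if record.scan_count < 2:
        return "scanned only once"
    if current_sigs - record.first_sigs < RESCAN_WINDOW:
        return "signatures less than 24 hours newer than first scan"
    return None


def record_scan(record, fs_type, mtime, content, current_sigs):
    """Update the per-file record after a scan."""
    fp = fingerprint(fs_type, mtime, content)
    if record is None or record.fingerprint != fp:
        return ScanRecord(fp, 1, current_sigs, current_sigs)
    return ScanRecord(fp, record.scan_count + 1, record.first_sigs, current_sigs)


def timeline(fs_type="NTFS"):
    """Constructed sequence: the same file accessed under successive signature releases."""
    t0 = datetime(2024, 1, 1, 8, 0)
    record, reasons = None, []
    for hours in (0, 0, 6, 20, 30):
        sigs = t0 + timedelta(hours=hours)
        reason = scan_reason(record, fs_type, 1000, b"payload", sigs)
        reasons.append(reason)
        if reason is not None:
            record = record_scan(record, fs_type, 1000, b"payload", sigs)
    return reasons


def fat32_tamper_check():
    """Content changes while the modification time is reset to its old value."""
    sigs = datetime(2024, 1, 1, 8, 0)
    record = record_scan(None, "FAT32", 1000, b"clean", sigs)
    return scan_reason(record, "FAT32", 1000, b"clean + appended code", sigs)


if __name__ == "__main__":
    print(timeline())
    print(fat32_tamper_check())
```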

What if signatures for a new threat are not issued in 24 hours? This almost never happens. Besides, in addition to
signatures, Kaspersky Endpoint Security uses data from Kaspersky Security Network, which contains the most recent
information about threats.

To further reduce the risk, use a virus scan task to check all files on the computer, including those that have not been
changed, and which File Threat Protection scanned already.

File Threat Protection does not scan compound files (archives, etc.)

Application Settings | Essential Threat Protection | File Threat Protection | Scan archives

— Enabled: File Threat Protection scans files within RAR, ARJ, ZIP, CAB, LHA, JAR, and ICE archives. For this
purpose, File Threat Protection unpacks an archive into a temporary folder or into the memory
— Disabled (by default): File Threat Protection neither unpacks archives nor scans files within them

To scan archived files, File Threat Protection unpacks the archive, which consumes considerable computer
resources. Archives are not dangerous in themselves. A malicious file cannot be started from the archive. The user
either unpacks the archive manually, or the operating system does this for the user. Either way, a malicious file gets
onto a drive before it runs, and File Threat Protection scans it like any other file.

Do not enable the Scan archives option in File Threat Protection. It will slow down the computer, but will not
improve protection.

Application Settings | Essential Threat Protection | File Threat Protection | Scan distribution packages

— Enabled: File Threat Protection scans files within self-extracting archives and installation packages, such as MSI.
For this purpose, File Threat Protection unpacks an archive into a temporary folder or into the memory
— Disabled (by default): File Threat Protection does not scan self-extracting archives and installation packages

Installation packages are executable files, and File Threat Protection scans their executable part anyway. However, a
large part of data within an installation package consists of archived files of the program to be installed by the
package. To scan them, File Threat Protection extracts them from the package, similar to archives.

Installation packages do not need to be scanned by File Threat Protection. If the user copies a package, it cannot
infect the computer. If the user starts a package, it will extract files itself and save them on the drive, where they will
be scanned by File Threat Protection.

Application Settings | Essential Threat Protection | File Threat Protection | Scan Office formats

— Enabled (by default): File Threat Protection scans executable parts not only within Microsoft Office documents, but
also in the objects embedded into them
— Disabled: File Threat Protection scans executable parts only within Microsoft Office documents, and skips
embedded objects

Microsoft Office files have a complicated structure. We can even say that there is a file system with additional files
within a Microsoft Office document. When the user pastes an Excel chart into a Word document, Microsoft Office
can add the whole Excel document to the Word document, with all its data, formulas and macros.

Do not disable scanning for office documents. Not scanning objects embedded in office documents is dangerous.
They may contain malicious macros, which Office programs can start without saving to the drive.

Archive scan settings

If the administrator selects to scan archives, whenever the user tries to copy or open an archive, the operation will
not start until File Threat Protection unpacks the archive and scans all files within it. Meanwhile, the user cannot do
anything with the archive.

If the administrator wants to scan archives, the user experience can be improved by changing additional archive scan
settings.

— Do not unpack large compound files: File Threat Protection will scan only those archives that are smaller than the
Maximum file size value
— Maximum file size: 8 MB by default
— Unpack compound files in the background mode: File Threat Protection will detain operations with small archives
only. If the user opens a large archive, File Threat Protection will allow access, but at the same time will unpack
the archive and scan the files. The user will not have to wait. Large archives are those that are larger than the
Minimum file size value
— Minimum file size: not specified by default. This means that if you select to unpack compound files in the
background, File Threat Protection will scan all archives in the background mode

File Threat Protection has detected and deleted the malware

Malware detected by File Threat Protection should not be left unprocessed, and the settings that regulate File Threat
Protection actions should be locked. The optimal choice is to disinfect and if disinfection is impossible, delete
infected files. Most of the malicious files cannot be disinfected, because they contain nothing but the infected code.

Before a file is disinfected or deleted, its copy is placed into the Backup repository. In case a file contains important
information or is deleted because of a false positive, it can be recovered.

If the Remediation Engine component is enabled in Advanced Threat Protection, Kaspersky Endpoint Security not
only deletes malicious files, but also rolls back their actions¹.

¹ The rollback procedure is described in Chapter 4 of this Unit.

2.3 What to do if File Threat Protection slows down the computer

First, find out whether File Threat Protection actually slows down the computer (or a program):

— Find the computer that works slowly


— Disable the policy on it (see the section How to Protect Kaspersky Endpoint Security from the User)
— Stop (disable) File Threat Protection
— Check whether the computer (program) works any faster

Even if programs work faster on the computer without File Threat Protection, do not leave File Threat Protection
disabled. Configure exclusions for applications. Try various exclusion types:

— If all program files are located in a single folder, exclude the program’s folder from scanning

— If the program works with files in various folders or in a temporary folder, make the executable file of the
program trusted

Never exclude the operating system’s temporary folder from scanning. Malware is often started from it.

— If the program works with files in shared folders, try to disable scanning of network drives

— For the programs that start on the specified schedule during off business hours, pause File Threat Protection
while the program runs

How to exclude an application’s folder

Exclusions are configured in Kaspersky Endpoint Security policy: Open Application Settings | General Settings
and click the Exclusions link.

To set up exclusions for folders, click the Scan exclusions link. They will apply to all protection components. A scan
exclusion consists of three attributes:

— File or folder—the name of the file or folder to which the exclusion applies. The name of the object may
include environment variables (%systemroot%, %userprofile% and others) and also “*” and “?” wildcard
characters

— Object name—the name of the threat to be ignored (usually corresponds to a malware name), which can
also be specified using wildcard characters

— Object hash—checksum (SHA-256) of the file to which the exclusion applies.



— Protection components—the list of protection components to which the rule applies

Of the four attributes, at least one of the first three, plus the last one, must be specified. You can create a scan
exclusion for a file or folder without specifying the threat type; then the selected components will ignore any
threats in the specified file or folder. Alternatively, you can create a scan exclusion for a threat type, for example,
for the UltraVNC remote administration tool, so that the selected protection components would not respond to this
threat regardless of where it is detected.

All attributes can also be specified simultaneously. For example, the exclusion list contains a set of rules for
widespread remote administration tools: UltraVNC, RAdmin, etc. In these rules, both the threat type and the object
(typical location of the executable file) are specified. According to such an exclusion, Kaspersky Endpoint Security
would allow running a remote administration tool from the Program Files folder, but if the user runs the tool from
another folder, Kaspersky Endpoint Security would consider it a threat.
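How the attributes combine can be checked with a small evaluator, which also doubles as an audit for exclusions that hide any threat in the temporary folder. This is an added example, not the product's matching code: the class and function names are hypothetical, the environment, threat name and rules are constructed, and treating a folder mask as covering everything below it is an assumption.

```python
"""Added example: evaluating and auditing scan exclusions as described above (constructed data)."""
import fnmatch
import re
from dataclasses import dataclass
from typing import Optional

# Constructed environment of the protected computer.
ENV = {
    "programfiles": r"C:\Program Files",
    "systemroot": r"C:\Windows",
    "userprofile": r"C:\Users\alice",
    "temp": r"C:\Users\alice\AppData\Local\Temp",
}


@dataclass(frozen=True)
class Exclusion:
    components: frozenset                 # protection components the rule applies to
    path_mask: Optional[str] = None       # "File or folder"
    threat_mask: Optional[str] = None     # "Object name"
    sha256: Optional[str] = None          # "Object hash"

    def is_valid(self):
        """At least one of the first three attributes, plus the component list."""
        return bool(self.components) and any((self.path_mask, self.threat_mask, self.sha256))


def expand(mask, env=ENV):
    """Replace %name% variables, case-insensitively; unknown variables stay as written."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), mask)


def path_matches(mask, path, env=ENV):
    """Case-insensitive wildcard match; a folder mask also covers everything below it (assumption)."""
    pattern = expand(mask, env).lower().rstrip("\\")
    path = path.lower()
    return fnmatch.fnmatchcase(path, pattern) or fnmatch.fnmatchcase(path, pattern + "\\*")


def is_excluded(rule, component, path, threat, sha256):
    """True when every attribute the rule specifies matches the detection."""
    if not rule.is_valid() or component not in rule.components:
        return False
    if rule.path_mask and not path_matches(rule.path_mask, path):
        return False
    if rule.threat_mask and not fnmatch.fnmatchcase(threat.lower(), rule.threat_mask.lower()):
        return False
    if rule.sha256 and rule.sha256.lower() != sha256.lower():
        return False
    return True


def covers_temp_unconditionally(rule):
    """Flag rules that hide any threat in the temporary folder."""
    probe = expand(r"%temp%\probe.exe")
    return (rule.path_mask is not None and rule.threat_mask is None
            and rule.sha256 is None and path_matches(rule.path_mask, probe))


def audit(rules):
    """Indexes of rules that should be reviewed before the policy is enforced."""
    return [i for i, rule in enumerate(rules) if covers_temp_unconditionally(rule)]


FTP = frozenset({"File Threat Protection"})
RULES = [  # constructed policy
    Exclusion(FTP, path_mask=r"%ProgramFiles%\UltraVNC\*", threat_mask="*UltraVNC*"),
    Exclusion(FTP, path_mask=r"%TEMP%"),
    Exclusion(FTP, path_mask=r"%UserProfile%\AppData\*"),
    Exclusion(FTP, path_mask=r"D:\Builds\output"),
]

if __name__ == "__main__":
    print("rules to review:", audit(RULES))
```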

How to exclude files that a process accesses

If the computer runs resource-consuming programs, their operation can be slowed down by the File Threat
Protection. This is especially true for the programs that perform numerous file operations, for example, backup
copying or defragmentation. To avoid slowdowns, make these applications trusted.

For this purpose, in the exclusion settings window, add the executable file to the Trusted applications list. Within
the Application window, specify the path to the executable file, and select the Do not scan opened files action.
The path may contain environment variables and “*”, “?” wildcards.

How not to scan network drives

Not scanning network drives at all is dangerous. Prior to disabling network drive scanning, make sure that protection
tools are installed on all network computers. Do not disable network drive scanning “just in case”; do it only if it
solves the users’ issues.

To exclude network drives from scanning, edit the protection scope in the security level settings.

By default, Protection scope of the File Threat Protection includes:

— All removable drives


— All hard drives
— All network drives

In other words, all drives from which malware can be run. The protection scope also allows adding individual drives and
folders instead of drive groups. However, disabling any standard scan scope considerably decreases the protection
level.

How to apply settings to computers

Policy settings must be enforced, that is, locked. Unlocked settings are not applied to the computers.

Since all locks are closed in a policy by default, the administrator may not even notice them. While you edit settings
without touching the locks, all settings remain required and are enforced on the computers.

However, you should remember that if locks are open, the configured settings are not applied. If you have changed
settings in a policy, and they have not changed on the computers, check the locks in the policy.

2.4 How and why to configure scheduled file scanning

Why scan for malware after the File Threat Protection?

How can virus scanning help if File Threat Protection scans all dangerous files anyway? Virus Scan:

— Prevents users from spreading archived malware

— Updates caches of KSN and information about files’ checksums, after which File Threat Protection can
scan fewer files

— Scans files that have not been changed. The File Threat Protection does not scan such files, which may be
dangerous

Virus scan tasks check objects using the same methods as File Threat Protection: signature and heuristic analysis
and KSN. The difference is that File Threat Protection checks files on-the-fly when they are accessed while virus
scan tasks inspect the files by schedule or on demand.

File Threat Protection works with the user. The more actively the user’s applications work, the more files are
scanned by the File Threat Protection and the more resources it consumes. Therefore, the File Threat Protection
settings are optimized to ensure protection against immediate threats only. If the user copies an archive, there is no
immediate infection risk, and the archive does not need to be scanned.

Virus scan tasks can be started during off hours, when more resources are available and a more thorough scan can be
performed. That is why the scan task will wait for the answer from KSN before returning the final verdict,
regardless of the signature and heuristic analysis results. Also, the task may check the objects that are excluded from
the scan scope of the File Threat Protection—archives, installation packages, files in non-infectable formats, etc.

A virus scan task can be configured to check the processes in the memory and be scheduled to run after each
successful database update.

What and how to scan for threats

Configure malware scan settings in virus scan tasks. The administrator is to manually create a virus scan task in the
Managed devices group.

Starting with Kaspersky Security Center version eleven, the Quick Start Wizard does not create a Quick Virus Scan
task anymore. By default, computers are scanned for viruses by a special local Background scan task.

Background scanning is less resource-intensive than an ordinary virus scan task. It is performed
while the computer is locked and does not display any notifications to the user; however, it does not reset the Not
scanned for a long time status either. You cannot modify scan settings or scope of this task.

If you want to use a custom virus scan task, we recommend that you disable background scanning. To disable the
Background scan task, in the properties of Kaspersky Endpoint Security policy, open Application Settings | Local
Tasks | Background scan and clear the check box Scan when the computer is idling.

Scan scope

Scan scope is a list of paths to folders and files that are to be scanned by the task. System variables are allowed (for
example, %systemroot%), as well as * and ? wildcards in the file or folder names. For the folders, you can select
whether to scan all the contents, including subfolders. If subfolders are not selected to be scanned, the object icon is
marked with the little red "minus" sign.

In addition to files and directories, the following scan objects can be specified:

— My email—Outlook data files (.pst and .ost)


— Kernel Memory—the kernel memory of the operating system
— Running processes and Startup Objects—the memory area allocated for processes and executable files
of applications that start at the operating system start. Additionally, if this object is selected in the task
properties, rootkit scanning will also be performed (rootkits are hidden objects of the file system)
— Disk boot sectors—boot sectors of hard and removable drives
— System Backup—System Volume Information folders
— All removable drives—the removable drives connected to the computer at the moment
— All hard drives—computer hard drives
— All network drives—all network drives connected to the computer

Create a task that scans the whole computer weekly or every other week. If you cannot find proper time for such a
task, scan at least critical areas:

— Kernel Memory
— Running processes and Startup Objects
— Disk boot sectors
— %systemroot%\
— %systemroot%\system\
— %systemroot%\system32\
— %systemroot%\system32\drivers\
— %systemroot%\syswow64\
— %systemroot%\syswow64\drivers\

Account

By default, scan tasks are started on the client computers under the Local System account. If the scan scope includes
network drives or other objects with restricted access, the task will not be able to scan them. To solve this problem,
specify an account that has the necessary rights within the task properties.

How to select an optimal schedule

Virus scan tasks can use any regular schedule: every N days, weekly, monthly. They can also be started once: either
automatically at the specified time, or manually.

In addition, special schedule types are available:

— After application update—the task will start after new threat signatures are downloaded and applied. This
is convenient for the scanning of memory and other locations where active threats may appear

— Start in N minutes after application startup—the task will start in a few minutes after the launch of
Kaspersky Endpoint Security. This is another opportunity for the scanning of the most vulnerable computer
areas

— On completing another task—a universal schedule that allows arranging tasks into a chain. From
the practical viewpoint, the best approach would be to link virus scan to update completion, but there is
already a special schedule option for that purpose

There is also an option that allows running missed tasks. If a computer is turned off at the scheduled time, the task
will start as soon as the computer is switched on. Use this option cautiously. If virus scanning starts in the morning
when the user turns on the computer, scanning will hamper the user.

The mode Use automatically randomized delay for task starts makes more sense for an update task than for a
virus scan task. See Unit IV for details.

The Additional task settings area contains a few other useful settings:

— Activate the device before the task is started through Wake-On-LAN (min)—the option allows you to
schedule scan start for the night time or weekends without needing to worry whether the computer is on.
However, to use this feature, you need to enable its support in the BIOS settings of the target computers

— Turn off device after task completion—the option may supplement the previous one. If scanning is
scheduled for the night or weekend, the computer can be turned off afterwards

— Stop task if it has been running longer than (min)—the option allows guaranteed task completion before
the working day begins, so that it does not interfere with the user’s activity

On servers, perform virus scanning on weekends, when they are less loaded.

On workstations, try to find a time when computers are on, but virus scanning will not hamper the users:

— Quick virus scanning can be performed during the lunchtime


— Full scanning should run at night. Explain to the users which day of the week they should not shut down their
computers

What if no schedule is optimal

If you cannot arrange that the users do not turn off their computers, use Wake-On-LAN to power on the computers
at night and run the virus scan task. If this capability cannot be used either, use so-called idle scanning.

To enable idle scanning, open the Application Settings tab in the task properties and under Advanced Settings,
select Scan when the computer is idling. In this mode, virus scanning will be performed only when the computer is
locked; while the user is working, the task will be Paused.

A full computer scan in the idle mode may take a few days or even a couple of weeks, but it is better than not scanning a
computer at all.

2.5 What to do with false positives

How to configure an exclusion for an incorrect verdict

If Kaspersky Endpoint Security informs about a threat in a file that is known to be clean, it is a false positive.

False positives hamper work considerably. Kaspersky Lab very thoroughly tests new signatures on a huge number
of files of operating systems and popular software to prevent false positives. During scanning, Kaspersky Endpoint
Security checks files against Kaspersky Security Network and ignores threats in the files which KSN considers to be
trusted.

False positives happen extremely rarely, and usually concern files of infrequent software, for example, homeware.

If File Threat Protection or a virus scan task finds a threat in a clean file, create an exclusion for it:

1. Open the trusted zone settings in the Kaspersky Endpoint Security policy: Application Settings | General
Settings | Exclusions | Scan exclusions

2. Add the file that gets a false positive to the Scan exclusions list. Select the File or folder check box. Click
the link select file or folder in the lower part of the window to specify the complete path to the file. Use
environment variables, for example, %ProgramFiles%

It is safer to create an exclusion for a specific threat that Kaspersky Endpoint Security detected erroneously rather
than exclude the file entirely. For this purpose:

3. Select the check box Object name in the exclusion window. Click the link enter object name in the lower
part of the window to specify the threat name. The threat name can be found in the Description field of
the Kaspersky Endpoint Security event about the detected threat.

Exclusions by checksum

What to do if a file for which you need to configure an exclusion may be installed into different directories on
different computers?

If the same file version is used on all computers, use the file checksum:

1. Open the trusted zone settings in the Kaspersky Endpoint Security policy: Application Settings | General
Settings | Exclusions | Scan exclusions

2. Add the file that gets a false positive to the Scan exclusions list. Select the Object hash check box. Specify
the file checksum in the Object hash field in the lower part of the window. You can calculate the file’s
checksum and add it manually, or copy it from a detection event.

Kaspersky Endpoint Security calculates checksums of the scanned files and displays them in the detection events.

Exclusion by certificate

What to do if you configured an exclusion, but a new program version has been issued with new names of the folder
and executable file, which also gets a false positive?

If file names are similar, use a path mask. In a mask, the asterisk “*” stands for an arbitrary sequence of symbols,
and the question mark “?” stands for a single arbitrary symbol. For example, the file*.exe mask matches all files
whose names start with “file” and have the .exe extension.

If file names are entirely different, but all files are signed by a certificate, place the certificates in the certificate store
on the computers where the program is used and configure Kaspersky Endpoint Security to trust these certificates:

1. Open the trusted zone settings in the Kaspersky Endpoint Security policy: Application Settings | General
Settings | Exclusions

2. Select the check box Use trusted system certificate store and select a store. The default choice is
Enterprise Trust

3. Place the certificate(s) with which program files are signed in the selected store on the client computer.
You can use, for example, Active Directory group policies for this.

Each computer has the user’s certificate stores and the computer’s certificate stores. Kaspersky Endpoint Security
trusts only the certificates that are located in the computer’s store.

For homeware, you can use even self-signed certificates.

2.6 File protection: Summary

File Threat Protection scans files on the drive that the user, operating system, and programs access. To avoid
slowing down the computer, File Threat Protection scans only those files that pose an immediate threat. However, it
does not prevent the user from copying archived malicious files.

Virus scan tasks scan all files and delete malicious files that are passively stored on the computer, for example,
archived malicious files.

If you cannot figure out a suitable schedule for running the scan task, use idle scanning.

If File Threat Protection slows down the computer or programs:

— Schedule virus scanning. It updates the cache of scanned files and permits File Threat Protection not to scan
them repeatedly if they have not been changed

— Configure exclusions for applications: For folders, executable files, or certificates

— If files (for example, user profiles) load slowly over the network, and protection is installed on network
servers, do not scan network drives

— As a last resort, pause File Threat Protection while a resource-consuming program runs

Do not disable File Threat Protection. Schedule virus scanning on computers.



Chapter 3. How to configure protection against network threats

3.1 How network protection works

What network components do

The network is one of the main channels through which malware spreads. That is why network protection and network traffic
scanning are so important for computer security. In Kaspersky Endpoint Security, Mail Threat Protection and Web
Threat Protection components are responsible for anti-malware scanning of network traffic:

Mail Threat Protection    Deletes malicious code from email messages and attachments
                          Renames potentially dangerous attachments

Web Threat Protection     Blocks attempts to download malicious files
                          Does not permit visiting malicious and phishing websites

How Kaspersky Endpoint Security intercepts traffic

Kaspersky Endpoint Security intercepts network traffic using an NDIS filter. The driver intercepts outbound
connections from the computer programs and transfers packets to the network protection components. Kaspersky
Endpoint Security detects the connection protocol and transfers packets to the corresponding component:

HTTP, HTTPS, FTP                   Web Threat Protection, Web Control

SMTP, POP3, POP3S, IMAP, NNTP      Mail Threat Protection

Other packets are sent directly to the programs and applications for which they are destined.

Kaspersky Endpoint Security can scan secure connections (SSL/TLS).

Kaspersky Endpoint Security can intercept only connections to the specified ports rather than all of the outbound
connections. To configure this, in the Kaspersky Endpoint Security policy, open Application Settings | General
Settings | Network Settings and in the Monitored ports area, select Monitor selected ports only. Click the link 37
ports selected and specify the ports that are to be controlled.

If you do not know which ports a program uses, select the check box Monitor all ports for specified applications,
and add the path to the program’s executable file to the list.

Standard ports and programs are specified in the list of Monitored ports. If non-standard ports or programs are used,
add them to the list.

How Kaspersky Endpoint Security scans encrypted traffic

During the installation, Kaspersky Endpoint Security creates a self-signed certificate—Kaspersky Endpoint Security
Personal Root Certificate—and saves it to the local Trusted Root Certification Authorities store. At each start, KES
checks whether the certificate is still there, and if not, restores it.

To scan encrypted traffic (SSL/TLS), Kaspersky Endpoint Security replaces the certificate. Kaspersky Endpoint
Security intercepts an outbound connection from an application to a server, receives the server’s certificate,
generates a similar session certificate signed with Kaspersky Endpoint Security Personal Root Certificate, and gives
it to the client application. This permits intercepting the symmetric encryption key and decrypting the whole
communication session.

The web browser will not show any warnings because Kaspersky Endpoint Security Personal Root Certificate is
located in the trusted certificate store.

Encrypted traffic scanning is enabled by default and pertains to the following components:

— Web Threat Protection


— Mail Threat Protection
— Web Control

SSL/TLS protocols support three authentication modes: Mutual authentication, anonymous client–server
authentication, and complete anonymity.

For example, when the user connects over https to a web server, in most cases, the second authentication mode is
used: Anonymous client–server authentication. In this case, the certificate is easy to replace.

The situation is different when the first mode, mutual authentication, is used: for example, if a banking application
client or cloud storage client rejects the substituted certificate, the encrypted connection will not be scanned.
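A check an administrator could run on a protected computer to see which HTTPS connections actually receive a substituted certificate, added here as an example and not taken from Kaspersky. It assumes the issuer commonName of a substituted certificate equals the root certificate name given above; the host names and certificate dictionaries are constructed.

```python
import socket
import ssl

# Certificate name as given in the guide. That it appears verbatim as the issuer
# commonName of substituted certificates is an assumption of this example.
KES_ROOT_CN = "Kaspersky Endpoint Security Personal Root Certificate"


def issuer_cn(peercert):
    """Issuer commonName from the dict returned by SSLSocket.getpeercert()."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def classify(peercert):
    """'substituted' if the local KES root issued the certificate, else 'original'."""
    cn = issuer_cn(peercert)
    if cn is None:
        return "unknown"
    return "substituted" if cn == KES_ROOT_CN else "original"


def fetch_peercert(host, port=443, timeout=5.0):
    """Live lookup for use on a protected computer (not exercised by the samples)."""
    context = ssl.create_default_context()  # on Windows this loads the system root store
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def audit(expected, observed):
    """Compare the intended state per host with what the client received.

    expected: host -> 'substituted' (traffic should be scanned) or
              'original' (host is meant to be in Trusted domains).
    observed: host -> getpeercert() dict.
    Returns [(host, expected, actual)] for every mismatch, sorted by host.
    """
    findings = []
    for host, want in sorted(expected.items()):
        got = classify(observed[host]) if host in observed else "unknown"
        if got != want:
            findings.append((host, want, got))
    return findings


def sample_cert(subject_cn, issuer_cn_value):
    """Build a getpeercert()-shaped dict (constructed sample, not a capture)."""
    return {"subject": ((("commonName", subject_cn),),),
            "issuer": ((("organizationName", "Constructed Org"),),
                       (("commonName", issuer_cn_value),))}


SAMPLE_EXPECTED = {
    "intranet.example": "substituted",
    "bank.example": "original",       # meant to be listed in Trusted domains
    "files.example": "substituted",
    "pay.example": "original",        # meant to be listed in Trusted domains
}
SAMPLE_OBSERVED = {
    "intranet.example": sample_cert("intranet.example", KES_ROOT_CN),
    "bank.example": sample_cert("bank.example", "Constructed Public CA"),
    "files.example": sample_cert("files.example", "Constructed Public CA"),
    "pay.example": sample_cert("pay.example", KES_ROOT_CN),
}

if __name__ == "__main__":
    for host, want, got in audit(SAMPLE_EXPECTED, SAMPLE_OBSERVED):
        print(f"{host}: expected {want}, observed {got}")
```

A host that was expected to be scanned but still shows its original issuer is being passed through without inspection, so its exclusion status on that computer is worth checking.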

With the default settings, if errors arise when scanning a secure connection, the domain will be automatically added
to the list of Domains with scan errors and its whole traffic will be skipped without scanning. An individual list is
drawn up for each computer; it is stored locally and is not sent to the Kaspersky Security Center. To consult its
contents, in the local KES interface, open Settings | General settings | Network settings | Advanced Settings; then
click the link Domains with scan errors list.

If necessary, you can reset the local lists of Domains with scan errors. For this purpose, in the Kaspersky Endpoint
Security policy, open Application Settings | General Settings | Network settings, under When secure connection
scan errors occur, select Break connection, save the changes, and wait for the policy to be applied to the
computers. Then restore the initial value of the parameter When secure connection scan errors occur: Add
domain to exclusions, and apply the policy again. As a result, the local lists of Domains with scan errors will be
cleaned out.

If something is wrong with the web server’s certificate, for example, it has expired, the web browser will not be able
to inform the user about this, because the session uses the KES certificate, which is valid. Instead, it is KES that
informs the user about connecting to a domain with an untrusted certificate and asks whether to connect to the
domain.

If necessary, the administrator can prohibit connecting to domains with untrusted certificates. For this purpose, set
the option When visiting a domain with an untrusted certificate to Block.

Most websites use secure connections, and we recommend that you do not disable scanning secure connections
entirely. If secure connection scanning hampers a program, configure exclusions.

In the Kaspersky Endpoint Security policy, open Application Settings | General Settings | Network settings.
There are two links for configuring exclusions in the Encrypted connections scan area: Trusted domains and
Trusted applications.

If secure connection scanning hampers opening a website, add the website address to the trust list:

1. Click the link Trusted domains


2. Add the website address to the list. To specify a mask, use “*” and “?” wildcards

The certificate will not be substituted for the listed websites.

If you have a program that conflicts with secure connection scanning, disable encrypted traffic scanning for it:

1. Click the link Trusted applications

2. Add the application executable file to the Applications tab: Specify the full path to the file. You can use
environment variables, such as %SystemRoot%.

3. Select the check box Do not scan network traffic, then select Encrypted traffic only, and clear the other
checkboxes

4. If servers with which a program works have permanent addresses (or a range of addresses) and ports,
specify them in the lower part of the window: It is safer this way

This exclusion applies to the Mail Threat Protection, Web Threat Protection, and Web Control components.

3.2 Mail Threat Protection

What Mail Threat Protection does

The Mail Threat Protection protects from email threats. Messages are intercepted at the protocol level (POP3,
SMTP, IMAP and NNTP), and by embedding into Microsoft Office Outlook (MAPI).

Mail Threat Protection detects and deletes malware using malware signatures, heuristic analysis and Kaspersky
Security Network. Additionally, Mail Threat Protection can block or rename email attachments that match the
specified masks.

Mail Threat Protection changes the subject of infected messages. The action taken is described in the message
subject.

Configuring Mail Threat Protection

Protection scope

Security settings, among other options, determine the Protection scope. Mail Threat Protection can scan either:

— Incoming and outgoing messages


— Incoming messages only

To ensure minimal computer protection, you can scan incoming messages only. The scan of outgoing messages can
prevent inadvertent sending of an archived infected file and save the embarrassment. Additionally, you can select to
scan outgoing messages if you want to block attachments of certain types, for example, music or videos.

By default, incoming and outgoing messages are scanned. You can modify the protection scope only in the MMC
Administration Console.

Connectivity

The Connectivity group of settings more precisely defines the protection scope:

— POP3/SMTP/NNTP/IMAP traffic—enables scanning of mail and news messages transferred over
the specified protocols

— Additional: Microsoft Office Outlook extension—scan objects[2] when they are received, read and sent at
the level of Microsoft Office Outlook client.

Scanning at the protocol level operates independently of the mail clients used. However, messages transferred over
unsupported protocols (for example, through Microsoft Exchange or Lotus Notes servers) will not be scanned.

Conversely, scan at the mail client level works regardless of the way the message was received. However, the list of
supported mail clients is rather limited.

Scanning methods

These settings concern attached compound files.

If archives are attached, they can be unpacked and scanned. This behavior is controlled with the following settings:

— Scan attached archives—this setting allows the administrator to fully disable archive scanning. As a rule,
it is better to leave this check box selected and to scan archives “on the fly” using Mail Threat Protection. It
is much easier not to allow any infected archive to penetrate into the mail database than to remove it from
the database later using a virus scan task

— Scan attached Office formats

You can disable these parameters only in the MMC Administration Console. Do not turn off these
parameters. Malicious files are often spread in attached archives and office documents

— Do not scan archives larger than NN MB—limits the volume of archives or office files to be scanned.
Malware is rarely spread in big files. Enable this limitation to avoid waiting too long when receiving large
compound files

— Do not scan archives for more than NN sec.—this option implements protection against “archive bombs”
whose scanning requires a very long time and a lot of resources, which slows down the computer.

Attachment filter

These settings concern only attached files. You can:

— Disable filtering—let through all kinds of non-malicious attachments

— Rename specified attachment types[3]—used by default; renames attachments of executable types
(.exe, .bat, .cmd, etc.). This is a preventive measure against unknown malware. The user will not be able to
start an attached file without consciously renaming it.

If archive scanning is enabled, Mail Threat Protection will rename archived files with the specified
extensions.

This option can also be used to fight outbreaks of new malware. If names of the attachments used by
the malware are known, they can be added to the list and then renamed so that the users are unable to open
these attachments as regular files. Renaming can reliably prevent infection. At the same time, if a harmless
attachment matches the specified mask, renaming would not cause any serious problems. The user can
consult the administrator and receive instructions on how to rename the file back

[2] Not only mail messages are scanned, but also the objects within Public folders and Calendar: any objects received over MAPI
from the Microsoft Exchange storage.
[3] Renaming is as follows: the last character of the extension is replaced with the underscore character, e.g., file.exe becomes
file.ex_

— Delete specified attachment types is a safe way to prevent infections, which can also be used to prevent
exchange of files of certain types, for example, music or video files

If archive scanning is enabled, Mail Threat Protection will delete files of the specified types from attached
archives

By default, the list of filters contains the masks of frequently used file extensions. In addition to the extensions,
user-defined masks can contain parts of names. “*” and “?” wildcard characters can be used. The added masks will go to
the beginning of the list and will be enabled immediately.

Exclusions for false positives

Exclusions for Mail Threat Protection are configured the same way as for File Threat Protection: in Application
Settings | General Settings | Exclusions | Scan exclusions. For the File or folder, you can specify a name or mask
to exclude all matching files from scanning. The same exclusion must be configured for File Threat Protection, or
else the received attachments will not be saved or opened.

3.3 Web Threat Protection

What Web Threat Protection does

The Web Threat Protection component performs two important functions:

— Analyzes addresses of web pages opened by the user or applications, and blocks access to phishing and
malware-spreading sites

— Scans objects downloaded over HTTP, HTTPS, and FTP protocols, and blocks malicious files.

Four technologies are used for scanning the links:

— Check against the database of malicious web addresses—compare the address of the site to be opened with
the addresses of the websites known for hosting malware, attacking computers, or other harmful activities

— Check against the database of phishing web addresses—is similar to the previous check, but against the
database of sites on which phishing pages have been detected

— Heuristic analysis for detecting phishing links—analysis of the site contents for HTML code characteristic
of phishing

— KSN check—addresses of the opened sites are checked against KSN. Dangerous links are blocked. The
received answer is saved in the local cache and is used for further checks.

Downloaded files are scanned using all the available methods: signature and heuristic analysis, as well as KSN.

Configuring Web Threat Protection

Actions

You can select the action to be taken against all detected dangerous objects:

— Block download,
or
— Inform

You should select the Block download action in the policy and lock it so that the users are not able to download
hazardous objects or visit hazardous websites.

When the user attempts to open a black-listed website or download an infected object, a notification will be
displayed in the browser explaining that the download was blocked by Kaspersky Endpoint Security.

How to make a website trusted

If Web Threat Protection erroneously considers a website to be malicious or phishing, add its address to the trust
list:

1. In Essential Threat Protection, click the link Web Threat Protection


2. Select the check box Do not scan web traffic from trusted web addresses
3. Add the website address to the list. To specify a mask, use “*” and “?” wildcards

The listed sites and the objects downloaded from them will not be scanned by Web Threat Protection.

If Web Threat Protection erroneously considers a file that a user downloads from a website to be malicious, make an
exclusion for the file in Application Settings | General Settings | Exclusions. Apply the exclusion at least to Web
Threat Protection, File Threat Protection and Virus scan.

3.4 How not to intercept the whole traffic of a program

Starting with version eleven, Kaspersky Endpoint Security uses a driver that does not disrupt the connection; it uses
the operating system functions to receive access to all packets.

This interception method usually does not affect network applications[4].

If you have a program that conflicts with the new interception method too, disable traffic interception for it:

1. In Kaspersky Endpoint Security policy, open the Application Settings | General Settings | Exclusions,
and click the link Trusted applications.

2. Add the application executable file to the list of Trusted applications: Specify the full path to the file. You
can use environment variables, such as %SystemRoot%.

3. Select the check box Do not scan network traffic and clear the other check boxes

4. If servers with which a program works have permanent addresses (or a range of addresses) and ports,
specify them in the lower part of the window: It is safer this way

[4] In old versions of Kaspersky Endpoint Security (before 10 Service Pack 2), the driver that intercepts connections for network
protection components acts as a local proxy.
When a program establishes connection to a remote server, Kaspersky Endpoint Security replaces the server address with its own address to receive the
packets, and then establishes another connection to the remote server to send the scanned packets. The answer packets from the server are processed in a
similar manner: First through the connection established by Kaspersky Endpoint Security, and then from Kaspersky Endpoint Security to the program.
Some network programs are incompatible with this interception method.

This exclusion applies to the Mail Threat Protection, Web Threat Protection, and Web Control components.

3.5 Protection for network connections: Summary

The network components Mail Threat Protection and Web Threat Protection consume few resources. On the
contrary, they enable File Threat Protection to scan fewer files, and improve computer performance.

Web Threat Protection is the only component that protects against phishing. It also protects against new threats that
are spread through known malicious websites.

Do not turn off network protection components: it will not improve performance, but will affect protection.

If Web Threat Protection or Mail Threat Protection erroneously deletes files, blocks safe websites or hampers network
programs, configure exclusions:

— Exclusions for websites in the Web Threat Protection settings
— Exclusions for programs in General Settings | Exclusions
— Exclusions for ports in General Settings | Exclusions

Chapter 4. How to configure protection against sophisticated threats

4.1 How Kaspersky Endpoint Security protects against new threats

Criminals continually create new malicious files. Kaspersky Lab is famous for detecting new threats and adding
their signatures to the database very quickly. Checksums of malicious files get to Kaspersky Security Network even
more promptly. However, criminals are still half a step ahead. How does Kaspersky Endpoint Security protect
against new threats and especially against ransomware?

Ransomware that encrypts documents and demands money in return for the key causes immediate and direct harm.

Kaspersky Endpoint Security tries to detect and block malware, including new malware, at all stages of an attack:

| Attack stage | Protection |
|---|---|
| Criminals publish malware on websites. Often these websites have also been used previously | Web Threat Protection uses the database of known malicious websites and websites’ reputation in KSN and prevents the users from opening them |
| Criminals email new malware | Mail Threat Protection renames executable attachments, including archived ones |
| Criminals use software vulnerabilities to run malicious code | Exploit Prevention blocks attempts to infect the machine through known and some unknown application vulnerabilities |
| New malware has different code to get round signature scanning, but behaves similarly to other malware | Behavior Detection monitors what a program does, and detects new malware by behavior |
| Encrypted data are statistically homogeneous, as if produced by a random-number generator. This makes them different from most ordinary files | Behavior Detection uses heuristic and statistical analysis as well as machine learning technologies to detect encryption in files |
| New malware does not have any reputation in KSN | Host Intrusion Prevention does not allow the programs without a reputation to use many of the operating system functions |

New threats are mainly opposed by Behavior Detection, Exploit Prevention, and Host Intrusion Prevention, with the
help of Kaspersky Security Network.
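The statistical point in the table above (encrypted data look like random-number-generator output) can be shown with a small detector. This is an added illustration, not Kaspersky's algorithm: the thresholds, the WriteEvent structure, the process names and the sample data are all assumptions made for the example.

```python
import hashlib
import math
from collections import Counter, defaultdict
from dataclasses import dataclass


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Distance of the byte histogram from uniform (about 255 for random data)."""
    if not data:
        return 0.0
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def looks_encrypted(data: bytes, min_len: int = 4096) -> bool:
    """Heuristic only: compressed formats (zip, docx, jpg) can also score high."""
    if len(data) < min_len:
        return False  # too little data for stable statistics
    # Assumed thresholds, chosen for this example.
    return shannon_entropy(data) >= 7.9 and chi_square(data) <= 400.0


@dataclass
class WriteEvent:
    """One file overwrite as a monitor might log it (hypothetical structure)."""
    process: str
    path: str
    before: bytes
    after: bytes


def flag_encrypting_processes(events, threshold: int = 3) -> dict:
    """Return processes that turned >= threshold ordinary files into random-looking data."""
    hits = defaultdict(set)
    for ev in events:
        # Count only a transition: ordinary content before, random-looking after.
        if not looks_encrypted(ev.before) and looks_encrypted(ev.after):
            hits[ev.process].add(ev.path)
    return {p: sorted(paths) for p, paths in hits.items() if len(paths) >= threshold}


def sample_text(i: int, size: int = 8192) -> bytes:
    """Constructed plain-text document."""
    line = f"Quarterly report {i}: revenue, costs and forecast for region {i}.\n"
    return (line * (size // len(line) + 1)).encode()[:size]


def keystream(seed: int, size: int = 8192) -> bytes:
    """Constructed stand-in for ciphertext: a SHA-256 counter stream."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:size])


def build_events() -> list:
    """Constructed log: one process rewrites files as noise, another appends text."""
    events = []
    for i in range(4):
        doc = sample_text(i)
        events.append(WriteEvent("unknown.exe", f"C:\\Users\\alice\\report{i}.txt",
                                 doc, keystream(i)))
        events.append(WriteEvent("editor.exe", f"C:\\Users\\alice\\note{i}.txt",
                                 doc, doc + b"One more paragraph.\n"))
    return events


if __name__ == "__main__":
    print(flag_encrypting_processes(build_events()))
```

A legitimate archiver would trip the same check, which is why a statistic like this is only useful together with behavior patterns and reputation, as the table describes.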

4.2 Detection technologies used in Kaspersky Endpoint Security

Kaspersky Endpoint Security components can be broken down into three groups: Components that provide static
protection, components that provide dynamic protection, and additional components.

The File / Web / Mail Threat Protection components provide static protection for a device: Scan objects before they
run, block start and download of dangerous objects.

The Behavior Detection, Exploit Prevention, and Rollback components provide dynamic protection: Monitor
objects’ actions, analyze, detect, and block dangerous behavior.

The third group includes Host Intrusion Prevention, Firewall, and Network Attack Blocker: Their task is to decrease
the attack surface on the protected devices by limiting untrusted programs’ start and network access. This helps to
partly take a load off dynamic and static protection.

Kaspersky Endpoint Security components scan objects using the antivirus engine, information from KSN, and
various technologies. Some of the detection technologies are implemented on the client side, that is, in the engine
(signature analysis, heuristic analysis, behavior analysis); others are implemented on the Kaspersky Lab side (expert
analysis, machine learning, reputation service). KES receives only the results: signature updates, program reputations,
dangerous activity patterns, machine learning models, etc.

A detection event displays the name of the component and technology that pinpointed the threat.

In the local Kaspersky Endpoint Security interface, detection technologies display the source from which they
received information about the threat:

— Automatic analysis—data about the threat were received from the automatic object analysis system.
Object analysis is automated at Kaspersky Lab. The automatic object analysis system processes all objects
that KL receives, returns verdicts and generates signatures. If the system cannot process an object, it sends
it to virus analysts
— Expert analysis—data about the threat were added by virus analysts of Kaspersky Lab. Virus analysts are
experts who develop not only threat signatures, but also dangerous activity patterns, machine learning
models, etc.
— Behavior analysis—data about the threat were received upon analyzing the object’s behavior
— Cloud analysis—data about the threat were received from the Astraea technology, a part of KSN. Astraea
is a big data processing system; it receives data from all sources of KSN requests, analyzes them, ranks their
validity, and evaluates the threat
— Machine learning—data about the threat were received from a machine learning model. A machine
learning model is developed at Kaspersky Lab. Then the model learns on a large array of data received
from KSN and the Astraea system. Then KES uses the model along with other technologies when hunting
for threats.
Since the threat landscape changes continually, the model is regularly improved and learns incrementally
on the Kaspersky Lab side. Updates to the machine learning model are supplied to KES periodically the
same way as threat signatures

4.3 What Advanced Threat Protection does

The components and technologies that help to counter new malware not yet added to the signature databases or
minimize their impact are called proactive defense.

Heuristic analysis, which we have already studied, is an example of a proactive defense technology. However, the main
role in this protection aspect belongs to Behavior Detection, Exploit Prevention, Remediation Engine, Host Intrusion
Prevention, and to some extent to the Control components and Firewall.

How Behavior Detection protects against new threats



Behavior Detection performs several functions:

— Logs application activity for comparison with the behavior signatures database
— Detects malware and blocks their actions
— Protects shared folders against external encryption

Malware detection is the main task. For this purpose, Behavior Detection monitors program actions and compares
them with dangerous activity patterns. The application activity log includes file access operations, established
network connections, and system function calls.

The database of patterns is updatable, but updates are rarely issued for it. The efficiency of Behavior Detection
hardly depends on how regularly the databases are updated.

Settings

Behavior Detection settings are few: in substance, you can only enable or disable the entire component, or
protection of shared folders against external encryption.

Actions

If Behavior Detection detects malicious behavior, it stops the program, deletes its executable file, and moves it into
the Backup repository.

Other possible actions:

— Inform—do nothing, only log the detection of malicious activity

— Terminate the program—stop the malware and unload it from the memory

— Delete file—stop the program, delete the malicious file, and place its copy into the Quarantine repository

If Protection of shared folders against external encryption detects an attempt to encrypt files in a shared folder over
the network, it blocks the write and delete operations for this session for 60 minutes. Then it tries to restore non-
encrypted file versions from a backup copy using the Remediation Engine component.

Do not disable Behavior Detection. It protects against threats that other components may fail to counter.

To prevent false positives or improve performance, create exclusions.

How Exploit Prevention protects against new threats

Exploit Prevention protects against various attacks (exploits) whose aim is to obtain administrative permissions in
the system or conceal code execution.

Exploits typically use buffer overflow attacks. Incorrect parameters are passed to a vulnerable program or service,
which processes them and therefore executes some parameters as code. Specifically, such attacks against system
services running under the local system account enable criminals to obtain administrative permissions on the
computer.

Typically, malware tries to start itself under the administrator account as a result of such an attack. When this option
is enabled, start operations are monitored, and if a vulnerable program starts another program without the
user’s explicit command, the start is blocked.

How Remediation Engine protects against new threats

Remediation Engine rolls back actions taken by the programs deleted by File Threat Protection, Virus Scan tasks,
and Behavior Detection.

Actions to be rolled back are any changes made to the file system (creating, relocating, renaming files) or registry
keys (the records created by the malware are deleted). Also, a backup copy of some files and keys is created at the
time of the system start, which allows rolling back to this version if malware changes these files and keys. These
special objects include hosts and boot.ini files and registry keys responsible for starting programs and services
during the system start.

This option also restores files encrypted by ransomware, which encrypts files on drives and in shared folders, and
then demands a ransom.

Remediation Engine uses the application activity log written by the Behavior Detection component.

How Host Intrusion Prevention stops new threats

The main purpose of the Host Intrusion Prevention is to regulate the activities of the running programs, namely,
access to the file system and registry as well as interaction with other programs.

How Host Intrusion Prevention calculates a program’s reputation

Host Intrusion Prevention categorizes applications into trust groups, for which limitations are specified. Every
program receives one of the four trust levels:

— Trusted
— Low Restricted
— High Restricted
— Untrusted

Kaspersky Endpoint Security assigns a trust group to a program when it starts for the first time. The main
categorization tool is Kaspersky Security Network. If it is inaccessible or KSN lacks information about the program,
the assigned category depends on the policy settings:

— If a trust group cannot be defined, automatically move applications to—this setting permits the
administrator to select which category to assign to the programs that do not yet have a reputation.
The administrator can select High Restricted, Low Restricted, or Untrusted

— Trust applications that have a digital signature—if this parameter is enabled, the programs signed by
trusted certificates will be automatically placed in the Trusted group

Trusted certificates are certificates that Kaspersky Security Network trusts.

The defined trust group is saved and used at each start of the program. The saved data may be revised or deleted
depending on the following settings:

— Update rights for previously unknown applications from KSN database—the program’s trust group will be
changed automatically if it appears in KSN

— Delete rights for applications that are not started for more than N days—allows wiping out the trust
group information for the programs that have not been started for a long time. The lifetime is adjustable

— Applications launched before Kaspersky Endpoint Security for Windows are automatically moved to
the trust group—permits configuring the trust group for programs that start earlier than Kaspersky
Endpoint Security [5]

How Host Intrusion Prevention limits applications

Host Intrusion Prevention limits interaction with other programs and operating system services depending on the
trust group. Generally, the default restrictions for trust categories are as follows:

| Trust group | Default restrictions |
|---|---|
| Trusted | No limits |
| Low Restricted | Almost everything is allowed, except for building into operating system modules and accessing recorders (web cams and microphones) |
| High Restricted | Interaction with operating system modules and other programs is prohibited. A program is allowed to work only with its own segment of the system memory |
| Untrusted | The program is prohibited even from starting |

Host Intrusion Prevention helps limit access to files, folders and registry keys on the hard drives. Host Intrusion
Prevention has a list of protected resources. They are grouped into two categories:

— Operating system
— Personal data

Each category has its subcategories and resource descriptions: Paths to folders, file masks, registry key masks.
Initially, the list of protected resources contains groups of most important files and registry keys. For example, the
Operating system category has a subcategory Startup settings, which lists all registry keys related to startup.

Rights to access groups of resources are defined for operations: Read, Write, Remove and Create.

By default, Host Intrusion Prevention protects resources as follows:

| Trust group | Operating system | Personal data |
|---|---|---|
| Trusted | Full access | Full access |
| Low Restricted | Full access to everything except critical operating system files. For critical operating system files, Read only | Full access |
| High Restricted | Read only | Full access |
| Untrusted | No access | No access |

Program limitations automatically apply to its child processes. If a program with limitations starts a trusted program,
this trusted program will also be restricted. If a trusted application is started by the user or another trusted program,
there will be no limits.

How to configure Host Intrusion Prevention

The administrator can modify limitations for any trust group and even for any individual program.

[5] Drivers of the Firewall and Intrusion Prevention start before any other software, while the Kaspersky Endpoint Security module
responsible for the reputation of executable files starts later. To protect the computer while the reputation module is not running,
drivers apply the limitations of the specified trust group to all programs.

Do not change the Host Intrusion Prevention settings unless you know precisely what you are doing

To find the trust groups and their limitations:

1. Open the Advanced Threat Protection | Host Intrusion Prevention section in the Kaspersky Endpoint
Security policy
2. Click the link Application rights and protected resources
3. Switch to the Application rights tab
4. Select the trust group in the left pane
5. At the top of the right pane, in the drop-down list, select Rights

The administrator can limit or extend rights for a program having the selected reputation here. For example, you can
allow low restricted programs to access the web cam.

To view protected resources:

1. Open the Advanced Threat Protection | Host Intrusion Prevention section in the Kaspersky Endpoint
Security policy
2. Click the link Application rights and protected resources

To protect other files or registry keys, add them to the list. Keep your resources in an individual category.

To add your own protected resources:

1. Click the Add button to create your categories and resource descriptions
2. Configure access rights for the resource in the table on the right

To be informed when Host Intrusion Prevention blocks an operation, enable logging. For this purpose, right-click an
action in the table and select Log events. You can also log allow events of Host Intrusion Prevention [6] to understand
which programs work with a resource.

Note: The limitations configured for a program are inherited by all its child processes, even if their executable files
are included in the Trusted group. Thus, the programs with lower trust level may not evade the prohibitions by
using the privileges of programs having higher trust levels.

How to configure Host Intrusion Prevention to stop ransomware

With the default settings, Host Intrusion Prevention protects the operating system and other software on the
computer against programs that have a bad reputation.

The administrator can also easily protect users’ files against unknown programs. This way, they will be protected
against ransomware that encrypts documents.

The idea is simple. Ransomware:

— Either already has bad reputation in KSN, and Kaspersky Endpoint Security will not permit starting it

— Or does not have any reputation in KSN and Host Intrusion Prevention will make it Low Restricted (by
default) or High Restricted, depending on the administrator’s choice

Programs designed for working with documents, such as Microsoft Office, are well-known and have a Trusted
reputation.

Therefore, to protect documents, prohibit restricted programs from editing them. For this purpose:

1. In the Kaspersky Endpoint Security policy, open Advanced Threat Protection | Host Intrusion
Prevention and click the link Application rights and protected resources

2. Add documents to the list of protected resources in Host Intrusion Prevention: In the list on the left, select
the category Personal data | User files and add a new category named Documents

3. Include in the category document extensions, such as *.doc, *.docx, *.pdf, etc. For this purpose, add File or
folder to the category and specify the extension in the Path field. Repeat for all extensions

4. Prohibit restricted applications from editing documents. For this purpose, select the category in the list on
the left and change the rights in the table on the right: Prohibit High Restricted and Low Restricted
applications from Writing and Deleting
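The effect of this procedure, together with the default rights table and the child-process inheritance rule described earlier, can be modelled in a few lines. This is an added sketch, not Kaspersky's implementation: the process names, path masks and the rule that the most restrictive matching category wins are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from fnmatch import fnmatchcase
from typing import Optional


class Trust(IntEnum):
    """Trust groups from the page, ordered from least to most restricted."""
    TRUSTED = 0
    LOW_RESTRICTED = 1
    HIGH_RESTRICTED = 2
    UNTRUSTED = 3


T, LOW, HIGH, UNT = Trust.TRUSTED, Trust.LOW_RESTRICTED, Trust.HIGH_RESTRICTED, Trust.UNTRUSTED
FULL = frozenset({"read", "write", "delete", "create"})
READ_ONLY = frozenset({"read"})
NO_ACCESS = frozenset()
NO_EDIT = frozenset({"read", "create"})  # Writing and Deleting prohibited

# Default rights per resource category, following the table on the page.
DEFAULT_RIGHTS = {
    "os":          {T: FULL, LOW: FULL,      HIGH: READ_ONLY, UNT: NO_ACCESS},
    "os_critical": {T: FULL, LOW: READ_ONLY, HIGH: READ_ONLY, UNT: NO_ACCESS},
    "personal":    {T: FULL, LOW: FULL,      HIGH: FULL,      UNT: NO_ACCESS},
}
# Hardened policy: the Documents category added in steps 2-4.
HARDENED_RIGHTS = {**DEFAULT_RIGHTS,
                   "documents": {T: FULL, LOW: NO_EDIT, HIGH: NO_EDIT, UNT: NO_ACCESS}}

# (mask, category) pairs. Masks are constructed placeholders, matched in lower case.
DEFAULT_RESOURCES = [
    ("c:\\windows\\system32\\*", "os_critical"),
    ("c:\\windows\\*", "os"),
    ("c:\\users\\*", "personal"),
]
HARDENED_RESOURCES = DEFAULT_RESOURCES + [
    ("*.doc", "documents"), ("*.docx", "documents"), ("*.pdf", "documents"),
]


@dataclass
class Process:
    name: str
    own_trust: Trust
    parent: Optional["Process"] = None

    @property
    def effective_trust(self) -> Trust:
        """Limitations are inherited: a child is at least as restricted as its parent."""
        if self.parent is None:
            return self.own_trust
        return max(self.own_trust, self.parent.effective_trust)


def allowed_ops(proc: Process, path: str, resources, rights) -> frozenset:
    trust = proc.effective_trust
    if trust is Trust.UNTRUSTED:
        return NO_ACCESS  # untrusted programs are not even allowed to start
    ops = FULL  # paths outside the protected list are not limited in this model
    for mask, category in resources:
        if fnmatchcase(path.lower(), mask):
            ops &= rights[category][trust]  # assumption: most restrictive match wins
    return ops


def is_allowed(proc: Process, path: str, op: str, resources, rights) -> bool:
    return op in allowed_ops(proc, path, resources, rights)


def scenario() -> dict:
    """Who may overwrite a document under the default and the hardened policy."""
    explorer = Process("explorer.exe", T)
    winword = Process("winword.exe", T, parent=explorer)
    unknown = Process("unknown.exe", LOW, parent=explorer)  # no reputation in KSN
    cmd = Process("cmd.exe", T, parent=unknown)             # trusted tool, restricted parent
    doc = "C:\\Users\\alice\\Documents\\report.docx"
    policies = (("default", DEFAULT_RESOURCES, DEFAULT_RIGHTS),
                ("hardened", HARDENED_RESOURCES, HARDENED_RIGHTS))
    return {(label, p.name): is_allowed(p, doc, "write", res, rights)
            for label, res, rights in policies
            for p in (winword, unknown, cmd)}


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, "write allowed" if value else "write blocked")
```

With the default policy all three processes can overwrite the document; with the Documents category only the trusted editor can, and the trusted cmd.exe started by the restricted program is blocked too.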

[6] Be careful not to create an overwhelming stream of events from computers to the Administration Server. If you need to analyze
access allow events, save them only into the local log of Kaspersky Endpoint Security rather than sending to the Administration Server.

How AMSI Protection Provider stops new threats

Antimalware Scan Interface (AMSI) is an open API developed by Microsoft that permits antivirus and other security
solutions to synchronously scan macros and other scripts and block execution of malicious code within applications.

The AMSI Protection Provider component permits Kaspersky Endpoint Security to interact better with AMSI and
thus improve detection of various attack types, for example, fileless attacks.

Fileless attacks are based on the following idea: Why develop malware if you can use existing legitimate tools to
achieve your aim? (For example, PowerShell, JavaScript, VBScript etc.) The criminals’ aim when organizing a
fileless attack is to intercept management of a process, run their code in its memory, and use this code to start other
tools available on the device. (For example, PowerShell.exe, or wmic.exe.)

Such an attack is difficult to detect, because criminals do not need to save their applications that may be recognized
as malicious on the device. Additionally, various masquerade techniques are often used. For example, code
obfuscation, which complicates code analysis, and evasion techniques, which permit transferring the necessary
information to the computer.

How interaction is organized

Let us explain the operation of AMSI Protection Provider through the example of an attack that is becoming
increasingly widespread nowadays: running the PowerShell interpreter from a macro in a document and executing a
malicious script in PowerShell.

When an application opens a document, before running the script, it transfers it to AMSI for scanning and waits for
the verdict. AMSI logs the script’s actions and sends its commands via AMSI Protection Provider to the
antivirus provider: Kaspersky Endpoint Security. This permits the antivirus provider to access the commands that the
script has compiled on the fly in the memory. Kaspersky Endpoint Security scans commands generated by the script
and returns a verdict. Depending on the received verdict, AMSI instructs the application whether to run the script.
This scheme is implemented for Microsoft applications, and can also be implemented for any application that
supports AMSI.

In addition to scripts, applications can transfer distribution plugins (prior to installation) and archives for scanning.

4.4 How to exclude a program from monitoring

What to do if KES hampers a program

Almost any heuristic analysis returns false positives. To reduce them, exclude known clean programs from analysis:

— Programs that are considered to be trusted in Kaspersky Security Network


— Programs signed with trusted certificates

To avoid blocking programs that are considered to be trusted in KSN, simply use KSN. To trust signed programs,
use the following Host Intrusion Prevention setting: Application processing rules | Trust applications that have a
digital signature.

Kaspersky Endpoint Security trusts only those digital signatures that are based on trusted certificates rather than
all of them. Trusted certificates are those issued by trusted certification centers.

Kaspersky Endpoint Security uses its own database of certificates and does not always trust certificates in the local
store Trusted Root Certification Authorities. If a certificate has been compromised, Kaspersky Endpoint Security
learns about this from Kaspersky Security Network, and will not trust files signed with this certificate.

Kaspersky Endpoint Security does not trust self-signed certificates either. To trust tailor-made software with a self-
signed certificate, add the certificate to the trusted zone of Kaspersky Endpoint Security as described in “Exclusion
by certificate”, in section 2.6.

If a program does not have a digital signature, you can manually add it to the Trusted group in the Host Intrusion
Prevention policy. Alternatively, you can completely exclude a program from scanning by Behavior Detection and
Host Intrusion Prevention. How to do it will be explained later.

How to modify a program’s trust category

Most widespread commercial programs have a Trusted reputation. However, some open-source programs
have a Low Restricted reputation. Home-grown software may not have any reputation in KSN, and may receive a Low
Restricted reputation (or High Restricted, depending on the policy settings).

If the reputation hampers working with a program, change its reputation in the Kaspersky Endpoint Security policy:

1. Open the Advanced Threat Protection | Host Intrusion Prevention section in the Kaspersky Endpoint
Security policy
2. Click the link Application rights and protected resources
3. Switch to the Application rights tab
4. Click Add above the list of application categories
5. Select the group to which you want to move the file: Trusted, Low Restricted, etc., and click Next
6. Click Filtering, and filter the list of applications by executable file name.
7. Select the executable file in the filtering results and click OK

If the administrator has selected a reputation for a file in the policy, Host Intrusion Prevention will use this
reputation on the computers instead of the KSN reputation. Reputation from KSN is used only for files that are not
explicitly specified in the policy, that is, for most files, because by default the policy has only reputation groups,
and no files.

If the administrator has added a file to a reputation group in the policy, he or she can reconfigure its restrictions as
desired. For example, the administrator can add a program to the Trusted group, but then open its rights and prohibit
it from accessing the web cam.

What to do if the list of known programs is empty in the policy

If you use policies with the default settings, the list of executable files is likely to be empty in the policy.

Kaspersky Endpoint Security intercepts all executable files on the computers, and Host Intrusion Prevention assigns
a reputation to all of them. However, this data is not sent to the Administration Server by default. And the policy
shows only those executable files about which Kaspersky Endpoint Security has informed the Administration
Server.

To make Kaspersky Endpoint Security send lists of executable files to the server, create and run an Inventory task,
or enable the Application Control component and run the necessary application.

The lists of computer executable files are rather large. If all managed computers send them to the server, it will
increase the load on the network considerably. Usually, this is not necessary. Do not run the Inventory task on all
computers. Do not enable Application Control for the computers where you are not planning to use it to regulate
applications’ start. To receive only the files that you need, create an Inventory task for specific computers.

How to get the list of applications from a computer

We recommend that you do not collect lists of files from all computers. Administrators often have test computers
where all typical programs are installed. If you have such computers, gather lists of executable files from them. To
fill the local list of known programs on a test computer, do not start all the programs manually; use the Inventory
task instead.

The Inventory task scans files in the specified folders, finds the executable files, adds them to the local list of known
executable files, and activates data transfer to the Administration Server. To have scanning results sent to the server,
select the check box Inform Administration Server about started applications in the Kaspersky Endpoint
Security policy.

To create an inventory task, run the task creation wizard on the Devices | Tasks tab. Select the Inventory task type
under Kaspersky Endpoint Security 11 for Windows. If it is a task for a test computer, after creating the task, open its
properties and include All hard drives in the scope. Assign the task to individual test computers.

How to make a program trusted for Behavior Detection and Intrusion Prevention

If the limitations set by the Host Intrusion Prevention still block a necessary program, you can configure
the corresponding exclusion. There are two types of exclusions in Host Intrusion Prevention:

— Exclusions for resources—allow any program to perform any operation with the specified group of
resources (is not available in the web console)

— Exclusions for programs—allow the specified programs to perform any operation

Exclusions for resources are configured in the properties of Host Intrusion Prevention, on the Protected resources
tab. You can configure exclusions for folders, files and registry keys.

Exclusions for programs are configured in the Trusted applications, and provide several additional capabilities:

— Do not monitor application activity—disable all restrictions for the specified program

— Do not inherit restrictions of the parent process (application)—disable the limitations inherited from
the process that started the program and the parent processes of higher levels

— Do not monitor child application activity—disable the restrictions for the processes started by
the program for which the exclusion is created

These exclusions apply to Behavior Detection and Host Intrusion Prevention.



4.5 Protection against new and sophisticated threats: Summary

Almost all Kaspersky Endpoint Security components help protect against new threats, but primarily Behavior
Detection and Host Intrusion Prevention. Both components monitor the operations performed by the programs.

Host Intrusion Prevention calculates the reputation of executable files and limits actions of programs that have bad
or unknown reputations. Program reputation is supplied by Kaspersky Security Network, or the administrator
specifies it in the policy settings.

Behavior Detection monitors what programs do in general rather than their individual actions. For this purpose, it
logs everything that programs do and then checks whether sequences of actions resemble malicious activities.
Remediation Engine uses the log of actions to roll back malicious activities.

Behavior Detection has special heuristics that permit detecting ransomware (malware that encrypts documents and
demands a ransom). In many cases, Behavior Detection can recover encrypted documents with the help of
Remediation Engine.

To better protect against ransomware, configure Host Intrusion Prevention to block access to documents for
programs that have a bad reputation.

Do not disable Behavior Detection and Host Intrusion Prevention. These components implement state-of-the-art
technologies that protect against most sophisticated threats

Chapter 5. How to control network connections

5.1 How Firewall protects against threats

From the security point of view, the Firewall performs two functions:

— Block unauthorized network connections to the computer, thus decreasing the infection probability

— Block unauthorized network activity of the programs on the client computer. This decreases the risk of
an outbreak, and also limits actions of the users that consciously or unconsciously violate the security
policy

The Firewall is tightly integrated with Host Intrusion Prevention. Host Intrusion Prevention does not limit programs’
access to the settings of the operating system, other programs and user files. Firewall checks the program reputation
and limits its access to the network. This way, the Firewall prevents already running malware from causing harm:
for example, sending the user’s passwords to criminals.

The Network Threat Protection component complements the Firewall and analyzes packets. While Firewall uses
relatively simple rules to block packets and connections, Network Threat Protection checks sequences of packets for
signs of a network attack, for example, buffer overflow attack via known vulnerabilities, and blocks connections
through which an attack is performed.

5.2 How Firewall works in KES


Firewall controls connections at the network and transport level using packet rules. It analyzes inbound and
outbound packets, compares them with the rules and takes one of the two actions:

— Allow
— Block

How Firewall analyzes packets and connections

The simplest part of Kaspersky Endpoint Security Firewall is the list of packet network rules. To view it, open the
Firewall section in the Kaspersky Endpoint Security policy and in the Firewall rules area, click the second Settings
button.

A packet rule consists of the following attributes:

Action: Allow, Block or According to the application rule
    According to the application rule means that Firewall will look for an appropriate rule in the
    settings of the program to which the packet pertains, and if this program has no settings, in the
    settings of the reputation group to which the program belongs

Protocol: TCP, UDP, ICMP, ICMPv6, IGMP, GRE

Direction:
    Inbound (packet)—applies to all inbound packets
    Inbound—applies to all packets within inbound connections
    Inbound/outbound—applies to all packets
    Outbound (packet)—applies to all outbound packets
    Outbound—applies to all packets within outbound connections
    The TCP protocol establishes connections; use the directions Inbound, Outbound and
    Inbound/Outbound together with the TCP protocol
    Other protocols do not establish connections; they send packets. Use Inbound (packet),
    Outbound (packet) and Inbound/Outbound with them

Remote ports: Ports on a remote computer
    Can be specified for TCP and UDP protocols
    To specify several ports, separate them by comma, for example: 25, 110
    To specify a range, use a hyphen: 0-1024

Local ports: Ports on the local computer
    Can be specified for TCP and UDP protocols

ICMP type: Echo, Echo Reply, Time Exceeded, Destination Unreachable, etc.
    Can be selected for ICMP and ICMPv6 protocols

ICMP code: Code for some ICMP types. You can select code 0, 1 or 2
    For example, for a Destination Unreachable ICMP packet, code 0 means Net Unreachable,
    code 1—Host Unreachable, code 2—Protocol Unreachable [7]

Network adapters: Permits specifying the network adapter by Interface type, IP address and MAC address
    Types of interfaces: Loopback, Wired network (Ethernet), Wi-Fi network, Tunnel, PPP
    connection, PPPoE connection, VPN connection, Modem connection

TTL: Packet lifetime

Remote addresses: Addresses of remote computers, which can be specified directly or indirectly
    To specify addresses directly, select Addresses from the list and fill the list of IP addresses
    To specify addresses indirectly, select Any address or Subnet addresses. Subnet addresses
    are: Trusted networks, Local networks or Public networks

Local addresses: Addresses of a local computer (a computer can have many addresses)
    You can select either Any address, or Addresses from the list, and fill the list

Both IPv4 and IPv6 can be specified for IP addresses

The Firewall compares packet attributes with rule attributes, and if everything coincides (protocol, ports, direction,
network adapter, local address, remote address), applies the action specified in the rule.

Rule application will be registered in the Firewall log if the Log events check box is selected.

The Firewall looks for the first matching rule (from the top down) and applies it. To rearrange the rules, select a rule
and move it using the Up and Down buttons.

A default policy contains a list of packet rules that provides reasonable security for computers both on and off
the corporate network. The standard settings are described in detail at the end of this chapter.

Standard packet rules are not hard-coded. The administrator can edit and delete them, or add custom rules. For
convenience, the protocol, ports and direction can be specified by templates (for example, Any network activity,
Browsing web pages, Remote Desktop network activity, etc.). To select a template, click the button to the right of the
Name field in the rule settings.

How Firewall decides which networks are local

Addresses of remote computers may be specified indirectly in the rules, as Subnet addresses: Trusted networks,
Local networks or Public networks. How does the Firewall decide which addresses belong to which networks?

Network statuses are specified by the administrator in the Kaspersky Endpoint Security policy. If the policy does not
describe a network status, the Firewall defines it itself on the client computer.

To add a network to the policy and select a status for it:

1. Click the Networks link in Application Settings | Essential Threat Protection | Firewall
2. Click the Add button above the list
3. Type a name for the subnet and select its type
4. Specify subnet address in the following format: <IP address>/<netmask length in bits>, for example
192.168.0.0/24 or 1234::cdef/96 for IPv6 networks

[7] For ICMP message types and code values, consult protocol documentation

On the computer, the Firewall adds the networks configured for the computer's network adapters to the networks
specified in the policy. If an adapter’s network coincides with or belongs to a network from the policy, it receives
the status specified in the policy.

If the adapter’s network does not belong to any of the networks described in the policy, the Firewall assigns it a
status based on its status in the operating system. If it is a domain, work or home network, the Firewall assigns it the
Local status. If the network is public in the operating system, it will also be public for Kaspersky Endpoint Security
Firewall.

All other addresses are considered to be addresses of public networks.

For example, the policy might contain a single network entry for 172.16.0.0/16 with the Local network status. And
a managed computer might have two interfaces configured to use networks 172.16.55.0/24 and 192.168.5.0/24
respectively. Let’s say Kaspersky Endpoint Security automatically assigned the Public status to both these
networks. Now when the local networks are combined with the policy, the status of 172.16.55.0/24 network
effectively becomes Local network, because there is an entry in the policy for network 172.16.0.0/16 that includes
172.16.55.0/24. On the other hand, the 192.168.5.0/24 network retains its Public status because there is no matching
entry in the policy.

In the default policy settings, there are three network entries, all of which have the Local network status:

— 10.0.0.0/8
— 172.16.0.0/12
— 192.168.0.0/16

These are reasonable choices for the computers that are inside the perimeter; however, they should be reconsidered
for computers outside the perimeter, e.g., the computers connected via VPN or laptop computers on a business trip.
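
The status resolution described above can be modelled in a few lines. This is an added example, not Kaspersky code: the function names, the OS category labels and the most-specific-entry tie-break are assumptions, and the sample networks are the ones from the text plus a constructed hotel network.

```python
import ipaddress

# OS network category -> Firewall status, used only when no policy entry matches.
OS_CATEGORY_STATUS = {"domain": "Local", "work": "Local", "home": "Local", "public": "Public"}

# The three entries of the default policy, all with the Local network status.
DEFAULT_POLICY = {"10.0.0.0/8": "Local", "172.16.0.0/12": "Local", "192.168.0.0/16": "Local"}


def parse_net(text):
    # strict=False accepts the policy notation with host bits set, e.g. 1234::cdef/96
    return ipaddress.ip_network(text, strict=False)


def covering_entries(net, policy):
    """Policy entries that equal or contain `net`, most specific first."""
    hits = []
    for text, status in policy.items():
        entry = parse_net(text)
        if entry.version == net.version and net.subnet_of(entry):
            hits.append((entry, status))
    return sorted(hits, key=lambda h: h[0].prefixlen, reverse=True)


def adapter_status(adapter_net, os_category, policy):
    """Status of a network configured on an adapter.

    A policy entry that coincides with or contains the adapter network wins;
    otherwise the status comes from the operating system category.
    """
    hits = covering_entries(parse_net(adapter_net), policy)
    if hits:
        # Assumption: with several covering entries the most specific one is used.
        return hits[0][1]
    return OS_CATEGORY_STATUS[os_category]


def effective_networks(adapters, policy):
    """Policy networks plus adapter networks, each with its resulting status."""
    table = [(parse_net(text), status) for text, status in policy.items()]
    table += [(parse_net(net), adapter_status(net, cat, policy)) for net, cat in adapters]
    return table


def remote_address_status(address, adapters, policy):
    """Status used when a rule refers to Trusted, Local or Public networks."""
    ip = ipaddress.ip_address(address)
    hits = [(net, status) for net, status in effective_networks(adapters, policy)
            if net.version == ip.version and ip in net]
    if not hits:
        return "Public"  # all other addresses are considered public
    return max(hits, key=lambda h: h[0].prefixlen)[1]


if __name__ == "__main__":
    # The example from the text: one policy entry, two adapters the OS treats as public.
    policy = {"172.16.0.0/16": "Local"}
    adapters = [("172.16.55.0/24", "public"), ("192.168.5.0/24", "public")]
    for net, cat in adapters:
        print(net, "->", adapter_status(net, cat, policy))

    # Constructed case: a laptop on a hotel network, evaluated with the default entries.
    print("hotel:", adapter_status("192.168.1.0/24", "public", DEFAULT_POLICY))
```

With the default entries, a hotel network inside 192.168.0.0/16 resolves to Local even though the operating system marks it public.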

How Firewall restricts programs

If the Firewall does not find a matching rule for a packet, or finds it, but the action specified in the rule is According
to the application rule, it starts looking for the packet rule configured for this application. And if the application has
no settings in the policy, it checks the program’s reputation and looks for a matching packet rule in the reputation
settings.

The Firewall uses the same reputations as Host Intrusion Prevention. The settings that Host Intrusion Prevention
uses to select a reputation are also applied to the Firewall. If Host Intrusion Prevention is not installed, Firewall
defines the reputation itself using the Host Intrusion Prevention settings. A program cannot be Trusted for Host
Intrusion Prevention and at the same time High Restricted for the Firewall. Each program has only one reputation.

To consult packet rules for applications and reputations:

1. In the Related Host Intrusion Prevention settings area, click the Network rules link
2. In the left pane Applications, select a program or reputation
3. At the top of the right pane, in the drop-down list, select Network rules

There are no applications in a policy by default; there are only reputations and settings for reputations. The
administrator can add programs to a reputation and then add any packet rules to
the program properties. Applications can be added in the same manner as in Host Intrusion Prevention.

Each program and reputation in the list of rules has three rules that are always located at the bottom of the list:

— Any network activity in Trusted networks
— Any network activity in Local networks
— Any network activity in Public networks

For the Trusted and Low Restricted reputations, all three rules use the Allow action by default, and for the High
Restricted and Untrusted reputations, the Block action. Standard rules cannot be deleted or modified, except for
the Action attribute, which can be changed by the administrator.

By default, if only reputations are configured in the policy, reputations have only these three rules. These rules
intercept any network activity, because any address belongs to either a trusted, or a local, or a public network. That
is why there is always a rule for any packet: A packet belongs to a process, the process has a reputation, and the
reputation has at least one rule for any remote address according to the network type.

The administrator can add custom rules to the list of reputation or application rules. These rules have only the
following attributes:

Action: Allow or Block
Protocol: TCP, UDP, ICMP and ICMPv6
Direction: Inbound, Outbound or Inbound/Outbound
Remote ports: for TCP and UDP
Local ports: for TCP and UDP
ICMP type: for ICMP and ICMPv6
ICMP code: for ICMP and ICMPv6
Remote addresses
Local addresses: for TCP and UDP

5.3 What Firewall does under default settings

Default network packet rules

A standard policy does not contain rules for applications (except for the standard ones specified for the reputations).
That is why the ultimate network status and application reputations are defined locally in the Firewall.

Packet rules are inherited from the policy, and accordingly, packets are filtered as follows:

1. The first three rules regulate the capability to send DNS requests (over TCP and UDP protocols, external
port 53) and email (over TCP protocol, external ports 25, 465, 143, and 993). The According to the
application rule action is selected in these rules, that is, programs from the Trusted and Low Restricted
groups will be able to send DNS requests and email, while the others will not

2. Rule number 4 allows any network activity within trusted networks to all programs. So, in trusted
networks, any activity is allowed by default, except for DNS and email limitations for Untrusted and High
Restricted programs

3. The fifth rule defines the order of packet processing in local networks. Such packets are processed
according to the application rules. The default application rules say that the programs from the Trusted and
Low Restricted groups have no limitations in local networks, while High Restricted and Untrusted have
no access

4. The rest of the rules effectively regulate program behavior in the Public networks, since all packets from
Trusted and Local networks are processed one way or another by the above rules. Rules 6-8 block remote
desktop connections to the computer from public networks, and also block connections to the local DCOM
service, NetBIOS packets, access to Windows shared folders, and access to Universal Plug & Play devices

5. Rules 9 and 10 allow inbound TCP and UDP streams only to the programs belonging to the Trusted and
Low Restricted groups. Considering the default application rules, this means that Trusted and Low
Restricted applications can receive incoming connections from Public networks, whereas High Restricted
and Untrusted applications cannot

6. Rules 11 to 15 block inbound diagnostic ICMP requests, while allowing ICMP packets to be sent to test
connection to remote computers

What it means for applications on the computer

Trusted and Low Restricted programs have full access to all networks. That is why the Firewall does not hamper
well-known programs by default.

Untrusted and High Restricted programs are allowed to access only trusted networks, and even there may not work
with email and DNS. However, there are no trusted networks in a policy by default, so Untrusted and High
Restricted programs have no network access.

Thus Firewall prevents unknown malware from stealing passwords, downloading additional modules, receiving
commands from the control center and sending spam.

Additionally, the Firewall blocks access to the operating system services (shared folders, remote desktop, DCOM,
etc.) and blocks ICMP requests from public networks.

What if the Firewall impedes an application

Most network applications are automatically included in either Trusted or Low Restricted groups, and are allowed
to exchange data over the network.

However, little-known open source programs or tailor-made software may receive the High Restricted reputation
and will not be able to work with the network.

To grant access to the network to a program that has High Restricted reputation, use one of the following
approaches:

— Change the program reputation, add its executable file to the Low Restricted or Trusted reputation as
described in section 4.3

— If the program’s files are signed with a certificate, use Host Intrusion Prevention settings to trust these files

— If files are not signed with a certificate, think about signing them with a self-signed certificate and use the
exclusion settings to trust this certificate

— Alternatively, configure packet rules to allow the program to use its addresses and ports. Packet rules are
processed earlier than the rules for applications and reputations.

Move your rules to the top of the packet rules list.
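
The decision order from sections 5.2 and 5.3 as a small model, added here as an illustration and not taken from the product: the first matching packet rule wins, According to the application rule hands the packet to the application or reputation rules, and an unmatched packet goes there too. Rule names are paraphrased, rules 6-8 are represented by a single Remote Desktop rule whose port 3389 is an assumption, and the ICMP rules are omitted.

```python
from dataclasses import dataclass

ANY = None  # wildcard for a rule attribute
APP = "According to the application rule"


@dataclass(frozen=True)
class Packet:
    proto: str        # "TCP" or "UDP"
    direction: str    # "in" or "out"
    remote_port: int
    local_port: int
    network: str      # status of the remote address: "Trusted", "Local" or "Public"
    reputation: str   # reputation of the program that owns the packet


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "Allow", "Block" or APP
    proto: frozenset = ANY
    direction: str = ANY
    remote_ports: frozenset = ANY
    local_ports: frozenset = ANY
    network: str = ANY

    def matches(self, p):
        # Every attribute that is set must coincide with the packet.
        return ((self.proto is ANY or p.proto in self.proto)
                and (self.direction is ANY or p.direction == self.direction)
                and (self.remote_ports is ANY or p.remote_port in self.remote_ports)
                and (self.local_ports is ANY or p.local_port in self.local_ports)
                and (self.network is ANY or p.network == self.network))


TCP, UDP = frozenset({"TCP"}), frozenset({"UDP"})

# Simplified stand-in for the default packet rules listed in section 5.3.
DEFAULT_PACKET_RULES = [
    Rule("DNS requests (TCP)", APP, TCP, "out", frozenset({53})),
    Rule("DNS requests (UDP)", APP, UDP, "out", frozenset({53})),
    Rule("Sending email", APP, TCP, "out", frozenset({25, 465, 143, 993})),
    Rule("Any activity, Trusted networks", "Allow", network="Trusted"),
    Rule("Any activity, Local networks", APP, network="Local"),
    # Represents rules 6-8; the port number is an assumption, not from the text.
    Rule("Remote Desktop from Public networks", "Block", TCP, "in",
         local_ports=frozenset({3389}), network="Public"),
    Rule("Inbound TCP stream", APP, TCP, "in"),
    Rule("Inbound UDP stream", APP, UDP, "in"),
]

# Default action of the three always-present rules, per reputation.
REPUTATION_DEFAULT = {"Trusted": "Allow", "Low Restricted": "Allow",
                      "High Restricted": "Block", "Untrusted": "Block"}


def application_verdict(p, app_rules=()):
    """Custom application/reputation rules first, then the three standard rules."""
    for rule in app_rules:
        if rule.matches(p):
            return rule.action, rule.name
    return REPUTATION_DEFAULT[p.reputation], f"Any network activity in {p.network} networks"


def decide(p, packet_rules=DEFAULT_PACKET_RULES, app_rules=()):
    """Return (action, name of the rule that produced it)."""
    for rule in packet_rules:
        if rule.matches(p):
            if rule.action != APP:
                return rule.action, rule.name
            break  # first match defers to the application rules
    return application_verdict(p, app_rules)


if __name__ == "__main__":
    # Constructed packets: the same HTTPS connection from two differently rated programs.
    for rep in ("Trusted", "Untrusted"):
        print(rep, decide(Packet("TCP", "out", 443, 50000, "Public", rep)))
```

Packet rules have no program attribute, so a custom Allow rule placed at the top opens its ports for every program, whatever its reputation; keep its addresses and ports as narrow as possible.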



5.4 Why Network Threat Protection is necessary

What Network Threat Protection does

The purpose of the Network Threat Protection component is to block network attacks including port scanning,
denial-of-service attacks, buffer-overrun attacks and other remote malicious actions taken against the programs and
services running on the computer.

Network Threat Protection uses signatures and blocks all connections that correspond to the descriptions of known
network attacks.

As we mentioned earlier, malware does not necessarily save executable code in the file system in order to infect
a computer. For example, malware using a buffer-overrun attack can modify a process already loaded in the memory
and thus execute the malicious code. The Network Threat Protection component is able to prevent infections from
spreading this way. That is why it must be enabled, and its settings must be locked.

Network Threat Protection has a few configurable parameters. If the component is enabled, attacks are blocked
automatically.

Additionally, Kaspersky Endpoint Security can block any further packets from the attacking computer for some
time. The Add the attacking computer to the list of blocked computers option regulates this behavior; by default,
it is enabled and blocks computers for 60 minutes. If necessary, a blocked computer can be unblocked manually, but
only in the local interface of Kaspersky Endpoint Security.

Sometimes, Network Threat Protection considers numerous packets sent by surveillance cameras and other similar
devices to be an attack, and blocks the packets. To prevent this, add the devices’ addresses to exclusions. Network
Threat Protection will not analyze packets from trusted addresses.

What the Protection from MAC Spoofing does

Protection from MAC spoofing prevents unauthorized modification of ARP tables on the devices protected by
Kaspersky Endpoint Security.

The following methods protect ARP tables against unauthorized modifications:

— Ignore an incoming ARP reply unless it answers an ARP request sent
— After an ARP request has been sent, accept only the first ARP reply and ignore all others; log information
about them
— Wait for an ARP reply for some time. Ignore belated answers
— Reply to an incoming ARP request without adding a record to the system ARP table

Protection from MAC spoofing is regulated by two options available in Essential Threat Protection | Network
Protection. You can enable or disable protection (it is disabled by default); and configure reaction to potentially
dangerous attacks.
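
The four acceptance rules listed above, written out as a small state machine. This is an added model for illustration, not the product's implementation: the class and method names, the one-second reply window and the sample events (documentation addresses, constructed MAC values) are assumptions.

```python
class ArpGuard:
    """Decides which ARP replies may update the ARP table."""

    def __init__(self, reply_window=1.0):
        self.reply_window = reply_window  # seconds to wait for a reply (assumed value)
        self.pending = {}    # ip -> time our request was sent, no reply accepted yet
        self.answered = {}   # ip -> time of the request whose first reply was accepted
        self.table = {}      # ip -> mac, stands in for the system ARP table
        self.log = []        # (time, ip, mac, reason) for every ignored reply

    def request_sent(self, ip, now):
        self.pending[ip] = now
        self.answered.pop(ip, None)

    def reply_received(self, ip, mac, now):
        if ip in self.pending:
            sent = self.pending.pop(ip)
            if now - sent <= self.reply_window:
                # First reply to our own request, inside the window: accept it.
                self.table[ip] = mac
                self.answered[ip] = sent
                return "accepted"
            return self._ignore(now, ip, mac, "late reply")
        if ip in self.answered and now - self.answered[ip] <= self.reply_window:
            # The request was already answered: only the first reply counts.
            return self._ignore(now, ip, mac, "extra reply")
        return self._ignore(now, ip, mac, "unsolicited reply")

    def request_received(self, sender_ip, sender_mac):
        # Answer the request, but do not learn the sender's mapping from it.
        return "replied, sender not cached"

    def _ignore(self, now, ip, mac, reason):
        self.log.append((now, ip, mac, reason))
        return "ignored: " + reason


# Constructed event sequence: (time, kind, ip, mac)
SAMPLE_EVENTS = [
    (0.00, "request-out", "192.0.2.1", None),
    (0.01, "reply-in", "192.0.2.1", "02:00:00:00:00:01"),
    (0.02, "reply-in", "192.0.2.1", "02:00:00:00:00:99"),
    (5.00, "reply-in", "192.0.2.1", "02:00:00:00:00:99"),
    (6.00, "request-out", "192.0.2.7", None),
    (8.00, "reply-in", "192.0.2.7", "02:00:00:00:00:07"),
    (9.00, "request-in", "192.0.2.50", "02:00:00:00:00:50"),
]


def replay(events, guard=None):
    """Feed the events to a guard and return it with the per-event results."""
    guard = guard or ArpGuard()
    results = []
    for now, kind, ip, mac in events:
        if kind == "request-out":
            guard.request_sent(ip, now)
            results.append("sent")
        elif kind == "reply-in":
            results.append(guard.reply_received(ip, mac, now))
        elif kind == "request-in":
            results.append(guard.request_received(ip, mac))
    return guard, results


if __name__ == "__main__":
    guard, results = replay(SAMPLE_EVENTS)
    for event, result in zip(SAMPLE_EVENTS, results):
        print(event, "->", result)
    print("ARP table:", guard.table)
```

The entries collected in the log are the signal worth reviewing: a second, different MAC address claimed for an address that has just been resolved.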

How to unblock a blocked computer



When a client computer blocks another client computer because of a network attack, the administrator can see only
an event informing of a network attack in the console. There is no list of blocked computers, or events informing
that a computer was blocked and later unblocked.

You can find the list of blocked computers in the local interface of Kaspersky Endpoint Security:

1. In Kaspersky Endpoint Security window, click Protection components and select Network Monitor

2. In the Network Monitor window, open the Blocked computers tab

3. To unblock a computer, select it and click Unblock

To unblock a computer from the Administration Console, restart the Network Threat Protection component on the
computer that blocked an attack:

1. Find the event informing about the attack and check which computer sent the event (not which computer
attacked)

2. Find this computer in the console and open its properties

3. Switch to the Tasks tab and find the Network Threat Protection component

4. Stop the component and start it anew (use its shortcut menu or the buttons to the right of the list)

5.5 Network protection: Summary

At the network level, packets are scanned by the Firewall and Network Threat Protection components. Other
essential protection components (Web Threat Protection and Mail Threat Protection) scan data at the application
level.

Firewall protects computer services in public networks, and also does not allow Untrusted and High Restricted
programs to use network. Thus it prevents unknown malware from connecting to its control center.

Network Threat Protection analyzes sequences of packets within allowed connections and blocks known types of
attacks.

If these components impede a program:

— Make the program trusted for Host Intrusion Prevention. The Firewall uses the same reputations as Host
Intrusion Prevention.
— Open ports and addresses with which the program works using simple packet rules
— Add the application’s address to exclusions of Network Threat Protection

Chapter 6. How to protect a computer outside the network

6.1 Which local networks to trust

The risk of computer infection is lower within a corporate network than outside. Thus, applying different settings to
the computers that are taken out of office seems reasonable.

Specifically, by default, the policy considers all networks that have addresses 10.0.0.0/8, 172.16.0.0/12 and
192.168.0.0/16 to be local and permits access to shared folders, Windows services and RDP within them.

However, outside the corporate network, addresses 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 may belong to
hotels, bars, airports and other public places. It is dangerous to trust them similarly to local networks.

Use a special out-of-office policy to change Kaspersky Endpoint Security settings when a computer is taken outside
the corporate network.

6.2 How to create a policy for computers outside the office

Out-of-office is the third possible policy status, in addition to the Active and Inactive status.

An out-of-office policy may be created for any group. There can be only one out-of-office policy for each version of
Kaspersky Endpoint Security in a group. That policy is propagated in exactly the same manner as an active policy.
However, while an active policy is enforced immediately, a policy for out-of-office computers starts working only
when the computer meets the specified conditions (which will be described later).

If a child group has no out-of-office policy, it will use the out-of-office policy of its parent group. However, if
an out-of-office policy exists in both parent and child groups, they are not related in any way. Whichever settings
are locked in the parent group policy, they do not restrict the policy of the out-of-office users within the child group.

In other words, individual settings of an out-of-office policy are not inherited, unlike those of an active policy,
where the locked settings are inherited by the policies of child groups. Out-of-office policies are inherited only
completely by those subgroups where an out-of-office policy is not configured.

How to create a policy for computers outside the office

To create an out-of-office policy:

1. Start the policy creation wizard: Open the tab Devices | Policies and profiles and click Add

2. Select the Kaspersky Endpoint Security for Windows application

Note: The Out-of-office policy status only exists in the policies of Kaspersky Endpoint Security for
Windows. Policies of the Network Agent or, for example, Kaspersky Security for Windows Servers
Enterprise Edition do not have such an option.

3. Accept the KSN agreement

4. Name the policy comprehensibly

5. Create a policy with the default settings

6. Select the policy status: Out-of-office

To modify the status of a ready policy, open the General section in its properties.

When computers switch to the out-of-office policy

By default, computers will never switch to the out-of-office policy. To make them switch to such a policy, specify
conditions in the Network Agent policy using either of the following methods:

1. Select Enable out-of-office mode when Administration Server is not available

A computer will switch to the out-of-office policy if it is not connected to any network, or if the Network
Agent cannot synchronize with the Administration Server three times in a row.

In practice, this happens when a computer is disconnected from the corporate network. By default, the
synchronization period is 15 minutes. Therefore, a client will switch to the out-of-office mode instantly
after being disconnected from the network, or in 30 to 45 minutes if the network has not been disconnected.

2. Configure network locations for the <Offline mode> profile

Configuring network locations is the best choice. They can describe more precisely when a computer is located in a
corporate network, and when it is not.

If there are many computers in the network and the Administration Server is overloaded, some of the computers
may fail to connect to the Server at every regular synchronization. It might happen that a computer fails to
synchronize three times in a row and will switch to the out-of-office policy within the corporate network. Depending
on the out-of-office policy settings, such a computer can, for example, block access to its shared folders, which
would make quite a lot of trouble if it happens to a file server or a domain controller.

Certainly, if computers cannot synchronize with the Administration Server, it is an issue that must be solved [8].
However, improperly configured conditions of switching to the out-of-office mode may aggravate the issue.

[8] Course KL 302 explains how to correctly scale Kaspersky Security Center to large networks.

How to set conditions for switching to the out-of-office policy

Instead of using the option Enable out-of-office mode when Administration Server is not available, configure
network locations that precisely describe when a computer is located within the corporate network, and when
outside.

Network Agents can use different connection profiles in different network locations. See course KL 302 for details.
To make computers switch to the out-of-office mode, configure network locations for the <Offline mode> profile.

The Network Agent policy provides various conditions to describe network locations. Many of them are simple and
clear, for example, subnet address or main gateway address. However, they may fail to unambiguously define the
corporate network. Suppose subnet 192.168.0.0/24 is used in the internal network. The same network can also
exist in a hotel, a bar or a free hotspot in the street. That is why the conditions by subnet, gateway or DNS server
address are insufficiently reliable.

It is best to use the Condition for name resolvability and specify a name that can only be resolved on the internal
DNS server of the company. Configure computers to switch to the out-of-office mode when they cannot resolve this
name:

1. In the Network Agent policy, open Application Settings | Network and in the Connection profiles area,
click the Settings button

2. Add a network location description: Click the Add button above the upper list

3. Name the network location comprehensibly, for example, “<an internal DNS name> unresolvable” and
select the check box Description enabled

4. In the Use connection profile drop-down list, select the <Offline mode> profile

5. Add a Name resolvability condition

6. Add a name that can only be resolved in the internal network to the list

7. Below the DNS or NetBIOS device name list, switch the parameter to Does not match any of the values
in the list. This means that the condition is met if the specified name cannot be resolved

8. Save the condition



6.3 Which settings computers should use outside the office

The default policy assumes that 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8 are local networks, which need fewer
restrictions. This may not be a safe assumption out of office. These can be networks in hotels, bars or other public
places which cannot be trusted. Make these networks public in the out-of-office policy. Alternatively, if you trust the
users, delete all networks from the policy: Firewall will check the statuses of networks in the operating system,
which are specified by the user.

A policy for out-of-office computers must take into account the fact that while the host is outside the corporate
network, it is the user who manages Kaspersky Endpoint Security. Consequently, the policy must allow the user
access to the information about the protection status and to the product management tools. The user should at least
be allowed to scan suspicious files/drives and start updates. For this purpose, allow the user to manage group or
local tasks, or both. The corresponding settings are located in the policy section Local tasks.

To help the users make rational decisions about protection, you need to provide them with more information about
incidents. The user should be warned about detected threats, the need for advanced disinfection and about outdated
databases:

— Open the list of local Kaspersky Endpoint Security events in the policy: Go to Application Settings |
General Settings | Interface, and in the Notifications area, click the Notification rules link

— Select a component and then tick all events that are important for the user in the Notify on screen column

Make Kaspersky Endpoint Security warn the user about the issues that it experiences with a red triangle on the
application icon in the notification area. Select which issues to report to the user in the Warnings area of the
Interface section of the policy.

6.4 Out-of-office policies: Summary

When the users work outside the corporate network, they need other settings for Kaspersky Endpoint Security.
Kaspersky Security Center has out-of-office policies for this purpose.

By default, out-of-office policies are not used. To put them to use, configure conditions in the Network Agent
policy. Configure network locations for the <Offline mode> profile. In the network location descriptions, specify
the conditions that reliably describe when a computer is located within the corporate network, and when outside.
Use Modify condition for name resolvability and Modify condition for SSL connection address accessibility.

In the out-of-office policy, strengthen the protection settings:

— Configure the Firewall not to trust networks 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16

Give the users more information and more control over Kaspersky Endpoint Security:

— Inform about threats on the computer screen
— Signal about issues on the icon in the notification area
— Allow the user to start and stop tasks

Chapter 7. What else is there in protection and why?

7.1 What Self-Defense does and why it is necessary

What Self-Defense does



A self-defense technology is implemented within Kaspersky Endpoint Security, which prevents unauthorized
product disabling and other attempts to hamper its operation. Self-defense is configured using two options in
General Settings | Application Settings:

— The Enable Self-Defense parameter is responsible for protecting the Kaspersky Endpoint Security
processes in the computer system memory, its files on the hard drive and its registry keys

— The Disable external management of the system services option does not permit stopping Kaspersky
Endpoint Security services unless the command is carried out via the product interface

If self-defense is disabled, the computer protection level decreases. By default, both parameters are enabled and
locked. It makes sense to disable self-defense only if compatibility problems arise (for example, with remote
management utilities, though there are better ways for handling those) or for troubleshooting.

How to manage KES over Remote Desktop

To prevent malware from disabling protection by simulating the user’s commands in the product window, self-
defense accepts mouse and keyboard events only directly from a device rather than from other processes by default.
Therefore, when the administrator tries to manage Kaspersky Endpoint Security via a remote access program, such
as UltraVNC or TeamViewer, self-defense does not permit clicking anything in the Kaspersky Endpoint
Security window.

If you need to manage Kaspersky Endpoint Security via a remote access program, and self-defense will not allow
this, configure an exclusion. Add the executable file of your remote access tool to the list of trusted applications.

The process that the administrator starts on his or her computer is not necessarily the same as the process on the
remote computer that accepts the connection and provides access to the desktop. Add the process that runs on the
remote computer.

In the properties of the trusted program, select the check box Do not block interaction with the application
interface. Clear the other check boxes. Do not allow programs more than they need for their work.

What BadUSB Attack Prevention does

Firmware of any USB flash drive can be modified. When such a USB flash drive is connected to a computer, the
operating system may recognize it as another device and perform functions designed by criminals. For example, a
USB flash drive can be identified as a keyboard and send commands on behalf of the user logged on to the system.
In practice, it may be absolutely any action: hidden malware downloading or intercepting and sending out
confidential data. And even if the user does not possess system administrator permissions, it will not solve the issue,
because there are various methods of elevating privileges, and permissions of an ordinary user are typically enough
to organize a data leakage.

The BadUSB Attack Prevention component does not permit USB devices to connect as a keyboard without the
user’s authorization. It works as follows. When a USB device is connected, if the operating system recognizes it as a
keyboard, BadUSB Attack Prevention notifies the user and requires that the user authenticates the device.

By default, the BadUSB Attack Prevention component is not installed on the computers. If necessary, you can add
it using the Kaspersky Endpoint Security task Change application components. The BadUSB Attack Prevention
component is recommended to be installed on notebooks.

It is controlled by two parameters in Application Settings | Essential Threat Protection | BadUSB Attack
Prevention:

— BadUSB Attack Prevention can either be Enabled or Disabled; by default, it is enabled

— The parameter Prohibit use of On-Screen Keyboard for authorization of USB devices permits (or
disallows) the user to authenticate devices via on-screen keyboard. By default, the use of on-screen
keyboard is blocked

If you plan to use BadUSB Attack Prevention on notebooks, we recommend that you allow the use of on-screen
keyboards in the out-of-office policy to avoid issues with wireless pointers and presenters.
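
What "the operating system recognizes it as a keyboard" rests on at the USB level, as an added example that is not Kaspersky code: a device announces its functions in interface descriptors, and a keyboard interface can sit next to a mass-storage one. The descriptor bytes are constructed samples; `device_id` and the `authorized` set are assumptions of this model.

```python
import struct

DT_CONFIGURATION, DT_INTERFACE, DT_ENDPOINT, DT_HID = 0x02, 0x04, 0x05, 0x21
CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08
PROTOCOL_KEYBOARD = 0x01  # bInterfaceProtocol of a boot-protocol HID keyboard


def parse_interfaces(config: bytes) -> list:
    """Return (class, subclass, protocol) for each interface in a configuration descriptor."""
    if len(config) < 9 or config[0] != 9 or config[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    (total,) = struct.unpack_from("<H", config, 2)  # wTotalLength, little-endian
    if total < 9 or total > len(config):
        raise ValueError("wTotalLength does not match the data supplied")
    interfaces, offset = [], 0
    while offset < total:
        if total - offset < 2:
            raise ValueError("trailing byte after the last descriptor")
        length, dtype = config[offset], config[offset + 1]
        if length < 2 or offset + length > total:
            raise ValueError(f"malformed descriptor at offset {offset}")
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError("interface descriptor too short")
            # bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol
            interfaces.append(tuple(config[offset + 5:offset + 8]))
        offset += length
    return interfaces


def classify(config: bytes) -> str:
    """Say whether the device declares a keyboard, alone or next to mass storage.

    Limitation: keyboards that do not use the boot protocol declare their keyboard
    usage only in the HID report descriptor, which this sketch does not parse.
    """
    interfaces = parse_interfaces(config)
    keyboard = any(c == CLASS_HID and p == PROTOCOL_KEYBOARD for c, _, p in interfaces)
    storage = any(c == CLASS_MASS_STORAGE for c, _, _ in interfaces)
    if keyboard:
        return "storage+keyboard" if storage else "keyboard"
    return "no keyboard interface"


def needs_user_authorization(config: bytes, device_id: str, authorized: set) -> bool:
    """Model of the rule described above: a keyboard needs the user's authorization.

    Assumption: authorized devices are remembered by an identifier.
    """
    return classify(config) != "no keyboard interface" and device_id not in authorized


# --- constructed sample descriptors -------------------------------------------
def interface(number, cls, subclass, protocol, endpoints):
    return bytes([9, DT_INTERFACE, number, 0, endpoints, cls, subclass, protocol, 0])


def endpoint(address, attributes, max_packet, interval=0):
    return (bytes([7, DT_ENDPOINT, address, attributes])
            + struct.pack("<H", max_packet) + bytes([interval]))


def configuration(*functions):
    """Each argument is one interface descriptor followed by its subordinate descriptors."""
    body = b"".join(functions)
    header = bytes([9, DT_CONFIGURATION]) + struct.pack("<H", 9 + len(body))
    return header + bytes([len(functions), 1, 0, 0x80, 50]) + body


STORAGE = (interface(0, CLASS_MASS_STORAGE, 0x06, 0x50, 2)
           + endpoint(0x81, 0x02, 512) + endpoint(0x02, 0x02, 512))
KEYBOARD = (interface(1, CLASS_HID, 0x01, PROTOCOL_KEYBOARD, 1)
            + bytes([9, DT_HID, 0x11, 0x01, 0, 1, 0x22, 63, 0])
            + endpoint(0x83, 0x03, 8, 10))

FLASH_DRIVE = configuration(STORAGE)
DRIVE_WITH_KEYBOARD = configuration(STORAGE, KEYBOARD)

if __name__ == "__main__":
    for label, blob in (("flash drive", FLASH_DRIVE), ("drive + keyboard", DRIVE_WITH_KEYBOARD)):
        print(label, "->", classify(blob),
              "| prompt user:", needs_user_authorization(blob, "sample-id", set()))
```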

7.2 How to protect Kaspersky Endpoint Security from the user

How the user can stop protection

The default settings provide the users with at least two methods to disable the protection.

— Close Kaspersky Endpoint Security (click Exit on the shortcut menu of the product icon in the notification
area). This action doesn’t even ask for elevated permissions; any user can do this.

— Uninstall Kaspersky Endpoint Security, which requires administrative permissions. However, some users
may have them, especially on laptops.

To prevent the users from weakening or stopping Kaspersky Endpoint Security, configure password protection for
the mentioned actions in the policy and make these settings required (close the lock). Though a user with
administrator rights has enough power to disrupt the operation of Kaspersky Endpoint Security one way or another,
the most direct attempts to do so will be blocked by Kaspersky Endpoint Security self-defense, which doesn’t
allow deleting or modifying Kaspersky Endpoint Security files and registry entries, and protects its service and
processes in memory. Together, password protection and self-defense are mostly able to prevent any damage a user might
try to inflict on Kaspersky Endpoint Security. However, self-defense is enabled by default, whereas password
protection is not.

Another, less evident way of disabling the protection is to uninstall the Network Agent. Some 10 to 20 minutes
after the Network Agent is removed, Kaspersky Endpoint Security will no longer be controlled by the policy and
the user will be able to change any setting. There is password protection for the Network Agent too, and it is not
enabled by default either.

How to enable password protection

Password protection can be enabled for most of the user actions that affect Kaspersky Endpoint Security: editing its
settings, exiting, and uninstalling.

To enable password protection for Kaspersky Endpoint Security:

1. Open the policy, switch to the Application Settings tab, in General Settings | Interface, enable Password
protection

2. Set a password

3. Configure permissions for the group Everyone. Select which operations will not prompt the user for
password:

— Configure application settings—protects against any attempts to modify Kaspersky Endpoint
Security settings, including the options that enable and disable the components (e.g. File Threat
Protection); but the user will still be able to stop a component via its shortcut menu

— Remove / modify / restore the application—the password prompt is added to the uninstall wizard of
Kaspersky Endpoint Security

— Disable Kaspersky Security Center policy—adds the option to temporarily disable the policy via
the shortcut menu of Kaspersky Endpoint Security icon after entering the password.

— Exit the application—protects the Exit command on the shortcut menu of the product's icon.
Meanwhile, self-defense of Kaspersky Endpoint Security will prevent attempts to terminate its
processes or files

— View reports—prompts for the password prior to showing events in the local interface of Kaspersky
Endpoint Security

The password protects both the graphical interface of Kaspersky Endpoint Security and the command-line
interface.

— Restore access to data on encrypted drives—prevents the user from starting the data recovery tool. It
is the administrator’s job to recover data, not the user’s

— Restore from Backup—prompts for the password when restoring files from backup

— Disable protection components—the user can start protection components and local tasks (if they are
displayed); the password window appears only if the user attempts to stop them. The update tasks lack
this protection

— Disable control components—the password is necessary to disable the Device Control, Application
Control, or Web Control

The capability to temporarily disable the policy is useful for local troubleshooting. When a policy is active,
the administrator can’t change Kaspersky Endpoint Security parameters to see which component or which particular
setting is causing trouble for the user. Moving a problem computer to a special group for diagnostics and then
returning it after the problem is solved is an awkward solution, especially if different IT units are
responsible for centralized protection management and local diagnostics. Temporarily disabling the policy on
a computer with a special password helps to carry out diagnostics without changing the settings on
the Administration Server.

— Remove key—the user cannot stop protection by deleting the key unless the password is entered

The advantage of password protection is that it remains active even when the policy is disabled. Once the password
protection settings are applied to Kaspersky Endpoint Security, the users will be unable to manage the product
without a valid password even if the administrator disables the policy. Password protection permits configuring
permissions for each user or group of users.

Configuring password protection for Network Agent

The Network Agent is less likely to be noticed by the local user than Kaspersky Endpoint Security. The list of
installed programs is one of the few places where it can be found. “Kaspersky” in the product name may be
sufficient for some users to attempt uninstalling the Network Agent. If a user has administrator privileges,
the attempt will succeed.

To protect the Network Agent, set an uninstallation password in its policy. The Quick Start wizard creates the
Network Agent policy automatically.

The password for Network Agent uninstallation is to be set in the Settings section. By default, it is not specified.
Enable the Use uninstall password option, enter the password and don’t forget to lock this group of settings. It’s
not locked by default and setting the password while leaving the option ‘unlocked’ has zero effect on the local
Network Agent settings.

Once the policy is applied, the password prompt is added to the Network Agent uninstallation wizard. An attempt to
uninstall the Network Agent using the command line without the password will also fail.

7.3 Which other protection settings are available

Kaspersky Endpoint Security policy has more settings than we have described in this chapter.

Actions

For most of the protection components, you can select what to do with malicious files and other threats.

By default, all components try to disinfect malicious files, and if disinfection fails or is impossible, delete them. The
administrator can select to delete all malicious files immediately, or only block them rather than delete. Blocking
instead of deleting makes sense only if you are testing something. On the protected computers, use the action that
deletes malicious files. We recommend that you leave the default action.

Prior to disinfecting or deleting a file, Kaspersky Endpoint Security copies it to the Backup. It is a special folder on
the computer, where Kaspersky Endpoint Security stores encrypted copies of malware. If Kaspersky Endpoint
Security deletes a file mistakenly, the administrator will be able to restore it from the Backup after configuring an
exclusion.

Other settings

The settings that we have not mentioned usually should not be changed. They are described in the help system of
Kaspersky Endpoint Security.

The following table briefly describes some of the settings:



General Settings | Exclusions | Objects for detection

Settings:
— Viruses and worms (cannot be disabled)
— Trojans (cannot be disabled)
— Malicious tools (enabled)
— Adware (enabled)
— Auto-dialers (enabled)
— Other (disabled)
— Packed files that may cause harm (enabled)
— Multi-packed files (enabled)

Recommendation: Do not change these settings. All these objects at least hamper the user, and may cause significant
harm if worst comes to worst. If the administrators use testing utilities that the antivirus considers to be malicious,
configure exclusions for them instead of disabling detection of the whole category of objects. The Other category
includes remote management utilities, such as RAdmin, UltraVNC, DameWare, etc. Criminals may use these legitimate
tools for unauthorized access to computers. However, administrators and users may need them for their work.
Configure as necessary.

<Component name> | Action on threat detection

Settings:
— Disinfect
— Delete if disinfection fails

Recommendation: Do not modify the action settings. Let the components delete all malicious objects. If false
positives occur, configure exclusions. Restore erroneously deleted files from the Backup repository after configuring
an exclusion.

Local tasks | Removable drives scan

Settings:
— Action when a removable drive is connected: (by default) Do not scan
— Maximum removable drive size: (by default) 4096 MB

Recommendation: Change the action to Quick Scan or Detailed scan. Although File Threat Protection scans everything
the user starts or copies from a removable drive, it is not recommended to leave passive malicious files on removable
drives. The user may, for example, take this drive to a customer and accidentally infect a computer. To save
employees’ time and prevent Kaspersky Endpoint Security from scanning large drives, limit the maximum size of
the drive to be scanned, for example, to 32 MB.

Local tasks | Task management

Settings:
— (By default) Is disabled

Recommendation: Do not enable. Local tasks are difficult to manage with the Administration Server and they confuse
the administrator. If you need to enable the users to start updates or stop virus scanning, it is best to select
the check box Allow group tasks to be displayed in this list.

General Settings | Application Settings | Performance | Postpone scheduled tasks while running on battery power

Settings:
— (By default) Is enabled

Recommendation: Lots of contemporary laptops boast 10-plus hours battery life. It may be dangerous to postpone virus
scanning, let alone updates, until the user plugs the notebook in. Disable this option for such computers. At the same
time, old laptops may have short battery life; this parameter was designed for them. Place old and modern notebooks
into different groups and specify proper settings for them via dedicated policies.

General Settings | Application Settings | Performance | Concede resources to other applications

Settings:
— (By default) Is enabled

Recommendation: Do not disable.

General Settings | Reports and Storage | Reports

Settings:
— Store reports no longer than: (by default) 30 days
— Maximum file size: (by default) 1024 MB

Recommendation: For most companies, event history of 30 days is enough. If you need to store events longer, increase
the storage time and maximum file size. Think about sending events to a SIEM system (see course KL 009).

General Settings | Reports and Storage | Backup

Settings:
— Store objects no longer than: (by default) 30 days
— Maximum storage size: (by default) is not specified

Recommendation: If you suspect a file to be malicious, but Kaspersky Endpoint Security does not react to it, receive
its reputation from KSN in real time or send the file to technical support via the companyaccount.kaspersky.com
portal.

General Settings | Reports and Storage | Data transfer to Administration Server

Settings:
— About files in Backup
— About unprocessed files
— About installed devices
— About started applications
— About file encryption errors

Recommendation: Enable the first two lists: They inform about threats and false positives. Send the lists of devices
and encryption errors only if you use Device Control and Encryption. We recommend that you send the list of started
applications only from individual computers, do not enable it for the whole network.

General Settings | Interface | Notification rules | Component | <Event>

Settings:
— Save in local log
— Save in Windows Event Log
— Notify on screen
— Notify by email

Recommendation: Store all events in the local log. In Windows log, store at least functional failure events to be able
to view them if Kaspersky Endpoint Security does not work. Notify on screen only about control events. The fewer
messages by Kaspersky Endpoint Security the user sees, the better. Do not configure email notifications here. To
receive email notifications, click the link Email notification settings.

General Settings | Interface | Interaction with user

Settings:
— Display full interface: Is enabled by default
— Simplified interface: Is disabled by default

Recommendation: Select No interface if users complain that Kaspersky Endpoint Security hampers them. If
the corporate policy prohibits completely hiding software interface from the users, select With simplified interface:
The users will see the Kaspersky Endpoint Security icon in the notification area, but will not be able to open its
window or understand which components and tasks are running.

General Settings | Interface | Warnings

Settings:
— Active threats
— Computer restart required
— Problems with signature databases
— Problems with protection level
— Problems with license
— Updates available

Recommendation: Disable on the network computers. It is the administrator who needs to be informed about issues
rather than the user, and they are to be displayed in the Administration Console rather than in the local interface.
Enable in an out-of-office policy to permit the users to take care of protection on notebooks.

Computer protection: Summary

All protection components in Kaspersky Endpoint Security either detect and block threats, or reduce the attack
surface, that is, prevent the user and applications from taking actions that are potentially dangerous to the
computer.

Therefore, do not disable the protection components. Instead, create exclusions for those programs that are slowed
down by the antivirus.

Configure regular virus scanning. First, it detects passive threats. Second, it updates the cache of scanned files, after
which File Threat Protection and other components work faster.

All components do well with the default settings. Usually, these settings can hardly be improved, and should not be
changed. However, to better counter ransomware, you can configure Host Intrusion Prevention to guard your
documents.

The default settings can be improved for notebooks, which are taken outside the corporate network. Create an out-
of-office policy for them.

Finally, protect not only computers from malware, but also Kaspersky Endpoint Security from the user. Configure
password protection for Kaspersky Endpoint Security and Network Agent.
Unit III. Security Controls
Chapter 1. Overview
1.1 Purpose of the control components
1.2 Licenses and installation types
1.3 Installing the Control components

Chapter 2. Application Control
2.1 How Application Control works
Operation principles
How to configure Application Control
2.2 How to configure application categories
A category that is created and updated manually
Automatically filled folder-based category
Category based on a reference computer
What you can do with programs and categories after the initial configuration
2.3 How to create control rules
Application Control modes
Application Control rules
2.4 How it will work
How to find out what a particular user is prohibited from
Local notifications and user requests
User requests selection
Events
Report on blocked runs
2.5 Default deny mode

Chapter 3. Device Control
3.1 What can be blocked and how
Additional options
USB flash drive access log
How to specify trusted Wi-Fi networks
What Anti-Bridging does
3.2 How to specify a trusted device
3.3 How to configure interaction with users
3.4 How to configure temporary access
How can the user send a request to get access to a blocked device?
How to create activation code
How to activate temporary access
3.5 Monitoring Device Control

Chapter 4. Web Control
4.1 Blocking criteria
4.2 Configuring exclusions and trusted servers
4.3 Diagnostics and testing
4.4 Configuring interaction with users
4.5 Web Control statistics
4.6 Web control report

Chapter 5. Adaptive Anomaly Control
5.1 How to configure Adaptive Anomaly Control
5.2 Configuring interaction with users
5.3 Adaptive Anomaly Control statistics
5.4 Reports about Adaptive Anomaly Control operation

Chapter 1. Overview

1.1 Purpose of the control components

In addition to anti-malware protection, Kaspersky Endpoint Security 11.1 contains control components that restrict
actions harmful to the computers or the company in general.

— Application Control monitors users’ attempts to start programs and regulates software start through the
rules configured by the administrator.

— Device Control brings the use of various devices to conformity with the company policy. The Anti-Bridging
component prohibits unauthorized network connections

— Web Control limits access to websites depending on their content; you can also block addresses by masks

— Adaptive Anomaly Control contains a set of pre-configured rules and monitors non-typical behavior on
the device that usually precedes an infection, and helps nip it in the bud

1.2 Licenses and installation types


There are five functional areas in Kaspersky Security Center 11:

— Protection against threats
— Control components
— Encryption
— Systems management
— Mobile device management

The control components require a KESB Select license and are automatically installed if the Standard installation
type is selected. The exception is the new Adaptive Anomaly Control component, which requires a KESB Advanced license.

In the MMC console, Encryption settings and Control components are not displayed in the Kaspersky Endpoint Security
11.1 policy by default. To display these settings, in the main window of the Console, click the link
Configure functionality displayed in user interface:

— Display data encryption and protection—displays the Encryption settings

— Display endpoint control settings—displays the settings of the Control components

Web Console does not need to be reconfigured; all functionality is immediately accessible.

1.3 Installing the Control components

Control components are enabled by default in the properties of the Kaspersky Endpoint Security 11.1 package,
which is created automatically during the Administration Server installation.

The only technicality is that not all of the components will be installed on a server operating system.

If some components are not installed on the computers, the administrator can add them.

Use the Change application components task of Kaspersky Endpoint Security. This task is designed especially for
uninstalling or adding Kaspersky Endpoint Security components without reinstalling the product. The task creates
little traffic, as it reuses the .msi package of Kaspersky Endpoint Security, which was saved on the client computer
during the initial installation.

In the task properties, you can select the components to be installed, just like in an installation package. However,
you cannot select individual components while creating the task in the wizard. To specify the necessary components,
complete the task creation wizard and then open the task properties: the choice of components is not limited there.

Chapter 2. Application Control


Application Control helps to implement the corporate security policy; in particular, restrict software start on
the endpoints. At the same time, Application Control reduces the computer infection risk by decreasing the attack
surface.

2.1 How Application Control works

Operation principles

Application Control allows the administrator to restrict which programs the users can run on the computers.
Software start permissions are specified in special rules.

When a program starts, Application Control checks:

— The category the program belongs to (the categories are configured by the administrator)
— The account under which the program was started
— Whether the Kaspersky Endpoint Security policy contains any rules that regulate the start of this program
category for this account

Application Control can operate in either of the two modes:

— Black list: Everything is allowed by default. Only the programs that belong to categories that the
administrator prohibited in the Kaspersky Endpoint Security policy are blocked. Meaning, if there is no
matching block rule, the program will be permitted to start

— White list: Everything is prohibited by default. Only the programs that belong to categories that the
administrator allowed in the Kaspersky Endpoint Security policy are permitted to start. If there is no
matching allow rule, the program will be blocked

The white list mode is used in the default deny approach. It is described in the respective section of this
chapter, and much more detail is available in a dedicated training course KL 032 Default Deny.

How to configure Application Control

In two stages:

1. Create application categories

1.1. Make up the list of categories. For example, Web browsers, Games, Third-party messengers, Allowed
programs, etc.

1.2. Add all programs that we want to control to these categories. How to do it is described in the next
section.

Categories are configured for the whole Administration Server at once in Operations | Third-Party
Applications | Application Categories

2. Make up the list of rules:

In the Kaspersky Endpoint Security policy, you can specify what Kaspersky Endpoint Security is to do
with the applications that belong to each application category: allow, block, or just notify Kaspersky
Security Center about each start.

Note that categories are specified for the whole server, while different rules may be configured for different
computer groups. For example, Skype can be prohibited for everybody except individual users; additionally,
marketers can be allowed to use it, but every time they start it, the administrator will receive the respective
notification.
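
The three checks and the two modes described above, as a simplified model added here (not Kaspersky's implementation); the rule set reproduces the Skype scenario. The `exceptions` field, the account names, and the choice to record a notify event only for a start that is allowed are assumptions of this sketch.

```python
from dataclasses import dataclass

BLACK_LIST, WHITE_LIST = "black list", "white list"


@dataclass(frozen=True)
class Rule:
    category: str                         # application category the rule regulates
    action: str                           # "allow", "block" or "notify"
    accounts: frozenset                   # users and groups the rule applies to
    exceptions: frozenset = frozenset()   # assumption: accounts carved out of the rule

    def matches(self, categories: set, identity: set) -> bool:
        """True if the rule covers one of the program's categories for this account."""
        return (self.category in categories
                and bool(self.accounts & identity)
                and not (self.exceptions & identity))


def decide(mode: str, rules: list, categories: set, identity: set) -> tuple:
    """Return (verdict, notify_events) for one program start.

    categories: categories the starting program belongs to
    identity:   the user name plus the groups the account is a member of
    """
    if mode not in (BLACK_LIST, WHITE_LIST):
        raise ValueError(f"unknown mode: {mode!r}")
    matching = [rule for rule in rules if rule.matches(categories, identity)]
    if mode == BLACK_LIST:
        # Everything is allowed unless a block rule matches.
        allowed = not any(rule.action == "block" for rule in matching)
    else:
        # Everything is prohibited unless an allow rule matches.
        allowed = any(rule.action == "allow" for rule in matching)
    events = sorted({r.category for r in matching if r.action == "notify"}) if allowed else []
    return ("allowed" if allowed else "blocked", events)


# Constructed rule set: messengers are blocked for everybody except alice and Marketing;
# starts by Marketing are reported; browsers are allowed for everybody.
MESSENGERS, BROWSERS = "Third-party messengers", "Web browsers"
RULES = [
    Rule(MESSENGERS, "block", frozenset({"Everyone"}), frozenset({"alice", "Marketing"})),
    Rule(MESSENGERS, "notify", frozenset({"Marketing"})),
    Rule(BROWSERS, "allow", frozenset({"Everyone"})),
]
ALICE = {"Everyone", "alice"}
BOB = {"Everyone", "bob"}
CAROL = {"Everyone", "Marketing", "carol"}


def compare_modes(categories: set, identity: set) -> dict:
    """The same start evaluated under both modes."""
    return {mode: decide(mode, RULES, categories, identity)
            for mode in (BLACK_LIST, WHITE_LIST)}


if __name__ == "__main__":
    for who, identity in (("alice", ALICE), ("bob", BOB), ("carol", CAROL)):
        print(who, "starts a messenger:", compare_modes({MESSENGERS}, identity))
    print("bob starts an uncategorized program:", compare_modes(set(), BOB))
```

The last line of output shows why the mode matters most for programs no category covers: the same start is allowed under the black list and blocked under the white list.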

2.2 How to configure application categories


Categories are created on the Kaspersky Security Center Administration Server and are transferred to client
computers similarly to policies and tasks. You can send the complete list and contents of categories every time, or
only the changes. This is configured in the Administration Server properties, in the Application categories section.

This transfer option appeared in Kaspersky Security Center 10 SP2 MR1 and Kaspersky Endpoint Security 10 SP2;
in earlier versions, the full set of categories is always transferred, even if changes are few and minor. That is why
everything is transferred by default; otherwise, if there are older clients in the network, they will not be able to
receive changes only, and will receive nothing.

An application category is a list of conditions and exclusions that allows identifying a program or a group of
programs. The list of categories is displayed in Operations | Third-Party Applications | Application Categories and
is empty by default. New categories are created using a special wizard. There are three types of categories:

— Filled manually—their conditions are added and changed only manually. For example, all programs that
have “zombies” in their names, or all programs signed with the specified certificate

— Filled automatically from a folder—the administrator selects a directory, which is scanned for the
following files: EXE, COM, DLL, SYS, BAT, PS1, CMD, JS, VBS, REG, MSI, MSC, CPL, HTML, HTM,
DRV, OCX, SCR. The Administration Server will also check the contents of this directory on schedule,
calculate checksums of executable files (SHA256 and/or MD5), and update the list of the category criteria.
A network folder to which all prohibited or allowed programs are copied may come in handy

— Filled automatically from the selected devices—the administrator selects one or several managed
computers, and the Administration Server automatically includes executable files found on these computers
into the category. Meaning, you can specify a reference computer where, for example, all allowed programs
are installed
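
What a folder-based category amounts to, as an added sketch that is not the Administration Server's code: collect files with the listed extensions, record their checksums, and compare two scans the way a scheduled rescan would. The function names and sample files are constructed, and descending into subfolders is an assumption.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions the guide lists for folder-based categories.
SCANNED = {"exe", "com", "dll", "sys", "bat", "ps1", "cmd", "js", "vbs", "reg",
           "msi", "msc", "cpl", "html", "htm", "drv", "ocx", "scr"}


def checksums(path: Path, algorithms=("sha256",)) -> dict:
    """Hash a file in 1 MB blocks with every requested algorithm in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(1 << 20), b""):
            for hasher in hashers.values():
                hasher.update(block)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def scan_folder(folder, algorithms=("sha256",)) -> dict:
    """Return {relative path: {algorithm: digest}} for files with a scanned extension."""
    root = Path(folder)
    criteria = {}
    for current, _dirs, files in os.walk(root):  # assumption: subfolders are included
        for name in files:
            path = Path(current) / name
            if path.suffix.lower().lstrip(".") not in SCANNED or path.is_symlink():
                continue
            criteria[path.relative_to(root).as_posix()] = checksums(path, algorithms)
    return criteria


def rescan_changes(old: dict, new: dict) -> dict:
    """What a scheduled rescan would add to, remove from, or update in the criteria."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(name for name in set(old) & set(new) if old[name] != new[name]),
    }


def in_category(path, criteria: dict, algorithm: str = "sha256") -> bool:
    """A checksum criterion looks at content only; file name and location are ignored."""
    digest = checksums(Path(path), (algorithm,))[algorithm]
    return any(entry.get(algorithm) == digest for entry in criteria.values())


def demo() -> dict:
    """Build a constructed share, scan it, change it, and scan it again."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp, "allowed")
        share.mkdir()
        (share / "tool.exe").write_bytes(b"constructed build 1")
        (share / "Deploy.PS1").write_bytes(b"constructed script")
        (share / "readme.txt").write_bytes(b"not a scanned file type")
        first = scan_folder(share, ("sha256", "md5"))

        copy = Path(tmp, "renamed.bin")           # same bytes as build 1, other name
        copy.write_bytes(b"constructed build 1")
        renamed_copy_matches = in_category(copy, first)

        (share / "tool.exe").write_bytes(b"constructed build 2")   # program updated
        (share / "helper.dll").write_bytes(b"constructed library")
        (share / "Deploy.PS1").unlink()
        second = scan_folder(share, ("sha256", "md5"))
        return {
            "first": first,
            "changes": rescan_changes(first, second),
            "renamed_copy_matches": renamed_copy_matches,
            "old_build_still_matches": in_category(copy, second),
        }


if __name__ == "__main__":
    result = demo()
    print(result["changes"])
    print("renamed copy of build 1 matched first scan:", result["renamed_copy_matches"])
    print("build 1 matches after the update:", result["old_build_still_matches"])
```

A checksum criterion identifies one exact build, so an updated program drops out of the category until the folder is scanned again.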

At the first step, the New Category Wizard prompts you for the category name and creation method. If you are not
happy with the category contents when it is ready and want to modify the method, you will have to re-create the
category.

A category that is created and updated manually

For a manually filled category, conditions for the programs are specified in the list; each condition can contain
several parameters. If a program matches at least one condition, it is included in the category. Conditions can be set
by various methods, but all of them can be boiled down to the following general types:

— KL category—Kaspersky Lab experts group white lists into categories according to programs’ purpose.
The category catalog helps to categorize an application or an individual file. In most cases, Kaspersky
Endpoint Security defines the category locally using the signature database or requests the verdict from
Kaspersky Security Network.

— Certificate—this function is available since Kaspersky Endpoint Security 10 SP2. You can specify a folder
on a client device that contains executable files signed by certificates. Certificates of executable files will
be added to the category conditions. You can also add certificates from a certificate store

— Application folder—all programs from the specified directory will be added to the category

— Removable drive—a special parameter that allows the administrator to create a separate category for
the files started from a removable drive

— Metadata—file name, its version, name of the program and manufacturer. The version does not have to be
specified exactly. You can select all files older or younger than the specified version. Various file
characteristics constitute a single condition, rather than several individual conditions. When specifying
metadata, you can allow only files signed with a valid certificate, or those for which KSN returns the
Trusted verdict

— Checksum—the checksum returned by SHA-256 function that allows unambiguous identification of
the file (the checksums of different files are different)

Note: In Kaspersky Endpoint Security version 10 SP1 MR3 and earlier, MD5 checksum was used for file
identification in Application Control instead of SHA-256. Starting with Kaspersky Endpoint Security 10
SP2, only SHA-256 is used.
If there are various Kaspersky Endpoint Security versions in the network, select the corresponding check
box in the category properties, for example, collect not only SHA-256, but also MD5. Then the same
category will be usable for policies configured for different Kaspersky Endpoint Security versions.
On the other hand, if application categories become too large as a result, you can create different categories
for different versions of Kaspersky Endpoint Security.

From the executable files list

The administrator can create a condition based on the Executable files list. It is a list of executable files that have
been started on the client computers or detected by an Inventory task.

Note: In Kaspersky Endpoint Security 11.1, information about started executable files will be transferred
only after you enable the Application Control component.

This list of files is displayed in the Operations | Third-Party Applications | Executable Files.

From applications registry

The Applications registry node contains programs installed on computers and displayed in their Programs and
Features. Network Agents gather names and attributes of these programs and transfer them to the Administration
Server. The gathered information about the installed programs does not contain data about the program executable
files, but it is the data about executables that is necessary to create a condition. That is why the Administration
Server compares data about installed programs and data about executable files detected on the computers, and after
that creates a condition based on the hash sum of the program executables.

It might happen that a program is considered to be installed by mistake, or a program is installed but started
extremely rarely and the data about its executable file is missing on the Administration Server.

In this case, a condition for this program may fail to be created. On the other hand, if a program has several
executable files, the applications registry simplifies rule creation. The Administration Server automatically adds
conditions for all executable files associated with the program.

If a program is installed but its executable files haven’t been reported to the Administration Server yet,
the administrator may consider running an Inventory task to speed up the process.

We will describe inventory tasks in detail later.

From file properties

When selecting a file on the drive, the administrator can specify a simple SHA-256 (MD5) condition for it, or
a more flexible condition based on metadata or certificate.

A hash sum unambiguously identifies a file. This condition should be used when exact coincidence is important. For
example, hash sums are used in automatically filled categories described earlier, because it is important to allow
starting the exact file versions installed on the reference computer or included in an approved distribution. Any
changes made to the file by malware or malevolent users will result in changing the hash sum and blocking the file
start.

Hash sums are also convenient if you need to prohibit renamed files from starting. Renaming does not influence
the hash sum and the blocking rule will still work.

At the same time, you may need to include several application versions in a category. In this case you should create
a condition based on file attributes, such as name, manufacturer name, and version number. The version number
may not only coincide with the specified value, but also be more or less than the specified value, or start from it,
etc.; so you will be able to block old program versions or recent releases that have not been approved yet.

Metadata-based conditions implicitly rely on digital signatures. When Kaspersky Endpoint Security checks file
metadata to determine if the condition applies, it ignores files without digital signatures (certificates). Unsigned files
will never match a metadata-based condition. This applies to many open-source and freeware tools. You may create
a condition based on the file name and then be surprised that a file with a matching name is not treated as expected.
Most probably, this means that the file has no digital signature.
In general, you should use metadata-based conditions for commercial software that is likely to be digitally signed by
the vendor’s certificate. To control open-source and freeware programs, use other condition types.

Use metadata or checksum of files in an MSI

If a folder or an MSI package is specified when creating a condition manually, the selected folder or package will be
scanned once when creating the category, and later will not be rescanned. The administrator can add any other
condition to such a category.

Use KL categories

The described conditions enable the administrator to allow or prohibit known programs—programs whose hash
sum, or attributes, or location on the drive, etc. are known or can be found out.

In practice, it is often necessary to prohibit unknown programs, for example, all games, or all browsers except for
one, etc. This task is not easy to solve using the described tools.

The solution is to use KL categories. These categories define program class or type: email programs, web browsers,
development tools, electronic payment systems, etc. ‘KL category’ means that the programs are categorized by
Kaspersky Lab experts.

The program categorization information is a part of the downloadable databases. That is why the Download
updates to the repository task must run at least once before you can create conditions based on KL categories.

Programs started on each computer are independently scanned for correspondence to the conditions, and if different
database versions are used on different computers, application control rules can work to different effects. Also, if
the use of KSN is enabled on a computer, it will try to receive the latest data about KL categories in real time.

Kaspersky Lab experts, certainly, cannot process and categorize all executable files that exist in the world. All
uncategorized files are automatically associated with the Other Software KL category.

Specify the path to the files explicitly

So far, all conditions checked the hash sum or attributes of the files. These conditions were independent of the file
location. Copying or moving the executable file would not influence the file start regulations based on
these conditions.

The following two types of conditions consider only the file location:

— Application folder—defines the local path to the file. The administrator can, for example, prohibit starting
executable files from the desktop or from the whole user’s home directory.

Alternatively, the administrator can permit starting executable files from the system folders: C:\Windows,
C:\Program Files and prohibit from all other computer locations.

The condition is recursive, meaning, it works for the files in subfolders of the specified folder.

— Device type—can have only one value: Removable device. Essentially, its purpose is to enable
the administrator to prohibit starting programs from removable drives.

Specify certificates

A more reliable method than using file path, but less reliable than SHA-256, is selecting files by certificates. You
can select from among the certificates on the Administration Server.

How to specify exclusions from a category

If you need to prohibit all programs that match the specified conditions except for one, add an exclusion to
the category. Exclusions can use the same types of conditions. The programs that meet at least one exclusion
condition will be excluded from the category.
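
The matching behaviour of the condition types and exclusions described above can be reproduced in a small Python model. This is an added example, not Kaspersky code: the class names, fields and sample files are constructed, and it encodes only what this guide states (one matching condition includes a file, one matching exclusion removes it, unsigned files never match metadata, folder conditions are recursive).

```python
import hashlib
from dataclasses import dataclass, field, replace
from pathlib import PureWindowsPath
from typing import Optional


@dataclass
class ExeFile:
    """One executable as seen at start time (constructed model, not a KES structure)."""
    path: str
    content: bytes
    name: str = ""
    vendor: str = ""
    version: str = ""
    signed: bool = False       # carries a valid digital signature
    removable: bool = False    # started from a removable drive

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


def parse_version(text: str) -> tuple:
    """'10.2.1' -> (10, 2, 1), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split(".") if part.isdigit())


@dataclass
class Checksum:
    sha256: str

    def matches(self, f: ExeFile) -> bool:
        # Depends on content only: renaming or moving the file changes nothing.
        return f.sha256 == self.sha256


@dataclass
class Metadata:
    name: Optional[str] = None
    vendor: Optional[str] = None
    version: Optional[str] = None
    op: str = "eq"             # eq | lt (older) | gt (newer) | prefix

    def matches(self, f: ExeFile) -> bool:
        if not f.signed:       # unsigned files never match a metadata condition
            return False
        # Case-insensitive comparison is an assumption of this model.
        if self.name is not None and f.name.lower() != self.name.lower():
            return False
        if self.vendor is not None and f.vendor.lower() != self.vendor.lower():
            return False
        if self.version is None:
            return True
        have, want = parse_version(f.version), parse_version(self.version)
        return {"eq": have == want, "lt": have < want, "gt": have > want,
                "prefix": f.version.startswith(self.version)}[self.op]


@dataclass
class Folder:
    folder: str

    def matches(self, f: ExeFile) -> bool:
        # Recursive: the file may sit in any subfolder of the given folder.
        want = [p.lower() for p in PureWindowsPath(self.folder).parts]
        have = [p.lower() for p in PureWindowsPath(f.path).parent.parts]
        return have[:len(want)] == want


class RemovableDrive:
    def matches(self, f: ExeFile) -> bool:
        return f.removable


@dataclass
class Category:
    name: str
    conditions: list
    exclusions: list = field(default_factory=list)

    def contains(self, f: ExeFile) -> bool:
        if any(x.matches(f) for x in self.exclusions):
            return False       # one matching exclusion removes the file
        return any(c.matches(f) for c in self.conditions)  # one condition is enough


# Constructed sample files and categories.
tool = ExeFile(r"C:\Tools\scanner.exe", b"scanner build 1")
renamed = ExeFile(r"C:\Users\tom\Desktop\notes.exe", tool.content)
patched = ExeFile(tool.path, tool.content + b"\x00")
old_signed = ExeFile(r"C:\Program Files\Browser\browser.exe", b"b79", name="browser.exe",
                     vendor="Example Corp", version="79.0.1", signed=True)
old_unsigned = replace(old_signed, signed=False)
approved = ExeFile(r"C:\Users\tom\bin\helper.exe", b"approved helper")

prohibited_tool = Category("Prohibited tool", [Checksum(tool.sha256)])
old_browsers = Category("Old browsers", [Metadata("browser.exe", "Example Corp", "80.0", "lt")])
user_profile = Category("Profile or USB", [Folder(r"C:\Users\tom"), RemovableDrive()],
                        exclusions=[Checksum(approved.sha256)])
```

Calling `prohibited_tool.contains(renamed)` returns `True` while `old_browsers.contains(old_unsigned)` returns `False`, which is the surprise with unsigned files that the metadata paragraph warns about.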

Automatically filled folder-based category

The contents of an automatically filled category are updated when the source folder contents change (executable
files are deleted or added). You can also make the category update on a schedule.

If the specified folder contains archives or installation packages (for example, *.msi), the Administration Server will
automatically unpack them (into a temporary folder) and include data about the executable files within the archive
or package into the category. So, if you place program distribution into the folder, the category will include not only
the installation file, but also program files.

This method of creating a category is useful if the company has a repository of program distributions to be installed
on the corporate computers. Start of these programs must be allowed. The administrator may occasionally add
programs to the list or replace them with newer versions.

To avoid manual updating of the category rules for the allowed distributions, place them into a folder and make
the Administration Server automatically monitor the changes and add parameters of the detected files to
the dedicated category. Afterwards, the administrator will only have to create one allowing rule for this category in
the policy to allow start of all the used programs.

You can also select to Include dynamic-link libraries (.DLL) in this category. If this check box is selected,
Kaspersky Security Center will calculate checksums of DLL files and add them to the category along with
executable files.

It makes sense to care about DLL files because Windows permits starting processes from them through
the rundll32.exe utility. Generally, some of the processes started from library files may be allowed, while others
blocked.

In this regard DLL files are similar to script files (*.js or *.vbs), which are not executable, but are started via
the cscript.exe (or wscript.exe) utility, and can also be allowed or blocked.

To include scripts into a category, select the check box Include script data in this category.

Similar to other category types, you can use hash sums. If various KES versions are installed in the network, 10 SP2
and older, you can select both check boxes. Then the category will be larger, but will work for all Kaspersky
Endpoint Security versions.

Category based on a reference computer

In addition to the repository of allowed program distributions, there may be a reference computer in the organization
where all the programs used in the company are installed. Such a reference computer is usually necessary for
creating images to be deployed on new computers. As a result of such a deployment, the operating system and all
programs necessary for work are installed on the computer, and the whole process takes much less time than
installing everything from distributions. The administrator periodically upgrades programs on the reference
computer and updates the image accordingly.

With this approach, it is logical to automatically make all programs installed on the reference computer allowed. For
this purpose, you need to scan the computer, add all programs to a category, and then create an allow rule for it in
the policy. This is what a category automatically filled with files from selected computers is designed for.

Sometimes it is necessary to break down the files found on the reference computer into a few categories. For
example, separate Windows files from those found among Program Files. In this case, you can configure a filter
based on the folder where a file is located. The category will include only the files that are located in the specified
folder of the reference computer.

Unlike folder-based categories, where the changes are monitored by the Administration Server itself, with
a computer-based category, the Administration Server relies on the detection of executable files by Kaspersky
Endpoint Security. This means that a reference computer must be equipped with the Application Control component
of Kaspersky Endpoint Security, which will draw up the list of executable files, and with Kaspersky Network Agent,
which will send the data to the Administration Server. There will be more details on how this works later in this
chapter.

The administrator can specify the scanning interval, the same way as within a category filled from a folder.

The detected files will be added to the category and will later be identifiable by SHA-256 (for the latest versions of
Kaspersky Endpoint Security) or MD5 sums (for Kaspersky Endpoint Security 10 SP1 MR3 or earlier)—depending
on the Kaspersky Endpoint Security version installed on the reference computer.

Note: Unlike for a folder-based category, here you must select either SHA-256 or MD5 (depending on the
Kaspersky Endpoint Security version installed on the reference computer). This means that if different versions of
Kaspersky Endpoint Security are installed in the network, you need to use two reference computers for a category.

A computer-based category will include the list of found files and SHA-256 or MD5 checksum of each file.

What you can do with programs and categories after the initial configuration

How to find out which KL category a file belongs to

If the administrator wants to know which KL category includes a specific executable file, they can find this
information either in Kaspersky Endpoint Security interface on the client computer, or in the Administration
console. The local verdicts (which may vary slightly on different computers because of different database versions)
are available in the Application Activity Monitor window.

Information in the Administration Console can be used for troubleshooting as well as for planning the rules. This list
of files is displayed in the Operations | Third-Party Applications | Executable Files. The administrator can view
the attributes and KL category of each file.

Since there can be a lot of files on the list (reported from all the computers in the network), search and filtering
options may help finding the necessary one. The administrator can search for a file using a part of its name, or apply
a filter and search by the values of various file attributes.

You can use the list of executable files not only to view KL categories, file attributes and various statistics, such as
when the file was first detected on the computers, but also to add or exclude the file to or from an administrator-
defined category. There is a button that adds the file to administrator-defined categories. You can add the file to
an existing category or create a new one. And when modifying an existing category, you can either add the file to
the inclusion conditions or to the exclusions. In all cases, the resulting condition will be based on the file’s SHA-256
or MD5 sum or certificate data.

How to add a program to an existing category

If the administrator notices something new when looking through the list of executable files detected on computers
connected to Kaspersky Security Center, and decides to add the program to a category, he or she does not need to
memorize its name and go to the container with program categories. You can simply select the necessary executable
file or program and carry out the Add to category command.

Then select how to add: To an existing category or create a new one. Where to add: You can add programs to
categories or exclusions.

The program will be added by hash sum or certificate with which its executable file is signed.

How to find out which category a file belongs to

Via the applications registry

There are two handy lists in Kaspersky Security Center Administration Console: Applications registry and
Executable files. When you need to do something with a specific program, it is logical to use the Applications
registry. However, a program may have several executable files.

Kaspersky Endpoint Security can be configured to work with individual executable files as well as with programs at
the same time.

Select the necessary program in the Applications registry, open its properties, and go to the list of executable files
that correspond to this program.

Via the list of all executable files

The list of executable files that we can see on the Kaspersky Security Center Administration Server consists of all
executable files detected by Kaspersky Security Center and Kaspersky Endpoint Security on all computers
connected to this Administration Server. Meaning, this list can be very long.

However, when you know what you are looking for, it is very handy. You can sort it by names, or use filters.

Which other useful information is available about a file

On which computers and when it was detected for the first time (but not how), when it undertook network activity
for the first time, whether it is signed with a certificate.

How to make sure that all files have been collected

Where to enable sending information about found executable files

Right after the installation, the Executable files container will be empty on the Administration Server. Gradually,
when new clients are connected, new data will be sent to the Administration Server on the condition that the
Application Control component is enabled in Kaspersky Endpoint Security 11.1.

Important: If Application Control is disabled, data about executable files will not be transferred when applications
start.

Except for that, there is an option for sending information about found executable files; it is enabled by default. You
can find it in the Kaspersky Endpoint Security policy: Application Settings | General Settings | Reports and
Storage, the option About started applications. This check box enables sending information about running
applications, as well as results of the Inventory task.

Note: we recommend that you do not enable sending information about installed applications for all client
computers; exclude, for example, weak computers or non-persistent virtual machines.

How to view all executable files found on a computer

There is a list of executable files in the properties of each managed computer. This list is supplemented by:
1. The Inventory task, which scans the client computers’ folders specified in its properties
2. Application Control which, when enabled, collects information about all executable files started on the
client computers.

Network Agent also gathers information about software, but only about installed applications, for which it scans the
registry.

Inventory task

It is not created by default. This means that the list of executable files will include only those files that have been
started on computers where the Application Control component is enabled. However, some files start very rarely. It
may take a very long time until all executable files are intercepted and reported to the Administration Server. A
faster way to detect files is by using an Inventory task.

This is a Kaspersky Endpoint Security task, which can be created for a group or computer selection. With standard
settings, the task searches for executable files in the following directories:

— %SystemRoot%
— %ProgramFiles%
— %ProgramFiles(x86)%

The list of folders is configurable. The information about discovered files is sent to the Administration Server and is
available in the Web Console on the Operations | Third-Party Applications | Executable Files page.

Unlike the monitoring components, this task can detect executable files within archives and installation packages.
Select the Scan archives and Scan distributions check boxes.

When executable files are being searched for, their checksums are calculated, which may slow down the computers.
To reduce resource consumption, you can use the option to Scan only new and changed files. The information
about changes is obtained using the iSwift technology and requires almost no calculations.

Alternatively, you can schedule the task to run during nonworking time, or use the option that suspends scheduled
scanning when the computer is being used and resumes it when screensaver is on and the computer is locked.

2.3 How to create control rules

Application Control modes

Note that Application Control is disabled by default in Kaspersky Endpoint Security starting with version 10
Service Pack 1. That is why the information about executable files is not sent by default. The first thing
the administrator needs to do before configuring rules is to enable the component and select the mode: White list or
Black list (for detailed information about these modes, see section 2.1 “How Application Control works”.)

By default, right after you enable Application Control, the Notify mode will be used. It is recommended to test the
rules first. Instead of real denies, only events will be sent to the Administration Server: Application startup
prohibited in test mode or Application startup allowed in test mode. You can generate a report based on these
events, analyze it, adjust the rules if necessary, and then switch them to the block mode. Later, to test new rules
without interrupting those already applied, the administrator can add a rule with the Test status. After you make sure
that the new rules do not interrupt useful applications, Enable them.

Each rule (regardless of the selected mode, white or black list) can use one of the following three statuses:
— On means that the Application Control component uses the rule.
— Off means that the Application Control component does not use the rule.
— Test means that Kaspersky Endpoint Security will always permit starting the programs to which this rule
applies, but will send information about starting these programs to the Administration Server.

The check box Control DLL and drivers enables you to restrict start of DLL libraries and drivers, but increases the
load on the computer, so it is recommended only when it is really indispensable, for example, with rigid
Default Deny.

Application Control rules

There can be as many rules as you wish; prohibition always has a higher priority. The black and white lists have
different sets of rules. For example, if you first selected the Black list, added a rule, and then switched to White list,
your rule will not be there.

Each rule has the following parameters:


— Category—an application category created on the Administration Server beforehand. A policy may contain
only one rule for each category
— Users and/or groups that are granted permission—the list of local or domain users and groups who are
allowed to start the programs belonging to the selected category. If more than one entity needs to be
specified, separate them with a semicolon (;)
— There is a related option Deny for other users. When enabled, it automatically denies permission to all
unlisted users. All versions of Kaspersky Endpoint Security earlier than 10 Service Pack 1 acted as if this
option were always enabled. In Kaspersky Endpoint Security 11, this option is configurable and disabled by
default. Unlisted users are granted or denied permission based on the rest of the rules
— Users and/or groups that are denied permission—this parameter explicitly defines the list of users and
groups who are prohibited from starting the programs
— Trusted updaters—consider all programs of this category to be trusted updaters¹

Denial has a higher priority than permission. For example, if a rule is configured to allow program start to all users
and prohibit for the Tom user, this user will not be able to start the program according to this rule.

The list of rules is initially empty for the black list mode; for the white list, it contains two system rules that cannot
be deleted:

— Trusted updaters—if this rule is enabled, the applications installed by trusted updaters will not be blocked
even if there are no allowing rules for them. It is a special KL category² that includes programs that
download and install module updates, for example, Adobe Updater, Chrome Component Updater, etc.
The rule is enabled by default, meaning, Trusted updaters are allowed.

— Golden Image—contains the executable files necessary for the operating system, as well as executable
files supplied with the system—various standard utilities and applications. Its purpose is to prevent Kaspersky
Endpoint Security from accidentally blocking files important for the operating system

The list lacks the up and down buttons, because the order of rules does not matter. When a program starts on
a computer, Kaspersky Endpoint Security analyses all enabled rules together. Different rules regulate start of
different application categories; but some programs may belong to several categories at once. If there is at least one
rule according to which program start must be prohibited, it will be prohibited regardless of what the other rules say.

If a program does not belong to any category, in the black list mode, it will be allowed, and in the white list mode,
blocked.
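
How the rules combine can be checked with a small model. This is an added example in Python, not Kaspersky code: the Rule fields, the decide function and the sample policy are assumptions that encode only what this section states, and the Test status is left out.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One Application Control rule (constructed model, not a KES structure)."""
    category: str
    allow: set = field(default_factory=set)   # users/groups granted permission
    deny: set = field(default_factory=set)    # users/groups denied permission
    deny_others: bool = False                 # the "Deny for other users" option
    status: str = "on"                        # "on" or "off"; Test is not modelled


def decide(mode, rules, file_categories, identities):
    """Return (verdict, reason) for one program start.

    mode            -- "white" or "black"
    file_categories -- names of every category the program belongs to
    identities      -- the user's name plus the groups the user is a member of
    """
    if mode not in ("white", "black"):
        raise ValueError("mode must be 'white' or 'black'")
    names = [r.category for r in rules]
    if len(names) != len(set(names)):
        raise ValueError("a policy may contain only one rule per category")

    granted_by = None
    # All enabled rules are considered together; list order never changes the verdict.
    for rule in rules:
        if rule.status != "on" or rule.category not in file_categories:
            continue
        if rule.deny & identities:
            return "prohibited", f"denied by rule '{rule.category}'"
        if rule.allow & identities:
            granted_by = granted_by or rule.category
        elif rule.deny_others:
            return "prohibited", f"unlisted user denied by rule '{rule.category}'"
    if granted_by:
        return "allowed", f"allowed by rule '{granted_by}'"
    if mode == "black":
        return "allowed", "no rule applies (black list default)"
    return "prohibited", "no rule applies (white list default)"


# Constructed white list policy.
WHITE_LIST = [
    Rule("Golden Image", allow={"Everyone"}),
    Rule("Office software", allow={"Everyone"}, deny={"Tom"}),
    Rule("Admin tools", allow={"IT"}, deny_others=True),
    Rule("Browsers", allow={"Everyone"}, status="off"),
]

ANN = {"Ann", "Everyone"}
TOM = {"Tom", "Everyone"}
```

A program that belongs to both Golden Image and Admin tools is prohibited for Ann even though Golden Image allows it, because a single prohibiting rule outweighs any allowing rule.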

2.4 How it will work

How to find out what a particular user is prohibited from

¹ This option is described in detail later in this chapter.
² This KL category cannot be selected when configuring program category conditions.

There is the Static analysis button next to the list of startup control rules in the Kaspersky Endpoint Security policy.
It opens the window where you can select a user or a group; in the right pane, the list of prohibited categories and
blocked files will be displayed.

Static analysis is available only in the MMC console.

Local notifications and user requests

When a program start is blocked on the client computer, Kaspersky Endpoint Security shows a pop-up notification
so that the user is not confused about the reason for the application behavior.

If the user needs this program for work, the pop-up notification permits sending the administrator a request to allow
program start. The user should click the Request access link in the notification window and then click the Send
button.

The text of the pop-up notification, as well as the request to allow a program to start, can be modified in
the Kaspersky Endpoint Security policy. You can use variables there, which provide information about a specific
event, for example, the name of the blocked program, the computer where the event was registered, etc.

User requests selection

The standard User requests event selection contains the Application startup blockage message to administrator
events registered over the last 7 days. The Application startup blockage message to administrator event is
registered when a user sends a request to allow program start, and contains the request text along with
the information about the computer, username and the program in question, that is, the complete information
the administrator needs to make a decision.

It may happen that a user would need a program urgently. That is why, if the administrator rarely opens User
requests, it might be worthwhile to configure email notification for the event Application startup blockage
message to administrator. This will enable the administrator to process the requests as soon as possible.

It is possible to use the request events to modify application categories. An event contains complete important
information about the blocked file, including its SHA-256 (MD5 for older versions of Kaspersky Endpoint
Security). The administrator can use the Add file to category link to immediately add the blocked file to an existing
or a new category either as an inclusion condition or as an exclusion.

Events

Application Control generates five types of events:

— Application startup allowed
— Application startup prohibited
— Application startup allowed in test mode
— Application startup prohibited in test mode
— Application startup blockage message to administrator

By default, all the events except for Application startup allowed are transferred to the Administration Server.

If the test mode is used for rules, it might be worthwhile to create a selection for the Application startup
prohibited in test mode events.

Report on blocked runs



Based on the Application startup prohibited event, Kaspersky Security Center generates a Report on blocked runs,
which shows the distribution of the number of blocked starts on the client computers by applications. Switch to the
Details tab to consult information about all computers and programs detected by Application Control.

Starting with Kaspersky Security Center version 10 SP2 MR1, you can generate a report on program starts blocked
in the test mode. It will contain only events about blocked starts, regardless of the selected mode: Black list or White
list.

2.5 Default deny mode

Default deny is a scenario when Application Control prohibits devices from running any programs except those
specified in allow rules configured in the white list of Application Control.

The main difficulty when working in the white list mode (when the start of uncategorized programs is prohibited by
default) is operating system malfunction, because the system files that are not explicitly allowed will be blocked
along with other programs. That is why there is an allow rule for operating system files in the white list by default.

For example, there can be a policy for using programs on the computers that are used as point-of-sale (POS)
terminals. Only special programs must be allowed to start on them, and all unknown programs must be prohibited.

Various configurations of allow rules are possible; it will be necessary to create one or several categories for system
executable files and configure allow rules for them using one of the following methods:

— Use a reference computer with the operating system and allowed programs installed for creating
an automatically filled category

— Use a directory with distributions of allowed programs for creating an automatically filled category

To prevent programs for which allow rules are configured from being blocked after they are upgraded, use the standard
rule Trusted updaters. This rule exists in the list by default and cannot be deleted, but it is disabled by default.
When enabled, the programs downloaded and installed by the applications included in the Trusted updaters category
will not be blocked even if the corresponding allow rules are not configured.

The administrator can also manually assign the Trusted updaters flag to a category in the properties of an allow
rule.

For more details about configuring Kaspersky Endpoint Security to default deny, refer to course KL 032.

Chapter 3. Device Control

The main purpose of the Device Control is clear from its name. It enables the administrator to monitor various
devices in the corporate network and, if necessary, prohibit using some of them.

The Device Control component allows the administrator to enforce the corporate security standards by specifying
who can use which devices on the computers, and when. The rules may be applied to removable drives, printers,
CD/DVD, non-corporate network connections, Wi-Fi, Bluetooth, etc.

The most popular use case for this component is blocking USB flash drives. A user may bring an infected file from
home; accidentally or deliberately, a user can take away files that are of commercial value for the company on
a USB drive or other removable media. Users could also connect a workstation to the internet via a smartphone.
Restrictions help prevent such problems.

Different settings are available for different device types. The following storage devices boast the most flexible
settings:

— Hard drives
— Removable drives
— Floppy disks
— CD/DVD drives

You can specify the accounts allowed / prohibited to access the devices, you can permit only copying information
from the devices and prohibit writing, or you can configure a schedule to allow access to devices only during
business hours.

Other device types can only be allowed or blocked, without any flexible settings.

Wi-Fi devices deserve specific mention; they are covered later.

More globally, Device Control can block a connection bus completely, meaning, any devices that will be connected
to a specific physical port of the computer will be inaccessible.

Note: Keyboard and mouse cannot be blocked, they are not subject to Device Control rules. To protect against
attacks when an infected USB flash drive pretends to be a keyboard, install and use a special component, BadUSB
Attack Prevention.

The Device Control component permits you to draw up a list of trusted devices that will always be accessible,
regardless of the rules. Plus, you can specify the users who will be allowed to work with each specific trusted
device.

Also, the administrator will be able to grant temporary access to a prohibited device if a user needs to work with it.

3.1 What can be blocked and how

Device Control is configured in Kaspersky Endpoint Security policy. From the component properties, you can open
the rules for device types, connection buses’ settings, the list of trusted devices, or configure Anti-Bridging.

Some devices can be allowed, but with limitations: You can explicitly specify the prohibition schedule, restrict only
writing operations, or make exclusions for some users but not others. You can do that for:

— Hard drives
— Removable drives
— Floppy disks
— CD/DVD drives

All other device types you can only disable completely:

— Printers
— Modems
— Tape devices
— Multifunctional devices
— Smart card readers
— Windows CE USB ActiveSync devices
— Cameras and scanners
— Portable devices (MTP)
— Bluetooth

Access to Wi-Fi networks is a special case, covered later.

Mobile phones, tablets, players and other portable devices may be treated either as portable devices (MTP) or as
removable drives, if connected as external data carriers.

The list omits image-processing devices (in particular, scanners). These can also be prohibited, but only by blocking
their connection buses.

Kaspersky Endpoint Security allows blocking connected devices by interface type (bus):

— USB
— FireWire
— Infra Red
— Serial Port
— Parallel Port
— PCMCIA

The administrator can totally block, for example, all USB devices.

Rules for devices have a higher priority than rules for buses. If the USB bus is prohibited, but removable drives are
allowed, a USB flash drive will work correctly.

By default, all devices work in the “Depends on bus” mode, and all buses are allowed.

Additional options

Kaspersky Endpoint Security allows blocking only those types of devices that are included in the list. This list
cannot be edited to add new devices.

You can flexibly restrict the use of removable drives, CD/DVD, hard drives, and floppy disks.

The following options are available:

— What can be done: You can select to prohibit only reading or writing
— The list of accounts that are allowed to use the device type. You can select accounts from the domain to
which the computer where the Administration Console is started belongs, or among local users if there is
no domain. The rule will work on any computer where the policy is enforced. The Everyone universal
account is always available.
— Operation types and access schedule. You can manage Read and Write permissions independently.
The schedule is specified by hours and days of the week. For example, you can allow Read operations for
removable drives each working day from 8:00 to 21:00 to Everyone, and Write operations only to
the Administrators and only during business hours

If several rules fit a user, the most restrictive of them will be applied. If a device is “allowed”, it means “always
allow everyone to perform any operation.”

You can combine the rules. For example, prohibit USB devices and removable drives, but make an exclusion for
the administrators: allow them to use USB flash drives during business hours.

The changed policy comes into operation as soon as it is enforced. If, for example, removable data carriers are
blocked while the user has plugged in a USB flash drive and has copied something there, the drive will become
unavailable as soon as the policy is enforced and the next operation will be blocked.

USB flash drive access log

If USB flash drives are allowed at the company in principle, but the company does not welcome using them, you can
configure logging access to USB flash drives. Then, for each of the selected operations, the corresponding event,
File operation performed, will be sent to the Administration Server. It will specify who (which account) copied or
deleted a file.

Unlike other events, this event will not be stored locally.

By default, logging access to USB flash drives is disabled. To enable it, click the Logging button. It is available
only for removable drives. You can select which operations to log (writing and/or deleting), and file formats:

— Text files
— Video files
— Audio files
— Graphic files
— Executable files
— Office files
— Database files
— Archives

How to specify trusted Wi-Fi networks

Device Control permits you to regulate access to Wi-Fi networks. Three actions can be taken when a device
connects to a network:

1. Allow
2. Block
3. Block with exceptions: contains additional settings that let you draw up a list of trusted Wi-Fi
networks based on network name, authentication type, and encryption type. A network is considered
trusted only if all the specified parameters are matched. If the network name is not specified, the name may vary.

Connecting corporate notebooks to public Wi-Fi networks is not always desired. You can use Device Control to
disable Wi-Fi. However, for notebooks that users may take home, this is not the best solution. It is
more logical to use the Block with exceptions option and specify trusted networks, for example, corporate and
home.

What Anti-Bridging does

Device Control includes the Anti-Bridging component, which enables the administrator to prohibit users from
establishing two network connections simultaneously. This prevents unauthorized bridges to the internal network
that bypass perimeter protection.

For example, a user’s computer is connected to the corporate network. The user has connected a Wi-Fi adapter to
the computer and configured it to act as a wireless access point. This access point may be used not only by those for
whom it was created, but also by criminals, who can use exploits for the adapter, brute-force the username and
password, or employ other methods to bypass protection. As a result, the user’s computer will be compromised and
criminals will have a stepping stone for further development of the attack vector. In this case, Anti-Bridging is a part
of protection that stops criminals from gaining access to the internal network, because as soon as the user turns on
the Wi-Fi adapter, Anti-Bridging will automatically disrupt all network connections, including access to the local
network, and only the Wi-Fi network will be active.

A similar threat to corporate network security may arise if a user’s notebook is connected to the organization’s
network using a wired connection. The user may create a hotspot on the smartphone to bypass the organization’s
protection solutions and connect the notebook to it over Wi-Fi. After that, the user may accidentally or intentionally
open a webpage that contains an exploit pack, which will compromise the notebook, and criminals will gain the
capability to attack the organization’s internal network from the internet.

In both cases, there are two networks (local and Wi-Fi) on the user’s computer, which is connected to the
organization’s network. To eliminate simultaneous operation of two networks and give preference, for example, to a
wired connection, the administrator turns On all controls in the Anti-Bridging settings and gives maximum priority
to the network adapter. In this case, the user will not be able to turn on the Wi-Fi network on a computer unless they
disable the wired network.

The Anti-Bridging component is disabled by default; to enable it, in the Device Control properties, click the
corresponding link and Enable Anti-Bridging in the window that opens. After Anti-Bridging is enabled,
Kaspersky Endpoint Security will block already established connections according to the connection rules.
The higher the rule on the list, the higher its priority. Anti-Bridging can block all connections except the one that
has maximum priority. For this purpose, in the Anti-Bridging window, turn On all controls and define priorities for
all devices:

— Network adapter
— Wi-Fi
— Modem

Note: If several wired connections are configured, only one of them (chosen arbitrarily) will be allowed. If the Wi-Fi
adapter is not connected to a network, it will not be blocked until the user tries to connect.

3.2 How to specify a trusted device

If there are removable drives in the company that must be allowed always and everywhere, it might be worthwhile
to make them trusted.

Devices can be made trusted by their ID, by an ID mask, or by model.

Trusted devices are specified in the Kaspersky Endpoint Security policy, under Device Control | Trusted devices.

To make information about a device accessible in a policy, first connect the device to a workstation where
Kaspersky Endpoint Security is installed with the Device control component enabled; then wait for the connection
event to reach the Administration Server.

Three options are available when adding trusted devices:

— Devices by ID
— Devices by model
— Devices by ID mask

The first two options allow you to select the device that you want to make trusted, and its ID and model will be
added to the list. The Administration Server must have the device in its database. If the Administration Server is
unaware of this particular device, you can’t make it trusted.

The Devices by ID mask option allows you to type the device ID or a part of it. This doesn’t rely on
the Administration Server knowledge of the device, only on the administrator’s knowledge of the device ID. Device
ID can be found in the Windows Device Manager in the device properties on the Details tab. Look for the value of
the Device Instance Path property. It looks somewhat like

USBSTOR\DISK&VEN_&PROD_USB_FLASH_DRIVE&REV_1.01\574B17001160&0

When adding a mask, you can replace a part of the ID with ‘*’ or ‘?’ to make it applicable to multiple devices, e.g.,
‘NEC*CDR??’. This helps when a company has a lot of devices with similar IDs that should be trusted. Adding
a device by model can also help in this case, if all devices are from the same vendor and of the same type.
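Before adding a mask, it is worth checking how many known devices it would actually trust. The following sketch is an added example, not Kaspersky code: it applies the ‘*’ and ‘?’ wildcards described above to a constructed device inventory and reports any device the mask would trust unintentionally. Whole-ID, case-insensitive matching is an assumption, and every ID except the one quoted above is invented.

```python
import re

# Device Instance Path quoted in the text above.
PAGE_ID = r"USBSTOR\DISK&VEN_&PROD_USB_FLASH_DRIVE&REV_1.01\574B17001160&0"

# Constructed inventory of (computer, device ID) pairs, standing in for the
# devices the Administration Server has seen. All but PAGE_ID are invented.
INVENTORY = [
    ("POS-01", PAGE_ID),
    ("POS-02", r"USBSTOR\DISK&VEN_&PROD_USB_FLASH_DRIVE&REV_1.01\574B17001161&0"),
    ("HR-07", r"USBSTOR\DISK&VEN_ACME&PROD_STORAGE&REV_2.00\AA11BB22&0"),
    ("LAB-03", "NEC_EXTERNAL_CDR01"),
    ("LAB-04", "NEC_EXTERNAL_CDR001"),
]

# Devices the administrator actually means to trust (constructed).
INTENDED = {INVENTORY[0][1], INVENTORY[1][1]}


def mask_to_regex(mask):
    """Translate an ID mask into a regular expression.

    Only '*' (any run of characters) and '?' (exactly one character) are
    wildcards; everything else, including the backslashes, '&' and '.' of a
    Device Instance Path, is matched literally.
    """
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # Assumption: IDs are compared case-insensitively.
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def audit_mask(mask, inventory, intended):
    """Return the devices a mask would trust and those not meant to be trusted."""
    rx = mask_to_regex(mask)
    # Assumption: the mask has to cover the whole ID (fullmatch).
    matched = [(pc, dev) for pc, dev in inventory if rx.fullmatch(dev)]
    unintended = [(pc, dev) for pc, dev in matched if dev not in intended]
    return {"matched": matched, "unintended": unintended}


if __name__ == "__main__":
    candidate_masks = (
        PAGE_ID,                                   # exact ID: one device
        r"USBSTOR\DISK&VEN_&PROD_USB_FLASH_DRIVE&REV_1.01\574B1700116?&0",
        r"USBSTOR\DISK*",                          # far too broad
        "NEC*CDR??",                               # mask form quoted in the text
    )
    for mask in candidate_masks:
        result = audit_mask(mask, INVENTORY, INTENDED)
        print(mask)
        print("  trusts:       ", [pc for pc, _ in result["matched"]])
        print("  not intended: ", [pc for pc, _ in result["unintended"]])
```

A mask that ends in a bare ‘*’ after the device class, such as the third candidate, trusts every removable disk in the inventory, which defeats the purpose of the trusted list.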

There is also a Comment field when adding a trusted device, which the administrator can fill in to describe why this
trusted device (or a group) is added.

To add a device by model or by ID without typing it, connect the device to a managed computer with Kaspersky
Endpoint Security installed. The Device Control component must be installed too. Then you need to wait for some
time till the information about the device makes it to the Administration Server.

To simplify the search for the necessary device, you can choose the device type and also specify the name of
the computer where it is or was connected. Then click the Refresh button to display the filtered results.

You can also import/export the list of trusted devices in XML format. This capability may come in handy, for
example, when you need to edit the name of a trusted device displayed in Kaspersky Security Center interface, add
many similar devices, save a backup copy of the list of trusted devices, or move the list to another server.

Before adding the device, you can also restrict the list of users that will have access to it. You may want to have
trusted devices, but you may not necessarily want everybody to have access to them. Perhaps only administrators
should be able to use them.

You can import or export the list of devices only in the MMC console.

3.3 How to configure interaction with users

When the user attempts to connect a prohibited device, a pop-up notification is displayed.

If notifications are disabled, the user might think that there is a hardware problem, contact the technical support, or
even worse, try to “fix” it without assistance. The administrator can modify the notification text, for example, add
the contact information of the person responsible for device access.

Notification Templates are available in the Kaspersky Endpoint Security policy in the Device control settings. You
can use variables in the notification text, for example, the name of the device or the blocked operation.

If pop-up notification about blocking is enabled, it contains the Request access link, which can be neither disabled
nor hidden.

If the user sends a request, it will be sent to the server as a Warning event. Similar to the other control components,
requests are displayed in a special selection named User requests. The administrator does not have to react to a
request; but if they want to, they can, for example, configure the corresponding email notifications in the Kaspersky
Endpoint Security policy.

3.4 How to configure temporary access



Kaspersky Endpoint Security enables users to request temporary access to blocked devices. The procedure is as
follows:

1. The user finds out that the necessary device is blocked
2. The user generates a request file for it in the Kaspersky Endpoint Security local interface
3. The user emails the request access file to the administrator
4. The administrator examines the request, and in the case of an affirmative answer, creates and sends the user
a special access key

Important: You can create a special access key only in the MMC console.

5. The user activates the received key. After this, the selected device (and only that device) becomes
accessible for the time span specified by the administrator. The user cannot pause temporary access to use
it later; and the administrator cannot remotely revoke temporary access

It goes without saying that many users may believe that their devices are blocked by mistake, and will ask
the administrator for temporary access. To avoid numerous requests, you can disable this capability: In
the Kaspersky Endpoint Security policy, on the Device Control tab, clear the Allow request for temporary access
check box.

How can the user send a request to get access to a blocked device?

In the local interface of Kaspersky Endpoint Security, click the button Settings, and go to section Security Controls
| Device Control. Click the button Request access. The window that opens by default lists the currently connected
devices, including blocked ones (to display all devices ever connected to the computer, apply the filter For the
entire runtime). Select the device that you need to access, and click the button Generate request access file.
Specify how long you will need to access the device (by default, 24 hours), click the button Save, and send the
.akey file to the administrator.

Note: If the administrator prohibits requesting temporary access, the button Request access appears dimmed.

How to create activation code

Temporary access is granted to a specific user for the specified device on the specified computer. That is why
the key is generated using the client computer’s shortcut menu, rather than in the policy or in the group properties.

Important: You can create a special access key only in the MMC console.

A client computer can be conveniently found in the Administration Console by the Search utility. Then
the administrator should open its shortcut menu and select the Grant access to devices and data in offline mode
command. In the window that opens, switch to the Device Control tab and click the Browse button to select
the .akey file received from the user.

The Administration Server checks the file integrity and whether it belongs to the selected computer, and then
displays the request. If necessary, the administrator can change the access duration and activation window. Neither
period can be less than an hour or more than 999 hours. The default value for both is 24 hours.

Then the administrator is to save the generated key into an .acode file and send it to the user.

So, the key is generated for the exact device and the computer where the user generated the request access file. Any
other devices will still be blocked; also, the device for which the access was granted will be blocked on other
computers.

The key is also bound to the username. Another user will not be able to access the same device on the same
computer using this access key. If temporary access is activated by the user who requested it and another user logs
on to the computer during the allowed period, they will not be able to use the device.

How to activate temporary access

In the same window where the request key was generated, the user clicks the Activate access key button, and
specifies the received .acode file. The device can be used immediately. Neither restart, nor synchronization with
the Administration Server is necessary.

The key must be activated before the specified activation window expires, and the access duration countdown starts
at the moment of activation. The device may be connected at any time (or even several times) during this period, or
not connected at all. The access countdown cannot be paused.

When temporary access is activated, a notification is sent to the Administration Server, but it is not included either
in the selection of user requests, or in the report on Device Control events.

3.5 Monitoring Device Control



Every time a user attempts to connect a blocked device, an event is sent to the Administration Server. It contains
the time, name of the computer where the attempt was registered, bus or type of the device, its ID, operation and
the account that initiated it.

The event is named Operation with the device prohibited; it has the Critical severity and is displayed in the selection
of Critical events. If necessary, the administrator can make a separate selection for blocked device access attempts.

The Operation with the device allowed event having the Info severity will be sent if a non-prohibited device is
connected. The number of such events shows the use frequency of USB flash drives, local printers, scanners,
removable drives, etc.

All events, including requests, are stored on the server for 30 days by default.

The Report on Device Control events provides the general view of the device control work. It displays a chart with
the distribution of its responses by user names. By default, the report includes all actions—device connecting,
disconnecting and blocking. To generate a report about device blocking only, leave only the Device connection
blocked check box selected in the Settings section of the report properties.

If necessary, the administrator can configure receiving daily email statistics about who tried to connect, for example,
USB flash drives, and when. The Deliver reports task, which is described in Unit IV Maintenance, serves this
purpose.

Chapter 4. Web Control

The task of web control is to filter Internet access according to the internal policy of the organization. Usually it is
used to block social networks, music, video, non-corporate web mail, etc. during business hours. If a user tries to
open such a website, either a notification that the access is blocked or a warning about an unwelcome website can be
displayed, depending on the settings in the policy.

Web Control operates similarly to firewalls. The administrator creates a set of blocking and allowing rules. The rule
properties include addresses or content types, user accounts, schedule, and the action. Only HTTP and HTTPS
traffic is scanned. Web Control is configured in Kaspersky Endpoint Security policy. The rules are applied in
the order specified by the administrator, and a page is processed according to the first applicable rule.

There are two default rules, which also regulate the operation mode:
— Allow all except the listed rules—the Black list mode
— Deny everything except the listed rules—the White list mode

By default, the Allow all universal rule is used and nothing is blocked.

Each rule has a name and the following attributes:

— Rule status
    — Active
    — Inactive
— Action
    — Allow
    — Block
    — Warn
— Filtering type
    — By content categories
    — By types of data
— List of addresses
    — Apply to all addresses
    — Apply to individual addresses and/or groups
— Users
    — Apply to all users
    — Apply to individual users and/or groups
— Schedule

4.1 Blocking criteria

First, access can be denied or allowed by site address. The administrator can explicitly specify the URLs to be
blocked, or use the * wildcard to block sites by address masks—for example, *.fm or *shop*.

Kaspersky Endpoint Security can also analyze webpage content (over HTTP) and classify pages into the following
categories:
— Online stores, banks, payment systems
— Shops and auctions
— Banks
— Payment systems
— Internet communication
— Web-based email
— Social networks
— Chats and forums
— Blogs
— Dating sites
— Religions, religious associations
— Job search
— Weapons, explosives, pyrotechnics
— News media
— Software, audio, video
— Torrents
— File sharing
— Audio and video
— Anonymizers
— Banners
— Profanity, obscenity
— Violence
— Computer games
— Adult content
— Alcohol, tobacco, narcotics
— Gambling, lotteries, sweepstakes

The content can also be categorized by data types:


— Video
— Sound
— Office files
— Executable files
— Archives
— Graphic files

The administrator can restrict access to any category or data type, but cannot edit or extend the lists of categories
and data types.

Filtering by category and type can be combined within a rule: For example, you can block office files and archives
received by web mail.

Sites are categorized using the database of known addresses (pc*.dat files in the updates folder), and heuristic
analysis of page content. URL reputation can also be requested from Kaspersky Security Network.

Data types are hard-coded in Kaspersky Endpoint Security and include the following file types:

Category          Category contents

Executable files  Win32 PE—exe, dll, ocx, scr, drv, vdx, and other extensions of Win32 PE files
                  Microsoft Installer Archive—msi

Video             Adobe Flash Video—flv, f4v
                  Audio/Video Interleave—avi
                  MPEG4 ISO format—3gp, 3g2, 3gp2, 3p2
                  MPEG4—divx, mp4, m4a
                  Matroska—mkv
                  Apple Quicktime—mov, qt
                  Microsoft Container—asf, wma, wmv
                  RealMedia CB/VB—rm, rmvb
                  MPEG2 (DVD) format—vob
                  VCD (MPEG 1)—dat, mpg
                  Bink Video—bik

Sound             MPEG-1 Layer 3—mp3
                  Lossless Audio—flac, ape
                  OGG Vorbis Audio—ogg
                  Advanced Audio Coding—aac
                  Windows Media Audio—wma
                  AC3 multichannel audio—ac3
                  Microsoft Wave—wav
                  Matroska Audio—mka
                  RealAudio—rm, ra, ravb
                  MIDI—mid, midi
                  CD digital Audio—cdr, cda

Office files      Open XML documents—docx, xlsx, pptx, dotx, potx, and others
                  Office 2007 macro enabled docs—docm, xlsm, pptm, dotm
                  MS Office documents—doc, xls, ppt, dot, pot
                  Adobe Acrobat—pdf

Archives          ZIP archive—zip, g-zip
                  7-zip archive—7z, 7-z
                  RAR archive—rar
                  ISO-9660 CD Disk—iso
                  Windows Cabinet—cab
                  Java (ZIP) archive—jar
                  BZIP2 archive—bzip2, bz

Graphic files     JPEG/JFIF—jpg, jpe, jpeg, jff
                  GIF—gif
                  Portable Graphics—png
                  Windows Bitmap (DIB)—bmp
                  Targa Image File Format—tif, tiff
                  Windows Meta-File—emf, wmf
                  Post-Script Format—eps
                  Adobe Photoshop—psd
                  Corel Draw—cdr

Let’s mention some specifics of Kaspersky Endpoint Security types and categories:
— The type is defined by the file format rather than extension.
— Data types inside archives are not checked—if executable files are prohibited while archives are not,
archived executable files will be allowed
— PDF documents are included in the Office files category. Therefore, if this category is blocked, some sites
that use PDF may display incorrectly
— In old versions of Kaspersky Anti-Virus (6.0.x), Anti-Banner was implemented as a separate component. In
Kaspersky Endpoint Security, you can block banners with the corresponding content category in Web
Control
— Flash videos in SWF format can be blocked only by extension mask—usually it is *.swf

4.2 Configuring exclusions and trusted servers

Sometimes a site can be blocked by mistake. For example, a corporate portal can be recognized as a social network,
or online trainings can be blocked because of video files. In this case, it is easier to create an allow rule instead of
creating a separate group with a special policy. You can configure an allow rule giving access to some categories or
data types located on the specified servers.

To have such a rule applied before the blocking rules, place it higher on the list.

The organization policy can even prohibit the Internet during business hours and allow only the corporate site. An
exclusion can be made only for the IT department. In this case, the administrator creates the general rule: During
business hours, deny everything to everybody. Then the administrator adds two allow rules above it: the first allowing
any content to the IT department employees, and the second allowing everybody to access the corporate site.

4.3 Diagnostics and testing

When there are many rules, it is sometimes difficult to monitor which of them were applied and why. For this
purpose, Kaspersky Endpoint Security has an offline diagnostics tool for Web Control.

To use it, first enforce the policy on a workstation, and then open the local Kaspersky Endpoint Security interface on
that workstation. Then switch to the Settings tab, select Web Control, and click the Diagnostics button. It opens
the window where you can specify the conditions of a presumed request:

— Select categories
— Select data types
— Specify day and time
— Select accounts
— Type site address (the * wildcard is allowed)

and get the web control verdict with the list of rules applicable to these conditions.

For example, the administrator can check whether access to a personal home mail server of an employee is blocked
by the rule that blocks web mail. On the other hand, if users complain that they cannot access an allowed site, you
can find out which rule works incorrectly.
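The sketch below models the first-applicable-rule ordering described in this chapter, using the scenario from section 4.2, and returns the verdict together with the list of applicable rules, much as the Diagnostics window does. It is an added example, not Kaspersky code: the rule names, the business-hours definition (Monday to Friday, 09:00 to 18:00), host-only address matching and the .example host names are all assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime

BUSINESS_DAYS = range(0, 5)     # Monday..Friday (assumption)
BUSINESS_HOURS = range(9, 18)   # 09:00 to 17:59 (assumption)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "Allow", "Block" or "Warn"
    masks: tuple = ()                 # address masks with '*'; empty = all addresses
    users: frozenset = frozenset()    # accounts or groups; empty = all users
    business_hours_only: bool = False
    active: bool = True


def mask_matches(mask, host):
    """Match a host against an address mask in which '*' is the only wildcard."""
    pattern = ".*".join(re.escape(part) for part in mask.split("*"))
    return re.fullmatch(pattern, host, re.IGNORECASE) is not None


def rule_applies(rule, host, identities, when):
    """A rule applies only if status, schedule, users and addresses all fit."""
    if not rule.active:
        return False
    in_business_hours = when.weekday() in BUSINESS_DAYS and when.hour in BUSINESS_HOURS
    if rule.business_hours_only and not in_business_hours:
        return False
    if rule.users and not (rule.users & identities):
        return False
    if rule.masks and not any(mask_matches(m, host) for m in rule.masks):
        return False
    return True


def diagnose(rules, host, identities, when, default_action="Allow"):
    """Return (verdict, deciding rule, all applicable rules in list order).

    The first applicable rule decides; if none applies, the default rule
    does ("Allow" in the Black list mode, which is the default).
    """
    identities = frozenset(identities)
    applicable = [r for r in rules if rule_applies(r, host, identities, when)]
    if not applicable:
        return default_action, "default rule", []
    return applicable[0].action, applicable[0].name, [r.name for r in applicable]


# The scenario from section 4.2: one general deny rule, two allow rules above it.
ALLOW_IT = Rule("Allow all for IT", "Allow", users=frozenset({"IT department"}))
ALLOW_PORTAL = Rule("Allow corporate site", "Allow",
                    masks=("portal.corp.example", "*.portal.corp.example"))
DENY_ALL = Rule("Deny all in business hours", "Block", business_hours_only=True)

POLICY = [ALLOW_IT, ALLOW_PORTAL, DENY_ALL]        # allow rules higher on the list
MISORDERED = [DENY_ALL, ALLOW_IT, ALLOW_PORTAL]    # same rules, deny rule first

TUESDAY_11 = datetime(2024, 3, 5, 11, 0)           # constructed test times
SATURDAY_11 = datetime(2024, 3, 9, 11, 0)

if __name__ == "__main__":
    cases = [
        (POLICY, "news.example", {"alice", "Sales"}, TUESDAY_11),
        (POLICY, "news.example", {"bob", "IT department"}, TUESDAY_11),
        (POLICY, "portal.corp.example", {"alice", "Sales"}, TUESDAY_11),
        (POLICY, "news.example", {"alice", "Sales"}, SATURDAY_11),
        (MISORDERED, "news.example", {"bob", "IT department"}, TUESDAY_11),
    ]
    for rules, host, who, when in cases:
        print(host, sorted(who), when, "->", diagnose(rules, host, who, when))
```

With the deny rule moved to the top of the list, the IT department is blocked even though its allow rule is still present and still applicable, which is the kind of ordering mistake the list of applicable rules helps to find.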

4.4 Configuring interaction with users

If Web Control blocks a part of page contents, the user may overlook it. If the page is completely forbidden,
a replacement page with the Web Control message will be displayed: either a warning that access is undesired, or
a message about blocking.

If the site is just undesirable (a Warning rule has been triggered), the user can proceed to the page by clicking one of
the links in the warning message: The link to the specific page that was requested, the link that enables access to all
pages of the website, or all pages of the website and its sub sites (meaning, *.amazon.com/* rather than only
www.amazon.com/*).

If the site is blocked by Web Control, there are no links to proceed; access is completely denied.

There is also a Request access link in Web Control messages to disagree with the policy and request a policy
change to be able to access the blocked website freely. Requests are sent to the Administration Server as events and
fall into the User requests selection.

Notification Templates are available in the Kaspersky Endpoint Security policy in the Web control settings. When
editing, you can use variables.

There is the Email address field in the webpage request template in case the Administration Server is inaccessible. In this
case, a request will be sent to the server in an email message rather than as an event.

4.5 Web Control statistics

When Web Control blocks access or warns that the access is unwanted, it simultaneously sends the corresponding
event to the Administration Server: Access blocked with Critical severity, or Warning about unwanted content with
Warning severity, respectively.

In both cases, an event contains the access time, site URL, applied rule, computer name, user account and Web
Control verdict. If the rule was created for a category or data type, they are also specified.

Note: Web Control independently processes each object of which the site consists. That is why, for example, when
graphic files are prohibited, blockage of each little image generates a separate event. Therefore, an attempt to access
a forbidden site can result in sending hundreds of events, which does not necessarily signify that the user browses
the Internet day and night. That is why these events are not transferred to the Administration Server by default.

If a user ignores the warning about undesired access and opens the site, the Access to unwanted content successfully
attempted after warning event with the Warning severity is sent to the server.

4.6 Web control report

Reports come in handy for regular control and general information. The Web Control report provides aggregate
statistics on the number of warnings and blockages for each rule. Allowing rules are not included.

Chapter 5. Adaptive Anomaly Control

A new Adaptive Anomaly Control component has appeared in Kaspersky Endpoint Security 11.1. The component
contains a set of activity patterns (heuristics), which are updated together with antivirus databases.

These patterns describe the most common behaviors characteristic of malware that may indicate possible attempts to
compromise security.

On the other hand, some of these activities may be legitimate for a specific computer or group of computers. For
example, PowerShell run from another program is quite an ordinary event on an administrator’s or developer’s
computer. Obfuscated PowerShell scripts may also be used for automating various tasks at a company.

The administrator is to instruct Adaptive Anomaly Control which activity is typical for a specific computer and
which is not; that is why the component works in the training mode (Smart Mode) for two weeks by default. During
this time, it monitors activities, informs the administrator about them, and it is the administrator (rather than the
component) who makes the decision whether a specific activity is normal for a computer.

Training in Smart Mode goes independently for each rule on each computer; meaning, on some computers it will
complete sooner, while on some others, later.

Note: Unlike other control components, Adaptive Anomaly Control requires at least a KESB Advanced license.

5.1 How to configure Adaptive Anomaly Control

The Adaptive Anomaly Control component is installed and enabled by default; however, it works in the Smart
mode.

Adaptive Anomaly Control is configured in Kaspersky Endpoint Security policy. From the component’s properties,
you can open its reports and the list of rules.

Adaptive Anomaly Control uses rules (activity patterns), which are supplied together with antivirus databases,
meaning, are updatable. The rules comprise several categories:

— Activity of office applications
— Use of Windows Management Instrumentation (WMI)
— Activity of script engines and frameworks
— Abnormal program activity

When the administrator opens the rules, a message says that updates are to be approved. On the one hand, the
approval does not influence the component’s operation: rule matches will be controlled anyway. On the other hand,
the administrator will not be able to create an exclusion without clicking Approve updates first.

If a new rule is added later, the update approval message will appear again to draw the administrator’s attention.

Rules have the following settings: On/Off status, Smart/Block/Notify operation mode, and exclusions.

You can explicitly specify the Block or Notify mode for each rule; by default, the Smart mode is enabled.

The Smart Training mode is tightly related to Kaspersky Security Center and the administrator’s actions. As we
already mentioned, the component learns for approximately two weeks after the installation; during this time,
nothing is blocked, but information about matched rules is sent to Kaspersky Security Center.

Ideally, there are no matches in these two weeks, which means that the behavior described in the rules
is not typical for the computer. Adaptive Anomaly Control switches to the Smart Block mode and if a non-typical
activity is detected, it will be blocked.

If some rules are matched during the training period, the respective events appear in Operations | Repositories |
Triggering of Rules in Smart Training Mode on the Administration Server, which require the administrator’s
attention.

When an event arrives, the administrator is to process it. The administrator can confirm the verdict or add the
activity to exclusions.
— Confirm means that the administrator agrees that this behavior is suspicious and illegitimate
— Exclude means that the administrator considers this activity to be normal and wants to create an exclusion
for it in the respective rule

Why process events? What if the administrator ignores them?

Event processing influences only the duration of the training mode. Adaptive Anomaly Control needs about 14 days
to complete training. If the administrator does not process events, the counter is reset every time a new
event arrives. If the server receives no verdicts in 14 consecutive days, Adaptive Anomaly Control switches to the
Smart Block mode. Adaptive Anomaly Control may get stuck in endless training if a rule is matched regularly (at
least once every 14 days) but the administrator does not process it.

If the administrator pays enough attention to the events and processes them in a timely manner, the counter will not
be reset and training will complete in two weeks.

Training goes on individually for each rule on each computer and information about confirmed verdicts is stored
locally on the computers; each rule has its own training duration counter.
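
The following Python model of the training counter is an added example, not part of the course or of the product. It assumes one counter per computer and rule measured in whole days, that an unprocessed match restarts the counter on the day it arrives (day 14 included), and that processed matches leave it running; the host names, rule names and events are constructed.

```python
from collections import defaultdict

TRAINING_DAYS = 14  # training length stated in the text


def smart_block_day(matches, horizon):
    """Day on which one rule on one computer leaves Smart Training.

    matches: (day, processed) tuples; processed is True when the administrator
             confirmed or excluded the event (assumed not to restart the counter).
    horizon: last day observed. Returns None if the rule is still training then.
    """
    counter_start = 0
    for day, processed in sorted(matches):
        if day - counter_start > TRAINING_DAYS:
            break  # the rule already switched to Smart Block before this match
        if not processed:
            counter_start = day  # unprocessed match: the counter starts over
    switch_day = counter_start + TRAINING_DAYS
    return switch_day if switch_day <= horizon else None


def stuck_in_training(events, horizon):
    """List (computer, rule) pairs that are still training at `horizon`.

    events: (computer, rule, day, processed) tuples, e.g. exported from the
            Triggering of Rules in Smart Training Mode repository.
    """
    per_pair = defaultdict(list)
    for computer, rule, day, processed in events:
        per_pair[(computer, rule)].append((day, processed))
    return sorted(pair for pair, matches in per_pair.items()
                  if smart_block_day(matches, horizon) is None)


# Constructed sample: the same rule activity every 9 days, handled differently.
EVENTS = (
    [("HOST-1", "RULE-A", d, False) for d in (3, 12, 21, 30, 39)]   # never processed
    + [("HOST-1", "RULE-B", d, True) for d in (3, 12, 21, 30, 39)]  # processed in time
    + [("HOST-2", "RULE-A", 5, False)]                              # one ignored match
)

if __name__ == "__main__":
    for pair in stuck_in_training(EVENTS, horizon=45):
        print("still in Smart Training on day 45:", pair)
```

A pair reported here is a rule that is not blocking anything yet on that computer, which is the practical reason to process its events.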

Important: The Adaptive Anomaly Control component cannot decide whether a behavior is typical on its own. For
Adaptive Anomaly Control, any activity that matches a rule is non-typical, and only the administrator can tell that a
suspicious activity is legitimate. For this purpose, add the activity to exclusions within the rule that detects this
activity. In the Block mode, Adaptive Anomaly Control operates on the default deny principle, meaning, a non-
typical activity will be blocked until the administrator creates an exclusion for it.

Exclusions are added to the Kaspersky Endpoint Security policy and apply to all computers where it is enforced.

The main parameters of exclusions are:

— User
— Source process
— Source process hash
— Target process
— Target process hash

It should be noted that the same system processes will have different checksums on different operating systems, and
an exclusion created from an event logged on one computer may not be applicable to others. In this case, you need
to either create additional exclusions, or adjust the current one, for example, remove the checksum and leave only
the path to the process.
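
The effect of checksums on exclusion coverage can be checked before changing the policy. The Python model below is an added example, not product code: it assumes that an unspecified field matches any value and that comparison is case-insensitive, and the events, the `C:\Tools\deploy.exe` path, the account name and the `HASH-...` placeholders are constructed.

```python
from dataclasses import dataclass, fields, replace
from typing import Optional


@dataclass(frozen=True)
class Exclusion:
    """The exclusion parameters listed above; None means 'not specified'."""
    user: Optional[str] = None
    source_process: Optional[str] = None
    source_hash: Optional[str] = None
    target_process: Optional[str] = None
    target_hash: Optional[str] = None


def from_event(event):
    """Build a fully pinned exclusion from one event (all five fields set)."""
    return Exclusion(**{f.name: event[f.name] for f in fields(Exclusion)})


def matches(exclusion, event):
    """True if every specified field equals the event's value (assumed semantics)."""
    for f in fields(Exclusion):
        wanted = getattr(exclusion, f.name)
        if wanted is not None and wanted.lower() != event[f.name].lower():
            return False
    return True


def uncovered(exclusions, events):
    """Computers whose event is not matched by any exclusion in the policy."""
    return [e["computer"] for e in events
            if not any(matches(x, e) for x in exclusions)]


POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DEPLOY = r"C:\Tools\deploy.exe"  # hypothetical in-house tool, same build everywhere


def _event(computer, target_hash):
    # Constructed event: the same legitimate activity seen on two OS versions.
    return {"computer": computer, "user": r"CORP\svc-deploy",
            "source_process": DEPLOY, "source_hash": "HASH-DEPLOY",
            "target_process": POWERSHELL, "target_hash": target_hash}


EVENTS = [_event("PC-A", "HASH-PS-OS1"), _event("PC-B", "HASH-PS-OS2")]

PINNED = from_event(EVENTS[0])               # created from the PC-A event as is
RELAXED = replace(PINNED, target_hash=None)  # system-process checksum removed

if __name__ == "__main__":
    print("pinned exclusion misses:", uncovered([PINNED], EVENTS))
    print("one exclusion per OS misses:",
          uncovered([PINNED, from_event(EVENTS[1])], EVENTS))
    print("relaxed exclusion misses:", uncovered([RELAXED], EVENTS))
```

Removing a checksum makes the exclusion match any binary at that path, so the model keeps the source checksum, which is identical on both computers, and drops only the one that differs between operating systems.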

5.2 Configuring interaction with users

When non-typical activity is detected, a pop-up notification is displayed.

If notifications are disabled, the user might think that something is wrong with an application or the operating
system, contact the technical support, or even worse, try to “fix” it without assistance. The administrator can modify
the notification text, for example, add the contact information of the person responsible for device access.

Notification Templates are available in the Kaspersky Endpoint Security policy in the Adaptive Anomaly Control
settings.

If pop-up notification about blocking is enabled, it contains the Request access link, which can be neither disabled
nor hidden.

5.3 Adaptive Anomaly Control statistics



If the user sends a request, it will be transferred to the server as a Warning event. Similar to the other control
components, requests are displayed in a special selection named User requests. The administrator does not have to
react to a request; but if they want to, they can, for example, configure the corresponding email notifications in the
Kaspersky Endpoint Security policy.

Every time when a rule is matched in the Block, Smart Block, or Notify mode, Adaptive Anomaly Control sends the
corresponding Critical or Information event to the Administration Server.

In any case, an event contains the rule name, description of the suspicious activity with processes and checksums,
name of the user, computer name, date, and time.

The administrator can study an event and if the activity is legitimate, add an exclusion to the Kaspersky Endpoint
Security policy for the Adaptive Anomaly Control component right from the event. For this purpose, select the
event and carry out the Exclude from Adaptive Anomaly Control command. If several policies are configured for
Kaspersky Endpoint Security, the wizard will prompt you to select the necessary one.

Adaptive Anomaly Control has two types of events:

— Process action skipped—Information
— Process action blocked—Critical

The former event is generated if an Adaptive Anomaly Control rule is matched in the Notify mode. The latter, if an
Adaptive Anomaly Control rule is matched in the Block or Smart Block mode.

If Adaptive Anomaly Control is used in the network, we recommend that the administrator creates an individual
selection for its events.

All events, including requests, are stored on the server for 30 days by default.

5.4 Reports about Adaptive Anomaly Control operation

Reports come in handy for regular control and general information. Adaptive Anomaly Control has two types of
reports:

— Report on Adaptive Anomaly Control rules state
— Adaptive Anomaly Control report

The former shows in which mode a rule works. By default, an aggregate chart displays how many rules are
operating in each mode. The Details tab provides particularized information about rules’ status on each specific
computer.

Also, this report is the only place where you can see which rules have switched from the Smart Training mode to
Smart Block.

The Adaptive Anomaly Control report shows which rules have been matched and in which mode: Block or Notify.
The Summary tab shows an aggregate chart for rule matches; and the Details tab, detailed information for each
computer.

If a rule switches to the Smart Block mode, information about its matches will also be included in the report.

Unit IV. Maintenance


Chapter 1. How to maintain protection

Chapter 2. What to do daily

2.1 How to create a custom dashboard
    How to answer all questions at a glance
    How to fill the dashboard with statistics
    How to understand that important protection components are disabled in the policy
2.2 How to email reports
    Which reports to email
    How to create a custom report
2.3 How to email notifications
    Where to enable notifications
    Where to modify the addressee and the mail server
    About which events you need to know

Chapter 3. What to do if something has happened

3.1 What to do with malware
    Where to learn about threats
    How to find computers with threats
    How to understand what has happened to the threats
    How to find computers with non-disinfected threats
    How to scan critical areas
    How to isolate a computer and eliminate an active infection
    How to reset virus counter
3.2 What to do if Kaspersky Endpoint Security does not work
    Where to find out that KES does not work
    How to start protection remotely
3.3 What to do if databases are outdated
    Where to find out that databases are out of date
    How to find out whether a computer has an update task
    How to find out whether the Server has an update task
    Where to specify proxy server parameters
    How to disable automatic assignment of distribution points
    How to check whether KSN is used
3.4 How to check the client-server connection
    How to distinguish powered off computers
    What to do if a computer has not connected for a long time
    How to make a computer connect to the Server
    How to reconnect a computer to the Server
3.5 How to contact technical support
    When and how to contact technical support
    How to remotely collect Windows and GetSystemInfo logs
    How to remotely collect trace logs
    How to collect logs locally
    How to send a request to technical support

Chapter 4. What to do from time to time

4.1 How to install program updates
    Program update types
    Where to find out that an update has been issued
    How to install only approved updates
    How to find out that a new version has been released
4.2 How to renew a license
    When to renew a license
    How to find out that the license expires
    How to find out that the number of activations is exceeded
    How to switch over to a new license
    How to replace the active license
4.3 How to configure backup
    Why back up?
    How to configure backup
    How to restore from a backup
    How and why maintain the database
4.4 Maintenance: Summary

Chapter 1. How to maintain protection

After you have installed Kaspersky Endpoint Security and Network Agent on the computers, created the necessary
policies and tasks, and configured them as necessary, you need to monitor the system to make sure protection works,
and react to incidents.

To keep protection working, you have to perform routine maintenance; some things have to be done often, and some
infrequently. Most of the actions are obvious, but we will cover them nevertheless, just in case.

What to do daily

Check the most important things.

What to check: There are no unprocessed threats on the computers
Why so often: You install protection to repel threats. Kaspersky Endpoint Security blocks most of them
automatically. But if protection cannot handle the threat, you should be informed about this as soon as possible
and neutralize it manually. The longer a threat is active, the more damage it can do. This is obvious enough.

What to check: Protection is installed and works on the computers
Why so often: If protection does not work, you do not know whether there is malware on the computer. And the
longer protection does not work, the more chances that malware infects the computer.

What to do weekly

Solve issues that affect protection. If time permits, do it daily; otherwise, solve secondary issues weekly.

What to check: The computers have the latest signature databases
Why so often: Almost all protection components use signatures to detect malware. If signatures are old,
Kaspersky Endpoint Security will not be able to detect new viruses. The older the signatures, the greater the risk.
If signatures are two days old, it is bad, but not critical. And if they are two months old, it is almost as
dangerous as if protection was not running at all.

What to check: Protection uses Kaspersky Security Network
Why so often: Kaspersky Security Network informs about known malicious files and helps to detect them even if
signatures are obsolete. Moreover, Kaspersky Security Network informs about new malicious files earlier than
signatures are issued for them. Without Kaspersky Security Network, protection works not so well. But still works
and protects against most of the threats.

What to do monthly

Perform preventive maintenance on the Administration Server.

What to check: Make sure that you can recover the Server from a backup copy
Why so often: You spent quite a lot of time to install protection. If you lose the Administration Server because
of a hardware failure, you will have to spend almost as much time to install and configure protection once again.
Backup copying can prevent this. The crucial point about backup copying is that making a copy is not enough. You
must verify that you will be able to restore the configuration. Spend half an hour per month for maintenance to
make sure that you do not find yourself in a critical situation with a misconfigured backup from which you cannot
restore data.

What to check: Optimize the Administration Server database
Why so often: If the database is not optimized, eventually it grows in size and becomes fragmented. You will
have to spend more time generating reports or displaying a computer selection, especially in a large network or if
the resources are scarce on the Administration Server (to be more precise, database server, but it is often the
same computer).

What to do quarterly

Install updates and patches.

What to check: If there are any updates or patches for Kaspersky Lab products
Why so often: Kaspersky Security Center patches and Kaspersky Endpoint Security maintenance releases are issued
approximately once every quarter or two. They correct errors, improve performance and sometimes add new functions
that are important for protection. You do not need to put much effort into installing patches, but do not forget
to test them beforehand.

What to do yearly

Renew the license and install new versions.

What to check: The license has not expired and the node limitation has not been exceeded
Why so often: Commercial licenses are typically issued for 1 year. Without a license, protection keeps working,
but the update task stops downloading signatures and Kaspersky Endpoint Security stops using KSN. Eventually,
protection will be affected.

What to check: Whether there are any new versions of Kaspersky Lab products
Why so often: New versions or service packs are issued once every year or two. They correct errors, improve
performance, and also change settings and products’ operation logic. New technologies, components, interception
methods, etc. appear in new versions or service packs. If an old version is not updated for too long, it will not
be able to fight the latest threats even with up-to-date signatures and KSN. A few years after release, a
version’s support ends.

Chapter 2. What to do daily

During a daily inspection:

1. Find out which threats Kaspersky Endpoint Security has detected since your last inspection. If you perform
inspection daily, you can focus on detections in the last 24 hours.

2. Check whether Kaspersky Endpoint Security has neutralized all threats. If there are unprocessed threats,
remediate them immediately.

3. Check whether protection works on all computers. If protection is not running or is not installed, run or
install it. Find out why it has happened.

To save time, configure the console to be able to quickly learn what you need about threats and protection.

2.1 How to create a custom dashboard

How to answer all questions at a glance

Kaspersky Security Center console provides a lot of information:

— Reports
— Events
— Computer statuses
— Computer properties
— Statistics of installed applications in computer properties
— Repositories
— Task logs

However, these sources are either not clear enough at a glance (lists of events, for example) or cannot be reviewed
all together (reports, for example).

To get a general idea of the overall protection status, open the Monitoring & Reporting | Dashboard page of the
Web Console. The administrator selects which charts to show, which chart types to use and how to organize them.

To save time, customize the Dashboard and add to it web widgets that inform about:

— Protection status
— Types of detected viruses and disinfection results
— New devices
— Network attacks
— History of network attacks
— And other important data of your choice, for example, signature versions

Types of web widgets are hardcoded, but abundant and can answer most of your questions.

How to fill the dashboard with statistics

By default, the Dashboard includes 7 web widgets devoted to various network status aspects: Protection status,
New devices, Threat activity, Most frequent threats, Most heavily infected devices, Threat detection.

Usually, a web widget contains a chart with a legend or a table. By default, they represent events from all managed
computers over the last 24 hours. The administrator can narrow the scope or change the period in the Properties
window, which opens with the button. The dashboard consists of several web widgets.

The administrator can add, delete and move web widgets on the dashboard, modify their settings and representation.

Overall, there are more than 25 types of web widgets grouped into five categories for the administrator to choose
from.

To modify dashboard contents, click Add or restore widget.



In the web widget settings, depending on its type, you can modify the time interval for the displayed data and select
the computers whose data will be shown. There are only two options for the computers: either an administration
group, or computers from a specified selection.

You can also modify chart type and appearance in the web widget settings.

The web widgets’ capability to display the history of changes over the specified period can be useful. For example,
you can view how many viruses were detected during each hour of the last day. These data may help to select
the threshold for the Virus outbreak event. Reports lack this capability.

How to understand that important protection components are disabled in the policy

Starting with Kaspersky Endpoint Security version 11, there is a protection level indicator in the policy interface,
which helps the administrator to evaluate the level of threat prevention, and provides a hint which components
should be enabled to improve it.

For example, suppose the administrator enables all Essential Threat Protection and Advanced Threat Protection
components in the policy but (by mistake or intentionally) disables the critically important Behavior Detection
component, which pinpoints threats by analyzing software activities (in particular, it can detect complex threats
such as ransomware). Once the Behavior Detection component is disabled, the Protection level indicator will
immediately turn red and show the status Low protection level. The following information will appear to the right of
the Protection level indicator after the settings are saved: Some of the recommended protection components are
disabled, and a link Learn more. If you click it, the Recommended protection components window will open, which
allows you to enable the recommended components to maximize threat counteraction. If the administrator ignores the
caution and clicks Save in the policy window, Kaspersky Security Center will display an information window and
suggest that you fix the settings.

Protection level indicator can have one of the following values:

— High protection level. The indicator turns green if the following components are enabled:

    — Critical
        — File Threat Protection;
        — Behavior Detection;
        — Exploit Prevention;
        — Remediation Engine.

    — Important
        — Kaspersky Security Network;
        — Web Threat Protection;
        — Mail Threat Protection;
        — Host Intrusion Prevention

— Medium protection level. The indicator turns yellow, if an important component is disabled.

— Low protection level. The indicator turns red if:

    — One or several critical components are disabled;
    — Two or more important components are disabled.

2.2 How to email reports

Some administrators open the Console only when they need to find out or configure something, and prefer to
be informed about issues by email. This way they use a single tool, the mailbox, to learn about issues in various
subsystems instead of opening a dozen different consoles.

Kaspersky Security Center can email notifications and reports. Reports that show what is happening in the network
better fit daily inspections. Notifications inform about specific threats that need immediate attention.

To receive reports by email, use the corresponding task:

1. Select the Monitoring & Reporting | Reports tab and click New report delivery task

2. If a task of this type has already been created, the Web Console will inform you about it. To reconfigure it,
open the properties of the Deliver reports task and switch to the Application settings tab.

3. If there is no task of this type yet, the Console will start the report delivery task creation wizard

4. Select the types of reports that you want to receive. The task shows all report templates available on the
Reports tab. However, those are not all of the report types that Kaspersky Security Center can create. If
some reports are missing, create them beforehand on the Reports tab in Monitoring & Reporting.

5. Select the format (html, xls, or pdf) in the task parameters.



6. Select the action to be applied to reports: Reports can be emailed and/or saved to a folder.

7. Switch to the Schedule tab and select when to receive reports.

To select where to email reports, in the task properties, open the Application Settings tab, and in the Action to
apply to reports area, select the checkbox Send report by email; then click the Settings button. Specify the
recipient’s address and message subject. Check the sender’s address and mail server parameters in the
Administration Server properties.

Note: Unlike its MMC counterpart, the Quick Start Wizard of the Web Console does not create a report delivery
task automatically even if you specify the mail server in it.

Which reports to email

For daily inspections, you will need reports that show threats and protection status:

— Threats:
    — Viruses (over the last day)
    — Network attacks (over the last day)
    — Phishing attempts (over the last day)
    — Host Intrusion Prevention rule triggered (over the last day)

— Protection:
    — Protection status
    — Anti-virus database usage
    — Errors (over the last day)

All pre-configured reports available on the Reports tab either do not have any period, or show events over the last
30 days by default. 30-day reports are not very useful for daily inspections. It is difficult to understand what has
changed since yesterday.

You need to create one-day reports manually. Delete all the reports you are not going to use, for example, reports
about encryption errors if you do not have an encryption license.

How to create a custom report

How to create a report over the necessary period of time

Formally, the Reports page contains report templates, which describe report type and parameters, rather than
reports themselves. The Administration Server generates reports from templates when emailing them, or when the
administrator clicks the button Show report.

To create a report (report template):

1. On the Reports tab, click the Add button

2. Name the report comprehensibly, for example Threats report over the last day

3. Select the report type. There are more than 50 types of reports in Kaspersky Security Center

4. Select a scope for the report. A report can cover a group, individual computers (a list), or a computer
selection. Most of the reports should cover the whole network; for this purpose, select the All networked
devices scope.

5. Select the reporting period. For the daily reports, specify one day

Template settings also include the list of information fields that make up the report tables. Some fields contain
insignificant information and can be deleted so as not to overload the report. For example, the Virtual server field makes
little sense in a report if virtual Administration Servers are not used in the network.¹

How to create a report about events

The administrator can use information field settings in a report template to create complex filters for the events to be
included in the report. Allowed values can be specified in the field properties. For example, for the Detected object
field, you can specify the malware name. As a result, you will get a report based on the events related to
the specified malware only. Similarly, the administrator can view protection status or virus activity on the computers
with the specified version of the protection software, even if these computers belong to different groups.

¹ The ‘Virtual Administration Server’ or ‘Virtual server’ terms that may be encountered in the reports should not be confused
with Administration Servers running inside a virtual machine. These two usages of the word “virtual” have almost nothing in common. If your
Administration Server runs in a virtual machine, it is still an ordinary Administration Server, not a virtual server. Virtual servers in the reports and other parts
of the Console are something else entirely. Virtual Administration Servers are described in course 302.

For example, there is no report type to display all phishing attempts. Instead, you can use an Event report:

1. Create a new report template of the Event report type


2. Open the template properties and switch to the Fields tab
3. Select the Event field and click Edit
4. Select the Filter check box and in the Filter value field, type *Dangerous link*

This string is part of the description of events that report blocked phishing attacks. This way, you will receive a report
that shows the number of such events.

In addition to filtering by field value, you can change sort order: Ascending, descending, or unsorted.

2.3 How to email notifications

Where to enable notifications

Event storing parameters are specified in the policies of Kaspersky Endpoint Security and Network Agent, and also
in the Administration Server properties, on the Event configuration tab. The events are grouped by four severity
levels: Critical, Functional failure, Warning, and Info. The severity level is a permanent attribute of an event and
cannot be modified. Each program has its own events with their default settings.

An event has three storage settings:

— On the Administration Server—meaning, in the server database

This storing method is enabled for most critical and error events, as well as for many warning and some
info events. The default lifetime of Kaspersky Endpoint Security and Network Agent events is 30 days for
all events (naturally, except for the events whose storage is disabled).

The Administration Server events’ default lifetime depends on their severity levels. For Information events,
it is 30 days; for Warning, 90; and for Critical and Error, 180.

You can export events of the Administration Server and other Kaspersky applications installed on the
managed devices to a SIEM system. For this purpose, select the check box Export to SIEM via Syslog
(standard RFC 5424).

— In the OS event log on device—makes sense only for the Network Agent events. Kaspersky Endpoint
Security already has this capability in the settings of local event processing.

— In the OS event log on Administration Server—similarly to local Kaspersky Endpoint Security events. If
the Administration Server becomes inaccessible, the administrator will be able to find information in
the Windows log.

When the specified lifetime is over, events are automatically deleted from the Administration Server database (but
not from Windows logs, which have their own settings). Increasing the lifetime will also increase the number of
events stored in the database, and this will affect the time required to process operations on events. On the other
hand, when the administrator decreases event lifetime, the maximum reporting period also decreases.

To be informed about important events, configure notifications. This is configured in the properties of every
particular event type that you want to be notified about. Kaspersky Security Center supports four notification
channels:

— Email
— SMS
— Running an executable file or script
— SNMP

Notifications help to draw the administrator’s attention to the most important events.

By default, notifications are not sent. To start receiving notifications, open the event properties and select
notification methods.

Where to modify the addressee and the mail server

By default, all events are delivered with the same parameters, which are specified in the Administration Server
properties. To send different notifications to different addresses or with different text, open the event properties and
disable the option Use Administration Server settings. After that, change the recipients’ addresses, text template
and other notification parameters.

Initially, email notification delivery parameters are specified in the Quick Start wizard. You can modify them
later in the Notification section of the General tab in the Administration Server properties.

Email notification delivery parameters include:

— Recipients—email addresses separated by semicolons


— SMTP server—name or IP address
— SMTP server port
— Use DNS MX lookup
— Text of the notification message

These parameters are sufficient if the selected SMTP server does not require authorization. The recipient address is
also used for the sender address, and the subject of the sent notifications is made of the event severity level and its
type, for example, Critical event: Threats have been detected.

Additionally, you can configure the following:

— Message template subject


— Authorization username and password
— Sender address
— Specify a certificate for SMTP server authentication

When configuring the notification subject and text, you can use macros, which will be replaced by
the corresponding event attributes in the notifications:

— %SEVERITY%—event severity level


— %COMPUTER%—the sender computer
— %DOMAIN%—Windows domain
— %EVENT%—event
— %DESCR%—event description
— %RISE_TIME%—event time
— %KLCSAK_EVENT_TASK_DISPLAY_NAME%—task name
— %KL_PRODUCT%—program
— %KL_VERSION%—version number
— %HOST_IP%—IP address
— %HOST_CONN_IP%—connection IP address

About which events you need to know

It is up to the administrator to decide which events to be notified about. However, prime candidates are
events about active threats and potentially successful attacks.

| Event | What does it mean? |
|---|---|
| Active threat detected. Advanced Disinfection should be started | The malicious file is not running on the computer, but Kaspersky Endpoint Security cannot terminate it. The user or the administrator must confirm starting the Advanced Disinfection procedure |
| Malicious object detected (KSN) | A malicious object was detected using a request sent to KSN rather than signatures. This means that it is a new threat, and the administrator should carefully monitor what is happening in the network. Maybe even switch to a policy with stricter protection settings |
| Previously opened dangerous link detected | Information that the link is dangerous has appeared only after a user opened it (data about previous actions is stored in the KSN cache and Remediation Engine’s logs). The user could have downloaded and started new malware |
| Process terminated | Malware was running on a computer. Although Kaspersky Endpoint Security terminated it, it could have done harm |
| Network attack detected | If the attacking computer is located within the network, it may mean that it is infected with unknown malware, or that protection does not work there |
| Host Intrusion Prevention rule triggered | If you have configured Host Intrusion Prevention to protect documents against ransomware, these events will inform when unknown programs try to edit or delete the user’s documents |

All these events pertain to Kaspersky Endpoint Security. Configure the respective notification settings in the
Kaspersky Endpoint Security policy, on the Event configuration tab. The last event is an Info event. The others are
Critical events.

Some events (including important ones) may occur too frequently to send a notification for each of them. For example,
the Threats have been detected event during a virus outbreak may invoke tens or hundreds of notifications.

To make each notification draw your attention, limit the number of notifications. For this purpose, in the
Administration Server properties, open the Notification section and click the link Configure numeric limit of
notifications.

Set the limit as the maximum number of notifications over a time span. As soon as the limit is reached, notifications
are suppressed until the specified period is over. If new events are received afterwards, the limit is counted anew.
The same limit is used for all notification types, but applies individually to each event type. E.g., if notifications for
the Threats have been detected event hit the limit, notifications for other event types will not be affected.
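
The notification macros and the numeric limit described above, modelled as an added example (this is not Kaspersky Security Center code and not part of the original guide). It assumes the limit window opens with the first notification sent for an event type; the subject template, host names, IP addresses and timestamps are constructed.

```python
import re
from datetime import datetime, timedelta

# Macro syntax as listed in the guide: %NAME% (upper-case letters and underscores).
MACRO = re.compile(r"%([A-Z_]+)%")

# Constructed subject template: the default "severity + type" subject,
# extended with the sender computer and its IP address.
SUBJECT = "%SEVERITY% event: %EVENT% on %COMPUTER% (%HOST_IP%)"


def render(template, event):
    """Replace each %MACRO% with the matching event attribute.

    Macros with no matching attribute are left untouched, so a typo in a
    template stays visible in the delivered message.
    """
    return MACRO.sub(lambda m: str(event.get(m.group(1), m.group(0))), template)


class NotificationLimiter:
    """At most `limit` notifications per `period`, counted per event type."""

    def __init__(self, limit, period):
        self.limit = limit
        self.period = period
        self._windows = {}  # event type -> (window start, notifications sent)

    def allow(self, event_type, when):
        start, sent = self._windows.get(event_type, (None, 0))
        # Assumption: a window opens with the first notification of a type, and
        # a new one opens with the first event that arrives after it has ended.
        if start is None or when - start >= self.period:
            start, sent = when, 0
        if sent >= self.limit:
            return False  # limit reached: suppressed until the period is over
        self._windows[event_type] = (start, sent + 1)
        return True


def build_sample_events():
    """Constructed outbreak: 120 detections within one hour, one network
    attack during the outbreak, and one more detection after the hour."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    events = [
        {"SEVERITY": "Critical", "EVENT": "Threats have been detected",
         "COMPUTER": f"WS-{i + 1:03d}", "HOST_IP": f"192.0.2.{i + 1}",
         "RISE_TIME": t0 + timedelta(seconds=30 * i)}
        for i in range(120)
    ]
    events.append({"SEVERITY": "Critical", "EVENT": "Network attack detected",
                   "COMPUTER": "WS-007", "HOST_IP": "192.0.2.7",
                   "RISE_TIME": t0 + timedelta(minutes=10)})
    events.append({"SEVERITY": "Critical", "EVENT": "Threats have been detected",
                   "COMPUTER": "WS-042", "HOST_IP": "192.0.2.42",
                   "RISE_TIME": t0 + timedelta(minutes=65)})
    return sorted(events, key=lambda e: e["RISE_TIME"])


def simulate(events, limit, period, subject_template=SUBJECT):
    """Return (subjects of delivered notifications, suppressed count per type)."""
    limiter = NotificationLimiter(limit, period)
    sent, suppressed = [], {}
    for event in events:
        if limiter.allow(event["EVENT"], event["RISE_TIME"]):
            sent.append(render(subject_template, event))
        else:
            suppressed[event["EVENT"]] = suppressed.get(event["EVENT"], 0) + 1
    return sent, suppressed


def demo():
    # Limit: 5 notifications per 60 minutes for each event type.
    return simulate(build_sample_events(), limit=5, period=timedelta(minutes=60))


if __name__ == "__main__":
    delivered, dropped = demo()
    for subject in delivered:
        print(subject)
    print("suppressed:", dropped)
```

The outbreak exhausts its own quota after five messages, while the network attack notification and the detection that arrives after the hour has passed are still delivered.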

Chapter 3. What to do if something has happened

3.1 What to do with malware

If no new events about threats have appeared on the computers over the last day, you do not need to do anything.
But what should you do if there are some events?

First of all, find out what has happened to the detected threats. If Kaspersky Endpoint Security deleted, disinfected,
or blocked a threat, you do not need to do anything. Just reset the virus counter on the computer to be able to see
when new threats appear.

If malware is not treated or removed, act according to a plan. Prepare the plan beforehand.

A typical plan may include the following steps:

— Run the critical areas scan task to understand whether the computer is infected
— If a computer is infected or you suspect that it may be infected with unknown malware:
    — Isolate the computer from other computers in the network
    — Disable the policy using the password
    — Raise the heuristics level and enable Advanced Disinfection technology
    — Check integrity of Kaspersky Endpoint Security by a local task
    — Perform full scan on the computer

If this does not help, restore the computer from an image. If all computers are installed from images at the company,
and the users’ data are stored in the network rather than on the computers, restoring from an image may be the first
step of your plan to save time.

If you find suspicious files during an investigation, send them to Kaspersky Lab for analysis via the portal
companyaccount.kaspersky.com. Also, invite internal or external experts if you suspect a targeted attack against
your organization.

Where to learn about threats

You can learn that viruses have been found from events, reports, statistics, and computer statuses. Next to
statistics, statuses are the first to draw your attention.

Threat detections and their processing results define the computer status in the Administration Console: OK,
Warning or Critical. This allows the administrator to easily notice problematic computers when looking through
the groups.

The Many viruses detected status indicates that viruses were found on the computers. This status is related to the virus
counter parameter. Every time malware is detected on the computer, the counter increases its value by 1.
The counter value is transferred to the Administration Server during the synchronization. The status is activated if
the virus counter value exceeds the specified threshold. By default, the Many viruses detected status is disabled.

To enable the status to show the computers where malware was found, open the properties of the Managed devices
node. Switch to the Device status tab and activate the status Too many viruses detected. To make computers
receive the Warning status and be displayed yellow, activate the status in the Warning section. To make computers
receive the Critical status and be displayed red, activate the status in the Critical section. To paint computers yellow
when there are a few viruses on them, and red when the number of viruses exceeds, say, 5, configure different
thresholds for the status Many viruses detected (select the status and click the Edit button).

How to find computers with threats

If at least one of the managed computers receives either There are active threats or Many viruses detected status,
the global Protection status also changes on the Dashboard.

The statuses OK, Warning, and Critical are links. If you click the Critical status, the selection of devices that
have the corresponding status will open. All statuses behave this way on the Dashboard page. In the selection, you
can find out why the device has received the corresponding status.

A selection is a dynamic set of computers selected by an attribute. There are standard selections on the
Administration Server, which show computers with various statuses. For example, There are active threats and
Many viruses detected.

You can take group actions on the computers joined into a selection, for example, start update and search tasks,
move into a group, etc. So, selections are very useful when dealing with the computers having a problem status.

How to understand what has happened to the threats

The Threats report shows statistics of processing the malware detected on the managed computers: How many
objects were treated, how many blocked (by Web Threat Protection), how many deleted and how many still remain
unprocessed. It also shows the number of dangerous objects whose processing results are unknown. These statistics
are available for each type of malware.

The Threats report can show which malware KES detected, and using which technology. To be able to see this
information, add the By KSN verdict column to the Details table. You can also add the Detection technology that
pinpointed the malicious code and SHA-256. For this purpose, in the properties of Threats report, open the Fields
tab, click the Add button, and select the necessary data in the Field name list.

Report on most heavily infected devices and Report on users of infected devices may also come in handy. If some
computers have been infected considerably more than others, it might be worthwhile to find the reason and take
appropriate measures.

Network attacks are not included in the Viruses report. To see the big picture of all attacks, consult the Network
attack report. It shows which attack types were detected, and more importantly, the IP addresses of the attacking
computers. Knowing the address, the administrator can investigate the incidents and better solve the problem.

The Network attack report is not created by default. To view it, create a new template on the Reports tab.

In addition to reports, check computer events to understand how Kaspersky Endpoint Security copes with threats.
Events show what was happening simultaneously with threat detection, whether there were other threats or errors in
components’ operation. To understand how a threat was finally handled, always check the last event about it. It is normal for
Kaspersky Endpoint Security to first inform that it cannot disinfect a file, and a second later report that the file was
deleted successfully.

How to find computers with non-disinfected threats

You do not have to study reports and events to be able to understand whether any computers are infected.

Usually, if Kaspersky Endpoint Security cannot neutralize a malicious file, it informs the server about this using the
status There are active threats. This status is enabled by default and is displayed on the web widget Types of
detected viruses and disinfection results. It gives computers the Warning status, and is displayed on the
Dashboard page.

This status is assigned to computers where malware programs were detected and were not cured.

The Active threats category can be comprised of widely different objects. It can be a virus in memory, which
actively counters the attempts to delete it. Or it can be an infected object on a network drive where Kaspersky
Endpoint Security has no Write permission to disinfect or delete the file.

When a user accesses a malicious file in a shared folder on a file server, the protection solution installed on the
server may block access and delete the file. Meanwhile, the protection software installed on the user’s computer
detects the threat at the same time, but cannot delete the file from the folder and informs that there is an unprocessed
threat, although in reality it has been processed on the server. This is a reason for paying attention anyway, since
malicious files must not appear in shared folders, and you need to find out how it got there.

To reset computer status, neutralize the detected objects. If an object cannot be neutralized, as in the described
situation with malware in a shared folder, delete the record about the unprocessed object from the list of
unprocessed objects:

1. In the Web Console, open the Operations | Repositories | Active threats page

2. Find the file in the shared folder and carry out the Delete command on it

How to scan critical areas

If many viruses or a previously opened malicious link have been detected on a computer, or a malicious process has
been terminated, it may mean that the computer is still infected. To scan a computer for known threats, run
a critical areas scan on it.

There are a few ways to achieve this. The one which is always available is as follows:

1. Open the computer properties


2. Open the Tasks tab
3. Find the task Critical Areas Scan and run it

Critical Areas Scan is a local task, which is available in each installation of Kaspersky Endpoint Security. Local
means that it is displayed only in the computer properties, but is not shown in groups or in the Tasks node. This
makes it less useful. To start it on several computers, you have to open their properties one by one.

You can also use the group Virus Scan task, which has to be created manually. However, it will scan all computers,
and why slow down the computers where there are no threats?

To quickly scan critical areas on those computers where threats have been detected, make a virus scan task for
specific computers or the corresponding computer selection.

How to isolate a computer and eliminate an active infection

Usually, even if malware is running, Kaspersky Endpoint Security can terminate it. Host Intrusion Prevention,
Behavior Detection, and Exploit Prevention components are responsible for this. File Threat Protection does not
scan programs in the memory.

If a computer is infected and Kaspersky Endpoint Security cannot stop malware, use the Advanced Disinfection
technology.

This technology is disabled by default, because it blocks the start of all programs and restarts the computer, which
would hamper the users. The user can agree to perform the Advanced Disinfection procedure and take the risk of
losing data, or refuse to start the procedure and leave the computer infected. Anyway, it should be the administrator
who makes the decision rather than the user.

If you suspect that a computer is infected, it is best to reinstall it from the image. If it is unacceptable or impossible,
try to disinfect the computer:

— Disconnect the computer from the corporate network
— Disable the policy using the command Disable policy on the shortcut menu of the KES icon

    To use this command, enable password protection in the Kaspersky Endpoint Security policy

— Open the Kaspersky Endpoint Security window and click Settings
— Go to General Settings, Application Settings and select the check box Enable Advanced Disinfection technology
— Run a Virus scan task: Return to the main window of Kaspersky Endpoint Security and click the Tasks area
— If Kaspersky Endpoint Security finds a threat and prompts you to perform a special disinfection procedure, agree

    With Advanced Disinfection technology enabled, Kaspersky Endpoint Security does not permit new
    programs to start, scans memory, uses more aggressive methods when terminating processes, and tries to
    delete malicious files at restart

— Restart the computer, connect it to the Internet and update the signatures
— Scan the whole computer once again

How to reset virus counter

After all threats have been neutralized, reset the virus counters on the computer.

The virus counter can only increase without interference from outside, and the only method of changing this status is
to manually reset the counter. For this purpose, open the computer properties: On the General tab, in the Protection
section, there is the button Reset virus counter.

3.2 What to do if Kaspersky Endpoint Security does not work

If protection does not work, it may be caused by various reasons. Before contacting technical support, please make
sure that:

| Check | Details |
|---|---|
| The Network Agent is installed on the computer | The user could have uninstalled Network Agent; then the Console would show the last data which the Agent had sent to the Server. Reinstall the Agent and protect it from the user: Set an uninstallation password |
| Kaspersky Endpoint Security is installed on the computer | The user may have uninstalled Kaspersky Endpoint Security. Reinstall it and protect from the user: Set a password |
| A policy is applied to the computer | A computer may belong to a group without a policy, or a Kaspersky Endpoint Security version for which there is no policy on the server can be installed on the computer. Create policies in all groups and for all used versions of Kaspersky Endpoint Security |
| Policy settings are locked | If the locks are open, the user can modify parameter values and potentially can disable components or even start of Kaspersky Endpoint Security. Close the locks for all important parameters in the policy |
| Password protection is enabled | If password protection is not enabled, the user can exit Kaspersky Endpoint Security even without administrative permissions |

After you’ve checked for trivial causes, look at the errors. If Kaspersky Endpoint Security will not run because of
failures, collect diagnostic logs and contact the technical support of Kaspersky Lab.

Where to find out that KES does not work

The following computer statuses may mean that protection does not work:

| Status | Default setting |
|---|---|
| Security application is not installed | This condition is enabled by default for the Warning and Critical statuses |
| Real-time protection level differs from the level set by the administrator | It is disabled by default. You can set one of the following values: Stopped, Paused, Running |
| Protection is disabled | This condition is enabled by default for the Critical status |
| Security application is not running | It is enabled by default for the Critical status |

The status Real-time protection level differs from the level set by the administrator, although disabled by default, is
more useful than the status Protection is disabled. The status ‘Protection is disabled’ does not show what is wrong:
whether the application is malfunctioning or the user has exited it. The status Real-time protection level differs from
the level set by the administrator shows this difference.

We recommend that you enable the condition Real-time protection level differs from the level set by
the administrator for the Critical status and select the Running value for it.

There are standard computer selections for the statuses Protection is disabled and Security application is not
installed. The administrator can create custom selections for other statuses.

The status Security application is not running is always accompanied by the status Protection is disabled, but not
the other way around. If Kaspersky Endpoint Security works, but all protection components are disabled, the
computer’s status will be Protection is disabled without the status Security application is not running.

Protection is considered to be running in Kaspersky Endpoint Security if at least one of the protection components
works, even if it is only Mail Threat Protection.

To understand that components have not started on the computer because of a failure, consult the Errors report or an
event selection. To check all errors:

— Open the Monitoring & Reporting | Event selections tab


— Tick the checkbox next to the Functional failures selection and click Start.

To understand which components are running on a computer, open the Tasks tab in the computer properties.
Components are listed among other tasks and the list shows which ones are running and which are not.

How to start protection remotely

How to start protection on a single computer

The Protection is disabled status is one of the most critical protection statuses. To solve this problem, carry out
the command for the Network Agent to start Kaspersky Endpoint Security on the Applications tab of the computer
properties.

If individual components are not running, you can start them on the Tasks tab.

How to start protection on a few computers

Another method of starting Kaspersky Endpoint Security is the Start or stop application task. This task is an
advanced task of Kaspersky Security Center that can be created for groups or specific computers.

A group task is convenient if the Virus outbreak event is registered—it can start protection on all network
computers, in case the protection is stopped somewhere.

A task for specific computers can better serve the purpose of rectifying the Protection is disabled status.

To create a task that starts Kaspersky Endpoint Security:

1. Run the task creation wizard on the Devices | Tasks tab

2. Select Kaspersky Security Center and task type Start or stop application

3. Specify the devices to which the task is to be assigned—Selection

4. Specify the computer selection Protection is disabled

5. Select the Kaspersky Endpoint Security versions that need to be run and the command Start application

3.3 What to do if databases are outdated

If protection does not work, it is very bad. However, if it works with old signatures, it is not any better. Pay attention
to computers that have old signatures, update them and find out why the signatures have not been updated.

First, solve trivial issues. Check the following:

| Check | Details |
|---|---|
| The computers have an update task | This task is created by default. However, when groups and tasks become numerous, it may turn out that some computers do not have an update task for the necessary version of Kaspersky Endpoint Security |
| Task schedule | If the administrator created update tasks manually, he or she may have failed to set a schedule for them by mistake |
| Task source | Within the network, the Kaspersky Security Center source must be specified |
| The Administration Server has a “Download updates to the repository” task | It is created by default, but may have been deleted by mistake |
| Schedule and source of the “Download updates to the repository” task | It is created by default, but may have been deleted accidentally, or its schedule may be misconfigured |
| The Administration Server can access the selected source | Probably, the internet is accessible only through a proxy server, but its address and authentication data (username and password) are not specified or need to be updated |

After that, check for update task errors. If errors result from Kaspersky Endpoint Security failures, collect logs and
contact the technical support.

Specifically consider whether you need distribution points. They are not of much help in a small network, and
complicate diagnostics. The Administration Server automatically assigns distribution points by default. You can
disable this.

Where to find out that databases are out of date

The web widget Distribution of antivirus databases on the Dashboard page provides the most important
information about the databases in use. If everything is fine, the web widget will display a green pie chart and the
time when the latest updates were downloaded to the server repository. If there is an issue, a part of the chart will
become yellow or red and the value of the corresponding counter will increase.

Database statuses displayed in the web widget are links that open the respective device selections:

— Devices with up-to-date databases


— Devices with databases updated in the last 24 hours
— Devices with databases updated in the last 3 days
— Devices with databases updated in the last 7 days
— Devices with databases that have not been updated for more than 7 days

More detailed information about the databases in use and computers with issues is available within the appropriate
reports. The Database usage report shows the number of computers where databases are 1 day old, 3 days old, 7 days old, and
more.

If the databases became obsolete on the computer not because it was off, but because of update task errors,
the administrator needs to view update task events to find out the reason. The events sent to the Administration
Server are often insufficient for thorough analysis of the situation. The local update report of Kaspersky Endpoint
Security usually contains more events.

Computer statuses inform about old signature databases.

Computers with old databases receive a Warning or Critical status depending on how old their databases are.
The status criteria are configured in the group properties. By default, the Warning status is given to the computers
whose databases are 7 or more days old, and Critical is assigned after 14 days.

To understand why the computer status is not OK, consult the Status description column of the Devices |
Managed devices page, or the Protection section of computer properties. To view detailed information about
the signatures and, specifically, the last update date, open the properties of the Kaspersky Endpoint Security
program on the Applications tab of computer properties.
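
The triage described above, as an added example that is not part of the course material or of any Kaspersky tool: it applies the default Warning (7 days) and Critical (14 days) thresholds and separates computers that were simply offline from computers that keep connecting but do not update. The CSV layout, the device names, and the one-day "recent contact" window are assumptions made for the illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample inventory (not real console output). Columns are an
# assumed layout: device, database release time, last connection to the Server.
SAMPLE_EXPORT = """device,db_date,last_connected
WS-001,2024-05-20 06:00,2024-05-20 11:50
WS-002,2024-05-11 06:00,2024-05-20 11:45
WS-003,2024-05-04 06:00,2024-05-05 17:30
SRV-01,2024-05-02 06:00,2024-05-20 11:55
"""
SAMPLE_NOW = datetime(2024, 5, 20, 12, 0)   # constructed "current time"
FMT = "%Y-%m-%d %H:%M"

ACTION_NONE = "none"
ACTION_TASK = "check update task events and the local update report"
ACTION_OFFLINE = "computer was offline; recheck after it reconnects"


def triage(export_text, now, warning_days=7, critical_days=14,
           recent_contact=timedelta(days=1)):
    """Return {device: (status, action)} for every row of the export.

    warning_days / critical_days mirror the default status criteria from the
    group properties. recent_contact is an assumed cut-off: a computer that
    talked to the Server within this window was not powered off, so stale
    databases point to a failing update task instead.
    """
    results = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        db_age = now - datetime.strptime(row["db_date"], FMT)
        silence = now - datetime.strptime(row["last_connected"], FMT)

        if db_age >= timedelta(days=critical_days):
            status = "Critical"
        elif db_age >= timedelta(days=warning_days):
            status = "Warning"
        else:
            status = "OK"

        if status == "OK":
            action = ACTION_NONE
        elif silence <= recent_contact:
            action = ACTION_TASK
        else:
            action = ACTION_OFFLINE
        results[row["device"]] = (status, action)
    return results


if __name__ == "__main__":
    for device, (status, action) in triage(SAMPLE_EXPORT, SAMPLE_NOW).items():
        print(f"{device:8} {status:9} {action}")
```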

How to find out whether a computer has an update task

Updates from the Administration Server repository are distributed to the client computers by group update tasks.

To ensure coverage of all managed computers, the update task must be created as a group task within the Managed
devices group. The Quick Start wizard creates this type of task: Install update. If computers are combined into
groups and the optimal updating procedure is different for various groups, you can create a customized update task
for each group.

If both parent and child groups have tasks of the same type, the computers of the child group will run both tasks.
This will most likely result in errors, since if an update task is already running, another one cannot start. To avoid
that, delete the task in the parent group, disable its scheduled start, or exclude the subgroups that have their
own tasks from the parent group task scope.

Note: If earlier or other Kaspersky Endpoint Security versions (for example, Kaspersky Endpoint Security for Mac
or Kaspersky Security for Windows Servers) are used in your network, they need separate update

If there are many groups in the Web console, and different versions of Kaspersky Endpoint Security are installed on
the computers, it is hard to immediately understand whether all computers have update tasks. If signatures are
outdated on a computer, to understand whether it has an update task:

1. Open computer properties and switch to the Applications tab

2. Memorize the complete name of Kaspersky Endpoint Security, including the Service Pack version

3. Go to the computer’s group

4. Switch to the Tasks tab

5. Look for a task that has the Update type and whose Kaspersky Endpoint Security version coincides with the one
displayed in the computer properties

If there is no such task, create it in this group or in a parent group. Try to create as few tasks as possible. One
update task per version of Kaspersky Endpoint Security created in the root group Managed devices is often
sufficient.
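
The check above, together with the parent/child conflict described earlier, as an added example that is not part of the course material or of any Kaspersky API. The Group and Task classes, the device names, and the product version strings are hypothetical; it also assumes that excluding a subgroup from a task scope excludes everything nested inside that subgroup.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Task:
    name: str
    task_type: str                       # "Update", "Virus Scan", ...
    app: str                             # full product name incl. version
    excluded_subgroups: Set[str] = field(default_factory=set)


@dataclass
class Group:
    name: str
    parent: Optional["Group"] = None
    tasks: List[Task] = field(default_factory=list)


def effective_update_tasks(group: Group, app: str) -> List[Tuple[str, str]]:
    """Update tasks for `app` that a computer in `group` will run.

    Walks from the computer's own group up to the root. A task defined in an
    ancestor is skipped when any group on the path below that ancestor is in
    the task's exclusion list (assumed semantics, see the lead-in).
    """
    found = []
    below: Set[str] = set()              # groups between the computer and node
    node: Optional[Group] = group
    while node is not None:
        for task in node.tasks:
            if task.task_type != "Update" or task.app != app:
                continue                 # wrong task type or product version
            if task.excluded_subgroups & below:
                continue                 # this branch is outside the task scope
            found.append((node.name, task.name))
        below.add(node.name)
        node = node.parent
    return found


def audit(devices):
    """devices: iterable of (device name, Group, product name and version)."""
    report = {}
    for name, group, app in devices:
        tasks = effective_update_tasks(group, app)
        if not tasks:
            verdict = "no update task"
        elif len(tasks) > 1:
            verdict = "duplicate update tasks"
        else:
            verdict = "ok"
        report[name] = (verdict, tasks)
    return report


def build_sample():
    """Constructed group tree; the version strings are placeholders."""
    kes = "Kaspersky Endpoint Security for Windows (constructed version A)"
    ksws = "Kaspersky Security for Windows Server (constructed version B)"
    root = Group("Managed devices")
    # Root task excludes "Branch", which has its own update task.
    root.tasks.append(Task("Install update", "Update", kes, {"Branch"}))
    workstations = Group("Workstations", root)
    # "Servers" has its own task but is NOT excluded from the root task.
    servers = Group("Servers", root, [Task("Servers update", "Update", kes)])
    branch = Group("Branch", root, [Task("Branch update", "Update", kes)])
    lab = Group("Lab", branch)
    return [
        ("WS-001", workstations, kes),
        ("SRV-01", servers, kes),
        ("SRV-02", servers, ksws),
        ("BR-007", lab, kes),
    ]


if __name__ == "__main__":
    for device, (verdict, tasks) in audit(build_sample()).items():
        print(f"{device:8} {verdict:24} {tasks}")
```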

Schedule

Each product update task has a specific schedule and settings, including:

— The list of update sources
— Update parameters
— The settings used to copy updates to a specified folder
— The list of subgroups on whose computers the task will not run

The standard schedule for the Kaspersky Endpoint Security update tasks is When new updates are downloaded to
the repository. Unlike a periodical schedule when Kaspersky Endpoint Security defines the start time and starts
the task regardless of whether the Administration Server can be reached or not, the When new updates are
downloaded to the repository schedule means that the task is always started by the Administration Server
command.

The Administration Server sends a ‘wake up’ call to UDP port 15000 of all affected client computers to signal that
there are new settings for them. The Network Agents listen on this port, and upon receiving the call they connect
to the Administration Server and download whatever new settings are available. Upon connection to the Server,
the Agent receives the command to start the task and transfers it to Kaspersky Endpoint Security, which carries it
out. If the ‘wake up’ call doesn’t reach some computers, they will receive the command during a planned
synchronization performed every 15 minutes by default (the period is defined in the Network Agent policy).

The schedule When new updates are downloaded to the repository guarantees that the client computers will
receive updates as soon as possible and without calling the server every now and then. Alternatively, a simple
periodical schedule can be used (for example, once an hour).

To prevent serious peak loads on the update source and the network at the moment of task start, randomization of
the task launch within a certain interval is used. E.g., if the 5-minute interval is selected, the computer will begin
the next scheduled update after a random delay ranging from 0 to 5 minutes.

By default, the Administration Server automatically defines the randomization interval depending on the number of
computers the task pertains to. The administrator can also specify it manually.

If signatures are outdated on the computers, check the update task schedule. If the schedule is set to Manually,
weekly or monthly, change it to When new updates are downloaded to the repository or Once every N hours.

Source

To specify the list of sources, open the task properties and switch to the Application Settings | Local mode tab.
Updates can be retrieved from the following sources:

— Kaspersky Security Center—the recommended source for all managed computers. Moreover, the most
natural source for the When new updates are downloaded to the repository schedule

— Kaspersky Lab update servers—the recommended source for the computers outside the corporate
perimeter or a backup source if the specified Administration Server is not accessible. However,
the administrators often prefer the computers to wait for the Administration Server connection rather than
create extra Internet traffic

— Local or network update folder—another option for backup update sources. You can specify an HTTP or
FTP address instead of a shared folder. For example, if there are several Administration Servers in
the network (this case is described in course KL 302 Kaspersky Endpoint Security and Management:
Advanced Skills), HTTP addresses of update folders located on other servers can be used as backup sources

A task can have several different sources organized in a list. If the first source turns out to be inaccessible, the task
will attempt to download updates from the next.

Updates are retrieved from the Administration Server by the Network Agents. With the update servers of Kaspersky
Lab or other FTP or HTTP locations, updates are downloaded by Kaspersky Endpoint Security without the Agent.

If signatures are outdated on the computers, check the update task source. Select the Kaspersky Security Center
source. If you want to use a folder or FTP server, make sure that updates are accessible at this address, and the
computers can access the files.

In the update task properties you can configure copying updates into a separate folder. This mode can be used for
creating an update source in small networks or subnets without their own Administration Server. In larger networks,
distribution points are used to create intermediate update sources. The Administration Server assigns distribution
points automatically (for more details, refer to course KL 302 Kaspersky Endpoint Security and Management:
Advanced Skills.)

How to find out whether the Server has an update task

The task that updates the Administration Server repository is named Download updates to the repository.
The Quick Start wizard automatically creates this task. You can find it in the console, on the Devices | Tasks tab of
the <Administration Server name> group.

If databases are outdated on the computers, check whether the Administration Server has an update task. Open the
Devices | Tasks tab within the Administration Server and look for the Download updates to the repository task.

You can have only one task of this type. If it is present already, the task creation wizard doesn’t allow creating
another one. However, it is possible to delete the automatically created Download updates to the repository task
and create a new one for troubleshooting.

The settings of that task include the schedule, the update sources, connection parameters, the list of updates to be
downloaded and a few additional options.

Since there can only be one such task, it is recommended to schedule it to run regularly at small intervals ranging
from 15-20 minutes to several hours. The default value is 1 hour.

The following update sources are possible:

— Kaspersky Lab update servers—a list of FTP and HTTP servers officially maintained by Kaspersky Lab.
These servers are located in various countries worldwide to ensure high reliability of the update procedure.
If the task cannot connect to a server, it will try contacting the next one in the list. The list of servers is
downloaded together with the other updates

— Master Administration Server—this option is used if there are several Administration Servers and they
are connected in a hierarchy (described in detail in course KL 302 Kaspersky Endpoint Security and
Management. Advanced Skills)

— Local or network folder—an update source created by administrators. You may specify not only a
network folder, but also an FTP or HTTP address

The task can have several different sources organized in a list. If the first source turns out to be inaccessible,
the task will attempt to download updates from the next. (The Kaspersky Lab update servers source is considered to be
inaccessible if none of the known servers are available.)

Where to specify proxy server parameters

Where to specify proxy server parameters for the Administration Server

You may need to specify the proxy server parameters for the Administration Server update source. All sources
would share the same proxy server. If some sources are accessible without it, enable the Do not use proxy server
option in their properties.

The proxy server is not specified by default. The Quick Start wizard prompts for the proxy server parameters. To
specify a proxy server later:

1. In the Administration Server properties, open General | Configuring Internet access

2. Specify the proxy server address, port and authentication parameters: User name and password

These settings will be used for downloading updates and for KSN requests.

Where to specify proxy server parameters for the computers

If an FTP or HTTP server address is selected in the computers’ update task and it is accessible via a proxy server,
specify the proxy server parameters in the Kaspersky Endpoint Security policy. Open the policy properties, and on the
Application Settings tab, select the General Settings section and click the link Network settings.

By default, an automatically detected proxy server is used. This means that Kaspersky Endpoint Security will take
the proxy server settings specified in the Internet options in Windows Control Panel. The administrator can
explicitly specify the address, port and account for authentication.

How to disable automatic assignment of distribution points

Distribution points are additional update sources in a network. Any computer where the Network Agent is installed
can act as a distribution point. The Administration Server automatically selects the computers to which it assigns the
distribution point role. The administrator can disable automatic allocation and assign distribution points manually.

Automatically selected distribution points multicast update files and you cannot disable multicasting. Network
administrators often do not like uncontrollable traffic in the network. Also, in a small network of a few hundred
machines, the Administration Server can cope with updates alone, without distribution points.

To disable automatic assignment of distribution points:

1. Open the Distribution points section in the Administration Server properties
2. Select Manually assign distribution points

With this option selected, the administrator can manually specify the computers to be assigned distribution points.

For more details about distribution points, please refer to course KL 302. Advanced Skills.

How to check whether KSN is used


Kaspersky Security Network learns about new malicious files quicker than update tasks. If computers have no
access to KSN, they are more likely to get infected.

How to find out that computers have no access to KSN

If Kaspersky Endpoint Security has no access to KSN, it informs the Administration Server about this via the event
KSN servers unavailable. To quickly find all computers that have no access to KSN, create a custom computer
selection.

By default, Kaspersky Endpoint Security accesses KSN via the Administration Server service named Kaspersky
Security Network proxy server. The service accepts connections on TCP port 13111. If computers cannot access
KSN, make sure that:

— The service Proxy server Kaspersky Security Network is running on the Administration Server
— Port 13111 is not closed by a firewall

3.4 How to check the client-server connection

How to distinguish powered off computers

In a large network, computers are almost never turned on simultaneously. Some are off at any moment in time.

They differ by the icon in the console: powered-off computers have a red triangle icon with an exclamation mark in
the Visible in the network column. Also, check the columns Network Agent is installed, Network Agent is running,
and Last connected to the Administration Server. If the Agent is not running, and the last connection was established
long ago, do not pay attention to the computer protection status; it can be inaccurate.

What to do if a computer has not connected for a long time

If a computer remains powered off for a long time, Administration Server assigns one of the following two statuses
to it:

— Network Agent has been inactive for a long time: By default, computers receive this status in 14 days. You can
change this in the status settings, in the properties of the Managed devices node. This status means that the Network
Agent has not connected to the Server all this time, and the Server was not able to connect to the computer during
the full network poll either

— Device has become unmanaged: This status means that the Network Agent has not connected to the Server, but
the Server connected to the computer during the full network poll

If a computer has the status ‘Network Agent has been inactive for a long time’, investigate what has happened. If the
computer does not exist anymore, delete it from the group and then once again from the Discovery & deployment |
Unassigned devices node. If its owner is on vacation, do nothing.

If employees may not connect to the network for a long time (months), increase the period after which the
Administration Server automatically deletes computers from groups (60 days by default). Open the properties of the
Managed devices group, switch to the Settings tab, and in the Device activity section, change the value of the
parameter Remove the device from the group if it has been inactive for longer than (days). Or disable this
parameter altogether, if employees may work out of office for an indefinitely long time.

To enable computers to connect to the Administration Server, receive settings, and report threats when
outside the office, configure access to the Administration Server ports from the Internet. How to do it is described in
course KL 302 Kaspersky Endpoint Security and Management: Advanced Skills.

How to make a computer connect to the Server

If the computer has the status Not connected for a long time, make sure that:

— Network Agent is installed
— Network Agent is running

If the user has uninstalled the Network Agent, configure password protection in the Network Agent policy.

If the Agent is installed and running, check its settings. Use the utility klnagchk.exe from the Network Agent’s
folder %ProgramFiles(x86)%\Kaspersky Lab\NetworkAgent:

— Run the command line interface (cmd.exe) as an administrator
— Go to the Network Agent’s folder
— Start the klnagchk.exe utility

When run without parameters, the utility outputs the Network Agent settings, tries to connect to the Administration
Server with these settings, publishes the result, and finally outputs the connection statistics.

During the test connection, the Agent neither checks whether new settings are available on the server nor sends its
data to the server.

To make the Agent synchronize with the Server, carry out the command klnagchk.exe -sendhb

This command must be executed locally on the client computer.



The Web Console also has commands for checking connection to a computer:

— Check device accessibility (this command is available only in the MMC Administration Console): Verifies the
computer status Visible in the network against the Administration Server database. Does not try to connect to
the computer, and therefore adds nothing to what the computer icon shows

— Force synchronization (Device properties, the General tab, section General): Sends a signal to UDP port 15000 of
the computer

How to reconnect a computer to the Server

If the Network Agent has incorrect Server connection parameters, modify them using the utility klmover.exe, which is
located in the same Network Agent folder:

— Run the command line interface (cmd.exe) as an administrator
— Go to the Network Agent’s folder
— Run the utility klmover.exe with the parameter -address and the Server address:

klmover.exe -address 10.28.0.20

If the Server’s port is non-standard, add the parameter -ps and the port number.

To fix incorrect connection parameters remotely, reinstall the Network Agent. Before that, check the settings of the
Network Agent package. If an Agent has incorrect parameters, they may also be incorrect in the package.

3.5 How to contact technical support

When and how to contact technical support

If Kaspersky Endpoint Security does not work or works differently from what the administrator has configured, and
simple measures do not help, contact technical support.

To receive an answer quicker, collect all logs and attach them to your request:

— Kaspersky Endpoint Security logs
— Trace logs of Kaspersky Endpoint Security around the moment when the issue arises
— Windows logs
— GetSystemInfo log—information about the computer

To contact the technical support:

1. Create a request at https://companyaccount.kaspersky.com
2. Select the product and functional area
3. Describe the steps that result in the issue
4. Attach the logs

You can collect logs locally on the computer, remotely using the Kaspersky Security Center remote diagnostics
utility, or via the MMC Kaspersky Security Center console.

How to remotely collect Windows and GetSystemInfo logs

To collect logs remotely, connect to the computer using the remote diagnostics utility:

1. Start the utility from the Kaspersky Security Center folder in the Start menu.

2. Specify the target Device and the Administration Server address

3. Click the Sign In button

4. To receive information about the computer, click the link Load system information in the upper-left corner
of the window

5. To receive Windows logs, select the log and click the link Download event log… in the upper-left corner of
the window

Download Kaspersky Event Log and any other logs that contain events concerning the issue.

The diagnostics utility saves the files in a folder on the desktop. Open it using the link Download folder in the
lower-left corner of the window.

How to remotely collect trace logs

To collect trace logs using the diagnostics utility:

1. Select Kaspersky Endpoint Security in the tree
2. Click the link Enable tracing on the left, do not change the trace level, and click OK
3. Reproduce the steps that demonstrate the issue
4. Click the link Disable tracing in the diagnostics utility
5. Expand the folder Trace files under Kaspersky Endpoint Security
6. Select files one by one and download them using the link Download file on the left

If the problem does not pertain to Kaspersky Endpoint Security, or not only to it, collect trace logs of the Network
Agent, Administration Server, and Updater component in a similar manner.

When you close the diagnostics utility, it will ask whether to delete the download folder. Do not delete the folder
until you send the logs to the technical support.

How to collect logs locally



Sometimes, an issue can be reproduced more easily locally on the computer. In this case, collect the logs locally, too.

To collect information about the system, download the GetSystemInfo utility from the getsysteminfo.com website.
Run it and save the log in a folder. The utility also collects information about the system and Windows logs, and you
will not have to add them manually.

To collect the trace logs:

1. In the Kaspersky Endpoint Security window, click the button Support

2. In the Support window, click the link System tracing

3. On the drop-down list, select is enabled; in the list that will appear, select level Normal (500), and click
OK

(You can select traces with rotation. In this case, you will be able to limit the maximum number of trace
files and the maximum size of a trace file. If the number of trace files reaches the limit, the oldest file will
be deleted to free space for a new one.)

4. Reproduce the issue

5. Disable tracing: select is disabled

6. Collect the trace logs from the folder %ProgramData%\Kaspersky Lab\

The file name includes the creation date and time; select the latest logs.

How to locally enable trace logs for Kaspersky Security Center components is explained in the article
http://support.kaspersky.com/9323

How to send a request to technical support

When you have all logs at hand, contact the technical support:

1. Log on to the website companyaccount.kaspersky.com

If you have no account, sign up: Specify your email and license for Kaspersky Lab products (the activation
code or key file)

2. Click the button New request and select Make a request for Tech Support

3. Select the protection scope, product, version, operating system, request type and subtype

4. Type the request subject: Define the problem briefly

5. Describe the issue: The steps that result in it, which result you expect, and which you get instead

6. Attach the archive with all logs



Chapter 4. What to do from time to time

4.1 How to install program updates

Program update types

Apart from signature updates, which are issued continually, there are program updates, which are released much
more rarely:

— New versions: Are released once every few years, introduce new capabilities, components, settings, etc.
Are installed by Kaspersky Endpoint Security installation task and the installation wizard of
Kaspersky Security Center

— Service Packs: Are released approximately yearly, sometimes more rarely. Upgrade components and drivers, may add
new settings and capabilities, but the changes are not as significant as in a new version.
Are installed by Kaspersky Endpoint Security installation task and the installation wizard of
Kaspersky Security Center

— Maintenance Releases: For Kaspersky Endpoint Security, MRs are released once every quarter or two, fix errors, may
slightly change settings, are installed by the update task.
For Kaspersky Security Center, a Maintenance Release is almost the same as a Service Pack: They
are released in a year after a new version or Service Pack, and are installed by the installation wizard
of Kaspersky Security Center

— Patch: Are not released for Kaspersky Endpoint Security. For Kaspersky Security Center, patches are
released quarterly, fix errors, slightly alter operation, are installed automatically on Network Agents

— Private fixes: Are released by request, correct specific issues for individual customers. Usually, for customers
with a Maintenance Service Agreement

Where to find out that an update has been issued

You can learn that a minor update (Maintenance Release for Kaspersky Endpoint Security or patch for Kaspersky
Security Center) has been released in Operations | Kaspersky Lab applications | Kaspersky Lab software
updates and patches. Also, consult messages on the Monitoring & Reporting | Notifications page.

Minor updates are installed automatically, but only after the administrator approves them. Usually, to install an
update, you need to accept the license agreement. The “Kaspersky Lab software updates not approved” status informs
about this.

To be able to install updates by other manufacturers, you need a Systems Management license, for example, KESB
Advanced. This is described in course KL 009 Systems Management. The current version of Web console does not
support the Systems Management functionality.

How to install only approved updates

How to install only approved updates of KES



Kaspersky Endpoint Security can do without application updates. If there are no critical issues that impede work,
you can use Kaspersky Endpoint Security until a new version or Service Pack is released.

Still, module updates can be useful. They can improve computer performance, increase protection efficiency and
add new functionality to the product. Often the benefits outweigh the risks, and the risks can be mitigated by testing
the updates and installing only approved ones. As far as module updates are concerned, the administrator has the
following options in the update task of Kaspersky Endpoint Security:

— Install approved application module updates—enabled by default. Can be disabled in the groups where
computers are extremely sensitive to changes, e.g., groups with important servers

— Automatically install critical application module updates—installs the updates marked as approved
by the administrator and the updates marked as critical by Kaspersky Lab without the administrator’s
approval. Installing unapproved updates may be risky because unforeseen issues might arise

To approve an update:

1. Select the update on the tab Operations | Kaspersky Lab applications | Kaspersky Lab software
updates and patches
2. Click the Approve button above the list of updates
3. If the update has a license agreement, the respective window will open. Accept the agreement

If you approve a wrong update by mistake, open its properties and change the value of the Update approval field to
Undefined or Declined.

Prior to approving an update, install it on test computers and make sure that it is not causing any issues.

After a program update is installed, a restart may be required.

How to install only approved updates of Network Agent

Approved updates of Network Agent are installed automatically without tasks. After the administrator approves an
update, Agents will start downloading it during planned synchronizations and install locally.

By default, the Administration Server installs all Network Agent updates rather than only approved ones. To install
only approved updates:

1. On the Devices | Policies and profiles page, open the Network Agent policy

2. Switch to the Application Settings tab and go to the Manage patches and updates section

3. Disable the option Automatically install applicable updates and patches for components that have
Undefined status

To test Network Agent updates, create a group for test computers and enable installing unapproved updates in the
policy of this group.

The administrator can always select not to install some update, even if automatic update is configured in the policy.
For this purpose, open the update properties and for the parameter Update approval, select Declined.

To prevent distribution of updates for older Network Agent versions (up to version 10 SP1 inclusive), disable the
respective parameter in the task Download updates to the repository:

1. On the Devices | Tasks tab, open the properties of the Download updates to the repository task

2. Switch to the Application Settings tab and in the Other settings area, click Configure

3. Clear the check box Update Network Agent modules (for Network Agent versions earlier than 10
Service Pack 2)

Since only one task of this type exists, module updates of Network Agents up to version 10 SP1 inclusive will or
will not be installed in the whole network. You cannot enable installation of these updates in some groups and
disable in others.

How to find out that a new version has been released

Where to look for new versions

The Updates section of the Monitoring & Reporting | Notifications tab informs about new product versions and
Service Packs. Monitor the messages:

— Updates are available for Kaspersky Security Center components
— Updates are available for Kaspersky Lab applications
— There are <N> new version(s) of Kaspersky Lab applications available for download

All of them lead to the Installation packages window.



To open this window in another way, go to Operations | Kaspersky Lab applications | Current application
versions

The window shows the list of available product versions by Kaspersky Lab, which are manageable via Kaspersky
Security Center. You can download them from Kaspersky Lab servers through this window.

Program versions include:

— Distributions that can be downloaded to the Administration Server using the button Download and create
installation package

— Distributions that cannot be transformed into a package, but can just be downloaded

— Management plug-ins, which can be downloaded and installed in the console

How to find the necessary product, version and language

The list includes numerous programs, a few versions of each program and several localizations of each version, and
it’s easy to get lost.

To find what you need, for example, the latest version of Kaspersky Endpoint Security in English, configure a filter:

1. Components:

   — Controls: Distributions and patches of Kaspersky Security Center and Network Agent components for various
   platforms

   — Workstations: Kaspersky Endpoint Security for various platforms (Windows, Mac)

   — File Servers and Storages: Distributions and plug-ins of Antivirus Kaspersky for Windows File Servers,
   Kaspersky Anti-Virus for Windows Servers and Kaspersky Security for Windows Server

   — Virtualization: Distributions and plug-ins of Kaspersky Security for Virtualization Light Agent

   — Mobile: Distributions and plug-ins of Kaspersky Security for Mobile (Android)

   — Embedded Systems (ATM and POS): Kaspersky Embedded Systems Security distributions and plug-ins

2. Update type: Full distribution package, patch, plug-in, or web plug-in

3. Specify the necessary program version

4. Specify the program interface language



4.2 How to renew a license

When to renew a license

Initially, a license is purchased together with the product to entitle its use. Later, another license can be purchased to
overcome one of the following license limitations:

— Prolong—the most typical situation, when the company is satisfied with the product and it is necessary to
renew the license to keep using it

— Increase the number of computers—if the company grows and the number of computers is about to exceed
the license limit

— Extend functionality—if the necessity to use additional product functions has appeared in the company, for
example, Encryption or automatic installation of Windows updates

Also, a license may be blacklisted if it is exposed to the Internet. Kaspersky Lab blocks these licenses, and they stop
working. Products receive black lists of licenses together with signature updates.

Without a license, Kaspersky Endpoint Security works with limitations:

Before the first license is installed: Only File Threat Protection and Firewall work.

If a commercial license has expired: All components keep working, but update tasks will not start and KSN
servers are inaccessible. Protection level gradually decreases.

If a trial license has expired or a commercial license has been blacklisted: Only File Threat Protection and
Firewall will keep working. Protection will be resumed after you activate the product with a valid
commercial license.

How to find out that the license expires

If the license is about to expire or has expired on a computer, the administrator should pay attention.

The license expiration date is displayed in the license properties in Operations | Licensing | Kaspersky Lab
Licenses.

The computer statuses configured in the administration group properties may also attract the administrator’s
attention. Two status conditions relate to licenses:

— License term expired—sets the computer status to Critical. By default, the condition is triggered in 0
days, meaning, right after the license expires. It can be configured to trigger several days after the license
expiration so that the license could update automatically rather than waste the administrator’s time

— License term expires soon—sets the computer status to Warning. By default, it is displayed 7 days before
the expiration, but this parameter is adjustable

How to find out that the number of activations is exceeded

Most of the information about the keys that the administrator would ever need is available on the Operations |
Licensing | Kaspersky Lab Licenses page, including node restriction and use percentage.

The Administration Server shows how many of the managed computers are using the license. It does not receive
data from Kaspersky Lab activation servers, which may have different statistics if the license is also used on
computers without the Network Agent.

Administration Server events inform about exceeding the node limitation:

— License restriction has been exceeded—there are two events with this name, critical and warning.
The critical event is generated when the number of installations constitutes 110% of the license limit.
The warning informs of reaching the limit (100%)

— Over 90% of this key is used up—an information message

The Administration Server does not impose any technical limitations when license usage reaches either 100% or
110% of the limit. If keys are used for activation, the administrator can distribute them with a key installation
task to any number of computers. From the viewpoint of the license agreement, a license entitles you to use
software on the number of devices specified in the license certificate. However, if the Deploy key automatically
option is enabled in the key properties, the Administration Server will not only distribute it to computers, but
also remove the key from excess computers if the license limit is surpassed.

If activation codes are used, Kaspersky Lab activation servers may impose technical limitations. For each instance
of Kaspersky Endpoint Security that needs to be activated, the activation servers issue a ticket for using the
product. If the number of simultaneously issued tickets greatly exceeds the license limit (1.5 to 2 times),
the activation server will stop issuing tickets.

How to switch over to a new license

How to renew a license on the computers

When a license is soon to expire, the company can purchase a new license. The problem is how to switch from one
license to another without a time gap and without reducing the effective license period of any of the licenses. You
would rather not replace the old license when there are still several days left of the licensing period. However,
you want to activate the new license before the old one expires.

To avoid losing any of the validity period of either the old or the new license, use one of the following approaches:

1. Distribute a new key to the computers using a key installation task beforehand. In the task settings, specify
that it is an additional (backup) key

Additional keys and codes can be added in almost all products by Kaspersky Lab. Once the active key
expires, the product is automatically activated with the additional key or code.

2. Add the new license to the Administration Server and, in its properties, enable the option Deploy key
automatically

When the previous key expires on the computers, they will receive the new automatically distributed key
from the Administration Server.

Automatically deployed keys are sent to all computers. If a computer does not have an active license,
the automatically distributed key will be activated on it. If an active license is already available, the automatically
distributed key will be deployed as an additional one. If a computer has both an active and an additional license,
the automatically distributed key will not be installed.

The key or code to be distributed can be added in the Quick Start wizard. To add keys later, on the Operations |
Licensing | Kaspersky Lab Licenses page, click the Add button.

Registered keys and codes can be imported from the storage as key files or text files with the code. (This
functionality is available only in the MMC Administration Console.) These can be used for local activation, if
necessary, or for backup purposes.

How to renew an Administration Server license

Only the extended functions of Kaspersky Security Center Administration Server available in KESB Select and
KESB Advanced licenses require activation.

The operations described in this course do not require activating the Administration Server.

To replace the active key or add another one to the Administration Server, open the Keys section in the Server
properties. You can specify the active and additional license in this section. You can also replace or delete licenses
as necessary.

You can select a license for the Administration Server from among those added to the Kaspersky Lab Licenses
storage.

To add a key to the Administration Server, select a key specifically designed for Kaspersky Security Center. Check
the Application name column in the key table. There is usually a descriptor there, Security Center or
Kaspersky Endpoint Security, that indicates the key purpose.

If you are adding a code, you do not need to check the name: the same code activates all products covered by the
license, Kaspersky Endpoint Security and Kaspersky Security Center.

How to replace the active license

Sometimes you need to install a specific key on a specific computer or a group of computers. Automatic distribution
would not serve this purpose. Instead, you can create an Add key task.

This task can be created using the typical task creation wizard on the Devices | Tasks page.

If two products require different Console plugins to be managed, they require different Add key tasks as well.
For example, Kaspersky Endpoint Security 10 Service Pack 2 and Kaspersky Endpoint Security 10 Service Pack 1
have independent plugins. Therefore, a task to add a key to Kaspersky Endpoint Security 10 SP2 will not run on
Kaspersky Endpoint Security 10 SP1 and vice versa.

In the task creation wizard or later in the task properties, you can select a license from the list of keys and codes
(those available on the Operations | Licensing | Kaspersky Lab Licenses page). There is an option in the task that
allows installing the selected key or code as an additional key. This option is enabled by default, because the main
license is supposed to be installed through the automatic installation feature (an option in the key or code properties).

4.3 How to configure backup

Why back up?

Creating backup copies is a good practice that can save you a lot of trouble. The administrator will be able to restore
the entire management system from a backup copy within about an hour. To ensure a quick recovery, it is important
to store backups in a reliable location.

A backup copy of the Kaspersky Security Center data includes all visible and invisible configuration settings. This
includes the event database (which contains more than just the events), administration group structure, tasks and
policies, report templates, installation packages [3], selections of computers and events, the Administration Server
certificate, and more. Updates are not included, because they quickly become outdated, and there is no reason to
keep an old copy.

Since the Encryption functionality has appeared in Kaspersky Endpoint Security, backups have become even more
important. The Administration Server configuration now includes the encryption key store that contains master keys
for all computers where encryption is used. These keys are necessary for recovering access to encrypted data in case
of failures. If the master keys stored on the Administration Server are lost, encrypted data may also be lost
irretrievably. Encryption and the risks involved are described in course KL 008 Encryption.

However, even if we leave encryption out of consideration, losing Administration Server data can result in many
hours or days or even weeks spent on system recovery. In a large network, even creating a structure of groups can be
difficult and may consume much time and effort. If the server is reinstalled, its certificate changes, which means that
Network Agents, even if they use the correct address, will not be able to establish a connection to the new
Administration Server. Generally, to recover connection to the computers, all Network Agents will have to be
reinstalled.

A backup copy relieves the administrators from these issues, because a copy includes the server certificate, all
the settings, and the encryption key store.

Backup copies can be used as an alternative method of upgrading the Kaspersky Security Center version. A standard
upgrade procedure implies installing a new version over the old one. In this case, the installer detects a previous
version and upgrades its components, saving old settings if possible. Using the backup mechanism, you can create
a backup copy of your old system, uninstall it, then install the new version of the Administration Server, and restore
its configuration from the backup. You can use this method when it is necessary to upgrade not only the software
components of the Administration Server, but also its hardware configuration.

[3] Including standalone packages, but excluding operating system image packages. (These packages are described in
detail in course KL 009 Systems Management.)

In a similar manner, you can use backups to move the Administration Server to a different computer. First create
a backup copy, and then install the Administration Server on another system. Restore the Administration Server
settings from the backup copy. In this case, it is important to ensure that the same SQL server type (Microsoft SQL
or MySQL) is installed for both new and old instances of the Administration Server.

If you move the Administration Server to another system and want to change the Server’s name, you must make this
change before the migration. For details, refer to course KL 302 Kaspersky Endpoint Security and Management.
Advanced Skills.

The most important thing about backup copying is to regularly make sure that you can restore the system from a
backup copy.

Spend half an hour once a month, or at least once a quarter, to restore Administration Server data on a test
computer. This way, you will make sure that the backup copies are not corrupted and sharpen your skills. In case of
a real failure, you will be able to restore systems quickly and easily.

How to configure backup

To create backup copies, Kaspersky Security Center has a special task called Backup of Administration Server data.
Only one instance of this task can exist on the Administration Server, and the default one is created by the Quick
Start wizard. If necessary, you can delete and recreate it as a troubleshooting measure.

The actual job of creating backup copies is performed by klbackup.exe, a utility for backup and recovery of the
Administration Server. The task launches the utility with the specified options, which then creates a backup copy.

Starting with Kaspersky Security Center version 10 SP3, when creating a backup copy, the klbackup.exe utility
does not stop any services; it copies the Server settings and data, then instructs the SQL server to back up the
database.

Only one parameter is required for the backup task: the location of backup copies. This folder will contain
subfolders for each backup copy. The names of the subfolders consist of the date and time of creation. The default
location of backup copies is the SC_Backup folder in the Administration Server data directory
(%ProgramData%\KasperskySC\SC_Backup).

It is risky to store backup copies on the disk where the Administration Server is installed, because in the event of a
hardware failure, both the current system and its backup copy will suffer. We strongly recommend that you store
backup copies in another location. The administrator can either specify a network location or use an additional
process to move backup copies to a safer place for storage.

It is important to realize that backup copies of the Administration Server data are created under the Administration
Server account, whereas backups of the database are created under the database server account. If you specify a
network path as the target location for backup copies, both the Administration Server and SQL server must have
access to this folder. Also, the specified drive must have enough free space.

Since a backup copy can be up to several gigabytes in size (depending on the network and the amount of stored
data), it makes sense to limit the number of stored backup copies. By default, the maximum number of backup
copies is three.

The Administration Server certificate is stored in an encrypted form for security reasons. This security measure
prevents intruders from using the certificate to gain control over the client systems. To enable certificate encryption,
you need to provide a password. By default, the password is empty.

The backup data copying task is scheduled to start every two days at 2 a.m. by default; therefore, only three backup
copies of the last six days are stored.

How to restore from a backup

There is no task in Kaspersky Security Center that would restore data from a backup copy. This is done by design,
because an accidental launch of such a task would result in the loss of newly added settings and data.

In order to restore the Administration Server data, the klbackup.exe utility is used again, which can be run from
the Start menu. When started without command line options, this utility works as a wizard that prompts you to
choose the restore option and enter the path to the backup copy and the password for decrypting the Administration
Server certificate. You need to specify the full path to the subfolder that contains the backup copy. For example, if
you specified the c:\backups path for the backup task, to restore the system, you need to enter something similar to
c:\backups\klbackup2018-12-27#02-00-02

The backup copying utility can not only restore the data from backup copies, but it can also create backup copies. To
do so, at the Choose Action step, select Backup of Administration Server data.

Also, you can enable the mode for only backing up or restoring the Administration Server certificate. This mode can
be used, for example, when you only need to restore connection between the Network Agents and the Server, but
want to create the structure and settings from scratch. This limited backup is not available in the backup task.

The klbackup.exe utility can be launched from the command line with the following parameters:

— -path—backup copy destination folder, or the source folder during a recovery

— -restore—the option that instructs the utility to restore data; without it, the utility will create a backup copy

— -use_ts—the option that creates a subfolder with a name consisting of the time and date of creation;
without it, the utility will create a backup copy right in the folder specified by the path option

— -password—the option that specifies the password for encrypting the Administration Server certificate
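
The defaults and folder naming described above can be checked with a short script. This is an added example, not part of the guide and not Kaspersky code: it lists the dated backup subfolders, flags stale or misplaced copies, and builds the klbackup.exe arguments for a test restore. The function names, the one-day grace period, treating the system drive as the Administration Server's disk, and klbackup.exe being reachable from the current directory or PATH are assumptions.

```powershell
# Added example, not Kaspersky code. Assumptions: the grace period, the use of
# $env:SystemDrive as the Administration Server's disk, and all function names.

function Get-KlBackupCopy {
    param([Parameter(Mandatory)][string]$Root)
    # Subfolder names are the creation date and time, in the form the guide
    # shows for a restore path: klbackup2018-12-27#02-00-02
    $format = "'klbackup'yyyy-MM-dd'#'HH-mm-ss"
    Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
        $created = [datetime]::MinValue
        $parsed = [datetime]::TryParseExact($_.Name, $format,
            [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::None, [ref]$created)
        if ($parsed) {
            [pscustomobject]@{ Path = $_.FullName; Created = $created }
        }
    } | Sort-Object -Property Created -Descending
}

function Test-KlBackupHealth {
    param(
        [Parameter(Mandatory)][string]$Root,
        [int]$IntervalDays = 2,                   # guide: default schedule, every two days
        [int]$MaxCopies = 3,                      # guide: default number of stored copies
        [int]$GraceDays = 1,                      # assumption: tolerated delay
        [string]$ServerDrive = $env:SystemDrive,  # assumption: disk hosting the server
        [datetime]$Now = (Get-Date)
    )
    $findings = @()
    $copies = @(Get-KlBackupCopy -Root $Root)
    if ($copies.Count -eq 0) {
        $findings += 'No backup copies found under the backup root.'
    } else {
        $ageDays = [math]::Round(($Now - $copies[0].Created).TotalDays, 1)
        if ($ageDays -gt ($IntervalDays + $GraceDays)) {
            $findings += "Newest copy is $ageDays days old; check the backup task."
        }
        if ($copies.Count -gt $MaxCopies) {
            $findings += "$($copies.Count) copies found; the configured limit is $MaxCopies."
        }
    }
    # The guide advises against keeping copies on the server's own disk.
    $volume = [System.IO.Path]::GetPathRoot($Root).TrimEnd('\')
    if ($volume -ieq $ServerDrive.TrimEnd('\')) {
        $findings += "Backup root is on $ServerDrive, the same disk as the server."
    }
    [pscustomobject]@{ Newest = ($copies | Select-Object -First 1); Findings = $findings }
}

function Get-KlRestoreArgument {
    param([Parameter(Mandatory)][string]$CopyPath, [string]$Password)
    # A restore takes the full path of the dated subfolder, not the backup root.
    $argList = @('-path', $CopyPath, '-restore')
    if ($Password) { $argList += @('-password', $Password) }
    $argList
}

# Usage on a test computer (D:\KSC_Backups is a constructed path; $pw holds
# the password that was set in the backup task):
#   $report = Test-KlBackupHealth -Root 'D:\KSC_Backups'
#   $report.Findings
#   $restoreArgs = Get-KlRestoreArgument -CopyPath $report.Newest.Path -Password $pw
#   & klbackup.exe @restoreArgs
```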

How and why to maintain the database

With time, the Administration Server database may slow down. In particular, the reports may be generated slowly,
and lists of events or computers may be displayed only after a noticeable pause.

To speed up the console’s work with the events stored in the database, the database needs to be optimized. Before
Kaspersky Security Center 10 SP2, this could be done only using the database server tools. Kaspersky Security
Center 10 SP2 features a special task named Database maintenance, which can optimize a Microsoft SQL database
of the Administration Server. The task does not support MySQL databases. If you use MySQL, optimize
the database using the database server tools.

To speed up the Administration Server database, the Database maintenance task performs the following:

— Looks for errors in the database and fixes them

— Rebuilds indexes

— Updates the database statistics

— Optionally shrinks the database

The task has few parameters. In addition to the schedule, there is only the Shrink database option, which decreases
the database size. We recommend optimizing the database once a week.

If the Administration Server works slowly because its resources are scarce, the Database maintenance task will not
help.

There can be only one Database maintenance task. It is created by the Quick Start wizard. By default, the task
starts every Saturday, at 1 a.m.

4.4 Maintenance: Summary

To keep protection working on the computers, monitor important events:

— Configure notifications about possibly infected computers

— Configure reports to be emailed

— Organize daily inspections of the protection status: Customize the Dashboard

Investigate grave incidents, such as an infection, immediately. Solve less important issues once a week. Do not
allow them to pile up; otherwise, it will soon be difficult to notice something important among them.

If you cannot solve an issue, contact technical support. To receive a precise answer sooner, collect logs and
attach them to your request.

Install updates and new versions. They correct errors and improve performance and protection.

Back up the Administration Server data. Regularly make sure that you can restore data from a backup.

Do not forget to renew the license. Configure statuses and notifications to be informed of its expiration beforehand.

v1.0.1