002.11.6: Kaspersky Endpoint Security and Management. Unit IV. Maintenance

2.1 How to create a custom dashboard ... 6
    How to answer all questions at a glance ... 6
    How to fill the dashboard with statistics ... 7
    How to understand that important protection components are disabled in the policy ... 8
2.2 How to email reports ... 9
    Which reports to email ... 11
    How to create a custom report ... 11
2.3 How to email notifications ... 13
    Where to enable notifications ... 13
    Where to modify the addressee and the mail server ... 14
    About which events you need to know ... 16
3.1 What to do with malware ... 18
    Where to learn about threats ... 19
    How to find computers with threats ... 19
    How to understand what has happened to the threats ... 20
    How to find computers with non-disinfected threats ... 21
    How to scan critical areas ... 22
    How to isolate a computer and eliminate an active infection ... 23
    How to reset the virus counter ... 24
3.2 What to do if Kaspersky Endpoint Security does not work ... 25
    Where to find out that Kaspersky Endpoint Security does not work ... 26
    How to start protection remotely ... 27
3.3 What to do if databases are outdated ... 28
    Where to find out that databases are out of date ... 29
    How to find out whether a computer has an update task ... 30
    How to find out whether the Server has an update task ... 33
    Where to specify proxy server parameters ... 34
    How to disable automatic assignment of distribution points ... 35
    How to check whether KSN is used ... 36
3.4 How to check the client-server connection ... 37
    How to distinguish powered off computers ... 37
    What to do if a computer has not connected for a long time ... 37
    How to make a computer connect to the Server ... 38
    How to reconnect a computer to the Server ... 40
3.5 How to contact technical support ... 40
    When and how to contact technical support ... 40
    How to remotely collect Windows and GetSystemInfo logs ... 41
    How to remotely collect trace logs ... 42
    How to collect logs locally ... 43
    How to send a request to technical support ... 44
4.1 How to install program updates ... 45
    Program update types ... 45
    Where to find out that an update has been issued ... 46
    How to install only approved updates ... 46
    How to find out that a new version has been released ... 48
4.2 How to renew a license ... 50
    When to renew a license ... 50
    How to find out that the license expires ... 51
    How to find out that the number of activations is exceeded ... 52
    How to switch over to a new license ... 52
    How to replace the active license ... 54
4.3 How to configure backup ... 55
    Why back up? ... 55
    How to configure backup ... 56
    How to restore from a backup ... 57
    How and why maintain the database ... 58
4.4 Maintenance: Summary ... 60
1. How to maintain protection

After you have installed Kaspersky Endpoint Security and Network Agent on the computers, created the necessary policies and tasks, and configured them as necessary, you need to monitor the system to make sure protection works, and react to incidents.

To keep protection working, you have to perform routine maintenance; some things have to be done often, and some infrequently. Most of the actions are obvious, but we will describe them nevertheless, just in case.

Check the most important things.

What to check: There are no unprocessed threats on the computers
Why so often: You install protection to repel threats. Kaspersky Endpoint Security blocks most of them automatically. But if protection cannot handle a threat, you should be informed about this as soon as possible and neutralize it manually. The longer a threat is active, the more damage it can do. This is obvious enough.

What to check: Protection is installed and works on the computers
Why so often: If protection does not work, you do not know whether there is malware on the computer. And the longer protection does not work, the more chances that malware infects the computer.
Solve issues that affect protection. If time permits, do it daily; otherwise, solve secondary issues weekly.

What to check: Computers have the latest signature databases
Why so often: Almost all protection components use signatures to detect malware. If signatures are old, Kaspersky Endpoint Security will not be able to detect new viruses. The older the signatures, the greater the risk. If signatures are two days old, it is bad, but not critical. And if they are two months old, it is almost as dangerous as if protection was not running at all.

What to check: Protection uses Kaspersky Security Network
Why so often: Kaspersky Security Network informs about known malicious files and helps to detect them even if signatures are obsolete. Moreover, Kaspersky Security Network informs about new malicious files earlier than signatures are issued for them. Without Kaspersky Security Network, protection does not work as well, but it still works and protects against most of the threats.

Perform preventive maintenance on the Administration Server.

What to check: Make sure that you can recover the Server from a backup copy
Why so often: You spent quite a lot of time to install protection. If you lose the Administration Server because of a hardware failure, you will have to spend almost as much time to install and configure protection once again. Backup copying can prevent this. The crucial point about backup copying is that making a copy is not enough. You must verify that you will be able to restore the configuration. Spend half an hour per month for maintenance to make sure that you do not find yourself in a critical situation with a misconfigured backup from which you cannot restore data.

What to check: Optimize the Administration Server database
Why so often: If the database is not optimized, eventually it grows in size and becomes fragmented. You will have to spend more time generating reports or displaying a computer selection, especially in a large network or if the resources are scarce on the Administration Server (to be more precise, database server, but it is often the same computer).

Install updates and patches.

What to check: If there are any updates or patches for Kaspersky products
Why so often: Kaspersky Security Center patches and Kaspersky Endpoint Security maintenance releases are issued approximately once every quarter or two. They correct errors, improve performance and sometimes add new functions that are important for protection. You do not need to put much effort into installing patches, but do not forget to test them beforehand.

Renew the license and install new versions.

What to check: The license has not expired and the node limit has not been exceeded
Why so often: Commercial licenses are typically issued for 1 year. Without a license, protection keeps working, but the update task stops downloading signatures and Kaspersky Endpoint Security stops using KSN. Eventually, protection will be affected.

What to check: Whether there are any new versions of Kaspersky products
Why so often: New versions or service packs are issued once every year or two. They correct errors, improve performance, and also change settings and products' operation logic. New technologies, components, interception methods, etc. appear in new versions or service packs. If an old version is not updated for too long, it will not be able to fight the latest threats even with up-to-date signatures and KSN. A few years after release, a version's support ends.

2. What to do daily

During a daily inspection:

1. Find out which threats Kaspersky Endpoint Security has detected since your last inspection. If you perform inspections daily, you can focus on detections in the last 24 hours.
2. Check whether Kaspersky Endpoint Security has neutralized all threats. If there are unprocessed threats, remediate them immediately.
3. Check whether protection works on all computers. If protection is not running or is not installed, run or install it. Find out why it has happened.

To save time, configure the console so that you can quickly learn what you need about threats and protection.

The Kaspersky Security Center console provides a lot of information:

— Reports
— Events
— Computer statuses
— Computer properties
— Statistics of installed applications in computer properties
— Repositories
— Task logs

However, these sources are either insufficiently clear (for example, lists of events) or cannot be reviewed all together (for example, reports).

To get a general idea of the overall protection status, open the Monitoring & Reporting | Dashboard page of the Web Console. The administrator selects which charts to show, which chart types to use and how to organize them.

To save time, customize the Dashboard and add to it web widgets that inform about:

— Protection status
— Types of detected viruses and disinfection results
— New devices
— Network attacks
— History of network attacks
— Other important data of your choice, for example, signature versions

Types of web widgets are hardcoded, but abundant and can answer most of your questions.

By default, the Dashboard includes 7 web widgets devoted to various network status aspects, among them Protection status, New devices, Threat activity, Most frequent threats, Most heavily infected devices and Threat detection.

Usually, a web widget contains a chart with a legend or a table. By default, they represent events from all managed computers over the last 24 hours. The administrator can narrow the scope or change the period in the Properties window, which opens with the widget's settings button. The dashboard consists of several web widgets; the administrator can add, delete and move them, and modify their settings and representation.

Overall, there are more than 25 types of web widgets, grouped into categories, for the administrator to choose from.

To modify dashboard contents, click Add or restore widget.

In the web widget settings, depending on its type, you can modify the time interval for the displayed data and select the computers whose data will be shown. There are only two options for the computers: either an administration group or computers from a specified selection.

You can also modify the chart type and appearance in the web widget settings.

The web widgets' capability to display the history of changes over the specified period can be useful. For example, you can view how many viruses were detected during each hour of the last day. These data may help to select the threshold for the Virus outbreak event. Reports lack this capability.

Starting with Kaspersky Endpoint Security version 11, there is a protection level indicator in the policy interface, which helps the administrator to evaluate the level of threat prevention, and provides a hint which components should be enabled to improve it.

For example, suppose the administrator enables all Essential Threat Protection and Advanced Threat Protection components in the policy, but (by mistake or intentionally) disables Behavior Detection, a critically important component which pinpoints threats by analyzing software activities (in particular, it can detect complex threats such as ransomware). Once the Behavior Detection component is disabled, the Protection level indicator will immediately turn red and show the status Low protection level. The following information will appear to the right of the Protection level indicator after the settings are saved: Some of the recommended protection components are disabled, and a link Learn more. If you click it, the Recommended protection components window will open, which allows you to enable the recommended components to maximize threat counteraction. If the administrator ignores the caution and clicks Save in the policy window, Kaspersky Security Center will display an information window and suggest that you fix the settings.

The Protection level indicator can have one of the following values:

— High protection level. The indicator turns green if the following components are enabled:
  — Critical:
    — File Threat Protection;
    — Behavior Detection;
    — Exploit Prevention;
    — Remediation Engine.
  — Important:
    — Kaspersky Security Network;
    — Web Threat Protection;
    — Mail Threat Protection;
    — Host Intrusion Prevention.
— Medium protection level. The indicator turns yellow if an important component is disabled.
— Low protection level. The indicator turns red if:
  — one or several critical components are disabled;
  — two or more important components are disabled.
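
The indicator only shows one policy at a time in the Console. As an added illustration (not code from the course or from Kaspersky), the following Python functions apply the same rules to a map of component states, such as one you might assemble from an exported policy, and report every policy that is not at the High level together with the components to enable. The component names are the ones listed above; the policy names and states are constructed for the example, and treating a component that is absent from the map as disabled is our own assumption.

```python
# Added example: evaluates the protection level indicator rules from the text
# over component-state maps. Not Kaspersky code; policy names are constructed.

CRITICAL_COMPONENTS = (
    "File Threat Protection",
    "Behavior Detection",
    "Exploit Prevention",
    "Remediation Engine",
)
IMPORTANT_COMPONENTS = (
    "Kaspersky Security Network",
    "Web Threat Protection",
    "Mail Threat Protection",
    "Host Intrusion Prevention",
)


def protection_level(components):
    """Return (level, components_to_enable) for a {name: enabled} map.

    Rules from the text: any critical component disabled, or two or more
    important ones disabled -> "Low"; exactly one important disabled ->
    "Medium"; everything enabled -> "High". A component missing from the map
    is treated as disabled (assumption: a false alarm beats a silent gap).
    """
    disabled_critical = [c for c in CRITICAL_COMPONENTS if not components.get(c, False)]
    disabled_important = [c for c in IMPORTANT_COMPONENTS if not components.get(c, False)]
    if disabled_critical or len(disabled_important) >= 2:
        level = "Low"
    elif disabled_important:
        level = "Medium"
    else:
        level = "High"
    return level, disabled_critical + disabled_important


def audit_policies(policies):
    """Return {policy: (level, to_enable)} for every policy that is not at High."""
    findings = {}
    for name, components in policies.items():
        level, to_enable = protection_level(components)
        if level != "High":
            findings[name] = (level, to_enable)
    return findings


def _all_enabled(**overrides):
    """Helper: every listed component on, with the given ones switched off."""
    state = {c: True for c in CRITICAL_COMPONENTS + IMPORTANT_COMPONENTS}
    state.update(overrides)
    return state


# Constructed sample policies (not exported from a real Administration Server).
SAMPLE_POLICIES = {
    "Workstations": _all_enabled(),
    # the text's example: everything on except Behavior Detection
    "Workstations (test)": _all_enabled(**{"Behavior Detection": False}),
    # a server policy where no mail client is installed
    "File servers": _all_enabled(**{"Mail Threat Protection": False}),
    # kiosk policy with two important components switched off
    "Kiosks": _all_enabled(**{"Web Threat Protection": False,
                              "Mail Threat Protection": False}),
}

if __name__ == "__main__":
    for policy, (level, to_enable) in audit_policies(SAMPLE_POLICIES).items():
        print(f"{policy}: {level} protection level; enable {', '.join(to_enable)}")
```

Run against real exports, the audit gives you the same list the Recommended protection components window shows, but for all policies at once, which is what a weekly check wants.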

Some administrators open the Console only when they need to find out or configure something, and prefer to be informed about issues by email. This way they use a single tool, the mailbox, to learn about issues of various subsystems instead of opening a dozen different consoles.



002.11.6: Kaspersky Endpoint Security and Management. 2. What to do daily
Unit IV. Maintenance

ed
ut
r ib
st
di
Kaspersky Security Center can email notifications and reports. Reports that show what is happening in the network better fit daily inspections. Notifications inform about specific threats that need immediate attention.

To receive reports by email, use the corresponding task:

1. Go to Monitoring & Reporting | Reports and click New report delivery task.
2. If a task of this type has already been created, the Web Console will inform you about it. To edit its parameters, open the properties of the Deliver reports task and switch to the Application settings tab.
3. If there is no task of this type yet, the Console will start the report delivery task creation wizard.
4. Select the types of reports that you want to receive. The task shows all report templates available on the Reports tab. However, those are not all of the report types that Kaspersky Security Center can create. If some reports are missing, create them beforehand on the Monitoring & Reporting | Reports page.
5. Select the format (HTML, XLS or PDF) in the task parameters.
6. Select the action to be applied to reports: reports can be emailed and/or saved to a folder.
7. Switch to the Schedule tab and select when to receive reports.

To select where to email reports, in the task properties, open the Application Settings tab, and in the Action to apply to reports area, select the checkbox Send report by email; then click the Settings button. Specify the recipient's address and message subject. Check the sender's address and mail server parameters in the Administration Server properties.

Note: Unlike its MMC counterpart, the Quick Start Wizard of the Web Console does not create a report delivery task automatically even if you specify the mail server in it.
For daily inspections, you will need reports that show threats and protection status:

— Threats:
  — Viruses (over the last day)
  — Network attacks (over the last day)
  — Phishing attempts (over the last day)
  — Host Intrusion Prevention rule triggered (over the last day)
— Protection:
  — Protection status
  — Anti-virus database usage
  — Errors (over the last day)

All pre-configured reports available on the Reports page either do not have any period or show events over the last 30 days by default. 30-day reports are not very useful for daily inspections: it is difficult to understand what has changed since yesterday.

You need to create one-day reports manually. Delete all the reports you are not going to use, for example, reports about encryption errors if you do not have an encryption license.

Formally, the Reports page contains report templates, which describe the report type and parameters, rather than reports themselves. The Administration Server generates reports from templates when emailing them, or when the administrator clicks a report name.
To create a report (report template):

1. On the Reports page, click the Add button.
2. Name the report comprehensibly, for example Threats report over the last day.
3. Select the report type. There are more than 50 types of reports in Kaspersky Security Center.
4. Select a scope for the report. A report can cover a group, individual computers (a list) or a computer selection. Most of the reports should cover the whole network; for this purpose, select the All networked devices scope.
5. Select the reporting period. For the daily reports, specify one day.

Template settings also include the list of information fields to constitute the report tables. Some fields contain insignificant information and can be deleted so as not to overload the report. For example, the Virtual server field makes little sense in a report if virtual Administration Servers are not used in the network¹.

¹ The 'Virtual Administration Server' or 'Virtual server' terms that may be encountered in the reports should not be confused with Administration Servers running inside a virtual machine. These two usages of the word "virtual" have almost nothing in common. If your Administration Server runs in a virtual machine, it is still an ordinary Administration Server, not a virtual server. Virtual servers in the reports and other parts of the Console are something else entirely. Virtual Administration Servers are described in course 302.

Event storing parameters are specified in the policies of Kaspersky Endpoint Security and Network Agent, and also in the Administration Server properties, on the Event configuration tab. The events are grouped by four severity levels: Critical, Functional failure, Warning, and Info. The severity level is a permanent attribute of an event; it cannot be modified. Each program has its own events with their default settings.

An event has three storage settings:

— On the Administration Server, meaning, in the server database. This storing method is enabled for most critical and error events, as well as for many warning and some info events. The default lifetime of Kaspersky Endpoint Security and Network Agent events is 30 days for all events (naturally, except for the events whose storage is disabled). The Administration Server events' default lifetime is the same for all severity levels: 30 days. You can export events of the Administration Server and other Kaspersky applications installed on the managed devices to a SIEM system. For this purpose, select the checkbox Export to SIEM via Syslog (standard RFC 5424).
— In the OS event log on device. This makes sense only for the Network Agent events; Kaspersky Endpoint Security already has this capability in the settings of local event processing.
— In the OS event log on Administration Server. This works similarly to local Kaspersky Endpoint Security events: if the Administration Server becomes inaccessible, the administrator will be able to find information in the Windows log.

When the specified lifetime is over, events are automatically deleted from the Administration Server database (but not from Windows logs, which have their own settings). Increasing the lifetime will also increase the number of events stored in the database, and this will affect the time required to process operations on events. On the other hand, when the administrator decreases the event lifetime, the maximum reporting period also decreases.
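
Once Export to SIEM via Syslog is enabled, the receiving side has to parse RFC 5424 messages before it can alert on them. The following Python parser is an added example, not part of the course and not Kaspersky Security Center's own tooling: it decodes the PRI field into facility and severity, parses the STRUCTURED-DATA block (including the RFC's escape rules for `"`, `\` and `]`) and picks out the events a daily inspection should look at first. The four sample lines are constructed for the example; the `kl_event` element and its field names (`severity`, `name`, `device`, `note`) are our own stand-ins, not the field layout the Server actually emits, so adapt the selection in `critical_events` to the SD-IDs you really receive.

```python
# Added example: a minimal RFC 5424 syslog parser for events exported to a SIEM.
# Not Kaspersky code. The sample lines and the "kl_event" structured-data
# element are constructed stand-ins; the real export layout may differ.
import re
from dataclasses import dataclass, field

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<proc>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.S,
)
SEVERITY_NAMES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")


@dataclass
class SyslogEvent:
    facility: int
    severity: int          # 0 = emergency ... 7 = debug
    timestamp: str
    hostname: str
    app_name: str
    msgid: str
    structured: dict = field(default_factory=dict)   # SD-ID -> {param: value}
    message: str = ""

    @property
    def severity_name(self):
        return SEVERITY_NAMES[self.severity]


def _parse_structured_data(rest):
    """Parse the STRUCTURED-DATA part; return (dict, remaining MSG)."""
    if rest.startswith("-"):                      # NILVALUE: no structured data
        return {}, rest[1:].lstrip()
    sd, i = {}, 0
    while i < len(rest) and rest[i] == "[":
        i += 1
        end = i
        while rest[end] not in " ]":
            end += 1
        sd_id, params, i = rest[i:end], {}, end
        while rest[i] == " ":                      # PARAM-NAME="PARAM-VALUE" pairs
            i += 1
            eq = rest.index("=", i)
            name = rest[i:eq]
            if rest[eq + 1] != '"':
                raise ValueError("malformed SD-PARAM near %r" % rest[i:eq + 2])
            i, buf = eq + 2, []
            while True:
                c = rest[i]
                if c == "\\" and i + 1 < len(rest) and rest[i + 1] in '"\\]':
                    buf.append(rest[i + 1])        # RFC 5424 section 6.3.3 escapes
                    i += 2
                    continue
                if c == '"':
                    i += 1
                    break
                buf.append(c)
                i += 1
            params[name] = "".join(buf)
        i += 1                                     # skip the closing ']'
        sd[sd_id] = params
    return sd, rest[i:].lstrip()


def parse(line):
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message: %r" % line[:40])
    pri = int(m["pri"])
    sd, msg = _parse_structured_data(m["rest"])
    return SyslogEvent(pri // 8, pri % 8, m["ts"], m["host"], m["app"], m["msgid"], sd, msg)


def critical_events(lines):
    """Events worth a daily look: syslog severity crit or worse, or a
    Critical severity in the (constructed) kl_event element."""
    picked = []
    for line in lines:
        ev = parse(line)
        kl = ev.structured.get("kl_event", {})
        if ev.severity <= 2 or kl.get("severity") == "Critical":
            picked.append(ev)
    return picked


# Constructed sample export (PRI 10 = user.crit, 14 = user.info, 12 = user.warning).
SAMPLE_LINES = [
    r'<10>1 2024-03-11T08:15:02.000Z ksc-srv KSC - - [kl_event severity="Critical" name="Threats have been detected" device="WS-042"] Object infected: C:\Users\alice\Downloads\invoice.js',
    r'<14>1 2024-03-11T08:15:07.000Z ksc-srv KSC - - [kl_event severity="Info" name="Databases updated" device="WS-017"] Databases are up to date',
    r'<12>1 2024-03-11T08:16:40.000Z ksc-srv KSC - - - Device WS-099 has not connected for a long time',
    r'<10>1 2024-03-11T08:17:55.000Z ksc-srv KSC - - [kl_event severity="Critical" name="Process terminated" device="WS-007" note="user said \"open it\""] Malicious process terminated',
]

if __name__ == "__main__":
    for ev in critical_events(SAMPLE_LINES):
        kl = ev.structured.get("kl_event", {})
        print(ev.timestamp, ev.severity_name, kl.get("device"), kl.get("name"), "|", ev.message)
```

The parser deliberately rejects anything that does not match the header rather than guessing, so a misconfigured export (RFC 3164 format, or a relay that rewrites the header) shows up as parse errors instead of silently dropped events.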

To be informed about important events, configure notifications. This is configured in the properties of every particular event type that you want to be notified about. Kaspersky Security Center supports four notification channels:

— Email
— SMS
— Running an executable file or script
— SNMP

Notifications help to draw the administrator's attention to the most important events.

By default, notifications are not sent. To start receiving notifications, open the event properties and select notification methods.

By default, all events are delivered with the same parameters, which are specified in the Administration Server properties. To send different notifications to different addresses or with different text, open the event properties and disable the option Use Administration Server settings. After that, change the recipients' addresses, text template and other notification parameters.

At first, email notification delivery parameters are specified in the Quick Start wizard. You can also modify them later, in the Notification section of the General tab in the Administration Server properties.

Email notification delivery parameters include:

— SMTP server: name or IP address
— SMTP server port
— Use DNS MX lookup
— Recipients: email addresses separated by semicolons
— Text of the notification message

These parameters are sufficient if the selected SMTP server does not require authorization. The recipient address is also used as the sender address, and the subject of the sent notifications is made of the event severity level and its type, for example, Critical event: Threats have been detected.

Additionally, you can configure the following:

— Message subject template
— Authorization username and password
— Sender address
— A certificate for SMTP server authentication

When configuring the notification subject and text, you can use macros, which will be replaced by the corresponding event attributes in the notifications:

— %SEVERITY%: event severity level
— %COMPUTER%: the sender computer
— %DOMAIN%: Windows domain
— %EVENT%: event
— %DESCR%: event description
— %RISE_TIME%: event time
— %KLCSAK_EVENT_TASK_DISPLAY_NAME%: task name
— %KL_PRODUCT%: program
— %KL_VERSION%: version number
— %HOST_IP%: IP address
— %HOST_CONN_IP%: connection IP address

It is up to the administrator to decide about which events to receive notifications. However, prime candidates are events about active threats and potentially successful attacks:

Event: Active threat detected. Advanced Disinfection should be started
What does it mean? Kaspersky Endpoint Security has detected a malicious object that it cannot neutralize in normal operation. The user or the administrator must confirm starting the Advanced Disinfection procedure.

Event: Malicious object detected (KSN)
What does it mean? A malicious object was detected using a request sent to KSN rather than signatures. This means that it is a new threat, and the administrator should carefully monitor what is happening in the network, and maybe even switch to a policy with stricter protection settings.

Event: Previously opened dangerous link detected
What does it mean? Information that the link is dangerous has appeared only after a user opened it (data about previous actions is stored in the KSN cache and the Remediation Engine's logs). The user could have downloaded and started new malware.

Event: Process terminated
What does it mean? Malware was running on a computer. Although Kaspersky Endpoint Security terminated it, it could have done harm.

Event: Network attack detected
What does it mean? If the attacking computer is located within the network, it may mean that it is infected with unknown malware, or that protection does not work there.

Event: Host Intrusion Prevention rule triggered
What does it mean? If you have configured Host Intrusion Prevention to protect documents against ransomware, these events will inform you when unknown programs try to edit or delete the user's documents.

All these events pertain to Kaspersky Endpoint Security. Configure the respective notification settings in the Kaspersky Endpoint Security policy, on the Event configuration tab. The last event is an Info event. The others are Critical events.

Some events (including important ones) may occur too frequently to send a notification for each of them. For example, the Threats have been detected event during a virus outbreak may produce tens or hundreds of notifications.

To make each notification draw your attention, limit the number of notifications. For this purpose, in the Administration Server properties, open the Notification section and click the link Configure numeric limit of notifications.

Set the limit as the maximum number of notifications over a time span. As soon as the limit is reached, notifications are suppressed until the specified period is over. If new events are received afterwards, the limit is counted anew. The same limit is used for all notification types, but applies individually to each event type. E.g., if notifications for the Threats have been detected event hit the limit, notifications for other event types will not be affected.
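
To see what the numeric limit does during an outbreak, here is an added Python simulation of the rule described above; it is not Kaspersky code. It counts per event type, opens a window with the first counted notification, drops further notifications of that type once the limit is reached, and starts a fresh count with the next event after the window has ended. The event stream and the limit of 3 notifications per 60 seconds are constructed; the exact window semantics are an assumption read from the text, so treat the numbers as an illustration rather than a specification of the Server's behaviour.

```python
# Added example: simulates the per-event-type numeric limit on notifications.
# Not Kaspersky code; the window semantics are read from the text and the
# event stream below is constructed.
from collections import Counter


class NotificationLimiter:
    """Allow at most `limit` notifications per `period` seconds for each event type.

    The window opens with the first counted event of a type. Once `limit`
    notifications have gone out, the rest are suppressed until the window has
    passed; the next event after that starts a fresh window and a fresh count.
    """

    def __init__(self, limit, period):
        if limit < 1 or period <= 0:
            raise ValueError("limit must be >= 1 and period > 0")
        self.limit, self.period = limit, period
        self._windows = {}      # event type -> (window_start, sent_in_window)
        self.suppressed = Counter()

    def should_notify(self, event_type, ts):
        start, sent = self._windows.get(event_type, (None, 0))
        if start is None or ts - start >= self.period:
            self._windows[event_type] = (ts, 1)      # new window opens
            return True
        if sent < self.limit:
            self._windows[event_type] = (start, sent + 1)
            return True
        self.suppressed[event_type] += 1             # limit hit, period not over
        return False


def simulate(events, limit, period):
    """events: iterable of (timestamp_seconds, event_type) in time order.
    Returns a list of (ts, type, delivered) so the effect of the limit is visible."""
    lim = NotificationLimiter(limit, period)
    return [(ts, kind, lim.should_notify(kind, ts)) for ts, kind in events]


def delivered_counts(results):
    """How many notifications of each type actually went out."""
    return Counter(kind for _, kind, ok in results if ok)


THREATS = "Threats have been detected"
ATTACK = "Network attack detected"

# Constructed outbreak: a burst of detections, one unrelated event, then a
# late detection after the 60-second window has ended.
SAMPLE_EVENTS = [
    (0, THREATS), (1, THREATS), (2, THREATS), (3, THREATS), (4, THREATS),
    (5, ATTACK),
    (6, THREATS),
    (65, THREATS),
]

if __name__ == "__main__":
    for ts, kind, ok in simulate(SAMPLE_EVENTS, limit=3, period=60):
        print(f"t={ts:>3}s {kind:<28} {'sent' if ok else 'suppressed'}")
```

The point the simulation makes visible is the one the text states in words: the burst of detections is cut to three mails, the Network attack detected event in the middle is still delivered because it is counted separately, and the first detection after the window closes is delivered again. Keep the suppressed counter in sight when choosing the limit, because a suppressed notification is still an event you have to find in the reports.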

r ib
st
di
re
or
e d
pi
co
be
t to
No
002.11.6: Kaspersky Endpoint Security and Management. 3. What to do if something has happened
Unit IV. Maintenance

ed
ut
r ib
st
di
re
or

If no new events about threats have appeared on the computers over the last day, you do not need to do
anything. But what to do if there are some events?
d

First of all, find out what has happened to the detected threats. If Kaspersky Endpoint Security deleted,
e

disinfected or blocked a threat, you do not need to do anything. Just reset the virus counter on the
computer to be able to see when new threats appear.
pi

If malware is not treated or removed, act according to a plan. Prepare the plan beforehand.

A typical plan may include the following steps:

1. Run the critical areas scan task to understand whether the computer is infected
2. If a computer is infected or you suspect that it may be infected with unknown malware:
2.1. Isolate the computer from other computers in the network
2.2. Disable the policy using the password
2.3. Raise the heuristics level and enable Advanced Disinfection technology
2.4. Check integrity of Kaspersky Endpoint Security by a local task
2.5. Perform full scan on the computer

If this does not help, restore the computer from an image. If all computers are installed from images at the company, and the users’ data are stored in the network rather than on the computers, restoring from an image may be the first step of your plan to save time.

If you find suspicious files during an investigation, send them to Kaspersky for analysis via the portal companyaccount.kaspersky.com. Also, invite internal or external experts if you suspect a targeted attack against your organization.


You can find out that viruses have been found from events, reports, statistics and computers’ statuses. Next to statistics, statuses draw your attention first of all.

Threat detections and their processing results define the computer status in the Administration Console: OK, Warning or Critical. This allows the administrator to easily notice problematic computers when looking through the groups.

The Many viruses detected status tells that viruses were found on the computers. This status is related to the virus counter parameter. Every time malware is detected on the computer, the counter increases its value by 1. The counter value is transferred to the Administration Server during the synchronization.

The status is activated if the virus counter value exceeds the specified threshold. By default, the Many viruses detected status is disabled.

To enable the status to show the computers where malware was found, go to the Devices | Hierarchy of groups page and open the properties of the Managed devices group. Switch to the Device status tab and activate the status Too many viruses detected. To make computers receive the Warning status and be displayed yellow, activate the status in the Warning section. To make computers receive the Critical status and be displayed red, activate the status in the Critical section. To paint computers yellow when there are a few viruses on them, and red when the number of viruses exceeds, say, 5, configure different thresholds for the status Many viruses detected (select the status and click the Edit button).

If at least one of the managed computers receives either There are active threats or Many viruses detected status, the global Protection status also changes on the Dashboard.

The statuses OK, Warning, and Critical are links. If you click the Critical status, the selection of devices that have the corresponding status will open. All statuses behave this way on the Dashboard page. In the selection, you can find out why the device has received the corresponding status.

A selection is a dynamic set of computers selected by an attribute. There are standard selections on the Administration Server, which show computers with various statuses. For example, There are active threats and Many viruses detected.


You can take group actions on the computers joined into a selection, for example, start update and search tasks, move into a group, etc. So, selections are very useful when dealing with the computers that have a problem status.

The Threats report shows statistics of processing the malware detected on the managed computers: how many objects were treated, how many blocked (by Web Threat Protection), how many deleted and how many still remain unprocessed. It also shows the number of dangerous objects whose processing results are unknown. These statistics are available for each type of malware.

The Threats report can show which malware KES detected, and using which technology. To be able to see this information, add the By KSN verdict column to the Details table. You can also add the Detection technology that pinpointed the malicious code and SHA-256. For this purpose, in the properties of the Threats report, open the Fields tab, click the Add button, and select the necessary data in the Field name list.

Report on most heavily infected devices and Report on users of infected devices may also come in handy. If some computers have been infected considerably more than others, it might be worthwhile to find the reason and take appropriate measures.

Network attacks are not included in the Viruses report. To see the big picture of all attacks, consult the Network attack report. It shows which attack types were detected, and more importantly, the IP addresses of the attacking computers. Knowing the address, the administrator can investigate the incidents and better solve the problem.

The Network attack report is not created by default. To view it, create a new template on the Monitoring & Reporting | Reports page.

In addition to reports, check computer events to understand how Kaspersky Endpoint Security copes with threats. Events show what was happening simultaneously with threat detection, whether there were other threats or errors in components’ operation. To understand where a threat ended, always check the last event about it. It is normal for Kaspersky Endpoint Security to first inform that it cannot disinfect a file, and in a second, report that the file was deleted successfully.

You do not have to study reports and events to be able to understand whether any computers are infected.

Usually, if Kaspersky Endpoint Security cannot neutralize a malicious file, it informs the server about this using the status There are active threats. This status is enabled by default and is displayed on the web widget Types of detected viruses and disinfection results. It gives computers the Warning status, and is displayed on the Dashboard page.

This status is assigned to computers where malware programs were detected and were not cured.

The Active threats category can be comprised of widely different objects. It can be a virus in memory, which actively counters the attempts to delete it. Or it can be an infected object on a network drive where Kaspersky Endpoint Security has no Write permission to disinfect or delete the file.

When a user accesses a malicious file in a shared folder on a file server, the protection solution installed on the server may block access and delete the file. Meanwhile, the protection software installed on the user’s computer detects the threat at the same time, but cannot delete the file from the folder and informs that there is an unprocessed threat, although in reality it has been processed on the server. This is a reason for paying attention anyway, since malicious files must not appear in shared folders, and you need to find out how it got there.

To reset computer status, neutralize the detected objects. If an object cannot be neutralized, as in the described situation with malware in a shared folder, delete the record about the unprocessed object from the list of unprocessed objects:

1. In the Web Console, open Operations | Repositories | Active threats
2. Find the file in the shared folder and carry out the Delete command on it

If many viruses or a previously opened malicious link have been detected on a computer, or a malicious process has been terminated, it may mean that the computer can still be infected. To scan a computer for known threats, run critical areas scan there.

There are a few ways to achieve this. The one which is always available is as follows:

1. Open the computer properties
2. Open the Tasks tab
3. Find the task Critical Areas Scan and run it

Critical Areas Scan is a local task, which is available in each installation of Kaspersky Endpoint Security. Local means that it is displayed only in the computer properties, but is not shown in groups or in the Tasks node. This makes it less useful. To start it on several computers, you have to open their properties one by one.

You can also use the group Virus Scan task, which has to be created manually. However, it will scan all computers, and why slow down the computers where there are no threats?

To quickly scan critical areas on those computers where threats have been detected, make a virus scan task for specific computers or the corresponding computer selection.


Usually, even if malware is running, Kaspersky Endpoint Security can terminate it. Host Intrusion Prevention, Behavior Detection, and Exploit Prevention components are responsible for this. File Threat Protection does not scan programs in the memory.

If a computer is infected and Kaspersky Endpoint Security cannot stop malware, use the Advanced Disinfection technology.

This technology is disabled by default, because it blocks start of all programs and restarts the computer, which would hamper the users. The user can agree to perform the Advanced Disinfection procedure and take the risk of losing data, or refuse to start the procedure and leave the computer infected. Anyway, it should be the administrator who makes the decision rather than the user.

If you suspect that a computer is infected, it is best to reinstall it from the image. If it is unacceptable or impossible, try to disinfect the computer:

1. Disconnect the computer from the corporate network
2. Disable the policy using the command Disable policy on the shortcut menu of the KES icon
   To use this command, enable password protection in the Kaspersky Endpoint Security policy

3. Open the Kaspersky Endpoint Security window and click Protection components
4. Go to General and select the checkbox Use Advanced Disinfection technology
5. Run a Virus scan task: Return to the main window of Kaspersky Endpoint Security and click the Tasks area
6. If Kaspersky Endpoint Security finds a threat and prompts you to perform a special disinfection procedure, agree
   With Advanced Disinfection technology enabled, Kaspersky Endpoint Security does not permit new programs to start, scans memory, takes more aggressive methods when terminating processes, tries to delete malicious files at restart
7. Restart the computer, connect it to the internet and update the signatures
8. Scan the whole computer once again

After all threats have been neutralized, reset the virus counters on the computer.

The virus counter can only increase without interference from outside, and the only method of changing
this status is to manually reset the counter. For this purpose, open the computer properties: On the
General tab, in the Protection section, there is the button Reset virus counter.
If protection does not work, it may be caused by various reasons. Before contacting technical support, make sure that:

— The Network Agent is installed on the computer: The user could have uninstalled Network Agent; then the Console would show the last data which the Agent had sent to the Server. Reinstall the Agent and protect it from the user: Set an uninstallation password
— Kaspersky Endpoint Security is installed on the computer: The user may have uninstalled Kaspersky Endpoint Security. Reinstall it and protect it from the user: Set a password
— A policy is applied to the computer: A computer may belong to a group without a policy, or a Kaspersky Endpoint Security version for which there is no policy on the server can be installed on the computer. Create policies in all groups and for all used versions of Kaspersky Endpoint Security
— Policy settings are locked: If the locks are open, the user can modify parameter values and potentially disable components or even the start of Kaspersky Endpoint Security. Close the locks for all important parameters in the policy
— Password protection is enabled: If password protection is not enabled, the user can exit Kaspersky Endpoint Security even without administrative permissions

After you’ve checked for trivial causes, look at the errors. If Kaspersky Endpoint Security will not run because of failures, collect diagnostic logs and contact the technical support of Kaspersky.
The following computer statuses may mean that protection does not work:

— Security application is not installed: This condition is enabled by default for the Warning and Critical statuses
— Real-time protection level differs from the level set by the administrator: It is disabled by default. You can set one of the following values: Starting; Running (maximum speed); Running; Stopped; Running (recommended settings); Running (custom settings); Paused; Failed to start
— Protection is disabled: This condition is enabled by default for the Critical status
— Security application is not running: It is enabled by default for the Critical status

The status Real-time protection level differs from the level set by the administrator, although disabled by
default, is more useful than the status Protection is disabled. The status ‘Protection is disabled’ does not
show what is wrong: The application is malfunctioning or the user has exited it. The status Real-time
protection level differs from the level set by the administrator shows this difference.
We recommend that you enable the condition Real-time protection level differs from the level set by the administrator for the Critical status and select the Running value for it.

There are standard computer selections for the statuses Protection is disabled and Security application is not installed. The administrator can create custom selections for other statuses.

The status Security application is not running is always accompanied by the status Protection is disabled, but not the other way around. If Kaspersky Endpoint Security works, but all protection components are disabled, the computer’s status will be Protection is disabled without the status Security application is not running.

Protection is considered to be running in Kaspersky Endpoint Security if at least one of the protection components works, even if it is only Mail Threat Protection.

To understand that components have not started on the computer because of a failure, consult the Errors report or an event selection. To check all errors:

1. Go to Monitoring & Reporting | Event Selections
2. Click the Functional failures selection

To understand which components are running on a computer, open the Tasks tab in the computer properties. Components are listed among other tasks and the list shows which ones are running and which are not.


The Protection is disabled status is one of the most critical protection statuses. To solve this problem,
carry out the command for the Network Agent to start Kaspersky Endpoint Security on the Applications
tab of the computer properties.

If individual components are not running, you can start them on the Tasks tab.

Another method of starting Kaspersky Endpoint Security is the Start or stop application task. This task is an advanced task of Kaspersky Security Center that can be created for groups or specific computers.

A group task is convenient if the Virus outbreak event is registered: it can start protection on all network computers, in case the protection is stopped somewhere.

A task for specific computers can better serve the purpose of rectifying the Protection is disabled status.
To create a task that starts Kaspersky Endpoint Security:

1. Run the task creation wizard on the Devices | Tasks page
2. Select Kaspersky Security Center and task type Start or stop application
3. Specify the devices to which the task is to be assigned: Selection
4. Specify the computer selection Protection is disabled
5. Select the Kaspersky Endpoint Security versions that need to be run and the command Start application

If protection does not work, it is very bad. However, if it works with old signatures, it is not any better. Pay
attention to computers that have old signatures, update them and find out why the signatures have not
been updated.

First, solve trivial issues. Check the following:

— The computers have an update task: This task is created by default. However, when groups and tasks become numerous, it may turn out that some computers do not have an update task for the necessary version of Kaspersky Endpoint Security
— Task schedule: If the administrator created update tasks manually, he or she might fail to set a schedule for them by mistake
— Task source: Within the network, the Kaspersky Security Center source must be specified
— The Administration Server has a “Download updates to the repository” task: It is created by default, but may have been deleted by mistake
— Schedule and source of the “Download updates to the repository” task: It is created by default, but may have been deleted accidentally, or its schedule may be misconfigured
— The Administration Server can access the selected source: Probably, the internet is accessible only through a proxy server, but its address and authentication data (username and password) are not specified or need to be updated.

After that, check for update task errors. If errors result from Kaspersky Endpoint Security failures, collect logs and contact the technical support.

Specifically consider whether you need distribution points. They are not of much help in a small network,
and complicate diagnostics. The Administration Server automatically assigns distribution points by
default. You can disable this.

The web widget Distribution of antivirus databases on the Dashboard page provides the most important information about the databases in use. If everything is fine, the web widget will display a green pie chart and the time when the latest updates were downloaded to the server repository. If there is an issue, a part of the chart will become yellow or red and the value of the corresponding counter will increase.

Database statuses displayed in the web widget are links that open the respective device selections:
— Devices with up-to-date databases
— Devices with databases updated in the last 24 hours
— Devices with databases updated in the last 3 days
— Devices with databases updated in the last 7 days
— Devices with databases that have not been updated for more than 7 days

More detailed information about the databases in use and computers with issues is available within the appropriate reports. The Database usage report shows the number of computers where databases are 1-day old, 3-day old, 7, and more.

If the databases became obsolete on the computer not because it was off, but because of update task errors, the administrator would need to view update task events to find out the reason. The events sent to the Administration Server are often insufficient for thorough analysis of the situation. The local update report of Kaspersky Endpoint Security usually contains more events.


Computer statuses inform about old signature databases.

Computers with old databases receive a Warning or Critical status depending on how old their databases are. The status criteria are configured in the group properties. By default, the Warning status is given to the computers whose databases are 7 or more days old, and Critical is assigned after 14 days.
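The status rules from this section and from the earlier sections on the virus counter and on the protection statuses, combined into one evaluator over a constructed fleet. This is an added example, not Kaspersky's code; the Device and StatusRules shapes, the sample fleet and the treatment of the 14-day boundary as inclusive are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

OK, WARNING, CRITICAL = "OK", "Warning", "Critical"
_RANK = {OK: 0, WARNING: 1, CRITICAL: 2}


@dataclass
class StatusRules:
    """Device status conditions as set in the Managed devices group properties.
    Defaults follow the page: the virus-counter thresholds and the real-time
    protection condition are off until the administrator enables them."""
    many_viruses_warning: Optional[int] = None       # Warning when the counter exceeds this
    many_viruses_critical: Optional[int] = None      # Critical when the counter exceeds this
    db_warning_days: int = 7                         # databases 7 or more days old -> Warning
    db_critical_days: int = 14                       # boundary treated as >= 14 (assumption)
    expected_protection_level: Optional[str] = None  # e.g. "Running" -> Critical when it differs


@dataclass
class Device:
    """Constructed view of what the Network Agent reports about one computer."""
    name: str
    kes_installed: bool = True
    kes_running: bool = True
    components_running: int = 1   # protection counts as running if at least one component works
    active_threats: int = 0       # detections KES could not neutralize
    virus_counter: int = 0        # +1 on every detection, only ever reset manually
    db_age_days: int = 0
    protection_level: str = "Running"


def evaluate(device: Device, rules: StatusRules) -> Tuple[str, List[str]]:
    """Return the device status and the reasons the console lists in Status description."""
    findings: List[Tuple[str, str]] = []
    if not device.kes_installed:
        findings.append((CRITICAL, "Security application is not installed"))
    else:
        if not device.kes_running:
            findings.append((CRITICAL, "Security application is not running"))
        # "not running" always implies "Protection is disabled"; the reverse does not hold
        if not device.kes_running or device.components_running == 0:
            findings.append((CRITICAL, "Protection is disabled"))
        if rules.expected_protection_level and device.protection_level != rules.expected_protection_level:
            findings.append((CRITICAL, "Real-time protection level differs from the level set by the administrator"))
    if device.active_threats > 0:
        findings.append((WARNING, "There are active threats"))
    if rules.many_viruses_critical is not None and device.virus_counter > rules.many_viruses_critical:
        findings.append((CRITICAL, "Many viruses detected"))
    elif rules.many_viruses_warning is not None and device.virus_counter > rules.many_viruses_warning:
        findings.append((WARNING, "Many viruses detected"))
    if device.db_age_days >= rules.db_critical_days:
        findings.append((CRITICAL, "Databases are outdated"))
    elif device.db_age_days >= rules.db_warning_days:
        findings.append((WARNING, "Databases are outdated"))
    status = max((s for s, _ in findings), key=_RANK.__getitem__, default=OK)
    return status, [reason for _, reason in findings]


def selection(devices: List[Device], rules: StatusRules, status: str) -> List[str]:
    """Dynamic device selection by status, like the OK/Warning/Critical links on the Dashboard."""
    return [d.name for d in devices if evaluate(d, rules)[0] == status]


def reset_virus_counter(device: Device) -> Device:
    """The only way the counter goes down: the Reset virus counter button in device properties."""
    device.virus_counter = 0
    return device


# Constructed fleet; the rules enable Many viruses detected (Warning above 0, Critical above 5)
# and the recommended Critical condition on the real-time protection level.
RULES = StatusRules(many_viruses_warning=0, many_viruses_critical=5, expected_protection_level="Running")
FLEET = [
    Device("PC-01"),
    Device("PC-02", active_threats=1, virus_counter=1),
    Device("PC-03", virus_counter=7),
    Device("PC-04", virus_counter=2),
    Device("PC-05", db_age_days=9),
    Device("PC-06", protection_level="Running (custom settings)"),
    Device("PC-07", components_running=0),
    Device("SRV-01", kes_running=False, components_running=0),
]

if __name__ == "__main__":
    for d in FLEET:
        print(d.name, *evaluate(d, RULES))
```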

To understand why the computer status is not OK, consult the Status description column of the Devices | Managed devices page or the Protection section of computer properties. To view detailed information about the signatures and, specifically, the last update date, open the properties of the Kaspersky Endpoint Security program on the Applications tab of computer properties.

Updates from the Administration Server repository are distributed to the client computers by group update tasks.
To ensure coverage of all managed computers, the update task must be created as a group task within the Managed devices group. The Quick Start wizard creates this type of task: Install update. If computers are combined into groups and the optimal updating procedure is different for various groups, you can create a customized update task for each group.

If both parent and child groups have tasks of the same type, the computers of the child group will run both tasks. This will most likely result in errors, since if an update task is already running, another one cannot start. To avoid that, either delete the task in the parent group or disable its scheduled start or exclude the subgroups that have their own tasks from the parent group task scope.

Note: If earlier or other Kaspersky Endpoint Security versions (for example, Kaspersky Endpoint Security for Mac or Kaspersky Security for Windows Servers) are used in your network, they need separate update

If there are many groups in the Web console, and different versions of Kaspersky Endpoint Security are installed on the computers, it is hard to immediately understand whether all computers have update tasks. If signatures are outdated on a computer, to understand whether it has an update task:

1. Open computer properties and switch to the Applications tab
2. Memorize the complete name of Kaspersky Endpoint Security, including the Service Pack version
3. Go to the computer’s group
4. Switch to the Tasks tab
5. Look for a task that has the Update type and whose Kaspersky Endpoint Security version coincides with that displayed in the computer properties

If there is no such task, create it in this group or in a parent group. Try to create as few tasks as possible. One update task per each version of Kaspersky Endpoint Security created in the root group Managed devices is often sufficient.
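The check above, and the parent/child task collision described earlier, carried out over a constructed group hierarchy. This is an added example, not Kaspersky code; the group, task and computer structures, the version labels and the hierarchy itself are assumptions, and the walk up the group tree (honouring a task's excluded subgroups) models the behaviour the text describes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class UpdateTask:
    name: str
    kes_version: str                      # complete application name the task was created for
    schedule: str = "When new updates are downloaded to the repository"
    excluded_subgroups: List[str] = field(default_factory=list)   # subgroups the task skips


@dataclass
class Group:
    name: str
    parent: Optional[str] = None          # None for the root group Managed devices
    tasks: List[UpdateTask] = field(default_factory=list)


@dataclass
class Computer:
    name: str
    group: str
    kes_version: str                      # complete name shown on the Applications tab


def group_chain(groups: Dict[str, Group], name: Optional[str]) -> List[Group]:
    """The computer's own group followed by each parent group up to the root."""
    chain: List[Group] = []
    while name is not None:
        group = groups[name]
        chain.append(group)
        name = group.parent
    return chain


def applicable_tasks(groups: Dict[str, Group], computer: Computer) -> List[Tuple[str, UpdateTask]]:
    """Update tasks that will actually run on the computer: tasks of its group and of every
    parent group for the same KES version, unless the task excludes a subgroup on the path."""
    chain = group_chain(groups, computer.group)
    result: List[Tuple[str, UpdateTask]] = []
    for depth, group in enumerate(chain):
        path_below = {g.name for g in chain[:depth]}   # groups between this group and the computer
        for task in group.tasks:
            if task.kes_version != computer.kes_version:
                continue
            if path_below & set(task.excluded_subgroups):
                continue
            result.append((group.name, task))
    return result


WEAK_SCHEDULES = {"Manually", "Weekly", "Monthly"}   # schedules the page says to change


def audit(groups: Dict[str, Group], computers: List[Computer]) -> Dict[str, str]:
    """Per computer: 'missing' (no task for its version), 'duplicate' (parent and child
    tasks would collide), 'weak-schedule' (task exists but rarely runs) or 'ok'."""
    verdicts: Dict[str, str] = {}
    for computer in computers:
        tasks = applicable_tasks(groups, computer)
        if not tasks:
            verdicts[computer.name] = "missing"
        elif len(tasks) > 1:
            verdicts[computer.name] = "duplicate"
        elif tasks[0][1].schedule in WEAK_SCHEDULES:
            verdicts[computer.name] = "weak-schedule"
        else:
            verdicts[computer.name] = "ok"
    return verdicts


# Constructed hierarchy and version labels (not a real deployment).
KES_A = "Kaspersky Endpoint Security for Windows (version A)"
KES_B = "Kaspersky Endpoint Security for Windows (version B)"
KSWS = "Kaspersky Security for Windows Servers"
GROUPS = {g.name: g for g in [
    Group("Managed devices", tasks=[
        UpdateTask("Update KES A", KES_A),
        UpdateTask("Update KES B", KES_B, excluded_subgroups=["Branch"]),
    ]),
    Group("Workstations", parent="Managed devices"),
    Group("Laptops", parent="Workstations"),
    Group("Branch", parent="Managed devices",
          tasks=[UpdateTask("Branch update KES B", KES_B, schedule="Manually")]),
    Group("HQ", parent="Managed devices", tasks=[UpdateTask("HQ update KES A", KES_A)]),
    Group("Servers", parent="Managed devices"),
]}
COMPUTERS = [
    Computer("WS-1", "Workstations", KES_A),
    Computer("LAP-1", "Laptops", KES_B),
    Computer("BR-1", "Branch", KES_B),
    Computer("HQ-1", "HQ", KES_A),
    Computer("SRV-1", "Servers", KSWS),
]

if __name__ == "__main__":
    for name, verdict in audit(GROUPS, COMPUTERS).items():
        print(name, verdict)
```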

Each product update task has a specific schedule and settings, including:

— The list of update sources
— Update parameters
— The settings used to copy updates to a specified folder
— The list of subgroups on whose computers the task will not run

The standard schedule for the Kaspersky Endpoint Security update tasks is When new updates are downloaded to the repository. Unlike a periodical schedule, when Kaspersky Endpoint Security defines the start time and starts the task regardless of whether the Administration Server can be reached or not, the When new updates are downloaded to the repository schedule means that the task is always started by the Administration Server command.

The Administration Server sends a ‘wake up’ call to UDP port 15000 of all affected client computers that there are new settings for them. The port is listened to by the Network Agents, and upon receiving the call the Agents connect to the Administration Server and download whatever new settings are available. Upon connection to the Server, the Agent receives the command to start the task and transfers it to Kaspersky Endpoint Security, which carries it out. If the ‘wake up’ call doesn’t reach some computers, they will receive the command during a planned synchronization performed every 15 minutes by default (the period is defined in the Network Agent policy).

The schedule When new updates are downloaded to the repository guarantees that the client computers will receive updates as soon as possible and without calling the server every now and then. Alternatively, a simple periodical schedule can be used (for example, once an hour).

To prevent serious peak loads on the update source and the network at the moment of task start, randomization of the task launch within a certain interval is used. E.g., if the 5-minute interval is selected, the computer will begin the next scheduled update after a random delay ranging from 0 to 5 minutes.

By default, the Administration Server automatically defines the randomization interval depending on the number of computers the task pertains to. The administrator can also specify it manually.

If signatures are outdated on the computers, check the update task schedule. If the schedule is set to Manually, weekly or monthly, change it to When new updates are downloaded to the repository or Once every N hours.
To specify the list of sources, open the task properties and switch to the Application Settings | Local mode tab. Updates can be retrieved from the following sources:

— Kaspersky Security Center—the recommended source for all managed computers. Moreover, the most natural source for the When new updates are downloaded to the repository schedule
— Kaspersky update servers—the recommended source for the computers outside the corporate perimeter or a backup source if the specified Administration Server is not accessible. However, the administrators often prefer the computers to wait for the Administration Server connection rather than create extra internet traffic
— Local or network update folder—another option for backup update sources. You can specify an HTTP or FTP address instead of a shared folder. For example, if there are several Administration Servers in the network (this case is described in course KL 302 Kaspersky Endpoint Security and Management: Advanced Skills), HTTP addresses of update folders located on other servers can be used as backup sources

A task can have several different sources organized in a list. If the first source turns out to be inaccessible, the task will attempt to download updates from the next.

Updates are retrieved from the Administration Server by the Network Agents. With the Kaspersky update servers or other FTP or HTTP locations, updates are downloaded by Kaspersky Endpoint Security without the Agent.

If signatures are outdated on the computers, check the update task source. Select the Kaspersky Security Center source. If you want to use a folder or FTP server, make sure that updates are accessible at this address, and the computers can access the files.

In the update task properties, you can configure copying updates into a separate folder. This mode can be used for creating an update source in small networks or subnets without their own Administration Server. In larger networks, Distribution Points are used to create intermediate update sources. The Administration Server assigns distribution points automatically (for more details, refer to course KL 302 Kaspersky Endpoint Security and Management: Advanced Skills).

The task that updates the Administration Server repository is named Download updates to the repository. The Quick Start wizard automatically creates this task. You can find it in the console, on the Devices | Tasks tab of the <Administration Server name> group.

If databases are outdated on the computers, check whether the Administration Server has an update task. Open the Devices | Tasks page of the Administration Server node and look for the Download updates to the repository task.

You can have only one task of this type. If it is present already, the task creation wizard doesn’t permit creating another one. However, it is possible to delete the automatically created Download updates to the repository task and create a new one for troubleshooting.

The settings of that task include the schedule, the update sources, connection parameters, the list of updates to be downloaded and a few additional options.

Since there can only be one such task, it is recommended to schedule it to run regularly at small intervals ranging from 15-20 minutes to several hours. The default value is 1 hour.

The following update sources are possible:

— Kaspersky update servers—a list of FTP and HTTP servers officially maintained by Kaspersky. These servers are located in various countries worldwide to ensure high reliability of the update procedure. If the task cannot connect to a server, it will try contacting the next one in the list. The list of servers is downloaded together with the other updates
— Master Administration Server—this option is used if there are several Administration Servers and they are connected in a hierarchy (described in detail in course KL 302 Kaspersky Endpoint Security and Management. Advanced Skills)
— Local or network folder—an update source created by administrators. You may specify not only a network folder, but also an FTP or HTTP address

The task can have several different sources organized in a list. If the first source turns out to be inaccessible², the task will attempt to download updates from the next.

You may need to specify the proxy server parameters for the Administration Server update source. All sources would share the same proxy server. If some sources are accessible without it, enable the Do not use proxy server option in their properties.

The proxy server is not specified by default. The Quick Start wizard prompts for the proxy server parameters. To specify a proxy server later:

1. In the Administration Server properties, open General | Configuring internet access
2. Specify the proxy server address, port and authentication parameters: Username and password

These settings will be used for downloading updates and for KSN requests.

² The Kaspersky update servers source is considered to be inaccessible if none of the known servers are available.

If an FTP or HTTP server address is selected in a computers’ update task and it is accessible via a proxy server, specify the proxy server parameters in the Kaspersky Endpoint Security policy. Open the properties of the policy on the Application Settings tab, select the General Settings section and click the link Network settings.

By default, an automatically detected proxy server is used. This means that Kaspersky Endpoint Security will take the proxy server settings specified in the internet options in Windows Control Panel. The administrator can explicitly specify the address, port and account for authentication.

Distribution points are additional update sources in a network. Any computer where the Network Agent is installed can act as a distribution point. The Administration Server automatically selects the computers to which it assigns the distribution point role. The administrator can disable automatic allocation and assign distribution points manually.
Automatically selected distribution points multicast update files and you cannot disable multicasting.

Network administrators often do not like uncontrollable traffic in the network. Also, in a small network of a
few hundred machines, the Administration Server can cope with updates alone, without distribution
points.

To disable automatic assignment of distribution points:

1. Open the Distribution points section in the Administration Server properties
2. Select Manually assign distribution points

With this option selected, the administrator can manually specify the computers to be assigned as
distribution points.

For more details about distribution points, please refer to course KL 302. Scaling.

Kaspersky Security Network learns about new malicious files quicker than update tasks. If computers
have no access to KSN, they are more likely to get infected.


If Kaspersky Endpoint Security has no access to KSN, it informs the Administration Server about this via
the event KSN servers unavailable. To quickly find all computers that have no access to KSN, create a
custom computer selection.

By default, Kaspersky Endpoint Security accesses KSN via the Administration Server service named
Kaspersky Security Network proxy server. The service accepts connections on TCP port 13111. If
computers cannot access KSN, make sure that:

— The service Kaspersky Security Network proxy server is running on the Administration Server
— Port 13111 is not closed by a firewall

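The two checks above, as an added PowerShell example that is not part of the course: steps 1 and 3 are meant to run on the Administration Server, step 2 on a client that reports KSN servers unavailable. The service display-name pattern, the script parameter names and the firewall-rule query are assumptions, not values taken from the course; only the port 13111 comes from the text.

```powershell
# Added example (not from the course): checks the two conditions named above
# for a client that cannot reach KSN through the Administration Server.
# Assumptions (not stated on the page): the service is matched by its display
# name, and the Administration Server address is supplied by the caller.

param(
    [Parameter(Mandatory)][string]$AdminServer,   # Administration Server host name or IP
    [int]$KsnProxyPort = 13111                     # TCP port named in the course
)

# 1. On the Administration Server itself: is the KSN proxy service running?
#    The display-name pattern is an assumption; adjust it to what services.msc shows.
$ksnService = Get-Service -DisplayName '*Kaspersky Security Network*' -ErrorAction SilentlyContinue
if ($null -eq $ksnService) {
    Write-Warning "No service with 'Kaspersky Security Network' in its display name found on this host."
} else {
    foreach ($svc in $ksnService) {
        '{0,-50} {1}' -f $svc.DisplayName, $svc.Status
    }
}

# 2. From the client's point of view: does TCP 13111 on the Server answer?
#    A failed TCP test while the service is running usually points at a firewall in between.
$probe = Test-NetConnection -ComputerName $AdminServer -Port $KsnProxyPort -WarningAction SilentlyContinue
[pscustomobject]@{
    Server        = $AdminServer
    Port          = $KsnProxyPort
    TcpReachable  = $probe.TcpTestSucceeded
    PingSucceeded = $probe.PingSucceeded
}

# 3. On the Administration Server: is there an enabled inbound Windows Firewall
#    rule allowing the port? Only meaningful when Windows Firewall is the one in the way;
#    port ranges ("13000-14000") are not expanded here.
$allowRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
    Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains "$KsnProxyPort" }
if ($allowRules) { "Inbound allow rule(s) for TCP $KsnProxyPort present." }
else { Write-Warning "No enabled inbound allow rule found for TCP $KsnProxyPort on this host." }
```

Run it as `.\Check-KsnProxy.ps1 -AdminServer ksc01` (the file name is whatever you save it under). A service that is running together with a TCP test that fails from the client narrows the problem to the network path, which is exactly the second bullet in the list above.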
In a large network, computers are almost never turned on simultaneously. Some are off at any moment in
time.

They differ by the icon in the console: Powered off computers have a red triangle icon with an
exclamation mark in the Visible in the network column. Also, check the columns Network Agent is
installed, Network Agent is running, and Last connected to the Administration Server. If the Agent is not
running, and the last connection was established long ago, do not pay attention to the computer
protection status, because it can be inaccurate.
If a computer remains powered off for a long time, Administration Server assigns one of the following two
statuses to it:

Network Agent has been inactive for a long time
    By default, computers receive this status in 14 days. You can change this in the status settings, in
    the properties of the Managed devices node.
    This status means that the Network Agent has not connected to the Server all this time, and the
    Server was not able to connect to the computer during the full network poll either.

Device has become unmanaged
    This status means that the Network Agent has not connected to the Server, but the Server
    connected to the computer during the full network poll.


If a computer has the status ’Network Agent has been inactive for a long time’, investigate what has
happened. If the computer does not exist anymore, delete it from the group and then once again from the
Discovery & deployment | Unassigned devices page. If its owner is on vacation, do nothing.

If employees may not connect to the network for a long time (months), increase the period after which the
Administration Server automatically deletes computers from groups (60 days by default). Open the
properties of the Managed devices group, switch to the Settings tab, and in the Device activity section,
change the value of the parameter Remove the device from the group if it has been inactive for
longer than (days). Or disable this parameter altogether, if employees may work out of office for an
indefinitely long time.

To enable computers to connect to the Administration Server, receive settings, and inform about
threats when outside the office, configure access to the Administration Server ports from the internet.
How to do it is described in course KL 302 Kaspersky Endpoint Security and Management: Advanced
Skills.

If a computer has the status Not connected in a long time, make sure that:

— Network Agent is installed
— Network Agent is running
If the user has uninstalled the Network Agent, configure password protection in the Network Agent policy.

If the Agent is installed and running, check its settings. Use the utility klnagchk.exe from the Network
Agent’s folder %ProgramFiles(x86)%\Kaspersky Lab\NetworkAgent:

— Run the command line interface (cmd.exe) as an administrator
— Go to the Network Agent’s folder
— Start the klnagchk.exe utility

When run without parameters, the utility outputs the Network Agent settings, tries to connect to the
Administration Server with these settings, publishes the result, and finally outputs the connection
statistics.

During the test connection, the Agent neither checks whether new settings are available on the server nor
sends its data to the server.

To make the Agent synchronize with the Server, carry out the command klnagchk.exe -sendhb

This command must be executed locally on the client computer.

The Web Console also has commands for checking connection to a computer:

Check device accessibility (This command is available only in the MMC Administration Console)
    Verifies the computer status Visible in the network against the Administration Server database.
    Does not try to connect to the computer, and therefore adds nothing to what the computer icon
    shows.

Force synchronization (Device properties, the General tab, section General)
    Sends a signal to UDP port 15000 of the computer.

If the Network Agent has incorrect Server connection parameters, modify them using the utility
klmover.exe that is located in the same Network Agent folder:

— Run the command line interface (cmd.exe) as an administrator
— Go to the Network Agent’s folder
— Run the utility klmover.exe with the parameter -address and the Server address:

    klmover.exe -address 10.28.0.20

If the Server’s port is non-standard, add the parameter -ps and the port number.

To fix incorrect connection parameters remotely, reinstall the Network Agent. Before that, check the
settings of the Network Agent package. If an Agent has incorrect parameters, they may also be incorrect
in the package.
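An added PowerShell script (not from the course) that wraps the klnagchk.exe and klmover.exe steps above so that they can be run, and the result re-checked, in one go on the client computer. The folder, the utility names and the parameters -sendhb, -address and -ps are those named on this page; the script's own parameter names, the elevation check and the way the Server address is passed in are assumptions.

```powershell
# Added example (not from the course): runs the Network Agent checks described
# above from an elevated PowerShell session on the client computer.
# Paths and utility parameters come from the course text; everything else
# (script parameters, elevation check) is an assumption. The utilities' own
# output is printed unchanged and remains the authority on the result.

param(
    [string]$NewServerAddress,   # e.g. 10.28.0.20; leave empty to only run the check
    [int]$NewServerPort = 0,     # set only if the Server listens on a non-standard port
    [switch]$SendHeartbeat       # run klnagchk.exe -sendhb to force a synchronization
)

$agentDir = Join-Path ${env:ProgramFiles(x86)} 'Kaspersky Lab\NetworkAgent'
$klnagchk = Join-Path $agentDir 'klnagchk.exe'
$klmover  = Join-Path $agentDir 'klmover.exe'

# The utilities need administrator rights, as the course says; stop early otherwise.
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this script from an elevated (Run as administrator) session.' }
if (-not (Test-Path $klnagchk)) { throw "klnagchk.exe not found in $agentDir; is the Network Agent installed?" }

Push-Location $agentDir
try {
    # 1. Without parameters: prints the Agent settings and tries a test connection
    #    to the Administration Server (no settings download, no data upload).
    & $klnagchk

    # 2. Optionally point the Agent at a different Server with klmover.exe.
    if ($NewServerAddress) {
        $moverArgs = @('-address', $NewServerAddress)
        if ($NewServerPort -gt 0) { $moverArgs += @('-ps', "$NewServerPort") }
        & $klmover @moverArgs
        # Re-run the check so the effect of the change is visible immediately.
        & $klnagchk
    }

    # 3. Optionally force a synchronization (heartbeat) with the Server. This has
    #    to run locally on the client, which is where this script is executed.
    if ($SendHeartbeat) { & $klnagchk -sendhb }
}
finally { Pop-Location }
```

Typical use from an elevated console: `.\Check-NetworkAgent.ps1` to only see the settings and the test-connection result, then `.\Check-NetworkAgent.ps1 -NewServerAddress 10.28.0.20 -SendHeartbeat` once the correct address is known.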

If Kaspersky Endpoint Security does not work or works differently from what the administrator has
configured, and simple measures do not help, contact technical support.

To receive an answer quicker, collect all logs and attach them to your request:

— Kaspersky Endpoint Security logs
— Trace logs of Kaspersky Endpoint Security around the moment when the issue arises
— Windows logs
— GetSystemInfo log—information about the computer

To contact the technical support:

1. Create a request at https://companyaccount.kaspersky.com
2. Select the product and functional area
3. Describe the steps that result in the issue
4. Attach the logs

You can collect logs locally on the computer, remotely using the Kaspersky Security Center remote
diagnostics utility or via the MMC Kaspersky Security Center console.
To collect logs remotely, connect to the computer using the remote diagnostics utility:

1. Start the utility from the Kaspersky Security Center folder in the Start menu
2. Specify the target Device and the Administration Server address
3. Click the Sign In button
4. To receive information about the computer, click the link Load system information in the upper-
left corner of the window
5. To receive Windows logs, select the log and click the link Download event log… in the upper-left
corner of the window

Download Kaspersky Event Log and any other logs that contain events concerning the issue

The diagnostics utility saves the files in a folder on the desktop. Open it using the link Download folder in
the lower-left corner of the window.

To collect trace logs using the diagnostics utility:

1. Select Kaspersky Endpoint Security in the tree
2. Click the link Enable tracing on the left, do not change the trace level, and click OK
3. Reproduce the steps that demonstrate the issue
4. Click the link Disable tracing in the diagnostics utility
5. Expand the folder Trace files under Kaspersky Endpoint Security
6. Select files one by one and download them using the link Download file on the left

If the problem does not pertain to Kaspersky Endpoint Security, or not only to it, collect trace logs of
Network Agent, Administration Server and the Updater component in a similar manner.

When you close the diagnostics utility, it will ask whether to delete the download folder. Do not delete the
folder until you have sent the logs to technical support.

Sometimes, an issue can be reproduced more easily locally on the computer. In this case, collect the logs
locally, too.

To collect information about the system, download the GetSystemInfo utility from the getsysteminfo.com
website. Run it and save the log in a folder. The utility also collects information about the system and
Windows logs, so you will not have to add them manually.

To collect the trace logs:

1. In the Kaspersky Endpoint Security window, click the button Support
2. In the Support window, click Support tools
3. Select the checkbox Enable application traces, select level Normal (500) and click Save
   (You can select traces with rotation. In this case, you will be able to limit the maximum number
   of trace files and the maximum size of a trace file. If the number of trace files reaches the limit,
   the oldest file will be deleted to free space for a new one.)
4. Reproduce the issue
5. Disable tracing
6. Collect the trace logs from the folder %ProgramData%\Kaspersky Lab\
   The file name includes the creation date and time; select the latest logs

How to locally enable trace logs for Kaspersky Security Center components is explained in the article
http://support.kaspersky.com/9323
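Step 6 above, as an added PowerShell example that is not part of the course: it picks the trace files written since the issue was reproduced out of the folder named on the page and packs them, together with the GetSystemInfo output folder if you pass one, into a single archive for the support request. The file-name pattern, the two-hour window and the script parameters are assumptions; the course only says that the files live under %ProgramData%\Kaspersky Lab\ and carry the creation date and time in their names.

```powershell
# Added example (not from the course): gathers the newest trace files from the
# folder named above and packs them into one archive for the support request.
# Assumptions (not on the page): trace files match $TracePattern somewhere under
# %ProgramData%\Kaspersky Lab\; adjust the pattern to the real file names of your
# product version before relying on the result.

param(
    [string]$TraceRoot    = (Join-Path $env:ProgramData 'Kaspersky Lab'),
    [string]$TracePattern = '*.log',    # assumption; narrow it to the real trace file names
    [int]$NewerThanHours  = 2,          # how far back "the latest logs" reach
    [string]$ExtraLogDir  = '',         # e.g. the folder where GetSystemInfo saved its report
    [string]$ArchivePath  = (Join-Path $env:USERPROFILE ("Desktop\kes-traces-{0}.zip" -f (Get-Date -Format 'yyyyMMdd-HHmm')))
)

$cutoff = (Get-Date).AddHours(-$NewerThanHours)

# Only files written after the cutoff: the issue was just reproduced, so older
# trace files belong to earlier sessions and would only bloat the request.
$traces = @(Get-ChildItem -Path $TraceRoot -Filter $TracePattern -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $cutoff } |
    Sort-Object LastWriteTime -Descending)

if ($traces.Count -eq 0) { throw "No files matching $TracePattern newer than $cutoff under $TraceRoot." }

$toArchive = @($traces | ForEach-Object { $_.FullName })
if ($ExtraLogDir -and (Test-Path $ExtraLogDir)) { $toArchive += $ExtraLogDir }

# Tracing is expected to be disabled already (step 5); a file still being written
# could be locked, so Compress-Archive is told to continue past such files.
Compress-Archive -Path $toArchive -DestinationPath $ArchivePath -Force -ErrorAction Continue

[pscustomobject]@{
    Archive = $ArchivePath
    Files   = $traces.Count
    Newest  = $traces[0].LastWriteTime
    Oldest  = $traces[-1].LastWriteTime
}
```

Run it right after disabling tracing, e.g. `.\Collect-KesTraces.ps1 -ExtraLogDir C:\Temp\GSI`; the summary object tells you how many files went into the archive and whether their timestamps actually bracket the moment the issue was reproduced.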
When you have all logs at hand, contact the technical support:

1. Log on to the website companyaccount.kaspersky.com
   If you have no account, sign up: Specify your email and license for Kaspersky products (the
   activation code or key file)
2. Click the button New request and select Make a request for Tech Support
3. Select the protection scope, product, version, operating system, request type and subtype
4. Type the request subject: Define the problem briefly
5. Describe the issue: The steps that result in it, which result you expect, and which you get instead
6. Attach the archive with all logs

002.11.6: Kaspersky Endpoint Security and Management. 4. What to do from time to time
Unit IV. Maintenance

Except for signature updates, which are issued continually, there are program updates, which are
released much more rarely:

New versions
    Are released once every few years, introduce new capabilities, components, settings, etc.
    Are installed by the Kaspersky Endpoint Security installation task and the installation wizard of
    Kaspersky Security Center

Service Packs
    Are released approximately yearly, sometimes more rarely. Upgrade components and drivers, may
    add new settings and capabilities, but the changes are not as significant as in a new version
    Are installed by the Kaspersky Endpoint Security installation task and the installation wizard of
    Kaspersky Security Center

Maintenance Releases
    For Kaspersky Endpoint Security, MRs are released once every quarter or two, fix errors, may
    slightly change settings, and are installed by the update task
    For Kaspersky Security Center, a Maintenance Release is almost the same as a Service Pack: They
    are released in a year after a new version or Service Pack, and are installed by the installation
    wizard of Kaspersky Security Center

Patches
    Are not released for Kaspersky Endpoint Security. For Kaspersky Security Center, patches are
    released quarterly, fix errors, slightly alter operation, and are installed automatically on Network
    Agents

Private fixes
    Are released by request, correct specific issues for individual customers. Usually, for customers
    with a Maintenance Service Agreement
You can learn that a minor update (Maintenance Release for Kaspersky Endpoint Security or patch for
Kaspersky Security Center) has been released in Operations | Kaspersky applications | Kaspersky
software updates and patches. Also, consult messages on the Monitoring & Reporting | Notifications
page, in the Updates section.

Minor updates are installed automatically, but only after the administrator approves them. Usually, to
install an update, you need to accept the license agreement. The status You need to accept the License
Agreements for updates informs about this.

To be able to install updates by other manufacturers, you need a Vulnerability and Patch Management
license, for example, KESB Advanced. This is described in course KL 009 Vulnerability and Patch
Management. The current version of Web Console only partly supports the Vulnerability and Patch
Management functionality.

Kaspersky Endpoint Security can do without application updates. If there are no critical issues that
impede work, you can use Kaspersky Endpoint Security until a new version or Service Pack is released.

Still, module updates can be useful. They can improve computer performance, increase protection
efficiency and add new functionality to the product. Often the benefits outweigh the risks. And the risks can
be mitigated by testing the updates and installing only approved ones. As far as module updates are
concerned, the administrator has the following options in the update task of Kaspersky Endpoint Security:

— Install approved application module updates—enabled by default. Can be disabled in the
groups where computers are extremely sensitive to changes, e.g., groups with important servers
— Automatically install critical application module updates—installs the updates marked as
approved by the administrator and the updates marked as critical by Kaspersky without
the administrator’s approval. Installing unapproved updates may be risky because unforeseen
issues might arise
To approve an update:

1. Select the update on the tab Operations | Kaspersky applications | Kaspersky software
updates and patches
2. Click the Approve button above the list of updates
3. If the update has a license agreement, the respective window will open. Accept the license
agreement

If you approve a wrong update by mistake, open its properties and change the value of the Update
approval field to Undefined or Declined.

Prior to approving an update, install it on test computers and make sure that it is not causing any issues.
After a program update is installed, a restart may be required.

Approved updates of Network Agent are installed automatically without tasks. After the administrator
approves an update, Agents will start downloading it during planned synchronizations and install it locally.

By default, the Administration Server installs all Network Agent updates rather than only approved ones.
To install only approved updates:

1. On the Devices | Policies and profiles page, open the Network Agent policy
2. Switch to the Application Settings tab and go to the Manage patches and updates section
3. Disable the option Automatically install applicable updates and patches for components
that have Undefined status

To test Network Agent updates, create a group for test computers and enable installing unapproved
updates in the policy of this group.

The administrator can always choose not to install some update, even if automatic update is configured in
the policy. For this purpose, open the update properties and for the parameter Update approval, select
Declined.
To prevent distributing Network Agent updates of older versions (up to version 10 SP1 inclusive), disable
the respective parameter in the task Download updates to the repository:

1. On the Devices | Tasks tab, open the properties of the Download updates to the repository
task
2. Switch to the Application Settings tab and in the Other settings area, click Configure
3. Clear the checkbox Update Network Agent modules (for Network Agent versions earlier
than 10 Service Pack 2)

Since only one task of this type exists, module updates of Network Agents up to version 10 SP1
inclusive will either be installed or not installed in the whole network. You cannot enable installation of these
updates in some groups and disable it in others.
The Monitoring & Reporting | Notifications | Updates page also informs about new product versions and
Service Packs. Monitor the messages:

— Updates are available for Kaspersky Security Center components
— Updates are available for Kaspersky applications
— There are <N> new version(s) of Kaspersky applications available for download

All of them lead to the Installation packages window.

To open this window in another way, go to Operations | Kaspersky applications | Current application
versions

The window shows the list of available product versions by Kaspersky, which are manageable via
Kaspersky Security Center. You can download them from Kaspersky servers through this window.

Program versions include:

— Distributions that can be downloaded to the Administration Server
— Distributions that cannot be transformed into a package, but can just be downloaded
— Management plug-ins, which can be downloaded and installed in the console

The list includes numerous programs, a few versions of each program and several localizations of each
version, and it’s easy to get lost.

To find what you need, for example, the latest version of Kaspersky Endpoint Security in English,
configure a filter:

— Components:

    Controls: Distributions and patches of Kaspersky Security Center and Network Agent
    components for various platforms
    Workstations: Kaspersky Endpoint Security for various platforms (Windows, Mac)
    File Servers and Storages: Distributions and plug-ins of Kaspersky Anti-Virus for Windows File
    Servers, Kaspersky Anti-Virus for Windows Servers and Kaspersky Security for Windows Server
    Virtualization: Distributions and plug-ins of Kaspersky Security for Virtualization Light Agent
    Mobile devices: Distributions and plug-ins of Kaspersky Security for Mobile (Android)
    Embedded Systems (ATM and POS): Kaspersky Embedded Systems Security distributions and
    plug-ins

— Update type: full distribution package, patch, plug-in or web plug-in
— Specify the necessary program version
— Specify the program interface language
Initially, a license is purchased together with the product to entitle its use. Later, another license can be
purchased to overcome one of the following license limitations:

— Prolong—the most typical situation, when the company is satisfied with the product and it is
necessary to renew the license to keep using it
— Increase the number of computers—if the company grows and the number of computers is about to
exceed the license limit
— Extend functionality—if the necessity to use additional product functions has appeared at the
company, for example, Encryption or automatic installation of Windows updates

Also, a license may be denylisted if it is exposed to the internet. Kaspersky blocks these licenses, and
they stop working. Products receive denylists of licenses together with signature updates.

Without a license, Kaspersky Endpoint Security works with limitations:

Before the first license is installed
    Only File Threat Protection and Firewall work.

If a commercial license has expired
    All components keep working, but update tasks will not start and KSN servers are inaccessible.
    Protection level gradually decreases.

If a trial license has expired or a commercial license has been denylisted
    Only File Threat Protection and Firewall will keep working. Protection will be resumed after you
    activate the product with a valid commercial license.
If the license is about to expire or has expired on a computer, the administrator should pay attention.

The license expiration date is displayed in the license properties in Operations | Licensing | Kaspersky
licenses.

The computer statuses configured in the administration group properties may also attract the
administrator’s attention. Two status conditions relate to licenses:

— License term expired—sets the computer status to Critical. By default, the condition is triggered in
0 days, meaning, right after the license expires. It can be configured to trigger several days after
the license expiration so that the license could update automatically rather than waste the
administrator’s time
— License term expires soon—sets the computer status to Warning. By default, it is displayed 7 days
before the expiration, but this parameter is adjustable
Most of the information about the keys that the administrator would ever need is available on
the Operations | Licensing | Kaspersky licenses page, including node restriction and use percentage.

The Administration Server shows how many of the managed computers are using the license. It does not
receive data from Kaspersky activation servers, which may have different statistics if the license is also
used on computers without the Network Agent.

Administration Server events inform about exceeding the node limitation:

— License restriction has been exceeded—there are two events with this name, critical and
warning. A critical event is generated when the number of installations constitutes 110% of
the license limit. A warning informs of reaching the limit (100%)
— Over 90% of this key is used up—an information message

The Administration Server does not impose any technical limitations if the license limit reaches either
100% or 110%. If keys are used for activation, the administrator can distribute them with a key installation
task to any number of computers. From the viewpoint of the license agreement, a license entitles you to
use software on the number of devices specified in the license certificate. However, if the Deploy key
automatically option is enabled in the key properties, the Administration Server will not only distribute it to
computers, but also remove the key from excessive computers if the license limit is surpassed.

If activation codes are used, Kaspersky activation servers may impose technical limitations. For each
instance of Kaspersky Endpoint Security that needs to be activated, the Activation Servers issue a
ticket for using the product. If the number of simultaneously issued tickets greatly exceeds the license
limit (1.5 to 2 times), the activation server will stop issuing tickets.


When a license is soon to expire, the company can purchase a new license. The problem is how to switch
from one license to another without a time gap and without reducing the effective license period of any of
the licenses. You would rather not replace the old license when there are still several days left of the licensing
period. However, you want to activate the new license before the old one expires.

To avoid losing the validity period of either the old or the new license, use one of the following approaches:
1. Distribute a new key to the computers using a key installation task beforehand. In the task
settings, specify that it is an additional (backup) key
   Additional keys and codes can be added in almost all Kaspersky products. Once the active key
   expires, the product is automatically activated with the additional key or code.
2. Add the new license to the Administration Server and enable the option Deploy key automatically
in its properties
   When the previous key expires on the computers, they will receive the new automatically
   distributed key from the Administration Server.

Automatically deployed license keys are sent to all computers. If a computer does not have an active
license, the automatically distributed key will be activated on it. If an active license is already available,
the automatically distributed key will be deployed as an additional one. If a computer has both an active
and an additional license, the automatically distributed key will not be installed.

The key or code to be distributed can be added in the Quick Start wizard. To add keys later, on the
Operations | Licensing | Kaspersky licenses page, click the button Add.

Registered keys and codes can be imported from the storage as key files or text files with the code. (This
functionality is available only in the MMC Administration Console.) These can be used for local activation
if necessary, or for backup purposes.

Only the extended functions of the Kaspersky Security Center Administration Server available in KESB Select
and KESB Advanced licenses require activation.

The operations described in this course do not require activating the Administration Server.

To replace the active key or add another one to the Administration Server, open the Keys section in the
Server properties. You can specify the active and additional license in this section. You can also replace
or delete licenses as necessary.

You can select a license for the Administration Server from among those added to the Kaspersky
licenses storage.

To add a key to the Administration Server, select a key specifically designed for Kaspersky Security
Center. Check what is written in the key table in the Application name column. There is usually a descriptor
there, Security Center or Kaspersky Endpoint Security, that indicates the key purpose.

If you are adding a code, you do not need to check the name: the same code activates all products
covered by the license, Kaspersky Endpoint Security and Kaspersky Security Center.

Sometimes you need to install a specific key on a specific computer or a group of computers. Automatic
distribution would not serve this purpose. Instead, you can create an Add key task.

This task can be created using the typical task creation wizard on the Devices | Tasks page.
If two products require different Console plug-ins to be managed, they would require different Add key
tasks as well. For example, Kaspersky Endpoint Security 10 Service Pack 2 and Kaspersky Endpoint
Security 10 Service Pack 1 have independent plug-ins. Therefore, a task to add a key to Kaspersky
Endpoint Security 10 SP2 wouldn’t run on Kaspersky Endpoint Security 10 SP1 and vice versa.

In the task creation wizard or later in the task properties, you can select a license from the list of keys and
codes (those available on the Operations | Licensing | Kaspersky licenses page). There is an option in
the task that permits installing the selected key or code as an additional key. This option is enabled by
default, because the main license is supposed to be installed through the automatic installation feature
(an option in the key or code properties).

Creating backup copies is a good practice that can save you a lot of trouble. The administrator will be
able to restore the entire management system from a backup copy within about an hour. To ensure a
quick recovery, it is important to store backups in a reliable location.

A backup copy of the Kaspersky Security Center data includes all visible and invisible configuration
settings. This includes the event database (which contains more than just the events), administration
group structure, tasks and policies, report templates, installation packages³, selections of computers and
events, the Administration Server certificate, and more. Updates are not included, because they quickly
become outdated, and there is no reason to keep an old copy.

Since the Encryption functionality has appeared in Kaspersky Endpoint Security, backups have become
even more important. The Administration Server configuration now includes the encryption key store that
contains master keys for all computers where encryption is used. These keys are necessary for
recovering access to encrypted data in case of failures. If the master keys stored on the Administration
Server are lost, encrypted data may also be lost irretrievably. Encryption and the risks involved are
described in course KL 008 Encryption.

³ Including stand-alone, but excluding operating system image packages. (These packages are described in detail in course KL 009
Vulnerability and Patch Management.)

However, even if we leave encryption out of consideration, losing Administration Server data can result in
many hours or days or even weeks spent on system recovery. In a large network, even creating

ut
a structure of groups can be difficult and may consume much time and effort. If the server is reinstalled,
its certificate changes, which means that Network Agents, even if they use the correct address, will not be
able to establish a connection to the new Administration Server. Generally, to recover connection to
the computers, all Network Agents will have to be reinstalled.

ib
A backup copy relieves the administrators from these issues, because a copy includes the server
certificate, all the settings, and the encryption key store.

Backup copies can be used as an alternative method of upgrading the Kaspersky Security Center version. A standard upgrade procedure implies installing a new version over the old one. In this case, the installer detects a previous version and upgrades its components, saving old settings if possible. Using the backup mechanism, you can create a backup copy of your old system, uninstall it, then install the new version of the Administration Server, and restore its configuration from the backup. You can use this method when it is necessary to upgrade not only the software components of the Administration Server, but also its hardware configuration.

In a similar manner, you can use backups to move the Administration Server to a different computer. First create a backup copy, and then install the Administration Server on another system. Restore the Administration Server settings from the backup copy. In this case, it is important to ensure that the same type of database server (Microsoft SQL Server or MySQL) is used for both the new and the old instance of the Administration Server.

If you move the Administration Server to another system and want to change the Server's name, you must make this change before the migration. For details, refer to course KL 302 Kaspersky Endpoint Security and Management. Scaling.
The most important thing about backup copying is to regularly make sure that you can restore the system from a backup copy.

Spend half an hour once a month, or at least once a quarter, restoring Administration Server data on a test computer. This way, you will make sure that the backup copies are not corrupted and will sharpen your skills. In case of a real failure, you will be able to restore systems quickly and easily.

To create backup copies, Kaspersky Security Center has a special task called Backup of Administration Server data. Only one instance of this task can exist on the Administration Server, and the default one is created by the Quick Start wizard. If necessary, you can delete and recreate it as a troubleshooting measure.

The actual job of creating backup copies is performed by klbackup.exe, a utility for backup and recovery of the Administration Server. The task launches the utility with the specified options, which then creates a backup copy.

Starting with Kaspersky Security Center version 10 SP3, when creating a backup copy, the klbackup.exe
utility does not stop any services; it copies the Server settings and data, then instructs the SQL server to
back up the database.

Only one parameter is required for the backup task: the location of backup copies. This folder will contain subfolders for each backup copy. The names of the subfolders consist of the date and time of creation.

The default location of backup copies is the SC_Backup folder in the Administration Server data directory (%ProgramData%\KasperskySC\SC_Backup).
It is risky to store backup copies on the disk where the Administration Server is installed, because in the event of a hardware failure, both the current system and its backup copy will suffer. We strongly recommend that you store backup copies in another location. The administrator can either specify a network location or use an additional process to move backup copies to a safer place for storage.

It is important to realize that backup copies of the Administration Server data are created under the Administration Server account, whereas backups of the database are created under the database server account. If you specify a network path as the target location for backup copies, both the Administration Server and the SQL server must have access to this folder. Also, the specified drive must have enough free space.
Since a backup copy can be up to several gigabytes in size (depending on the network and the amount of stored data), it makes sense to limit the number of stored backup copies. By default, the maximum number of backup copies is three.
The Administration Server certificate is stored in an encrypted form for security reasons. This security measure prevents intruders from using the certificate to gain control over the client systems. To enable certificate encryption, you need to provide a password. By default, the password is empty, which means that anyone who obtains a copy of the backup folder can use the certificate; set a non-empty password and restrict access to the backup location.
The backup task is scheduled to start every two days at 2 AM by default; therefore, only the three backup copies of the last six days are stored.
There is no task in Kaspersky Security Center that would restore data from a backup copy. This is by design, because an accidental launch of such a task would result in the loss of newly added settings and data.

In order to restore the Administration Server data, the klbackup.exe utility is used again, which can be run from the Start menu. When started without command line options, this utility works as a wizard that prompts you to choose the restore option and enter the path to the backup copy and the password for decrypting the Administration Server certificate. You need to specify the full path to the subfolder that contains the backup copy. For example, if you specified the c:\backups path for the backup task, to restore the system, you need to enter something similar to c:\backups\klbackup2018-12-27#02-00-02.

The utility can not only restore data from backup copies, but also create them. To do so, at the Choose Action step, select Backup of Administration Server data.
Also, you can enable the mode for only backing up or restoring the Administration Server certificate. This mode can be used, for example, when you only need to restore the connection between the Network Agents and the Server, but want to create the structure and settings from scratch. This limited backup is not available in the backup task.

The klbackup.exe utility can be launched from the command line with the following parameters:

— -path: backup copy destination folder, or the source folder during a recovery
— -restore: the option that instructs the utility to restore data; without it, the utility creates a backup copy
— -use_ts: the option that creates a subfolder named after the date and time of creation; without it, the utility writes the backup copy directly to the folder specified by the -path option
— -password: the option that specifies the password for encrypting (or, during a recovery, decrypting) the Administration Server certificate
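The following PowerShell script is an added example, not part of the course or of Kaspersky's tooling. It drives klbackup.exe with the parameters listed above to create a timestamped, password-protected backup on a share, checks that a new subfolder appeared and is not empty (an empty folder usually means the SQL server could not write its dump to the share), and prunes copies beyond a retention count. The installation path of klbackup.exe, the share name, the retention count and the KSC_BACKUP_PASSWORD variable are assumptions; adjust them for your environment. Because -password puts the password on the command line, local administrators can read it from the process list, so run the script from a protected scheduled task rather than an interactive session.

```powershell
# Added example (not from the course): run klbackup.exe non-interactively, verify the result,
# and keep only the newest copies.
# Assumptions (placeholders):
#   - klbackup.exe is in the default Kaspersky Security Center installation folder
#   - \\backupsrv\ksc-backups is writable by the account running this script AND by the
#     SQL Server service account (the SQL server writes the database dump itself)
#   - the certificate password is supplied in the KSC_BACKUP_PASSWORD environment variable
param(
    [string]$BackupRoot = '\\backupsrv\ksc-backups',
    [int]$KeepCopies = 3      # same as the backup task's default
)

$klbackup = Join-Path ${env:ProgramFiles(x86)} 'Kaspersky Lab\Kaspersky Security Center\klbackup.exe'
if (-not (Test-Path $klbackup)) { throw "klbackup.exe not found at $klbackup" }

$password = $env:KSC_BACKUP_PASSWORD
if ([string]::IsNullOrEmpty($password)) {
    throw 'Refusing to run with an empty certificate password: set KSC_BACKUP_PASSWORD'
}

# Subfolders created with -use_ts are named klbackupYYYY-MM-DD#HH-MM-SS, so they sort chronologically by name
$before = Get-ChildItem -Path $BackupRoot -Directory -Filter 'klbackup*' | Select-Object -ExpandProperty Name

# Without -restore the utility performs a backup; -use_ts makes it create the timestamped subfolder
& $klbackup -path $BackupRoot -use_ts -password $password
if ($LASTEXITCODE -ne 0) { throw "klbackup.exe failed with exit code $LASTEXITCODE" }

$after = Get-ChildItem -Path $BackupRoot -Directory -Filter 'klbackup*' | Sort-Object Name
$new = $after | Where-Object { $before -notcontains $_.Name }
if (-not $new) { throw 'klbackup.exe returned success but no new backup folder appeared' }

foreach ($folder in $new) {
    $size = (Get-ChildItem -Path $folder.FullName -Recurse -File | Measure-Object -Property Length -Sum).Sum
    if (-not $size) { throw "Backup folder $($folder.FullName) is empty: check the SQL server's access to the share" }
    Write-Output ("Created {0} ({1:N0} bytes)" -f $folder.Name, $size)
}

# Retention: remove everything older than the newest $KeepCopies folders
$after | Sort-Object Name -Descending | Select-Object -Skip $KeepCopies | ForEach-Object {
    Write-Output "Removing old copy $($_.Name)"
    Remove-Item -Path $_.FullName -Recurse -Force
}
```

A restore drill on a test computer uses the same utility with the restore option: klbackup.exe -restore -path <full path to the klbackup... subfolder> -password <password>. Run it only on a test machine, because it overwrites the current configuration of the Administration Server it is executed on.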

With time, the Administration Server database may slow down. In particular, reports may be generated slowly, and lists of events or computers may be displayed only after a noticeable pause.

To speed up the console's work with the events stored in the database, the database should be optimized. Before Kaspersky Security Center 10 SP2, this could only be done using the database server tools. Kaspersky Security Center 10 SP2 features a special task named Database maintenance, which can optimize a Microsoft SQL database of the Administration Server. The task does not support MySQL databases. If you use MySQL, optimize the database using the database server tools.
To speed up the Administration Server database, the Database maintenance task performs the following:

— Looks for errors in the database and fixes them
— Rebuilds indexes
— Updates the database statistics
— Optionally shrinks the database

The task has few parameters. In addition to the schedule, there is only the Shrink database option, which decreases the database size. The database is recommended to be optimized once a week.
If the Administration Server works slowly because its resources are scarce, the Database maintenance task will not help.

There can be only one Database maintenance task. It is created by the Quick Start wizard. By default, the task starts every Saturday at 1 AM.
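As an added example (not the course's text or Kaspersky's code), the PowerShell script below runs the same four steps with Microsoft SQL Server's own tools, which is the route the course describes for servers that predate the task. It uses System.Data.SqlClient, which is part of .NET, so no extra module is needed, and it is for Microsoft SQL Server only; MySQL uses different statements. The instance name KAV_CS_ADMIN_KIT, the database name KAV and Windows authentication are assumptions; substitute your own. Unlike the task, the DBCC CHECKDB step only reports errors, because the repair options require single-user mode and should not be run unattended against a production Administration Server.

```powershell
# Added example (not from the course): the Database maintenance task's steps, run directly
# with T-SQL over System.Data.SqlClient.
# Assumptions (placeholders): instance name, database name KAV, Windows authentication.
param(
    [string]$Instance = 'localhost\KAV_CS_ADMIN_KIT',   # assumed SQL Server instance
    [string]$Database = 'KAV',                          # assumed Administration Server database
    [switch]$Shrink                                      # mirrors the task's optional "Shrink database" setting
)

# One batch per step, so a failure points at the step that caused it.
$steps = [ordered]@{
    'Check the database for errors (report only)' = "DBCC CHECKDB ([$Database]) WITH NO_INFOMSGS, ALL_ERRORMSGS;"
    'Rebuild all indexes on all user tables'      = @'
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'ALTER INDEX ALL ON ' + QUOTENAME(s.name) + N'.' + QUOTENAME(t.name) + N' REBUILD;' + CHAR(10)
FROM sys.tables AS t JOIN sys.schemas AS s ON s.schema_id = t.schema_id;
EXEC sp_executesql @sql;
'@
    'Update statistics'                            = 'EXEC sp_updatestats;'
}
if ($Shrink) {
    # Shrinking fragments the indexes just rebuilt, so it is last and optional, as in the task
    $steps['Shrink the database'] = "DBCC SHRINKDATABASE ([$Database]);"
}

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$Instance;Database=$Database;Integrated Security=True"
$conn.Open()
try {
    foreach ($name in $steps.Keys) {
        Write-Output "$name ..."
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $steps[$name]
        $cmd.CommandTimeout = 0        # rebuilding indexes on a large event table can take a long time
        $sw = [Diagnostics.Stopwatch]::StartNew()
        [void]$cmd.ExecuteNonQuery()   # throws if SQL Server reports an error for the batch
        Write-Output ("  done in {0:N0} s" -f $sw.Elapsed.TotalSeconds)
    }
}
finally {
    $conn.Close()
}
```

Run it in the same window the task uses (the course's default is Saturday at 1 AM), since index rebuilds lock tables that the Administration Server writes to constantly; as the course notes, none of this helps if the Server is slow because of scarce CPU, memory or disk resources.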
To keep protection working on the computers, monitor important events:

— Configure notifications about possibly infected computers
— Configure reports to be emailed
— Organize daily inspections of the protection status: customize the Dashboard

Investigate grave incidents, such as an infection, immediately. Solve less important issues once a week. Do not allow them to pile up; otherwise, it will soon be difficult to notice something important among them.

If you cannot solve an issue, contact technical support. To receive a precise answer sooner, collect logs and attach them to your request.

Install updates and new versions. They correct errors and improve performance and protection.

Back up the Administration Server data. Regularly make sure that you can restore data from a backup.

Do not forget to renew the license. Configure statuses and notifications to be informed of its expiration beforehand.

v1.0.3
