002.11.6: Kaspersky Endpoint Security and Management. Unit II. Protection Management

Protection management
1.1 How criminals attack a computer ..... 4
    How malware gets on a computer ..... 4
    How malware causes harm ..... 7
1.2 How Kaspersky Endpoint Security counters attacks ..... 9
    How Kaspersky Endpoint Security counters threats ..... 9
    How Kaspersky Security Network helps to repel threats ..... 10
    Where are Kaspersky Endpoint Security settings located ..... 12
2.1 How Kaspersky Endpoint Security protects files ..... 13
    How Kaspersky Security protects files within Windows Subsystem for Linux ..... 14
2.2 What and how to configure in File Threat Protection ..... 16
    Configure File Threat Protection ..... 16
2.3 What to do if File Threat Protection slows down the computer ..... 22
    How to exclude an application's folder ..... 23
    How to exclude files that a process accesses ..... 24
    How to merge policy exclusions ..... 24
    How to use local exclusions ..... 25
    What Web Threat Protection does ..... 42
    Configuring Web Threat Protection ..... 43
    How to make a website trusted ..... 43
3.4 How to not intercept all traffic of a program ..... 44
3.5 Protection for network connections: Summary ..... 45
4.1 How Kaspersky Endpoint Security protects against new threats ..... 46
4.2 Detection technologies used in Kaspersky Endpoint Security ..... 47
4.3 What Advanced Threat Protection does ..... 48
    How Behavior Detection protects against new threats ..... 48
    How Exploit Prevention protects against new threats ..... 50
    How Remediation Engine protects against new threats ..... 50
    How Host Intrusion Prevention stops new threats ..... 51
    How to configure Host Intrusion Prevention to stop ransomware ..... 54
    How AMSI Protection Provider stops new threats ..... 55
4.4 How to exclude a program from monitoring ..... 56
    What to do if KES hampers a program ..... 56
    How to modify a program's trust category ..... 57
    How to make a program trusted for Behavior Detection and Intrusion Prevention ..... 59
4.5 Protection against new and sophisticated threats: Summary ..... 61
5.1 How Firewall protects against threats ..... 62
5.2 How Firewall works in Kaspersky Endpoint Security ..... 62
7.1 What Self-Defense does and why it is necessary ..... 81
    What Self-Defense does ..... 81
    How to manage KES over Remote Desktop ..... 82
    What BadUSB Attack Prevention does ..... 83
7.2 How to protect Kaspersky Endpoint Security from the user ..... 84
    How the user can stop protection ..... 84
    How to enable password protection ..... 85
    Configuring password protection for Network Agent ..... 86
    How to protect data if a device is stolen or lost ..... 86
7.3 Other protection settings ..... 87
    Actions ..... 87
    Other settings ..... 88
    Computer protection: Summary ..... 90
Malware gets on a computer via everything that connects the computer to the external world: specifically, via network connections and removable drives. Let us examine typical scenarios of how malware penetrates a computer, and how to prevent this.
The user has installed a vulnerable browser. A webpage may exploit a vulnerability to make the browser
download and run any software on the computer. A user visits a dubious website, which starts malware
on the computer. Malicious code can reside in the ad blocks that the website receives from other sites
rather than on its own pages.
The user looks for free software on the internet: for example, a handy free utility, a pirated version of an expensive program, or a key generator for an expensive application. The user finds, downloads, and starts it on the computer. The program turns out to be malicious.

Maybe the user has downloaded a seemingly appropriate file from an 'internet garbage can'. Attackers may change the code of free software or hack an official download page and replace the software.

To protect against such an attack:
— Do not allow the users to open any webpage they like
— Do not allow the users to open websites that are known for distributing malware
— Scan files that the users download from the internet by protection software
The user receives an email message that looks like a message from a bank, shop, delivery service, from a partner, acquaintance, etc. The message prompts the user to click a link or open an attachment. The link leads to a malicious or phishing website. The attachment contains malware or a document with embedded malware.

The user copied a program from a shared folder on another computer and started it. The program turned out to be malicious.

The user opened a document from a shared folder on another computer. The document contained malicious code.

There is a vulnerability in the operating system on the user's computer. If a special sequence of packets is sent to a specific port, one can make the vulnerable service run the code within these packets. An infected computer will also attack the vulnerable service on all other network computers and infect them.
The user connected a USB flash drive to the computer to copy documents. The USB flash drive contains malware that uses a vulnerability in the operating system to automatically run on the computer.

Or the user simply connected a USB flash drive to find out what it contains, found a document or an executable file with an intriguing name and decided to open it. The file turned out to be infected.

To protect against such an attack:
— Do not allow the users to connect unknown (or all) USB flash drives to the computers
— Scan files on USB drives by protection software
— Install security updates for operating systems

The user connected a USB device that looks like a USB flash drive to the computer. The device registered with the operating system as a USB flash drive and as a keyboard. After a while, the device started to execute commands on the computer by sending keystrokes.

To shield from such an attack, use protection against BadUSB attacks.
All threat prevention methods can be grouped as follows:
— Do not allow the users to save executable files from email messages to the drive
— Prohibit connections to the ports that the users do not need for their work
— Do not allow the users to connect unknown (or any) USB flash drives to the computers
— Use protection tools to detect attacks
— Do not allow the users to open websites that are known for distributing malware
No protection solution can protect against 100% of threats. Criminals may always be half a step ahead, since they:
— Register new domains and websites
— Write new malware
— Use zero-day vulnerabilities for which updates have not been issued yet

Even if protection works properly, there is always a risk that a computer may be infected with new malware. If protection is not installed on some computers, if databases are outdated on computers, or if important protection components are disabled, the risk grows.

Let us study the harm that malware can cause and how it can be decreased.
Ransomware encrypts documents and other files on the computer and in shared folders, and demands money in return for the encryption key. The key is stored on the criminals' server. Malware either downloads the key from the server, encrypts files and deletes the key; or generates a random key, sends it to the server, encrypts files and deletes the key. Either way, ransomware connects to its server over the network.

To protect against such an attack:

Malware looks for non-encrypted or poorly encrypted passwords in software settings and in the files on the drive. Malware intercepts everything the user enters, takes screenshots and shoots through the web camera. The program sends all this to the criminals' server.
Malware writes itself to the USB flash drives connected to a computer and to shared folders over the network. Malware infects neighboring computers via vulnerable services. Malware sends spam and participates in DDoS attacks at a control center's command.

To protect against such an attack:
— Do not allow unknown programs to establish and accept network connections
— Use protection tools that heuristically detect dangerous activities

Criminals often use very simple files, which do not pose any direct threat, to get around protection solutions and infect a computer. But these files may download additional malicious files, which can encrypt documents, steal passwords, etc.

To protect against such an attack: Do not allow unknown programs to establish and accept network connections
Malware makes other programs hang or malfunction, makes a computer run really slowly, spontaneously restart, or display a blue screen.

To protect against such an attack: Regularly scan files on the computer by protection software

The loss reduction methods may be grouped similarly to attack prevention methods:
Kaspersky Endpoint Security and Kaspersky Security Center components do everything to protect against attacks and prevent losses.

| Prevention method | Component |
|---|---|
| | Kaspersky Security Center (see course KL 009) |
| Install protection applications on all computers | Kaspersky Security Center (see Unit I) |
| Scan the files that the users copy, open or start | File Threat Protection |
| | Host Intrusion Prevention |
| Scan files on USB drives by protection software | Virus scanning |
| Scan files attached to email messages by protection software | Mail Threat Protection |
| Scan files that the users download from the internet by protection software | Web Threat Protection |
| Do not allow the users to open known infected and phishing websites | Web Threat Protection |
| Do not allow the users to open websites that are known for distributing malware | Web Threat Protection |
| Use protection software to check inbound packets for network attacks | Network Threat Protection |
| Do not allow the users to automatically connect any USB devices as a keyboard | BadUSB Attack Prevention |
This list includes all components of Kaspersky Endpoint Security. All of them either decrease the attack
surface, or actively scan, detect and block threats.
Kaspersky Endpoint Security neither backs up files on the computer, nor protects against spam. To

To ensure that Kaspersky Endpoint Security components reliably protect against threats, it is important to regularly update the signature databases.
It is also important to allow Kaspersky Endpoint Security to use the Kaspersky Security Network. Kaspersky Security Network (KSN) is a cloud-assisted technology that helps increase the accuracy of verdicts for all protection components.

Kaspersky Security Network servers collect information about files on the protected computers, analyze it using machine learning technologies, consider when a file was detected for the first time, whether it is widespread, in which regions, whether the users of personal versions of Kaspersky Security trust the file, whether the file is signed with a certificate and which one, etc. Suspicious files are additionally analyzed by Kaspersky experts.
002.11.6: Kaspersky Endpoint Security and Management. 1. How Kaspersky Endpoint Security protects computers
Unit II. Protection management
After that, Kaspersky Security Network assigns a trust group to the file:
— Trusted
— Low Restricted
— High Restricted
— Untrusted
For each trust group, Kaspersky analysts have developed scenarios that describe what files are allowed
to do and what is prohibited depending on the assigned trust group (reputation).
This way, Kaspersky Endpoint Security components learn which programs are to be allowed to connect to the network, which programs may install drivers, and which of the trusted programs are to be scanned especially thoroughly, because they may contain vulnerabilities.

Kaspersky Security Network contains a huge database of checksums of known good files. Kaspersky receives checksums of reference files from many known software manufacturers, such as Microsoft, Adobe, Google, etc. That is why Kaspersky Endpoint Security components know which files are not infected for sure and do not hamper the respective programs.

Besides files, Kaspersky Security Network forms reputations for webpages and software activity patterns.

If Kaspersky detects a new threat, checksums of all malicious files and webpages get to the Kaspersky Security Network in a split second and are available to all products that use the Kaspersky Security Network. Products learn about new threats via Kaspersky Security Network a few hours earlier than via the threat signatures that are downloaded with updates.

The data that Kaspersky Endpoint Security sends to Kaspersky Security Network are depersonalized and anonymous. The complete list can be found in the Kaspersky Security Network agreement that the administrator must accept prior to enabling Kaspersky Security Network in the Kaspersky Endpoint Security policy.

To be able to use Kaspersky Security Network without sending anything to Kaspersky, there is the Kaspersky Private Security Network service.
In this unit, we will study:
— Which settings are available in the Kaspersky Endpoint Security components
— Their default values
— How parameters influence the components' behavior
— When and how to modify settings to improve computer protection or user experience

Most of Kaspersky Endpoint Security settings are located in the policy. Some settings, for example,
File Threat Protection intercepts all file operations (such as reading, copying, executing) using
the klif.sys driver and scans the files being accessed. By default, if the file is infected, the operation will
be blocked, and the file will be either disinfected or deleted.
Except for the vulnerabilities that allow malware to load code into the memory, all attacks save malicious files on the computer drive. And even those attacks that start with executing code in the memory can load only a small amount of code there and use it as the first step of the attack, which then downloads additional modules as files and saves them to the drive.

Even if Mail Threat Protection and Web Threat Protection are disabled, the user will not be able to start an infected file received by email or downloaded from the internet, because a file cannot be started either from an attachment or from a webpage without being saved to the hard drive; and when the file is saved on the disk, it will be detected and blocked by File Threat Protection.

This makes File Threat Protection an important component of Kaspersky Endpoint Security.
— Malware signatures—a signature database is a denylist of known malicious files. If a file does not match any of the database records, signature analysis considers it to be clean. A complete denylist (where each known malicious or infected file is described thoroughly) requires too much space; that is why a signature database is optimized and narrowed down to a size that can be easily downloaded to a computer. Each record identifies a family of similar threats.
change their code during the execution, and which are therefore difficult to detect using signatures. File Threat Protection starts executable files in a special isolated environment and
— KSN checks—File Threat Protection sends the file checksum to KSN and receives an answer: whether such a file is found in the KSN database, and what reputation it has. The KSN database is a huge list of all files (to be more exact, their checksums) known to Kaspersky. This list includes files with the untrusted reputation. It is a denylist, and File Threat Protection blocks such files. There are also files with a trusted reputation. This is an allow list that includes known harmless files of operating systems and widespread software. File Threat Protection does not block these files even if they match malware signatures. The KSN verdict has higher priority, because KSN contains more information than a local signature database.

To receive a verdict from KSN, a computer needs a connection to the internet, which may be unreliable. For this reason, Kaspersky Endpoint Security does not rely upon KSN entirely, and uses the signature database and emulation.
KSN verdicts may change with time. A file that has just appeared on the internet has no reputation at first. Eventually, when KSN accumulates data about who uses this file, where and how, its reputation changes and may become trusted or untrusted. For better protection, Kaspersky Endpoint Security could check the KSN verdict at each file operation. But it would scale up the computer's network traffic. Besides, sending a request and receiving an answer takes time, which depends on the quality of the communication channel.

To avoid creating extra traffic and detaining file operations, Kaspersky Endpoint Security saves KSN verdicts in the local cache. Each verdict has its lifetime. For new files, it is short, which makes Kaspersky Endpoint Security re-check the verdict often. For the files that have long been known, this time is large.
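The two ideas just described, a cloud verdict that outranks a local signature match and a verdict cache whose lifetime depends on how long the file has been known, can be modelled in a few dozen lines. The block below is an added example, not Kaspersky code: the sample files, the signature and reputation tables, the 10-minute and 7-day cache lifetimes and the 24-hour "new file" age are all constructed for the example; only the priority rule and the short-for-new, long-for-known cache behaviour come from the text.

```python
"""Added example, not Kaspersky code: a model of how a cloud reputation verdict is
combined with a local signature match, and of a verdict cache whose lifetime depends
on how long the file has been known. Names, sample files, cache lifetimes and the
24-hour "new file" age are assumptions made for this example."""
import hashlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


NOW = 2_000_000_000                 # constructed "current time", epoch seconds

# Constructed local signature database: a denylist of known-bad checksums.
SIGNATURES = {
    sha256(b"MZ constructed malware sample"),
    sha256(b"MZ constructed false positive"),   # clean file wrongly matched by a signature
}

# Constructed cloud reputation table: checksum -> (reputation, first_seen).
CLOUD_REPUTATION = {
    sha256(b"MZ constructed malware sample"): ("Untrusted", 0),
    sha256(b"MZ constructed notepad binary"): ("Trusted", 0),
    sha256(b"MZ constructed false positive"): ("Trusted", 0),
    sha256(b"MZ constructed new suspicious"): ("Untrusted", NOW - 60),
}

NEW_FILE_AGE = 24 * 3600            # a file first seen less than a day ago is "new"
TTL_NEW_FILE = 10 * 60              # assumed: re-check new files every 10 minutes
TTL_KNOWN_FILE = 7 * 24 * 3600      # assumed: keep verdicts for long-known files a week


class VerdictCache:
    def __init__(self):
        self._entries = {}          # checksum -> (reputation, expires_at)

    def get(self, checksum, now):
        entry = self._entries.get(checksum)
        if entry is not None and entry[1] > now:
            return entry[0]
        return None                 # missing or expired

    def put(self, checksum, reputation, first_seen, now):
        ttl = TTL_NEW_FILE if now - first_seen < NEW_FILE_AGE else TTL_KNOWN_FILE
        self._entries[checksum] = (reputation, now + ttl)


def cloud_lookup(checksum, online):
    """Stands in for the network request; None when offline or unknown to the cloud."""
    return CLOUD_REPUTATION.get(checksum) if online else None


def decide(data, cache, now, online=True):
    """Return 'allow' or 'block' for file contents. Priority follows the text: a
    cached or fresh cloud verdict (Trusted/Untrusted) wins over the local signature
    match; without a cloud verdict the signature database decides."""
    checksum = sha256(data)
    reputation = cache.get(checksum, now)
    if reputation is None:
        hit = cloud_lookup(checksum, online)
        if hit is not None:
            reputation, first_seen = hit
            cache.put(checksum, reputation, first_seen, now)
    if reputation == "Trusted":
        return "allow"
    if reputation == "Untrusted":
        return "block"
    return "block" if checksum in SIGNATURES else "allow"
```

Running `decide` on the constructed samples shows the three cases the text distinguishes: the "false positive" sample is blocked by the signature alone when the computer is offline with an empty cache, but allowed once the Trusted cloud verdict is known; and the "new suspicious" sample stays blocked from the cache for 10 minutes, after which an offline computer falls back to the signature database, which does not know it yet.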
To avoid slowing down the computer, File Threat Protection does not scan all files; it scans only those files that may infect a computer. For example, File Threat Protection does not scan archives, because files must be extracted prior to being started. It is either the user who extracts the file from the archive, or the operating system does this for the user. Either way, File Threat Protection will scan the extracted files (and block them if necessary).

Scan the files that are not scanned by File Threat Protection by virus scan tasks. Virus scanning checks files within the specified scope and uses the same methods as File Threat Protection.
Windows Subsystem for Linux (WSL) is a compatibility layer that permits running native Linux command-line tools within Windows 10 or Windows Server 2016. As with Docker containers, the main challenge that WSL addresses is to provide a cross-platform tool for developers, especially web developers and those who work with open source code.

WSL advantages over standard virtualization are simple installation and lower resource consumption compared to a hypervisor or a virtual machine.

In Windows Server 2016, an administrator can deploy the following Linux systems: Ubuntu, openSUSE Leap42, SUSE Linux Enterprise Server.

Windows Subsystem for Linux is the wsl.exe application (in older versions of Windows, bash.exe) that you can run via the Windows command prompt (cmd.exe). After running bash.exe, the Linux version selected and installed in advance will start: Ubuntu, openSUSE Leap42, or SUSE Linux Enterprise Server.

Windows Subsystem for Linux translates Linux system calls into Windows system calls, which permits deploying full-fledged Linux tools on Windows without emulation and virtualization. With WSL, you can:
— Run Bash shell scripts and GNU/Linux command-line applications including vim, emacs and tmux
— Use programming languages: JavaScript / node.js, Ruby, Python, C / C++, C#, Go, etc.
— Install additional software using your own GNU/Linux distribution package manager
— Invoke Windows applications using a Unix-like command-line shell
— Invoke GNU/Linux applications on Windows

002.11.6: Kaspersky Endpoint Security and Management. 2. How to configure file protection
Unit II. Protection management
The Windows Subsystem for Linux compatibility layer shares the file system with the main operating
system where it is installed, and File Threat Protection will intercept all file operations executed in the
Linux subsystem.
If a malicious file is compiled or run in the Linux environment, File Threat Protection of Kaspersky Endpoint Security will detect and delete it.
File Threat Protection, as well as Kaspersky Endpoint Security in general, solves two tasks:
The more files File Threat Protection scans, the better it solves the former task, and the worse the latter,
and vice versa. The default settings balance protection and performance. By adjusting the settings, the
You can adjust Kaspersky Endpoint Security settings in the policy. The settings of all components are located in the respective sections: File Threat Protection, in Essential Threat Protection on the Application Settings tab.

Let us first talk about the parameters that should not be changed and explain why.
Files that may harm a computer are mainly executable files, but not only. Microsoft Office documents may
contain executable code (macros), which can be malicious. Even documents without code, some graphic
files for example, may use vulnerabilities of the applications that open them and make these programs
run a part of the file as code.
By default, File Threat Protection scans files by format. This way, Kaspersky Endpoint Security reliably protects the computer, because it scans all dangerous files, but does not slow down the computer, since it does not scan all the files.

Scanning files by extension only is dangerous. For example, a malicious Word document may have the extension .123, which is not included in the scan list, but the user can open it nevertheless via its shortcut menu (Open with). Also, scanning by extension is not significantly faster than scanning by format. The

If the administrator wants to improve performance of slow computers, better start with exclusions for the programs with which users work. How to create exclusions is explained at the end of this section.
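To make the "format, not extension" point concrete, here is an added example (not Kaspersky code, and not how File Threat Protection actually recognises formats): a small sniffer that classifies a file by its leading bytes, next to a naive extension allow-list. The magic values are the real header bytes of the formats named in the comments; the extension list, the list of formats to scan, and the .123 sample file are constructed for the example.

```python
"""Added example, not Kaspersky code: why a "scan by format" decision catches what a
"scan by extension" decision misses. A small header sniffer classifies a file by its
leading bytes; the magic values are real format signatures, the extension list, the
format list and the sample files are constructed for this example."""
import os
import tempfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt (and others)

# (leading bytes, format name); illustrative, not a complete list.
MAGIC = [
    (b"MZ", "pe-executable"),          # .exe/.dll/.scr/.cpl share this header
    (OLE2_MAGIC, "ole2-compound"),
    (b"PK\x03\x04", "zip-container"),  # .zip, but also .docx/.xlsx/.jar
    (b"%PDF", "pdf"),
    (b"{\\rtf", "rtf"),
]

# What a naive extension-based policy would scan (constructed list).
SCANNED_EXTENSIONS = {".exe", ".dll", ".scr", ".cpl", ".doc", ".docx", ".xls", ".ppt", ".js", ".bat"}

# Formats worth scanning on access; plain zip archives are left to virus scan tasks,
# as the text says for archives.
FORMATS_TO_SCAN = {"pe-executable", "ole2-compound", "ooxml-document", "pdf", "rtf"}


def sniff_bytes(head):
    """Classify a file from its first bytes (at least 64 are useful)."""
    for magic, name in MAGIC:
        if head.startswith(magic):
            if name == "zip-container":
                # Heuristic: Office Open XML packages normally store [Content_Types].xml
                # as their first entry, so its name appears right after the 30-byte
                # local file header. A plain archive is not scanned on access here.
                return "ooxml-document" if b"[Content_Types].xml" in head else "zip-archive"
            return name
    return "unknown"


def sniff_format(path):
    with open(path, "rb") as f:
        return sniff_bytes(f.read(64))


def scan_by_extension(path):
    return os.path.splitext(path)[1].lower() in SCANNED_EXTENSIONS


def scan_by_format(path):
    return sniff_format(path) in FORMATS_TO_SCAN


def demo():
    """Write a constructed OLE2 header under an unrelated extension (.123, the case the
    text gives) and return (scanned_by_extension, scanned_by_format)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "invoice.123")
        with open(path, "wb") as f:
            f.write(OLE2_MAGIC + b"\x00" * 504)   # header only, not a real document
        return scan_by_extension(path), scan_by_format(path)
```

`demo()` returns `(False, True)`: the extension policy skips the renamed document, the format policy scans it. Note the cost the text mentions is small here too: reading 64 bytes of a file is not meaningfully slower than looking at its name.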
| Extension | Description |
|---|---|
| com | Program executable file whose size does not exceed 64KB |
| sys | System file of Microsoft Windows |
| prg | Text of the dBase™, Clipper or Microsoft Visual FoxPro® application, a program from WAVmaker suite |
| bin | Binary file |
| bat | File that contains one or more commands |
| cmd | Command file of Microsoft Windows NT (a counterpart of a bat file for DOS), OS/2 |
| dpl | Packed Borland Delphi library |
| scr | Microsoft Windows screen saver file |
| cpl | |
| reg | File for importing and exporting Microsoft Windows registry keys |
| ini | Configuration file that contains settings for Microsoft Windows, Windows NT and some other software |
| js, jse | JavaScript source text |
| htm | Hypertext document |
| wsh | Microsoft Windows Script Host file |
| the | Screensaver file for Microsoft Windows 95 desktop |
| eml | Microsoft Outlook Express message |
| msg | Microsoft Mail email message |
| plg | Email message |
| doc* | Microsoft Office Word document, such as: |
| docx | XML-based Microsoft Office Word 2007 document |
| jpg, jpeg | Graphic file for storing compressed images |
| | Enhanced Metafile. The next generation of Microsoft Windows operating system metafiles. |
| ico | Icon |
| xlt | Microsoft Office Excel template |
| xltm | Microsoft Office Excel 2007 macro-enabled workbook |
| xltx | Microsoft Office Excel 2007 template |
| xlam | Microsoft Office Excel 2007 macro-enabled add-in |
| pp* | Microsoft Office PowerPoint documents, such as: |
| ppt | Microsoft Office PowerPoint presentation |
| pptm | Microsoft Office PowerPoint 2007 macro-enabled presentation |
Heuristic analysis of Kaspersky Endpoint Security starts a program executable in an isolated environment and watches what it does. First of all, heuristic analysis helps detect polymorphous malware, which can change its code during the execution.

When criminals email new malware, or upload a new version of a malicious module to an infected computer, they may generate a file with a unique checksum for each computer or addressee. Signatures and even Kaspersky Security Network will not help in this case. But heuristic analysis clearly shows that all these versions restore the same malicious code when running.
Most of the files on the computer are rarely changed, and if File Threat Protection scans only new and changed files, it puts almost no load on the computer. In the first few days, while all files are new for Kaspersky Endpoint Security, the user may feel that the computer works slower. But File Threat Protection stops influencing performance soon.

Do not turn off the option Scan only new and changed files in File Threat Protection; otherwise it will slow down the computer.
The NTFS file system (and its successor ReFS) logs when files are changed, and guarantees integrity of these records. Therefore, on NTFS drives, Kaspersky Endpoint Security simply checks the file modification date.

The FAT32 file system cannot log the modification date; neither can it protect the modification date against unsolicited changes. Malware may modify a file, and then assign any modification date to it. For this reason, Kaspersky Endpoint Security saves checksums of scanned files into a special database for FAT32 drives. When the file is accessed next time, Kaspersky Endpoint Security re-calculates the checksum and compares it with that saved. If the sums differ, the file has been changed, and File Threat Protection scans it.
Scanning new files only once is dangerous. If malware gets on the computer before Kaspersky Endpoint Security receives its signatures, File Threat Protection will scan it, consider it clean, and will not scan it at the next start.

To prevent this, even if the option Scan only new and changed files is enabled, File Threat Protection scans all new files repeatedly, at least twice, or even several times.

For this purpose, Kaspersky Endpoint Security stores the release time of the signatures with which the file was scanned first and last. If a file has been scanned only once, or if the current version of signatures was issued less than 24 hours after that with which the file was scanned for the first time, File Threat Protection re-scans the file.
What if signatures for a new threat are not issued in 24 hours? This almost never happens. Besides, except for signatures, Kaspersky Endpoint Security uses data from Kaspersky Security Network, which contains the most recent information about threats.

To further reduce the risk, use a virus scan task to check all files on the computer, including those that have not been changed, and which File Threat Protection scanned already.
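The bookkeeping behind "scan only new and changed files" (the NTFS modification date versus the FAT32 checksum database, and the rule that re-scans a file until the signatures it was first checked with are 24 hours old) fits in a short model. The block below is an added example, not Kaspersky code: the record layout, the reason strings, the paths and the signature release time `SIG0` are constructed; only the 24-hour window and the NTFS/FAT32 distinction come from the text.

```python
"""Added example, not Kaspersky code: a model of the "scan only new and changed files"
bookkeeping described above. On NTFS the modification time is trusted; on FAT32 a
stored checksum is compared, because the modification time can be forged. A file is
also re-scanned while the signatures it was first checked with are less than 24 hours
old, so a new file is scanned at least twice. Times are epoch seconds; only the
24-hour window comes from the text, the rest (record layout, the reason strings,
the sample values) is constructed for the example."""
import hashlib

RESCAN_WINDOW = 24 * 3600          # from the text: re-scan until signatures are 24h newer
SIG0 = 1_700_000_000               # constructed release time of the "current" signature set


class ScanRecord:
    """What is remembered about one scanned file."""
    def __init__(self, mtime, checksum, sig_time):
        self.mtime = mtime
        self.checksum = checksum
        self.first_sig_time = sig_time   # release time of signatures used for the first scan
        self.last_sig_time = sig_time
        self.count = 1                   # how many times the file has been scanned


class ScanLedger:
    def __init__(self):
        self._records = {}               # path -> ScanRecord

    def needs_scan(self, path, mtime, data, fs_type, current_sig_time):
        """Return (decision, reason). `data` is only hashed on FAT32."""
        rec = self._records.get(path)
        if rec is None:
            return True, "new file"
        if fs_type == "NTFS":
            if mtime != rec.mtime:
                return True, "modified (mtime changed)"
        else:
            # FAT32 cannot protect the timestamp, so compare the content checksum.
            if hashlib.sha256(data).hexdigest() != rec.checksum:
                return True, "modified (checksum changed)"
        if rec.count < 2:
            return True, "scanned only once so far"
        if current_sig_time - rec.first_sig_time < RESCAN_WINDOW:
            return True, "signatures less than 24h newer than first scan"
        return False, "unchanged and already scanned with mature signatures"

    def record_scan(self, path, mtime, data, current_sig_time):
        """Called after a (clean) scan; a changed file starts a fresh record."""
        checksum = hashlib.sha256(data).hexdigest()
        rec = self._records.get(path)
        if rec is None or rec.checksum != checksum or rec.mtime != mtime:
            self._records[path] = ScanRecord(mtime, checksum, current_sig_time)
        else:
            rec.last_sig_time = current_sig_time
            rec.count += 1


def lifecycle_demo():
    """Reasons returned for one unchanged NTFS file across four accesses, as the
    signature set ages: two scans with SIG0, one 2h later, one 25h later."""
    ledger, path, data = ScanLedger(), "C:\\Users\\demo\\report.exe", b"constructed contents"
    reasons = []
    for sig in (SIG0, SIG0, SIG0 + 2 * 3600, SIG0 + 25 * 3600):
        decision, reason = ledger.needs_scan(path, 100, data, "NTFS", sig)
        reasons.append(reason)
        if decision:
            ledger.record_scan(path, 100, data, sig)
    return reasons


def tamper_demo(fs_type):
    """Mature a record, then change the contents while keeping the old modification
    time (what malware can do on FAT32) and report the decision."""
    ledger, path, data = ScanLedger(), "X:\\docs\\report.doc", b"constructed original"
    for sig in (SIG0, SIG0, SIG0 + 25 * 3600):
        ledger.record_scan(path, 100, data, sig)
    return ledger.needs_scan(path, 100, b"constructed tampered", fs_type, SIG0 + 25 * 3600)[1]
```

`lifecycle_demo()` walks through the four outcomes in order: new file, scanned only once, signatures still inside the 24-hour window, and finally skipped. `tamper_demo("FAT32")` catches a content change behind an unchanged timestamp through the checksum, while `tamper_demo("NTFS")` skips the file: that is exactly why the model only trusts the modification date where the file system guarantees its integrity.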
| Setting value | Behavior |
|---|---|
| Enabled | File Threat Protection scans files within RAR, ARJ, ZIP, CAB, LHA, JAR, and ICE archives. For this purpose, File Threat Protection unpacks an archive into a temporary folder or into the memory |
| Disabled (by default) | File Threat Protection neither unpacks archives nor scans files within them |
To scan archived files, File Threat Protection unpacks the archive, which consumes considerable
computer resources. Archives are not dangerous as they are. A malicious file cannot be started from the
archive. The user either unpacks the archive manually, or the operating system does this for the user.
Anyway, a malicious file gets on a drive prior to run, and File Threat Protection scans it as any other file.
Do not enable the Scan archives option in File Threat Protection. It will slow down the computer, but will not improve protection.
| Setting value | Behavior |
|---|---|
| Enabled | File Threat Protection scans files within self-extracting archives and installation packages, such as MSI. For this purpose, File Threat Protection unpacks an archive into a temporary folder or into the memory |
| Disabled (by default) | File Threat Protection does not scan self-extracting archives and installation packages |
Installation packages are executable files, and File Threat Protection scans their executable part anyway.
However, a large part of data within an installation package consists of archived files of the program to be
installed by the package. To scan them, File Threat Protection extracts them from the package, similar to
archives.
Installation packages do not need to be scanned by File Threat Protection. If the user copies a package, it cannot infect the computer. If the user starts a package, it will extract files itself and save them on the drive, where they will be scanned by File Threat Protection.
Disabled: File Threat Protection scans only the executable parts of Microsoft Office documents and skips embedded objects
Microsoft Office files have a complicated structure. We can even say that there is a file system with additional files within a Microsoft Office document. When the user pastes an Excel chart into a Word document, Microsoft Office can add the whole Excel document to the Word document, with all its data,
Do not disable scanning for office documents. Not scanning objects embedded in office documents is dangerous. They may contain malicious macros, which Office programs can start without saving to the drive.
If the administrator selects to scan archives, whenever the user tries to copy or open an archive, the operation will not start until File Threat Protection unpacks the archive and scans all files within it. Meanwhile, the user cannot do anything with the archive.
If the administrator wants to scan archives, the user experience can be improved by changing additional
archive scan settings.
Do not unpack large compound files: File Threat Protection will scan only those archives that are smaller than the Maximum file size
Unpack compound files in the background mode: File Threat Protection will detain operations with small archives only. If the user opens a large archive, File Threat Protection will allow access, but at the same time will unpack the archive and scan the files. The user will not have to wait. Large archives are those that are larger than the Minimum file size value
Minimum file size: By default, it is not specified, meaning that if you select to unpack compound files in the background, File Threat Protection will scan all archives in the background mode
Malware detected by File Threat Protection should not be left unprocessed, and the settings that regulate File Threat Protection actions should be locked. The optimal choice is to disinfect and, if disinfection is impossible, delete infected files. Most malicious files cannot be disinfected, because they contain nothing but malicious code.
Before a file is disinfected or deleted, its copy is placed into the Backup repository. In case a file contains
important information or is deleted because of a false positive, it can be recovered.
If the Remediation Engine component is enabled in Advanced Threat Protection, Kaspersky Endpoint Security not only deletes malicious files, but also rolls back their actions¹.
First, find out whether File Threat Protection actually slows down the computer (or a program):
— Disable the policy on it (see the section How to Protect Kaspersky Endpoint Security from the User)
— Check whether the computer (program) works any faster

¹ The rollback procedure is described in Chapter 4 of this Unit.
Even if programs work faster on the computer without File Threat Protection, do not leave File Threat
Protection disabled. Configure exclusions for applications. Try various exclusion types:
— If all program files are located in a single folder, exclude the program’s folder from scanning
— If the program works with files in various folders or in a temporary folder, make the executable
file of the program trusted
Never exclude the operating system’s temporary folder from scanning. Malware is often started
from it.
— If the program works with files in shared folders, try to disable scanning of network drives
— For the programs that start on a specified schedule outside business hours, pause File Threat Protection while the program runs
Exclusions are configured in Kaspersky Endpoint Security policy: Open Application Settings | General
Settings and click the Exclusions link.
To set up exclusions for folders, click the Scan exclusions link. They will apply to all protection
components. A scan exclusion consists of three attributes:
— File or folder—the name of the file or folder to which the exclusion applies. The name of the
object may include environment variables (%systemroot%, %userprofile% and others) and also
Of the four attributes, any of the first three and the last one must be specified. You can create a scan
exclusion for a file or folder without specifying the threat type; then the selected components will ignore
any threats in the specified file or folder. Alternatively, you can create a scan exclusion for a threat type,
for example, for the UltraVNC remote administration application, so that the selected protection components would not respond to this threat regardless of where it is detected.
All attributes can also be specified simultaneously. For example, the exclusion list contains a set of rules for widespread remote administration tools: UltraVNC, RAdmin, etc. In these rules, both the threat type and the object (typical location of the executable file) are specified. According to such an exclusion, Kaspersky Endpoint Security will permit running a remote administration application from the Program Files folder, but if the user runs it from another folder, Kaspersky Endpoint Security will consider it a threat.
If the computer runs resource-consuming programs, their operation can be slowed down by File Threat Protection. This is especially true for the programs that perform numerous file operations, for example, backup copying or defragmentation. To avoid slowdowns, make these applications trusted. For this purpose, in the exclusion settings window, add the executable file to the Trusted applications list. Within the Application window, specify the path to the executable file, and select the Do not scan opened files action. The path may contain environment variables and “*”, “?” wildcards.
You can merge the lists of scan exceptions and trusted applications when inheriting a policy or policy
profile. To achieve this, in the upper-level (parent) policy, in the Scan Exclusions, select the checkbox
Merge values when inheriting. Notice that the Inherit settings from parent policy option must be
enabled in the child policy.
As a result, you will be able to add other exceptions to those inherited from the parent policy when editing
the child policy or policy profile. This allows you to flexibly configure exceptions for a specific group or set
of devices.
Inherited exceptions cannot be deleted or modified in a child policy; you can only add more exceptions. If you clear the checkbox Merge values when inheriting in the parent policy, inherited exceptions will not be removed from the child policy automatically, but you will be able to delete or edit them.
002.11.6: Kaspersky Endpoint Security and Management. 2. How to configure file protection
Unit II. Protection management
ed
ut
r ib
st
di
re
or
e d
pi
co
be
Sometimes, exceptions for trusted programs are much easier and faster to set up in the local Kaspersky
Endpoint Security interface. To make them work, on the Scan Exclusions page of the policy, select the
checkbox Allow use of local exclusions.
The main drawback of this approach is that exceptions added through the local interface are not
transferred to the policy and only work on the computer on which they were made.
You can export local exceptions to a file and then import into a policy. The exception import mechanism is
currently only available in the MMC administration console.
Not scanning network drives at all is dangerous. Prior to disabling network drive scanning, make sure that protection applications are installed on all network computers. Do not disable network drive scanning “just in case”; do it only if it solves the users’ issues.
To exclude network drives from scanning, edit the protection scope in the File Threat Protection settings. In other words, all drives from which malware can be run. The protection scope permits adding individual drives and folders instead of drive groups. However, disabling any standard scan scope considerably decreases the protection level.
Policy settings must be enforced, meaning, locked. Unlocked settings are not applied to the computers.
Since all locks are closed in a policy by default, the administrator may not even notice them. While you
edit settings without touching the locks, all settings remain required and are enforced on the computers.
However, you should remember that if locks are open, the configured settings are not applied. If you have
changed settings in a policy, and they have not changed on the computers, check the locks in the policy.
How can antimalware scanning help if File Threat Protection scans all dangerous files anyway? Virus Scan:
— Updates caches of KSN and information about files’ checksums, after which File Threat Protection can scan fewer files
— Scans files that have not been changed. File Threat Protection does not scan such files,
Virus scan tasks check objects using the same methods as File Threat Protection: signature and heuristic analysis and KSN. The difference is that File Threat Protection checks files on the fly when they are accessed, while virus scan tasks inspect the files by schedule or on demand.
File Threat Protection works alongside the user. The more actively the user’s applications work, the more files File Threat Protection scans and the more resources it consumes. Therefore, the File Threat Protection settings are optimized to ensure protection against immediate threats only. If the user copies an archive, there is no immediate infection risk, and the archive does not need to be scanned.
Virus scan tasks can be started during off hours, when more resources are available and a more thorough scan can be performed. That is why the scan task will wait for the answer from KSN before returning the final verdict, regardless of the signature and heuristic analysis results. Also, the task may check the objects that are excluded from the scan scope of File Threat Protection—archives,
A virus scan task can be configured to check the processes in the memory and be scheduled to run after
each successful database update.
Configure malware scan settings in virus scan tasks. The administrator is to manually create a virus scan
task in the Managed devices group.
Starting with Kaspersky Security Center version eleven, the Quick Start Wizard does not create a Quick
Virus Scan task anymore. By default, a special local background Scan_IdleScan task scans computers
for viruses.
Background scanning is less resource-intensive than an ordinary virus scan task. It is performed while the computer is locked and does not display any notifications to the user; however, it does not reset the Virus scan has not been performed in a long time status. You cannot modify the scan settings or scope of this task.
If you want to use a custom virus scan task, we recommend that you disable background scanning. To disable the Scan_IdleScan task, in the properties of the Kaspersky Endpoint Security policy, open Application Settings | Local Tasks | Background scan and clear the check box Enable background scan.
Scan scope is a list of paths to folders and files that are to be scanned by the task. System variables are allowed (for example, %systemroot%), as well as * and ? wildcards in the file or folder names. For folders, you can select whether to scan all the contents, including subfolders. If subfolders are not selected to be scanned, the object icon is marked with a little red "minus" sign.
In addition to files and directories, the following scan objects can be specified:
— My email—Outlook data files (.pst and .ost)
— Kernel Memory—the kernel memory of the operating system
— Running processes and Startup Objects—the memory area allocated for processes and executable files of applications that start at the operating system start. Additionally, if this object is selected in the task properties, rootkit scanning will also be performed (rootkits are hidden objects of the file system)
— Disk boot sectors—boot sectors of hard and removable drives
— All removable drives—the removable drives connected to the computer at the moment
— All hard drives—computer hard drives
— All network drives—all network drives connected to the computer
Create a task that scans the whole computer weekly or every other week. If you cannot find a proper time for such a task, scan at least the critical areas:
— Kernel Memory
— Running processes and Startup Objects
— Disk boot sectors
— %systemroot%\
— %systemroot%\system\
— %systemroot%\system32\
— %systemroot%\system32\drivers\
— %systemroot%\syswow64\
— %systemroot%\syswow64\drivers\
By default, scan tasks are started on the client computers under the Local System account. If the scan scope includes network drives or other objects with restricted access, the task will not be able to scan them. To solve this problem, specify an account that has the necessary rights within the task properties.
Virus scan tasks can use any regular schedule: every N days, weekly, monthly. They can also be started
once: either automatically at the specified time or manually.
may appear
— Start in N minutes after application startup—the task will start a few minutes after the launch of Kaspersky Endpoint Security. This is another opportunity for scanning the most vulnerable computer areas
— On completing another task—a universal schedule that permits arranging tasks into a chain. From the practical viewpoint, the best approach would be to link virus scan to update completion,
There is also an option that permits running missed tasks. If a computer is turned off at the scheduled time, the task will start as soon as the computer is switched on. Use this option cautiously. If virus scanning starts in the morning when the user turns on the computer, scanning will hamper the user.
The mode Use automatically randomized delay for task starts makes more sense for an update task than for a virus scan task. See Unit IV for details.
The Additional task settings area contains a few other useful settings:
— Activate the device before the task is started through Wake-On-LAN (min)—the option allows you to schedule scan start for the night time or weekends without needing to worry whether the computer is on. However, to use this feature, you need to enable its support in the BIOS settings of the target computers
— Turn off device after task completion—the option may supplement the previous one. If scanning is scheduled for the night or weekend, the computer can be turned off afterwards
— Stop task if it has been running longer than (min)—the option allows guaranteed task completion before the working day begins, so that it does not interfere with the user’s activity
On servers, perform virus scanning on weekends, when they are less loaded.
On workstations, try to find a time when computers are on, but virus scanning will not hamper the users:
— Quick virus scanning can be performed during the lunchtime
— Full scanning should run at night. Explain to the users which day of the week they should not shut down their computers
If you cannot arrange that the users do not turn off their computers, use Wake-On-LAN to power on the computers at night and run the virus scan task. If this capability cannot be used either, use so-called idle scanning.
To enable idle scanning, open the Application Settings tab in the task properties and under Advanced Settings, select Scan when the computer is idling. In this mode, virus scanning will be performed only when the computer is locked; while the user is working, the task will be Paused.
Full computer scan in the idle mode may take a few days or even a couple of weeks, but it is better than not scanning a computer at all.
If Kaspersky Endpoint Security informs about a threat in a file that is known to be clean, it is a false
positive.
False positives hamper work considerably. Kaspersky very thoroughly tests new signatures on a huge
number of files of operating systems and popular software to prevent false positives. During a scan,
Kaspersky Endpoint Security checks files against Kaspersky Security Network and ignores threats in the
files that KSN considers to be trusted.
False positives happen extremely rarely, and usually concern files of rarely used software, for example, homeware (software written in-house).
If File Threat Protection or a virus scan task finds a threat in a clean file, create an exclusion for it:
1. Open the trusted zone settings in the Kaspersky Endpoint Security policy: Application Settings | General Settings | Exclusions | Scan exclusions
2. Add the file that gets a false positive to the Scan exclusions list. Select the File or folder checkbox. Click the link select file or folder in the lower part of the window to specify the complete path to the file. Use environment variables, for example, %ProgramFiles%
It is safer to create an exclusion for a specific threat that Kaspersky Endpoint Security detected erroneously rather than exclude the file entirely. For this purpose:
3. Select the checkbox Object name in the exclusion window. Click the link enter object name in the lower part of the window to specify the threat name. You can find the threat name in the description of a threat detection event by Kaspersky Endpoint Security.
What to do if a file for which you need to configure an exclusion may be installed into different directories on different computers?
If the same file version is used on all computers, use the file checksum:
1. Open the trusted zone settings in the Kaspersky Endpoint Security policy: Application Settings |
2. Add the file that gets a false positive to the Scan exclusions list. Select the Object hash checkbox. Specify the file checksum in the Object hash field in the lower part of the window. You can calculate the file’s checksum and add it manually, or copy it from a detection event.
Kaspersky Endpoint Security calculates checksums of the scanned files and displays them in the
detection events.
What to do if you configured an exclusion, but a new program version has been issued with new names of the folder and executable file, which also gets a false positive?
If file names are similar, use a path mask. In a mask, the asterisk “*” stands for an arbitrary sequence of symbols, and the question mark “?” stands for a single arbitrary symbol. For example, the file*.exe mask matches all files whose names start with “file” and have the .exe extension.
If file names are entirely different, but all files are signed by a certificate, place the certificates in the certificate store on the computers where the program is used and configure Kaspersky Endpoint Security to trust these certificates:
1. Open the trusted zone settings in the Kaspersky Endpoint Security policy: Application Settings | General Settings | Exclusions
2. Select the checkbox Use trusted system certificate store and select a store. The default choice is Enterprise Trust
3. Place the certificate(s) with which program files are signed in the selected store on the client computer. You can use, for example, Active Directory group policies for this.
Each computer has the user’s certificate stores and the computer’s certificate stores. Kaspersky Endpoint Security trusts only the certificates that are located in the computer’s store.
For homeware, you can use even self-signed certificates.
File Threat Protection scans files on the drive that the user, operating system, and programs access. To avoid slowing down the computer, File Threat Protection scans only those files that pose an immediate threat. However, it does not prevent the user from copying archived malicious files.
Virus scan tasks scan all files and delete malicious files that are passively stored on the computer, for
example, archived malicious files.
If you cannot figure out a suitable schedule for running the scan task, use idle scanning.
If File Threat Protection slows down the computer or programs:
— Schedule virus scanning. It updates the cache of scanned files and permits File Threat Protection not to scan them repeatedly if they have not been changed
— Configure exclusions for applications: for folders, executable files, or certificates
— If files (for example, user profiles) load slowly over the network, and protection is installed on network servers, do not scan network drives
— As a last resort, pause File Threat Protection while a resource-consuming program runs
Do not disable File Threat Protection. Schedule virus scanning on computers.
002.11.6: Kaspersky Endpoint Security and Management. 3. How to configure protection against network threats
Unit II. Protection management
A network is one of the main ways malware spreads. That is why network protection and network traffic scanning are so important for computer security. In Kaspersky Endpoint Security, the Mail Threat Protection and Web Threat Protection components are responsible for anti-malware scanning of network traffic:
Kaspersky Endpoint Security intercepts network traffic using an NDIS filter. The driver intercepts
outbound connections from the computer programs and transfers packets to the network protection
components. Kaspersky Endpoint Security detects the connection protocol and transfers packets to the
corresponding component:
Other packets are sent directly to the programs and applications for which they are destined.
Kaspersky Endpoint Security can scan secure connections (SSL/TLS).
Kaspersky Endpoint Security can intercept only connections to the specified ports rather than all of the
outbound connections. To configure this, in the Kaspersky Endpoint Security policy, open Application
Settings | General Settings | Network Settings and in the Monitored ports area, select Monitor
selected network ports only. Click the link 39 ports selected and specify the ports that are to be
controlled.
If you do not know which ports a program uses, select the checkbox Monitor all ports for specified applications, and add the path to the program’s executable file to the list.
Standard ports and programs are specified in the list of Monitored ports. If non-standard ports or
Endpoint Security Personal Root Certificate—and saves it to the local Trusted Root Certification
Authorities store. At each start, KES checks whether the certificate is still there, and if no, restores it.
To scan encrypted traffic (SSL/TLS), Kaspersky Endpoint Security replaces the certificate. Kaspersky Endpoint Security intercepts an outbound connection from an application to a server, receives the server’s certificate, generates a similar session certificate signed with Kaspersky Endpoint Security Personal Root Certificate, and gives it to the client application. This permits intercepting the symmetric encryption key and decrypting the whole communication session.
The web browser will not show any warnings because Kaspersky Endpoint Security Personal Root
Certificate is located in the trusted certificate store.
Encrypted traffic scanning is enabled by default and pertains to the following components:
— Web Threat Protection
— Mail Threat Protection
— Web Control
SSL/TLS protocols support three authentication modes: mutual authentication, anonymous client–server authentication, and complete anonymity.
For example, when the user connects over HTTPS to a web server, in most cases the second authentication mode is used: anonymous client–server authentication. In this case, the certificate is easy to replace.
If the first mode, mutual authentication, is used, and, for example, a banking application client or cloud storage client rejects the substituted certificate, the encrypted connection will not be scanned and Kaspersky Endpoint Security will return an error.
With the default settings, if errors arise when scanning a secure connection, the domain will be
automatically added to the list of Domains with scan errors and its whole traffic will be skipped without
scanning. An individual list is drawn up for each computer; it is stored locally and is not sent to the
Kaspersky Security Center. To consult its contents, in the local KES interface, open Protection
components | Network settings; then click the link Domains with scan errors.
If necessary, you can reset the local lists of Domains with scan errors. For this purpose, in the Kaspersky Endpoint Security policy, open Application Settings | General Settings | Network settings, under When encrypted connection scan errors occur, select Block connection, save the changes, and wait for the policy to be applied to the computers. Then restore the initial value of the parameter When encrypted connection scan errors occur: Add domain to exclusions, and apply the policy again. As a result, the local lists of Domains with scan errors will be cleaned out.
If something is wrong with the web server’s certificate, for example, it has expired, the web browser will not be able to inform the user about this, because the KES certificate used within the session is valid. It is KES that informs the user about connecting to a domain with an untrusted certificate and prompts whether to connect to the domain.
If necessary, the administrator can prohibit connecting to domains with untrusted certificates. For this purpose, set the option When visiting a domain with an untrusted certificate to Block connection.
Most websites use secure connections, and we recommend that you do not disable scanning secure
In the Kaspersky Endpoint Security policy, open Application Settings | General Settings | Network
settings. There are two links for configuring exclusions in the Encrypted connections scan area:
Trusted addresses and Trusted applications.
If secure connection scanning hampers opening a website, add the website address to the trusted list:
1. Click the link Trusted addresses
2. Add the website address to the list. To specify a mask, use “*” and “?” wildcards
The certificate will not be substituted for the listed websites.
If you have a program that conflicts with secure connection scanning, disable encrypted traffic scanning for it:
1. Click the link Trusted applications
2. Add the application executable file on the Applications tab: specify the full path to the file. You can use environment variables, such as %SystemRoot%.
3. Select the checkbox Do not scan network traffic, then select Encrypted traffic only, and clear the other checkboxes
4. If the servers with which the program works have permanent addresses (or a range of addresses) and ports, specify them in the lower part of the window: it is safer this way
This exclusion applies to the Mail Threat Protection, Web Threat Protection, and Web Control components.
Mail Threat Protection protects against email threats. Messages are intercepted at the protocol level (POP3, SMTP, IMAP and NNTP), and by embedding into Microsoft Office Outlook (MAPI).
Mail Threat Protection detects and deletes malware using malware signatures, heuristic analysis and
Kaspersky Security Network. Additionally, Mail Threat Protection can block or rename email attachments
that match the specified masks.
Mail Threat Protection changes the subject of infected messages. The action taken is described in the message subject.
Security settings, among other options, determine the Protection scope. Mail Threat Protection can scan either
— Incoming messages only
For minimal computer protection, you can scan incoming messages only. Scanning outgoing messages can prevent the inadvertent sending of an archived infected file and save the embarrassment. Additionally, you can select to scan outgoing messages if you want to block attachments of certain types, for example, music or videos.
By default, incoming and outgoing messages are scanned. You can modify the protection scope only in the MMC Administration Console.
The Advanced settings more precisely define the protection scope:
— Scan POP3, SMTP, NNTP, and IMAP traffic—enables scanning of mail and news messages transferred over the specified protocols
— Connect Microsoft Office Outlook extension—scan objects² when they are received, read and sent at the level of the Microsoft Office Outlook client.
— Scanning at the protocol level operates independently of the mail clients used. However, messages transferred over unsupported protocols (for example, through Microsoft Exchange or
If archives are attached, they can be unpacked and scanned. This behavior is controlled with the following settings:
— Scan attached archives—this setting allows the administrator to fully disable archive scanning. As a rule, it is better to leave this checkbox selected and to scan archives “on the fly” using Mail Threat Protection. It is much easier not to allow any infected archive to penetrate into the mail database than to remove it from the database later using a virus scan task.
— Scan attached Office formats
² Not only mail messages are scanned, but also the objects within Public folders and Calendar: any objects received over MAPI from the Microsoft Exchange storage.
You can disable these parameters only in the MMC Administration Console. Do not turn off these parameters. Malicious files are often spread in attached archives and office documents.
— re
Do not scan archives larger than NN MB—limits the volume of archives or office files to be
or
scanned. Malware is rarely spread in big files. Enable this limitation to avoid waiting too long
when receiving large compound files
— Limit the time for checking archives to NN seconds—this option implements protection
against ‘archive bombs’ whose scanning requires a very long time and a lot of resources, which
slows down the computer.
If archive scanning is enabled, Mail Threat Protection will rename archived files with the specified extensions.³
— This option can also be used to fight outbreaks of new malware. If names of the attachments used by the malware are known, they can be added to the list and then renamed so that the users are unable to open these attachments as regular files. Renaming can reliably prevent infection. At the same time, if a harmless attachment matches the specified mask, renaming would not cause any serious problems. The user can consult the administrator and receive
³ Renaming is as follows: the last character of the extension is replaced with the underscore character, e.g., file.exe becomes file.ex_
If archive scanning is enabled, Mail Threat Protection will delete files of the specified types from attached archives.
By default, the list of filters contains masks of frequently used file extensions. In addition to the extensions, user-defined masks can contain parts of names. “*” and “?” wildcard characters can be used. The added masks will go to the beginning of the list and will be enabled immediately.
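As an added illustration, not code from the Kaspersky course or product, the following Python model shows how the attachment filter described above can be evaluated: “*” and “?” are wildcards, the first matching mask in list order wins (so a newly added mask, placed at the beginning, takes priority), and the renaming rule from footnote 3 replaces the last character of the extension with an underscore. The filter list and the outbreak mask are constructed sample values.

```python
import re

# Constructed sample filter list modelled on the description above: a few of
# the default extension masks plus one administrator-added mask. Each entry is
# (mask, action); "rename" mirrors the attachment filter, "delete" mirrors
# removing matching files from attached archives.
ATTACHMENT_FILTERS = [
    ("*.exe", "rename"),
    ("*.scr", "rename"),
    ("*.js", "rename"),
    ("invoice_??.vbs", "delete"),   # hypothetical mask added during an outbreak
]


def mask_to_regex(mask: str) -> re.Pattern:
    """Translate a Kaspersky-style mask into a regex: '*' matches any run of
    characters, '?' exactly one. Matching is case-insensitive because
    Windows file names are."""
    pattern = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in mask
    )
    return re.compile(f"^{pattern}$", re.IGNORECASE)


def rename_extension(name: str) -> str:
    """Renaming rule from footnote 3: the last character of the extension is
    replaced with an underscore, so file.exe becomes file.ex_."""
    stem, dot, ext = name.rpartition(".")
    if not dot or not ext:
        return name  # no extension, nothing to rename
    return f"{stem}.{ext[:-1]}_"


def add_mask(filters: list, mask: str, action: str) -> None:
    """Added masks go to the beginning of the list and take effect immediately,
    so they take priority over the default masks."""
    filters.insert(0, (mask, action))


def apply_filters(name: str, filters=ATTACHMENT_FILTERS):
    """Return (action, resulting_name) for one attachment or archived file.
    Masks are checked in list order and the first match wins."""
    for mask, action in filters:
        if mask_to_regex(mask).match(name):
            if action == "rename":
                return action, rename_extension(name)
            return action, None      # file removed from the archive
    return "scan", name              # no filter matched: normal antivirus scan
```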
Exclusions for Mail Threat Protection are configured the same way as for File Threat Protection: in Application Settings | General Settings | Exclusions | Scan exclusions. For the File or folder, you can specify a name or mask to exclude all matching files from scanning. The same exclusion must be configured for File Threat Protection, or else the received attachments will not be saved or opened.
— Analyzes addresses of webpages opened by the user or applications, and blocks access to phishing and malware-spreading sites
— Scans objects downloaded over HTTP, HTTPS, and FTP protocols, and blocks malicious files.
— Check against the database of malicious web addresses—compares the address of the website to be opened with the addresses of the websites known for hosting malware, attacking computers, or other harmful activities;
— Check against the database of phishing web addresses—is similar to the previous check, but against the database of sites on which phishing pages have been detected
— Heuristic analysis for detecting phishing links—analysis of the site contents for HTML code characteristic of phishing
— KSN check—addresses of the opened sites are checked against KSN. Dangerous links are blocked. The received answer is saved in the local cache and is used for further checks.
Downloaded files are scanned using all the available methods: signature and heuristic analysis, as well as KSN.
You can select the action to be taken against all detected dangerous objects:
— Block download, or
— Inform
You should select the Block download action in the policy and lock it so that the users are not able to download hazardous objects or visit hazardous websites.
When the user attempts to open a deny-listed website or download an infected object, a notification will be displayed in the browser explaining that the download was blocked by Kaspersky Endpoint Security.
If Web Threat Protection erroneously considers a website to be malicious or phishing, add its address to the trust list:
2. Select the checkbox Do not scan web traffic from trusted web addresses
3. Add the website address to the list. To specify a mask, use “*” and “?” wildcards
The listed sites and the objects downloaded from them will not be scanned by Web Threat Protection.
If Web Threat Protection erroneously considers a file that a user downloads from a website to be malicious, make an exclusion for the file in Application Settings | General Settings | Exclusions. Apply the exclusion at least to Web Threat Protection, File Threat Protection and Virus scan.
Starting with version 10SP2, Kaspersky Endpoint Security uses a driver that does not disrupt the connection; it uses the operating system functions to receive access to all packets.⁴
If you have a program that conflicts with the new interception method too, disable traffic interception for it:
1. In the Kaspersky Endpoint Security policy, open Application Settings | General Settings | Exclusions, and click the link Trusted applications.
2. Add the application executable file to the list of Trusted applications: Specify the full path to the file. You can use environment variables, such as %SystemRoot%.
3. Select the checkbox Do not scan network traffic and clear the other checkboxes
4. If servers with which a program works have permanent addresses (or a range of addresses) and ports, specify them in the lower part of the window: It is safer this way
This exclusion applies to the Mail Threat Protection, Web Threat Protection, and Web Control components.
⁴ In old versions of Kaspersky Endpoint Security (before 10 Service Pack 2), the driver that intercepts connections for network
receive the packets, and then establishes another connection to the remote server to send the scanned packets. The answer packets from the server are processed in a similar manner: First through the connection established by Kaspersky Endpoint Security, and then from Kaspersky Endpoint Security to the program.
Some network programs are incompatible with this interception method.
The network components Mail Threat Protection and Web Threat Protection consume few resources. On the contrary, they enable File Threat Protection to scan fewer files, and improve computer performance.
Web Threat Protection is the only component that protects against phishing. It also protects against new threats that are spread through known malicious websites.
Do not turn off the network protection components: it will not improve performance, but will affect protection.
If Web Threat Protection or Mail Threat Protection erroneously delete files, block safe websites or hamper
Criminals continually create new malicious files. Kaspersky is famous for detecting new threats and adding their signatures to the database very quickly. Checksums of malicious files get to Kaspersky Security Network even more promptly. However, criminals are still half a step ahead. How does Kaspersky Endpoint Security protect against new threats and especially against ransomware?
Ransomware that encrypts documents and demands money in return for the key causes immediate and direct harm.
Kaspersky Endpoint Security tries to detect and block malware, including new malware, at all stages of an attack:
Criminals publish malware on websites. Often these websites have also been used previously | Web Threat Protection uses the database of known malicious websites and websites’ reputation in KSN and prevents the users from opening them
Criminals email new malware | Mail Threat Protection renames executable
signature scanning, but behave similarly to other malware | does, and detects new malware by behavior
homogeneous, as if produced by a random-number generator. This makes them different from most ordinary files | Behavior Detection uses heuristic and statistical analysis as well as machine learning technologies to detect encryption in files
New malware does not have any reputation in KSN | Host Intrusion Prevention does not allow the programs without a reputation to use many of the operating system functions
002.11.6: Kaspersky Endpoint Security and Management. 4. How to configure protection against sophisticated threats
Unit II. Protection management
New threats are mainly opposed by Behavior Detection, Exploit Prevention, and Host Intrusion
Prevention, with the help of Kaspersky Security Network.
Kaspersky Endpoint Security components can be broken down into three groups: Components that
provide static protection, components that provide dynamic protection, and additional components.
The File / Web / Mail Threat Protection components provide static protection for a device: Scan objects
The Behavior Detection, Exploit Prevention, and Rollback components provide dynamic protection: Monitor objects’ actions, analyze, detect, and block dangerous behavior.
The third group includes Host Intrusion Prevention, Firewall, and Network Attack Blocker: Their task is to decrease the attack surface on the protected devices by limiting untrusted programs’ start and network access. This helps to partly take a load off dynamic and static protection.
Kaspersky Endpoint Security components scan objects using the antivirus engine, information from KSN, and various technologies. Some of the detection technologies are implemented on the client side, meaning, in the engine (signature analysis, heuristic analysis, behavior analysis). Some, on the Kaspersky side (expert analysis, machine learning, reputation service). KES receives only the results: Signature updates, program reputations, dangerous activity patterns, machine learning models, etc.
A detection event displays the name of the component and technology that pinpointed the threat.
In the local Kaspersky Endpoint Security interface, detection technologies display the source from which they received information about the threat:
— Automatic analysis—data about the threat were received from the automatic object analysis system. Object analysis is automated at Kaspersky. The automatic object analysis system processes all objects that Kaspersky receives, returns results and generates signatures. If the system cannot process an object, it sends it to virus analysts
— Expert analysis—data about the threat were added by Kaspersky virus analysts. Virus analysts are experts who develop not only threat signatures, but also dangerous activity patterns, machine learning models, etc.
— Behavior analysis—data about the threat were received upon analyzing the object’s behavior
— Cloud analysis—data about the threat were received from the Astraea technology, a part of KSN. Astraea is a big data processing system; it receives data from all sources of KSN requests, analyzes them, ranks their validity, and evaluates the threat
— Machine learning—data about the threat were received from a machine learning model. A machine learning model is developed at Kaspersky. Then the model learns on a large array of data received from KSN and the Astraea system. Then KES uses the model along with other technologies when hunting for threats.
Since the threat landscape changes continually, the model is regularly improved and learns incrementally on the Kaspersky side. Updates to the machine learning model are supplied to KES periodically the same way as threat signatures.
The components and technologies that help to counter new malware not yet added to the signature
databases or minimize their impact are called proactive defense.
Heuristic analysis, which we have studied already, is an example of a proactive defense technology. However, the main role in this protection aspect belongs to Behavior Detection, Exploit Prevention, Remediation Engine, Host Intrusion Prevention, and to some extent to the Control components and Firewall.
— Logs application activity for comparison with the behavior signatures database
— Detects malware and blocks their actions
— Protects shared folders against external encryption
Malware detection is the main task. For this purpose, Behavior Detection monitors program actions and compares them with dangerous activity patterns. The application activity log includes file access operations, established network connections, and system function calls.
The database of patterns is updatable, but updates are rarely issued for it. The efficiency of Behavior Detection hardly depends on how regularly the databases are updated.
Behavior Detection settings are few: in substance, you can only enable or disable the entire component,
or protection of shared folders against external encryption.
If Behavior Detection detects malicious behavior, it stops the program, deletes its executable file, and moves it into the Backup repository.
— Terminate the program—stop the malware and unload it from the memory
— Delete file—stop the program, delete the malicious file, and place its copy into the Quarantine repository
If Protection of shared folders against external encryption detects an attempt to encrypt files in a shared
folder over the network, it blocks the write and delete operations for this session for 60 minutes. Then it
tries to restore non-encrypted file versions from a backup copy using the Remediation Engine
component.
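The statistical signal mentioned in the table above (encrypted files look homogeneous, as if produced by a random-number generator) and the shared-folder session block described in the previous paragraph can be illustrated with a small Python model. This is an added example, not Kaspersky code: the entropy threshold, the session identifiers and the sample document are constructed assumptions, and a real product combines several statistics rather than one threshold.

```python
import math
import random
from collections import Counter

# Hypothetical threshold: plain documents usually score well below 6 bits per
# byte, while encrypted or truly random data approaches 8. A single threshold
# is only an illustration of the statistical test the text describes.
ENCRYPTED_THRESHOLD = 7.5
BLOCK_MINUTES = 60   # duration of the session block described in the text


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, up to 8.0 for
    uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """Homogeneous, random-looking content is what ransomware output looks like."""
    return shannon_entropy(data) >= ENCRYPTED_THRESHOLD


def suspicious_rewrite(before: bytes, after: bytes) -> bool:
    """A write that replaces structured content with random-looking data.
    Both conditions must hold, so a file that was already compressed or
    encrypted does not trigger on its own."""
    return not looks_encrypted(before) and looks_encrypted(after)


class SharedFolderMonitor:
    """Models protection of shared folders against external encryption: the
    first suspicious rewrite in a network session blocks that session's write
    and delete operations for BLOCK_MINUTES. Sessions are keyed by a string
    (the remote address, in this constructed example)."""

    def __init__(self):
        self.blocked_until = {}   # session -> time (minutes) until which it is blocked

    def is_blocked(self, session: str, now: float) -> bool:
        return self.blocked_until.get(session, -1.0) > now

    def on_write(self, session: str, before: bytes, after: bytes, now: float) -> str:
        """Return 'blocked' or 'allowed' for a write/delete from `session` at time `now`."""
        if self.is_blocked(session, now):
            return "blocked"
        if suspicious_rewrite(before, after):
            self.blocked_until[session] = now + BLOCK_MINUTES
            return "blocked"   # the Remediation Engine would then restore the file
        return "allowed"


# Constructed sample: a plain-text document and an encrypted-looking version of
# it, simulated with a seeded PRNG so that the example is deterministic.
PLAIN_DOC = b"Quarterly report\n" + b"Revenue grew 12% compared to the previous quarter. " * 80
_rng = random.Random(2024)
RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(len(PLAIN_DOC)))
```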
Do not disable Behavior Detection. It protects against threats that other components may fail to counter.
Exploit Prevention—protects from various attacks (exploits) whose aim is to receive administrative
permissions in the system or conceal code execution.
Exploits typically use buffer overflow attacks. Incorrect parameters are passed to a vulnerable program or service, which processes them and therefore executes some parameters as code. Specifically, such attacks against system services running under the local system account enable criminals to receive administrative permissions on the computer.
Typically, malware tries to start itself under the administrator account as a result of such an attack. When this option is enabled, start operations are monitored, and if a vulnerable program starts another
Remediation Engine—rolls back actions taken by the programs deleted by File Threat Protection, Virus Scan tasks, and Behavior Detection.
Actions to be rolled back are any changes made to the file system (creating, relocating, renaming files) or registry keys (the records created by the malware are deleted). Also, a backup copy of some files and keys is created at the time of the system start, which permits rolling back to this version if malware changes these files and keys. These special objects include the hosts and boot.ini files and the registry keys responsible for starting programs and services during the system start.
This option also restores files encrypted by ransomware, which encrypts files on drives and in shared folders, and then demands a ransom.
Remediation Engine uses the application activity log written by the Behavior Detection component.
The main purpose of the Host Intrusion Prevention is to regulate the activities of the running programs, namely, access to the file system and registry as well as interaction with other programs.
Host Intrusion Prevention categorizes applications into trust groups, for which limitations are specified. Every program receives one of the four trust levels:
— Trusted
— Low Restricted
— High Restricted
— Untrusted
Kaspersky Endpoint Security assigns a trust group to a program when it starts for the first time. The main categorization tool is Kaspersky Security Network. If it is inaccessible or KSN lacks information about the program, the assigned category depends on the policy settings:
— Trust group for applications that could not be added to existing groups—this setting permits the administrator to select which category to assign to the programs that do not yet have a reputation. The administrator can select High Restricted, Low Restricted or Untrusted
— Trust applications that have a digital signature—if this parameter is enabled, the programs signed by trusted certificates will be automatically placed in the Trusted group
The defined trust group is saved and used at each start of the program. The saved data may be revised or deleted depending on the following settings:
— Update rights for previously unknown applications from KSN database—program’s trust group will be changed automatically if it appears in the KSN
— Delete rights for applications that are not started for more than N days—permits wiping out the trust group information for the programs that have not been started for a long time. The lifetime is adjustable
Host Intrusion Prevention limits interaction with other programs and operating system services depending on the trust group. Generally, the default restrictions for trust categories are as follows:
Trusted | No limits
Low Restricted | Almost everything is allowed, except for building into operating system modules and accessing recorders (web cams and microphones)
High Restricted | Interaction with operating system modules and other programs is prohibited. A program is allowed to work only with its own segment of the system memory
Host Intrusion Prevention helps limit access to files, folders and registry keys on the hard drives. Host Intrusion Prevention has a list of protected resources. They are grouped into two categories:
— Operating system
— Personal data
Each category has its subcategories and resource descriptions: Paths to folders, file masks, registry key masks. Initially, the list of protected resources contains groups of most important files and registry keys. For example, the Operating system category has a subcategory Startup settings, which lists all registry
Rights to access groups of resources are defined for operations: Read, Write, Remove and Create.
Program limitations automatically apply to its child processes. If a program with limitations starts a trusted program, this trusted program will also be restricted. If a trusted application is started by the user or
The administrator can modify limitations for any trust group and even for any individual program.
Do not change the Host Intrusion Prevention settings unless you know precisely what you are doing.
The administrator can limit or extend rights for a program having the selected reputation here. For
example, you can allow low restricted programs to access the web cam.
1. Open the Advanced Threat Protection | Host Intrusion Prevention section in the Kaspersky
Endpoint Security policy
2. Click the link Application rights and protected resources
To protect other files or registry keys, add them to the list. Keep your resources in an individual category.
To be informed when Host Intrusion Prevention blocks an operation, enable logging. For this purpose, right-click an action in the table and select Log events. You can log allow events of Host Intrusion Prevention⁵ to understand which programs work with a resource.
The limitations configured for a program are inherited by all its child processes, even if their executable files are included in the Trusted group. Thus, programs with a lower trust level cannot evade the prohibitions by using the privileges of programs having higher trust levels.
With the default settings, Host Intrusion Prevention protects the operating system and other software on
The administrator can also easily protect users’ files against unknown programs. This way, they will be protected against ransomware that encrypts documents.
— Either already has a bad reputation in KSN, and Kaspersky Endpoint Security will not permit starting it
— Or does not have any reputation in KSN, and Host Intrusion Prevention will make it Low Restricted (by default) or High Restricted, depending on the administrator’s choice
Programs designed for working with documents, such as Microsoft Office, are well-known and have a Trusted reputation.
⁵ Be careful not to create an overwhelming stream of events from computers to the Administration Server. If you need to analyze access allow events, save them only into the local log of Kaspersky Endpoint Security rather than sending them to the Administration Server.
Therefore, to protect documents, prohibit restricted programs from editing them. For this purpose:
1. In the Kaspersky Endpoint Security policy, open Advanced Threat Protection | Host Intrusion Prevention and click the link Application rights and protected resources
2. Add documents to the list of protected resources in Host Intrusion Prevention: In the list on the left, select the category Personal data | User files and add a new category named Documents
3. Include in the category document extensions, such as *.doc, *.docx, *.pdf, etc. For this purpose, add File or folder to the category and specify the extension in the Path field. Repeat for all extensions
4. Prohibit restricted applications from editing documents. For this purpose, select the category in the list on the left and change the rights in the table on the right: Prohibit High Restricted and Low Restricted applications from Writing and Deleting
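To make the Host Intrusion Prevention logic from this section concrete, here is an added Python model (not Kaspersky code) of how a program's trust group is resolved (explicit policy assignment, then KSN, then the trusted-signature setting, then the default group for unknown applications), how a child process inherits its parent's restrictions, and how the Documents category created in the four steps above blocks Write and Delete for the two restricted groups. The program paths, the sample policy and the KSN verdicts are constructed values.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Optional

# Trust groups in order of decreasing privilege, as listed in the text.
TRUST_GROUPS = ["Trusted", "Low Restricted", "High Restricted", "Untrusted"]


@dataclass
class Policy:
    """Subset of the Host Intrusion Prevention policy settings discussed above."""
    unknown_group: str = "Low Restricted"   # 'Trust group for applications that could not be added...'
    trust_signed: bool = True               # 'Trust applications that have a digital signature'
    explicit_groups: dict = field(default_factory=dict)   # exe path -> group chosen by the administrator
    # Protected resources: category name -> file masks (step 3 of the procedure).
    resources: dict = field(default_factory=dict)
    # Rights table: (group, category) -> operations that are prohibited (step 4).
    prohibited: dict = field(default_factory=dict)


@dataclass
class Program:
    path: str
    ksn_group: Optional[str]          # group reported by KSN, None if unknown or KSN is unreachable
    signed_by_trusted_ca: bool = False


def assign_trust_group(prog: Program, policy: Policy) -> str:
    """Resolve the group in the order the text gives: an explicit assignment in
    the policy overrides KSN; KSN is the main categorization tool; without a
    reputation, a trusted signature (if that setting is on) or the policy's
    default group for unknown applications decides."""
    if prog.path in policy.explicit_groups:
        return policy.explicit_groups[prog.path]
    if prog.ksn_group is not None:
        return prog.ksn_group
    if policy.trust_signed and prog.signed_by_trusted_ca:
        return "Trusted"
    return policy.unknown_group


def effective_group(own: str, parent: Optional[str]) -> str:
    """Limitations are inherited: a child process runs with the more restrictive
    of its own group and its parent's, even if its own file is Trusted."""
    if parent is None:
        return own
    return max(own, parent, key=TRUST_GROUPS.index)


def resource_category(path: str, policy: Policy) -> Optional[str]:
    """Find the protected-resource category a file belongs to (by file mask)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    for category, masks in policy.resources.items():
        if any(fnmatch(name, mask) for mask in masks):
            return category
    return None


def check_operation(prog: Program, parent_group: Optional[str],
                    path: str, operation: str, policy: Policy) -> bool:
    """True if the program may perform `operation` (Read, Write, Delete, Create)
    on `path` under this policy; files outside every protected category are
    not restricted by the rights table."""
    group = effective_group(assign_trust_group(prog, policy), parent_group)
    if group == "Untrusted":
        return False   # such programs are not permitted to start at all
    category = resource_category(path, policy)
    if category is None:
        return True
    return operation not in policy.prohibited.get((group, category), set())


# Constructed policy following the four steps above: a 'Documents' category and
# a prohibition on Write/Delete for both restricted groups.
DOCUMENT_POLICY = Policy(
    resources={"Documents": ["*.doc", "*.docx", "*.pdf"]},
    prohibited={
        ("Low Restricted", "Documents"): {"Write", "Delete"},
        ("High Restricted", "Documents"): {"Write", "Delete"},
    },
)

# Constructed sample programs (paths are illustrative, not real KSN data).
WORD = Program(r"C:\Program Files\Microsoft Office\WINWORD.EXE", ksn_group="Trusted")
UNKNOWN_TOOL = Program(r"C:\Users\alice\Downloads\tool.exe", ksn_group=None)
```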
Antimalware Scan Interface (AMSI) is an open API developed by Microsoft that permits antivirus and other security solutions to synchronously scan macros and other scripts and block execution of malicious code within applications.
The AMSI Protection Provider component permits Kaspersky Endpoint Security to interact better with AMSI and thus improve detection of various attack types, for example, fileless attacks.
Fileless attacks are based on the following idea: Why develop malware if you can use existing legitimate tools to achieve your aim? (For example, PowerShell, JavaScript, VBScript etc.) The criminals’ aim when organizing a fileless attack is to intercept management of a process, run their code in its memory, and
Such an attack is difficult to detect, because criminals do not need to save their applications that may be recognized as malicious on the device. Additionally, various masquerade techniques are often used. For example, code obfuscation, which complicates code analysis, and evasion techniques, which permit
Let us explain the operation of AMSI Protection Provider through the example of an attack that is becoming increasingly widespread nowadays: Running the PowerShell interpreter from a macro in a document and executing a malicious script in PowerShell.
When an application opens a document, before running the script, it transfers it to AMSI for scanning and waits for the verdict. AMSI logs the script’s actions and sends its commands via AMSI Protection Provider to the antivirus provider: Kaspersky Endpoint Security. This permits the antivirus provider to access the commands that the script has compiled on the fly in the memory. Kaspersky Endpoint Security scans commands generated by the script and returns a verdict. Depending on the received verdict, AMSI instructs the application whether to run the script. This schema is implemented for Microsoft applications, and can also be implemented for any application that supports AMSI.
In addition to scripts, applications can send archives for scanning to Kaspersky Endpoint Security, as well as plug-in distributions prior to installation.
Almost any heuristic analysis returns false positives. To reduce them, exclude known clean programs from analysis:
— Programs that are considered to be trusted in Kaspersky Security Network
To avoid blocking programs that are considered to be trusted in KSN, simply use KSN. To trust signed programs, use the following Host Intrusion Prevention setting: Application processing rules | Trust applications that have a digital signature.
Kaspersky Endpoint Security trusts only those digital signatures that are based on trusted certificates, rather than all of them. Trusted certificates are those issued by trusted certification authorities.
Kaspersky Endpoint Security uses its own database of certificates and does not always trust certificates in the local store Trusted Root Certification Authorities. If a certificate has been compromised, Kaspersky Endpoint Security learns about this from Kaspersky Security Network, and will not trust files signed with this certificate.
Kaspersky Endpoint Security does not trust self-signed certificates either. To trust tailor-made software with a self-signed certificate, add the certificate to the trusted zone of Kaspersky Endpoint Security as described in “Exclusion by certificate”, in section 2.6.
If a program does not have a digital signature, you can manually add it to the Trusted group in the Host Intrusion Prevention policy. Alternatively, you can completely exclude a program from scanning by Behavior Detection and Host Intrusion Prevention. How to do it will be explained later.
Most of the widespread commercial programs have a Trusted reputation. However, some open-source programs have a Low Restricted reputation. In-house software may not have any reputation in KSN, and may receive a Low Restricted reputation (or High Restricted, depending on the policy settings).
If the reputation hampers working with a program, change its reputation in the Kaspersky Endpoint Security policy:
1. Open the Advanced Threat Protection | Host Intrusion Prevention section in the Kaspersky Endpoint Security policy
2. Click the link Application rights and protected resources
3. Switch to the Application rights tab
4. Click Add above the list of application categories
5. Select the group to which you want to move the file: Trusted, Low Restricted, etc., and click Next
6. Click Filtering and filter the list of applications by executable file name.
7. Select the executable file in the filtering results and click OK
If the administrator has selected a reputation for a file in the policy, Host Intrusion Prevention will use this reputation on the computers instead of the KSN reputation. Reputation from KSN is used only for files that are not explicitly specified in the policy. Meaning, for most files, because by default the policy has only reputation groups, and no files.
If the administrator has added a file to a reputation group in the policy, he or she can reconfigure its restrictions as desired. For example, the administrator can add a program to the Trusted group, but then open its rights and prohibit it from accessing the web cam.
If you use policies with the default settings, the list of executable files is likely to be empty in the policy. Kaspersky Endpoint Security intercepts all executable files on the computers, and Host Intrusion Prevention assigns a reputation to all of them. However, this data is not sent to the Administration Server by default. And the policy shows only those executable files about which Kaspersky Endpoint Security has informed the Administration Server.
To make Kaspersky Endpoint Security send lists of executable files to the server, create and run an Inventory task, or enable the Application Control component and run the necessary application.
The lists of computer executable files are rather large. If all managed computers send them to the server, it will increase the load on the network considerably. Usually, this is not necessary. Do not run the Inventory task on all computers. Do not enable Application Control for the computers where you are not planning to use it to regulate applications’ start. To receive only the files that you need, create an Inventory task for specific computers.
We recommend that you do not collect lists of files from all computers. Administrators often have test computers where all typical programs are installed. If you have such computers, gather lists of executable files from them. To fill the local list of known programs on a test computer, do not start all the programs manually, use the Inventory task.
The Inventory task scans files in the specified folders, finds the executable files, adds them to the local list
of known executable files, and activates data transfer to the Administration Server. To have scanning
results sent to the server, select the checkbox Inform Administration Server about started
applications in the Kaspersky Endpoint Security policy.
To create an inventory task, run the task creation wizard on the Devices | Tasks page. Select the Inventory task type under Kaspersky Endpoint Security for Windows. If it is a task for a test computer, after creating the task, open its properties and include All hard drives in the scope. Assign the task to individual test computers.
If the limitations set by the Host Intrusion Prevention still block a necessary program, you can configure the corresponding exclusion. There are two types of exclusions in Host Intrusion Prevention:
— Exclusions for resources—allow any program to perform any operation with the specified group of resources (not available in the Web Console)
— Exclusions for programs—allow the specified programs to perform any operation
Exclusions for resources are configured in the properties of Host Intrusion Prevention, on the Protected resources tab. You can configure exclusions for folders, files and registry keys.
Exclusions for programs are configured in the Trusted applications list, and provide several additional capabilities:
— Do not monitor application activity—disable all restrictions for the specified program
— Do not inherit restrictions of the parent process (application)—disable the limitations inherited from the process that started the program and the parent processes of higher levels
— Do not monitor child application activity—disable the restrictions for the processes started by the program for which the exclusion is created
Almost all Kaspersky Endpoint Security components help protect against new threats, but primarily
Behavior Detection and Host Intrusion Prevention. Both components monitor the operations performed by
the programs.
Host Intrusion Prevention calculates the reputation of executable files and limits actions of programs that
d
have bad or unknown reputations. Program reputation is supplied by Kaspersky Security Network, or the
administrator specifies it in the policy settings.
e
Behavior Detection monitors what programs do in general rather than their individual actions. For this
purpose, it logs everything that programs do and then checks whether sequences of actions resemble
malicious activities. Remediation Engine uses the log of actions to roll back malicious activities.
Behavior Detection has special heuristics that permit detecting ransomware (malware that encrypts
documents and demands a ransom). In many cases, Behavior Detection can recover encrypted
documents with the help of Remediation Engine.
To better protect against ransomware, configure Host Intrusion Prevention to block access to documents
for programs that have a bad reputation.
Do not disable Behavior Detection and Host Intrusion Prevention. These components implement state-of-
the-art technologies that protect against the most sophisticated threats.
002.11.6: Kaspersky Endpoint Security and Management. 5. How to control network connections
Unit II. Protection management
From the security point of view, the Firewall performs two functions:
— Block unauthorized network connections to the computer, thus decreasing the infection
probability
— Block unauthorized network activity of the programs on the client computer. This decreases
the risk of an outbreak, and also limits actions of the users that consciously or unconsciously
The Firewall is tightly integrated with Host Intrusion Prevention. Host Intrusion Prevention limits
programs’ access to the settings of the operating system, other programs and user files; the Firewall
checks the program reputation and limits its access to the network. This way, the Firewall prevents already
running malware from causing harm: for example, sending the user’s passwords to criminals.
The Network Threat Protection component complements the Firewall and analyzes packets. While
Firewall uses relatively simple rules to block packets and connections, Network Threat Protection checks
sequences of packets for signs of a network attack, for example, buffer overflow attack via known
vulnerabilities, and blocks connections through which an attack is performed.
Firewall controls connections at the network and transport level using packet rules. It analyzes inbound
and outbound packets, compares them with the rules and takes one of the two actions:
— Allow
— Block
The simplest part of Kaspersky Endpoint Security Firewall is the list of packet network rules. To view it,
open the Firewall settings in the Kaspersky Endpoint Security policy and click the link Network packet
rules.
Action: According to the application rule means that Firewall will look for an appropriate rule in the
settings of the program to which the packet pertains, and if this program has no settings, in the settings
of the reputation group to which the program belongs
ICMP type: Echo, Echo Reply, Time Exceeded, Destination Unreachable, etc. Can be selected for ICMP
and ICMPv6 protocols
ICMP code: Code for some ICMP types. You can select code 0, 1 or 2. For example, for a Destination
Unreachable ICMP packet, code 0 means Net Unreachable, code 1—Host Unreachable, code 2—Protocol
Unreachable [6]
Network adapters: Permits specifying the network adapter by Interface type, IP address and MAC
address. Types of interfaces: Loopback, Wired network (Ethernet), Wi-Fi network, Tunnel, PPP
connection, PPPoE connection, VPN connection, Modem connection
TTL: Packet lifetime
Remote addresses: Addresses of remote computers, which can be specified directly or indirectly. To
specify addresses directly, select Addresses from the list and fill the list of IP addresses. To specify
addresses indirectly, select Any address or Subnet addresses. Subnet addresses are: Trusted networks,
Local networks or Public networks.
Local addresses: Addresses of a local computer (a computer can have many addresses). You can select
either Any address, or Addresses from the list, and fill the list. Both IPv4 and IPv6 can be specified for
IP addresses
The Firewall compares packet attributes with rule attributes, and if everything coincides (protocol, ports,
direction, network adapter, local address, remote address), applies the action specified in the rule.
Rule application will be registered in the Firewall log if the Log events checkbox is selected.
The Firewall looks for the first matching rule (from the top down) and applies it. To rearrange the rules,
select a rule and move it using the Up and Down buttons.
A default policy contains a list of packet rules that provides reasonable security for computers both on
and off the corporate network. The standard settings are described in detail at the end of this chapter.
Standard packet rules are not hard-coded. The administrator can edit and delete them, or add custom
rules. For convenience, the protocol, ports and direction can be specified by templates (for example, Any
network activity, Browsing webpages, Remote Desktop network activity, etc.). To select a template, click
the button to the right of the Name field in the rule settings.
Addresses of remote computers may be specified indirectly in the rules, as Subnet addresses: Trusted
networks, Local networks or Public networks. How does the Firewall decide which addresses belong to
which networks?
Network statuses are specified by the administrator in the Kaspersky Endpoint Security policy. If the
policy does not describe a network status, the Firewall defines it itself on the client computer.
[6] For ICMP message types and code values, consult the protocol documentation
To add a network to the policy and select a status for it:
re
1. Click the Network settings link in Application Settings | Essential Threat Protection | Firewall
2. Click the Add button above the list
3. Type a name for the subnet and select its type
4. Specify subnet address in the following format: <IP address>/<netmask length in bits>, for
example 192.168.0.0/24 or 1234::cdef/96 for IPv6 networks
On the computer, the Firewall adds the networks configured for the computer's network adapters to the
networks specified in the policy. If an adapter’s network coincides with or belongs to a network from the
policy, it receives the status specified in the policy.
If the adapter’s network does not belong to any of the networks described in the policy, the Firewall
assigns it a status based on its status in the operating system. If it is a domain, work or home network,
the Firewall assigns it the Local status. If the network is public in the operating system, it will also be
public for Kaspersky Endpoint Security Firewall.
For example, the policy might contain a single network entry for 172.16.0.0/16 with the Local network
status. And a managed computer might have two interfaces configured to use networks 172.16.55.0/24
and 192.168.5.0/24 respectively. Let’s say Kaspersky Endpoint Security automatically assigned
the Public status to both these networks. Now when the local networks are combined with the policy, the
status of 172.16.55.0/24 network effectively becomes Local network, because there is an entry in the
policy for network 172.16.0.0/16 that includes 172.16.55.0/24. On the other hand, the 192.168.5.0/24
network retains its Public status because there is no matching entry in the policy.
In the default policy settings, there are three network entries, all of which have the Local network status:
— 10.0.0.0/8
— 172.16.0.0/12
— 192.168.0.0/16
These are reasonable choices for the computers that are inside the perimeter; however, they should be
reconsidered for computers outside the perimeter, e.g., the computers connected via VPN or laptop
computers on a business trip.
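The status resolution described above can be replayed on the manual's own example. The following Python model is an added illustration, not code from the manual or from Kaspersky: it applies the stated rule (an adapter network that coincides with or lies inside a policy network takes the policy status; otherwise the Windows network category decides), and the tie-break for overlapping policy entries (first entry listed wins) is an assumption, since the manual does not specify one.

```python
"""Network status resolution of the Kaspersky Endpoint Security Firewall (added model).

Not Kaspersky code: it encodes the rule described in the manual so that the
example above can be replayed. An adapter network that coincides with or lies
inside a policy network takes the policy's status; otherwise the Windows
network category decides (domain/work/home -> Local, public -> Public).
"""
import ipaddress
from typing import Dict, List, Tuple

TRUSTED, LOCAL, PUBLIC = "Trusted network", "Local network", "Public network"

# Default policy entries from the manual: three private ranges, all Local.
DEFAULT_POLICY_NETWORKS: Dict[str, str] = {
    "10.0.0.0/8": LOCAL,
    "172.16.0.0/12": LOCAL,
    "192.168.0.0/16": LOCAL,
}

# Windows network categories and the status the Firewall derives from them
# when the policy has no matching entry.
OS_CATEGORY_TO_STATUS: Dict[str, str] = {
    "domain": LOCAL, "work": LOCAL, "home": LOCAL, "public": PUBLIC,
}


def effective_status(adapter_network: str, policy_networks: Dict[str, str],
                     os_category: str) -> str:
    """Status the Firewall assigns to one adapter network."""
    adapter = ipaddress.ip_network(adapter_network, strict=False)
    for policy_cidr, status in policy_networks.items():
        policy_net = ipaddress.ip_network(policy_cidr, strict=False)
        if policy_net.version != adapter.version:
            continue  # an IPv4 range never contains an IPv6 one, and vice versa
        # "coincides with or belongs to": equal to, or a subnet of, the policy network.
        # With overlapping policy entries this model takes the first one listed
        # (an assumption; the manual does not state the tie-break).
        if adapter == policy_net or adapter.subnet_of(policy_net):
            return status
    return OS_CATEGORY_TO_STATUS[os_category.lower()]


def classify_adapters(adapters: List[Tuple[str, str]],
                      policy_networks: Dict[str, str]) -> Dict[str, str]:
    """Map each (adapter network, Windows category) pair to its Firewall status."""
    return {net: effective_status(net, policy_networks, cat) for net, cat in adapters}


if __name__ == "__main__":
    # Constructed sample: the manual's example of a policy with a single
    # 172.16.0.0/16 entry and two adapters that Windows categorised as public.
    policy = {"172.16.0.0/16": LOCAL}
    adapters = [("172.16.55.0/24", "public"), ("192.168.5.0/24", "public")]
    for net, status in classify_adapters(adapters, policy).items():
        print(f"{net}: {status}")
    # The same adapters under the default policy, and under an out-of-office
    # policy from which every network entry has been deleted (OS status decides).
    print(classify_adapters(adapters, DEFAULT_POLICY_NETWORKS))
    print(classify_adapters(adapters, {}))
```

Running the last two calls side by side shows the point of the paragraph above: under the default policy both adapters become Local, whereas with the network list emptied the Windows category (here, public) is what the Firewall uses.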
If the Firewall does not find a matching rule for a packet, or finds it, but the action specified in the rule is
According to the application rule, it starts looking for the packet rule configured for this application. And if
the application has no settings in the policy, it checks the program’s reputation and looks for a matching
packet rule in the reputation settings.
The Firewall uses the same reputations as Host Intrusion Prevention. The settings that Host Intrusion
Prevention uses to select a reputation are also applied to the Firewall. If Host Intrusion Prevention is not
installed, Firewall defines the reputation itself using the Host Intrusion Prevention settings. A program
cannot be Trusted for Host Intrusion Prevention and at the same time High Restricted for the Firewall.
Each program has only one reputation.
There are no applications in a policy by default; there are only reputations and settings for reputations.
The administrator can add programs to a reputation and then add any packet rules to the program
properties. Applications can be added in the same manner as in Host Intrusion Prevention.
Each program and reputation in the list of rules has three rules that are always located at the bottom of
the list:
— Any network activity in Trusted networks
— Any network activity in Local networks
— Any network activity in Public networks
For the Trusted and Low Restricted reputations, all three rules use the Allow action by default, and for
the High Restricted and Untrusted reputations, the Block action. Standard rules cannot be deleted or
modified, except for the Action attribute, which can be changed by the administrator.
By default, if only reputations are configured in the policy, reputations have only these three rules. These
rules intercept any network activity, because any address belongs to either a trusted, or a local, or a
public network. That is why there is always a rule for any packet: A packet belongs to a process, the
process has a reputation, and the reputation has at least one rule for any remote address according to
the network type.
The administrator can add custom rules to the list of reputation or application rules. These rules have only
the following attributes:
Remote addresses
A standard policy does not contain rules for applications (except for the standard ones specified for
the reputations). That is why the ultimate network status and application reputations are defined locally in
the Firewall.
Packet rules are inherited from the policy, and accordingly, packets are filtered as follows:
1. The first three rules regulate the capability to send DNS requests (over TCP and UDP protocols,
external port 53) and email (over TCP protocol, external ports 25, 465, 143, and 993).
The According to the application rule action is selected in these rules, that is, programs from
the Trusted and Low Restricted groups will be able to send DNS requests and email, while
the others will not
2. Rule number 4 allows any network activity within trusted networks to all programs. So, in trusted
networks, any activity is allowed by default, except for DNS and email limitations for Untrusted
3. The fifth rule defines the order of packet processing in local networks. Such packets are
processed according to the application rules. The default application rules say that the programs
from the Trusted and Low Restricted groups have no limitations in local networks, while High
4. The rest of the rules effectively regulate program behavior in the Public networks, since all
packets from Trusted and Local networks are processed one way or another by the above rules.
Rules 6-8 block remote desktop connections to the computer from public networks, and also
block connections to the local DCOM service, NetBIOS packets, access to Windows shared
folders, and access to Universal Plug & Play devices
5. Rules 9 and 10 allow inbound TCP and UDP streams only to the programs belonging to the
Trusted and Low Restricted groups. Considering the default application rules, this means that
Trusted and Low restricted applications can receive incoming connections from Public
networks, whereas High restricted and Untrusted applications cannot.
6. Rules 11 to 15 block inbound diagnostic ICMP requests, while allowing ICMP packets to be sent
to test connection to remote computers
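The lookup order explained earlier (packet rules top-down, then the application's own rules, then the three standard rules of its reputation) and the default rule list just described can be exercised together. The Python model below is an added illustration, not code from the manual or from Kaspersky. It renders the default rules in simplified form; the process names and reputations are constructed, and the port numbers used for the Windows services of rules 6-8 are an assumption, because the manual names the services, not their ports.

```python
"""Packet filtering decision chain of the Kaspersky Endpoint Security Firewall (added model).

Not Kaspersky code: it encodes the lookup order the manual describes (packet
rules top-down; then the application's own rules; then the three standard
rules of the application's reputation) with a simplified rendering of the
default packet rules. Process names, reputations and the service ports used
for rules 6-8 are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

ALLOW, BLOCK, BY_APP = "Allow", "Block", "According to the application rule"
TRUSTED_NET, LOCAL_NET, PUBLIC_NET = "Trusted", "Local", "Public"


@dataclass(frozen=True)
class Packet:
    process: str                  # image name of the process the packet belongs to
    direction: str                # "in" (towards this computer) or "out"
    protocol: str                 # "TCP", "UDP" or "ICMP"
    network: str                  # status of the remote address: Trusted/Local/Public
    local_port: Optional[int] = None
    remote_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    direction: Optional[str] = None              # None = any
    protocol: Optional[str] = None               # None = any
    networks: Optional[FrozenSet[str]] = None    # None = any remote address
    local_ports: Optional[FrozenSet[int]] = None
    remote_ports: Optional[FrozenSet[int]] = None

    def matches(self, p: Packet) -> bool:
        """Every attribute the rule specifies must coincide with the packet."""
        return ((self.direction is None or self.direction == p.direction)
                and (self.protocol is None or self.protocol == p.protocol)
                and (self.networks is None or p.network in self.networks)
                and (self.local_ports is None or p.local_port in self.local_ports)
                and (self.remote_ports is None or p.remote_port in self.remote_ports))


# Simplified default packet rules; list order is evaluation order (first match wins).
DEFAULT_PACKET_RULES: List[Rule] = [
    Rule("DNS over TCP", BY_APP, "out", "TCP", remote_ports=frozenset({53})),
    Rule("DNS over UDP", BY_APP, "out", "UDP", remote_ports=frozenset({53})),
    Rule("Email", BY_APP, "out", "TCP", remote_ports=frozenset({25, 465, 143, 993})),
    Rule("Any network activity in Trusted networks", ALLOW, networks=frozenset({TRUSTED_NET})),
    Rule("Any network activity in Local networks", BY_APP, networks=frozenset({LOCAL_NET})),
    # Rules 6-8 collapsed into one: inbound connections to OS services from Public
    # networks. The port list is an assumption (RDP, DCOM, NetBIOS, shared folders).
    Rule("Inbound to OS services from Public networks", BLOCK, "in",
         networks=frozenset({PUBLIC_NET}),
         local_ports=frozenset({3389, 135, 137, 138, 139, 445})),
    Rule("Inbound TCP streams", BY_APP, "in", "TCP"),          # rule 9
    Rule("Inbound UDP streams", BY_APP, "in", "UDP"),          # rule 10
    Rule("Inbound ICMP", BLOCK, "in", "ICMP"),                 # rules 11-15, simplified
    Rule("Outbound ICMP", ALLOW, "out", "ICMP"),
]

# Constructed reputations; a process missing here is treated as High Restricted.
SAMPLE_REPUTATIONS: Dict[str, str] = {"browser.exe": "Trusted", "inhouse-tool.exe": "High Restricted"}


def standard_reputation_rules(reputation: str) -> List[Rule]:
    """The three rules at the bottom of every reputation (and program) rule list."""
    action = ALLOW if reputation in ("Trusted", "Low Restricted") else BLOCK
    return [Rule(f"Any network activity in {net} networks", action, networks=frozenset({net}))
            for net in (TRUSTED_NET, LOCAL_NET, PUBLIC_NET)]


def decide(packet: Packet,
           packet_rules: List[Rule] = DEFAULT_PACKET_RULES,
           app_rules: Optional[Dict[str, List[Rule]]] = None,
           reputation_of: Callable[[str], str] = lambda proc: SAMPLE_REPUTATIONS.get(proc, "High Restricted"),
           ) -> Tuple[str, str]:
    """Return (action, name of the rule that decided)."""
    # Step 1: packet rules; the first match wins unless it defers to the application.
    first = next((r for r in packet_rules if r.matches(packet)), None)
    if first is not None and first.action != BY_APP:
        return first.action, first.name
    # Step 2: custom rules the administrator added to this program's properties.
    for rule in (app_rules or {}).get(packet.process, []):
        if rule.matches(packet):
            return rule.action, f"{packet.process}: {rule.name}"
    # Step 3: the standard rules of the program's reputation; one always matches,
    # because every remote address is in a Trusted, Local or Public network.
    reputation = reputation_of(packet.process)
    for rule in standard_reputation_rules(reputation):
        if rule.matches(packet):
            return rule.action, f"{reputation}: {rule.name}"
    raise ValueError(f"unknown network status {packet.network!r}")


if __name__ == "__main__":
    samples = [
        Packet("browser.exe", "out", "UDP", PUBLIC_NET, remote_port=53),
        Packet("inhouse-tool.exe", "out", "UDP", PUBLIC_NET, remote_port=53),
        Packet("inhouse-tool.exe", "out", "TCP", TRUSTED_NET, remote_port=443),
        Packet("inhouse-tool.exe", "out", "TCP", PUBLIC_NET, remote_port=443),
        Packet("browser.exe", "in", "TCP", PUBLIC_NET, local_port=3389),
        Packet("browser.exe", "in", "TCP", PUBLIC_NET, local_port=8080),
    ]
    for p in samples:
        print(p.process, p.direction, p.protocol, p.network, "->", decide(p))
    # A rule in the program's own properties lets a High Restricted tool reach one port.
    custom = {"inhouse-tool.exe": [Rule("HTTPS to the update server", ALLOW, "out", "TCP",
                                        remote_ports=frozenset({443}))]}
    print(decide(samples[3], app_rules=custom))
```

The sample packets reproduce the outcomes the text describes: the Trusted browser may send DNS queries and accept inbound connections from a public network, the High Restricted tool gets the same traffic blocked by its reputation rules unless it is in a trusted network, and an inbound connection to the remote desktop port is blocked for any process by the packet rule before reputation is even consulted.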
Trusted and Low Restricted programs have full access to all networks. That is why the Firewall does not
hamper well-known programs by default.
Untrusted and High restricted programs are allowed to access only trusted networks, and even there may
not work with email and DNS. However, there are no trusted networks in a policy by default, and
Untrusted and High restricted programs have no network access.
Thus, Firewall prevents unknown malware from stealing passwords, downloading additional modules,
receiving commands from the control center and sending spam.
Additionally, the Firewall blocks access to the operating system services (shared folders, remote desktop,
Most network applications are automatically included in either Trusted or Low Restricted groups, and
are allowed to exchange data over the network.
However, little-known open source programs or tailor-made software may receive the High Restricted
reputation and will not be able to work with the network.
To grant access to the network to a program that has High Restricted reputation, use one of the following
approaches:
— Change the program reputation, add its executable file to the Low Restricted or Trusted
these files
— If files are not signed with a certificate, consider signing them with a self-signed certificate and
use the exclusion settings to trust this certificate
— Alternatively, configure packet rules to allow the program to use its addresses and ports. Packet
rules are processed earlier than the rules for applications and reputations.
The purpose of the Network Threat Protection component is to block network attacks including port
scanning, denial-of-service attacks, buffer-overrun attacks and other remote malicious actions taken
against the programs and services running on the computer.
Network Threat Protection uses signatures and blocks all connections that correspond to the descriptions
of known network attacks.
As we mentioned earlier, malware does not necessarily save executable code in the file system in order
to infect a computer. For example, malware using a buffer-overrun attack can modify a process already
loaded in the memory and thus execute the malicious code. The Network Threat Protection component is
able to prevent infections from spreading this way. That is why it must be enabled, and its settings must
be locked.
Network Threat Protection has a few configurable parameters. If the component is enabled, attacks are
blocked automatically.
Additionally, Kaspersky Endpoint Security can block any further packets from the attacking computer for
some time. The Add the attacking computer to the list of blocked computers option regulates this
behavior; by default, it is enabled and blocks computers for 60 minutes. If necessary, a blocked computer
can be unblocked manually, but only in the local interface of Kaspersky Endpoint Security.
Sometimes, Network Threat Protection considers numerous packets sent by surveillance cameras and
other similar devices to be an attack, and blocks the packets. To prevent this, add the devices’ addresses
to exclusions. Network Threat Protection will not analyze packets from trusted addresses.
Protection from MAC spoofing prevents unauthorized modification of ARP tables on the devices protected
by Kaspersky Endpoint Security.
The following methods protect ARP tables against unauthorized modifications:
Protection from MAC spoofing is regulated by two options available in Essential Threat Protection |
Network Protection. You can enable or disable protection (it is disabled by default) and configure
reaction to potentially dangerous attacks.
When a client computer blocks another client computer because of a network attack, the administrator
can see only an event informing of a network attack in the console. There is no list of blocked computers,
or events informing that a computer was blocked and later unblocked.
You can find the list of blocked computers in the local interface of Kaspersky Endpoint Security:
1. In Kaspersky Endpoint Security window, click More Tools and select Network Monitor
To unblock a computer from the Administration Console, restart the Network Threat Protection
component on the computer that blocked an attack:
1. Find the event informing about the attack and check which computer sent the event (not which
computer attacked)
2. Find this computer in the console and open its properties
3. Switch to the Tasks tab and find the Network Threat Protection component
4. Stop the component and start it anew (use its shortcut menu or the buttons to the right of the list)
At the network level, packets are scanned by the Firewall and Network Threat Protection components.
Other essential protection components (Web Threat Protection and Mail Threat Protection) scan data at
the application level.
Firewall protects computer services in public networks, and also does not allow Untrusted and High
Restricted programs to use the network. Thus, it prevents unknown malware from connecting to its control
center.
Network Threat Protection analyzes sequences of packets within allowed connections and blocks known
types of attacks.
— Make the program trusted for Host Intrusion Prevention. The Firewall uses the same reputations
as Host Intrusion Prevention.
— Open ports and addresses with which the program works using simple packet rules
— Add the application’s address to exclusions of Network Threat Protection
002.11.6: Kaspersky Endpoint Security and Management. 6. How to protect a computer outside the network
Unit II. Protection management
The risk of computer infection is lower within a corporate network than outside. Thus, applying different
settings to the computers that are taken out of office seems reasonable.
Specifically, by default, the policy considers all networks that have addresses 10.0.0.0/8, 172.16.0.0/12
and 192.168.0.0/16 to be local and permits access to shared folders, Windows services and RDP within
them.
However, outside the corporate network, addresses 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 may
belong to hotels, bars, airports and other public places. It is dangerous to trust them similarly to local
networks.
Use a special out-of-office policy to change Kaspersky Endpoint Security settings when a computer is
taken outside the corporate network.
Out-of-office is the third possible policy status, in addition to the Active and Inactive statuses.
An out-of-office policy may be created for any group. There can be only one out-of-office policy for each
version of Kaspersky Endpoint Security in a group. That policy is propagated in exactly the same manner
as an active policy. However, while an active policy is enforced immediately, a policy for out-of-office
computers starts working only when the computer meets the specified conditions (which will be described
later).
If a child group has no out-of-office policy, it will use the out-of-office policy of its parent group. However,
if an out-of-office policy exists in both parent and child groups, they are not related in any way. Whichever
settings are locked in the parent group policy, they do not restrict the policy of the out-of-office users
within the child group.
In other words, individual settings of an out-of-office policy are not inherited, unlike those of an active
policy, where the locked settings are inherited by the policies of child groups. Out-of-office policies are
inherited only completely by those subgroups where an out-of-office policy is not configured.
1. Start the policy creation wizard: Open the tab Devices | Policies and profiles and click Add
2. Select the Kaspersky Endpoint Security for Windows application
Note: The Out-of-office policy status only exists in the policies of Kaspersky Endpoint Security
for Windows. Policies of the Network Agent or, for example, Kaspersky Security for Windows
Servers Enterprise Edition do not have such an option.
By default, computers will never switch to the out-of-office policy. To make them switch to such a policy,
specify conditions in the Network Agent policy using either of the following methods:
1. Select Enable out-of-office mode when Administration Server is not available
A computer will switch to the out-of-office policy if it is not connected to any network, or if the
Network Agent cannot synchronize with the Administration Server three times in a row.
In practice, this happens when a computer is disconnected from the corporate network. By
default, the synchronization period is 15 minutes. Therefore, a client will switch to the out-of-
office mode immediately after being disconnected from the network, or in 30 to 45 minutes if the
network has not been disconnected.
Configuring network locations is the best choice. They can describe more precisely when a computer is
If there are many computers in the network and the Administration Server is overloaded, some of the
computers may fail to connect to the Server at every regular synchronization. It might happen that a
computer fails to synchronize three times in a row and will switch to the out-of-office policy within the
corporate network. Depending on the out-of-office policy settings, such a computer can, for example,
block access to its shared folders, which would make quite a lot of trouble if it happens to a file server or a
domain controller.
Certainly, if computers cannot synchronize with the Administration Server, it is an issue that must be
solved [7]. However, improperly configured conditions of switching to the out-of-office mode may aggravate
the issue.
[7] Course KL 302 explains how to correctly scale Kaspersky Security Center to large networks.
Instead of using the option Enable out-of-office mode when Administration Server is not available,
configure network locations that precisely describe when a computer is located within the corporate
network, and when outside.
Network Agents can use different connection profiles in different network locations. See course KL 302
for details. To make computers switch to the out-of-office mode, configure network locations for the
<Offline mode> profile.
The Network Agent policy provides various conditions to describe network locations. Many of them are
simple and clear, for example, subnet address or main gateway address. However, they may fail to
unambiguously define the corporate network. Suppose subnet 192.168.0.0/24 is used in the internal
network. However, there can be the same network in a hotel, bar or a free hotspot in the street. That is
why the conditions by subnet, gateway or DNS server address are insufficiently reliable.
It is best to use the Condition for name resolvability and specify a name that can only be resolved on
the internal DNS server of the company. Configure computers to switch to the out-of-office mode when
they cannot resolve this name:
1. In the Network Agent policy, open Application Settings | Network and in the Connection
profiles area, click the Settings button
2. Add a network location description: Click the Add button above the upper list
3. Name the network location comprehensibly, for example, “<an internal DNS name> unresolvable”
and select the checkbox Description enabled
4. In the Use connection profile drop-down list, select the <Offline mode> profile
resolved
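The two switching conditions discussed in this section, the Administration Server availability option with its three-failures rule and a network location based on name resolvability, can be compared on constructed scenarios. The Python model below is an added illustration, not code from the manual or from Kaspersky; the 15-minute period and the threshold of three failures are the defaults the manual states, the profile name follows the manual, and the internal host name and addresses are placeholders.

```python
"""Out-of-office switching conditions of the Network Agent (added model).

Not Kaspersky code: it reproduces the two conditions described in the manual,
the 'Administration Server is not available' option (three failed
synchronizations in a row, default period 15 minutes) and a network location
whose condition is that an internal DNS name cannot be resolved, so that
their behaviour can be compared on constructed scenarios.
"""
import ipaddress
import socket
from typing import Callable, Optional

OFFLINE_PROFILE = "<Offline mode>"
ACTIVE_POLICY, OUT_OF_OFFICE_POLICY = "active policy", "out-of-office policy"
SYNC_PERIOD_MIN = 15        # default synchronization period
FAILURES_TO_SWITCH = 3      # consecutive failed synchronizations before switching


class ServerAvailabilityCondition:
    """Option 'Enable out-of-office mode when Administration Server is not available'."""

    def __init__(self) -> None:
        self.consecutive_failures = 0

    def record_sync(self, succeeded: bool) -> str:
        """Feed the result of one synchronization attempt; return the policy now in force."""
        self.consecutive_failures = 0 if succeeded else self.consecutive_failures + 1
        return self.policy()

    def policy(self, connected_to_any_network: bool = True) -> str:
        if not connected_to_any_network:
            return OUT_OF_OFFICE_POLICY       # no network at all: switch immediately
        if self.consecutive_failures >= FAILURES_TO_SWITCH:
            return OUT_OF_OFFICE_POLICY       # three misses in a row, wherever the computer is
        return ACTIVE_POLICY


def switch_delay_minutes(minutes_since_last_sync: int) -> int:
    """Delay before the switch when the computer stays on some network but loses the
    Server: the next three scheduled attempts must all fail (30 to 45 minutes)."""
    if not 0 <= minutes_since_last_sync < SYNC_PERIOD_MIN:
        raise ValueError("must be within one synchronization period")
    return FAILURES_TO_SWITCH * SYNC_PERIOD_MIN - minutes_since_last_sync


def system_resolver(name: str) -> Optional[str]:
    """Real resolver for use on a host; None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def profile_by_name_resolvability(internal_name: str,
                                  resolver: Callable[[str], Optional[str]] = system_resolver
                                  ) -> Optional[str]:
    """Network location '<internal name> unresolvable': selects <Offline mode> when the
    name cannot be resolved; None means the location does not apply (in the office)."""
    return None if resolver(internal_name) else OFFLINE_PROFILE


def profile_by_subnet(adapter_ip: str, corporate_subnet: str) -> Optional[str]:
    """The weaker subnet-address condition, kept here only for comparison."""
    inside = ipaddress.ip_address(adapter_ip) in ipaddress.ip_network(corporate_subnet)
    return None if inside else OFFLINE_PROFILE


if __name__ == "__main__":
    # Constructed scenario 1: an overloaded Server inside the corporate network.
    cond = ServerAvailabilityCondition()
    for result in (False, False, False):
        print("sync failed ->", cond.record_sync(result))
    print("delay after losing the Server just after a sync:", switch_delay_minutes(0), "min")
    # Constructed scenario 2: hotel Wi-Fi that reuses the corporate subnet 192.168.0.0/24.
    office_dns = lambda name: "10.0.0.5" if name == "intranet.corp.example" else None  # placeholder
    hotel_dns = lambda name: None
    print("subnet condition in the hotel:", profile_by_subnet("192.168.0.20", "192.168.0.0/24"))
    print("name condition in the hotel:", profile_by_name_resolvability("intranet.corp.example", hotel_dns))
    print("name condition in the office:", profile_by_name_resolvability("intranet.corp.example", office_dns))
```

The first scenario shows why the availability option is risky on a loaded Server: three misses put a computer into the out-of-office policy while it is still in the office. The second shows the subnet condition returning "in the office" on hotel Wi-Fi that reuses 192.168.0.0/24, while the name-resolvability condition selects <Offline mode> because the internal name does not resolve there.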
The default policy assumes that 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8 are local networks, which
need fewer restrictions. This may not be a safe assumption out of office. These can be networks in hotels,
bars or other public places which cannot be trusted. Make these networks public in the out-of-office
policy. Alternatively, if you trust the users, delete all networks from the policy: Firewall will check the
statuses of networks in the operating system, which are specified by the user.
A policy for out-of-office computers must take into account the fact that while the host is outside the
corporate network, it is the user who manages Kaspersky Endpoint Security. Consequently, the policy
must allow the user access to the information about the protection status and to the product management
tools. The user should at least be allowed to scan suspicious files/drives and start updates. For this
purpose, allow the user to manage group or local tasks, or both. The corresponding settings are located
in the policy section Local tasks.
To help the users make rational decisions about protection, you need to provide them with more
information about incidents. The user should be warned about detected threats, the need for advanced
disinfection and about outdated databases:
— Open the list of local Kaspersky Endpoint Security events in the policy: go to Application
Settings | General Settings | Interface, and in the Notifications area, click the Notification
settings link
— Select a component and then tick all events that are important for the user in the Notify on
screen column
Make Kaspersky Endpoint Security warn the user about the issues that it experiences with a red triangle
on the application icon in the notification area. To select about which issues to inform the user, open the
Interface settings of the policy and adjust the options in the Show application’s status area.
When the users work outside the corporate network, they need other settings for Kaspersky Endpoint
Security. Kaspersky Security Center has out-of-office policies for this purpose.
By default, out-of-office policies are not used. To enable them, configure conditions in the Network
Agent policy. Configure network locations for the <Offline mode> profile. In the network location
descriptions, specify the conditions that reliably describe when a computer is located within the corporate
network, and when outside. Use Modify condition for name resolvability and Modify condition for SSL
connection address accessibility.
— Configure the Firewall not to trust networks 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16
Give the users more information and more control over Kaspersky Endpoint Security:
— The Enable Self-Defense parameter is responsible for protecting the Kaspersky Endpoint
Security processes in the computer system memory, its files on the hard drive and its registry
keys. It is enabled by default
002.11.6: Kaspersky Endpoint Security and Management. 7. What else is there in protection and why?
Unit II. Protection management
— The Enable external services control checkbox is cleared by default, which prevents stopping
Kaspersky Endpoint Security services [8] using any method except the product interface
If self-defense is disabled, the computer protection level decreases. By default, both parameters are
locked. It makes sense to disable self-defense only if compatibility problems arise (for example, with
remote management utilities, though there are better ways for handling those) or for troubleshooting.
To prevent malware from disabling protection by simulating the user’s commands in the product window,
self-defense accepts mouse and keyboard events only directly from a device rather than from other
processes by default. Therefore, when the administrator tries to manage Kaspersky Endpoint Security via
a remote access program, such as UltraVNC or TeamViewer, self-defense does not permit clicking
If you need to manage Kaspersky Endpoint Security via a remote access program, and self-defense will
not allow this, configure an exclusion. Add the executable file of your remote access tool to the list of
trusted applications.
The process that the administrator starts on his or her computer is not necessarily the same as the
process on the remote computer that accepts the connection and provides access to the desktop. Add
the process that runs on the remote computer.
In the properties of the trusted program, select the checkbox Do not block interaction with the
application interface. Clear the other checkboxes. Do not allow programs more than they need for their
work.
[8] There are two services in Kaspersky Endpoint Security: Kaspersky Endpoint Security (avp.exe) and Kaspersky Seamless
Update Service (avpsus.exe)
Firmware of any USB flash drive can be modified. When such a USB flash drive is connected to a
computer, the operating system may recognize it as another device and perform functions designed by
criminals. For example, a USB flash drive can be identified as a keyboard and send commands on behalf
of the user logged on to the system. In practice, it may be any action: hidden malware
downloading or intercepting and sending out confidential data. And even if the user does not possess
system administrator permissions, it will not solve the issue, because there are various methods of
elevating privileges, and permissions of an ordinary user are typically enough to cause a data leak.
The BadUSB Attack Prevention component does not permit USB devices to connect as a keyboard
without the user’s authorization. It works as follows. When a USB device is connected, if the operating
system recognizes it as a keyboard, BadUSB Attack Prevention notifies the user and requires that the
user authenticates the device.
By default, the BadUSB Attack Prevention component is not installed on the computers. If necessary,
you can add it using the Kaspersky Endpoint Security task Change application components. The
You can configure it using two parameters in Application Settings | Essential Threat Protection |
BadUSB Attack Prevention:
— The parameter Prohibit use of On-Screen Keyboard for authorization of USB devices
permits (or disallows) the user to authorize devices via on-screen keyboard. By default, the use
of on-screen keyboard is blocked
If BadUSB Attack Prevention is planned to be used on laptops: We recommend that you allow the use of
on-screen keyboards in the out-of-office policy to avoid issues with wireless pointers and presenters.
The default settings provide the users with at least two methods to disable the protection.
d
— Close Kaspersky Endpoint Security (click Exit on the shortcut menu of the product icon in
the notification area). This action does not even require elevated permissions; any user can do
this.
— Uninstall Kaspersky Endpoint Security, which requires administrative permissions. However,
To prevent the users from weakening or stopping Kaspersky Endpoint Security, configure password
protection for the mentioned actions in the policy and make these settings required (close the lock).
Although a user with administrator rights has enough power to disrupt the operation of Kaspersky Endpoint
Security one way or another, the most direct attempts to do so will be blocked by Kaspersky Endpoint
Security self-defense, which does not permit deleting or modifying Kaspersky Endpoint Security files and
registry entries and protects its service and processes in memory. Together, password protection and
self-defense are mostly able to prevent any damage a user might try to inflict on Kaspersky Endpoint
Another (a less evident) way of disabling the protection is to uninstall the Network Agent. Some 10 to 20
minutes after the Network Agent is removed, Kaspersky Endpoint Security will no longer be controlled by
the policy and the user will be able to change any setting. There is password protection for the Network
Agents too, and it is not enabled by default either.
Password protection can be enabled for most of the user actions that affect Kaspersky Endpoint Security:
editing its settings, exiting, and uninstalling.
To enable password protection for Kaspersky Endpoint Security:
1. Open the policy, switch to the Application Settings tab, and in General Settings | Interface, enable
Password protection
2. Set a password
3. Configure permissions for the group Everyone. Select which operations will prompt the user for a
password and which will not:
Protection); but the user will still be able to stop a component via its shortcut menu
— Remove / modify / restore the application—the password prompt is added to the uninstall
wizard of Kaspersky Endpoint Security
— Disable Kaspersky Security Center policy—adds the option to temporarily disable the
policy via the shortcut menu of the Kaspersky Endpoint Security icon after entering the password.
— Exit the application—protects the Exit command on the shortcut menu of the product's icon.
Meanwhile, self-defense of Kaspersky Endpoint Security will prevent attempts to terminate its
processes or delete its files
— View reports—prompt for the password prior to showing events in the local interface of
Kaspersky Endpoint Security
The password protects both the graphical interface of Kaspersky Endpoint Security and the
— Restore access to data on encrypted drives—prevents the user from starting the data
recovery tool. It is the administrator’s job to recover data, not the user’s
— Restore from Backup—prompts for the password when restoring files from backup
— Disable protection components—the user can start protection components and local tasks
(if they are displayed); the password window appears only if the user attempts to stop them.
The update tasks lack this protection
— Disable control components—the password is necessary to disable Device Control,
Application Control, or Web Control
This capability is useful for local troubleshooting. When a policy is active, the administrator
can’t change Kaspersky Endpoint Security parameters to see which component or which
particular setting is causing trouble for the user. Moving a problem computer to a special
group for diagnostics and then returning it after the problem is solved is an awkward
solution, especially if different IT units are responsible for centralized protection management
and local diagnostics. The capability to temporarily disable a policy using a special password
on a computer helps to carry out diagnostics without changing the settings on
the Administration Server.
— Remove key—the user cannot stop protection by deleting the key unless the password is
entered
The advantage of password protection is that it remains active even when the policy is disabled. Once the
password protection settings are applied to Kaspersky Endpoint Security, the users will be unable to
manage the product without a valid password even if the administrator disables the policy. Password
protection permits configuring permissions for each user or group of users.
The Network Agent is less likely to be noticed by the local user than Kaspersky Endpoint Security. The list
of installed programs is one of the few places where it can be found. “Kaspersky” in the product name
may be sufficient for some users to attempt uninstalling the Network Agent. If a user has administrator
To protect the Network Agent, set an uninstallation password in its policy. The Quick Start wizard creates
The password for Network Agent uninstallation is set in the Settings section. By default, it is not
specified. Enable the Use uninstall password option, enter the password, and don’t forget to lock this
group of settings. It is not locked by default, and setting the password while leaving the option unlocked
has no effect on the local Network Agent settings.
Once the policy is applied, the password prompt is added to the Network Agent uninstallation wizard. An
attempt to uninstall the Network Agent using the command line without the password will also fail.
Kaspersky Endpoint Security provides a number of tools to help protect user data when a device is stolen
This task allows the administrator to delete the user’s data (folders and/or files with the specified
extensions) either using the operating system’s tools or by overwriting the data with randomly generated
files, thus eliminating the possibility of recovering the information. The administrator can run the task
manually, or it can start automatically if the device does not connect to Kaspersky Security Center for
more than X days.
Kaspersky Endpoint Security policy has more settings than we have described in this unit.
For most of the protection components, you can select what to do with malicious files and other threats.
By default, all components try to disinfect malicious files, and if disinfection fails or is impossible, delete
them. The administrator can choose to delete all malicious files immediately, or only block them rather
than delete them. Blocking instead of deleting makes sense only if you are testing something. On the
protected computers, use the action that deletes malicious files. We recommend that you leave the
default action.
Prior to disinfecting or deleting a file, Kaspersky Endpoint Security copies it to the Backup. This is a
special folder on the computer where Kaspersky Endpoint Security stores encrypted copies of malware. If
Kaspersky Endpoint Security deletes a file mistakenly, the administrator will be able to restore it from the
Backup after configuring an exclusion.
The settings that we have not mentioned usually should not be changed. They are described in the help
system of Kaspersky Endpoint Security. The following table briefly describes some of the settings:
General Settings | Exclusions | Types of detected objects

Viruses and worms (cannot be disabled)
Trojans (cannot be disabled)
    Do not change these settings. All these objects at least hamper the user and may cause significant
    harm if worst comes to worst.

Malicious tools (enabled)
Adware (enabled)
Auto-dialers (enabled)
    If the administrators use testing utilities that the antivirus considers to be malicious, configure
    exclusions for them instead of disabling detection of the whole category of objects.

Other (disabled)
Packed files that may cause harm (enabled)
Multi-packed files (enabled)
    The Other category includes remote management utilities, such as RAdmin, UltraVNC, DameWare, etc.
    Criminals may use these legitimate tools for unauthorized access to computers. However,
    administrators and users may need them for their work. Configure as necessary.

default) 4096MB
    passive malicious files on removable drives. The user may, for example, take this drive to a
    customer and accidentally infect a computer.
    To save employees’ time and prevent Kaspersky Endpoint Security from scanning large drives, limit
    the maximum size of the drive to be scanned, for example, to 32MB.

    At the same time, old laptops may have short battery life; this parameter was designed for them.
    Place old and contemporary laptops into different groups and specify proper settings for them via
    dedicated policies.

Concede resources to other applications (by default: enabled)
    Do not disable.

Store reports no longer than: (by default) 30 days
Maximum file size: (by default) 1024MB
    For most companies, an event history of 30 days is enough. If you need to store events longer,
    increase the storage time and maximum file size.
    Think about sending events to a SIEM system (see course KL 009).

Store objects no longer than: (by default) 30 days
Maximum storage size: (by default) not specified
    If you suspect a file to be malicious, but Kaspersky Endpoint Security does not react to it, receive
    its reputation from KSN in real time or send the file to technical support via the
    companyaccount.kaspersky.com portal.

General Settings | Reports and Storage | Data transfer to Administration Server

About files in Backup
About unprocessed files
About installed devices
About started applications
About file encryption errors
    Enable the first two lists: they inform about threats and false positives.
    Send the lists of devices and encryption errors only if you use Device Control and Encryption.
    We recommend that you send the list of started applications only from individual computers; do not
    enable it for the whole network.

General Settings | Interface | Notification Settings | <Component> | <Event>

Save in local report
Save in Windows Event Log
Notify on screen
Notify by email
    Store all events in the local log.
    In the Windows log, store at least functional failure events to be able to view them if Kaspersky
    Endpoint Security does not work.
    Notify on screen only about control events. The fewer messages from Kaspersky Endpoint Security
    the user sees, the better.

With full interface (enabled by default)
    Select No interface if users complain that Kaspersky Endpoint Security hampers them.

With simplified interface (disabled by default)
    If the corporate policy prohibits completely hiding the software interface from the users, select
    With simplified interface: the users will see the Kaspersky Endpoint Security icon in the
    notification area, but will not be able to open its window or understand which components and
    tasks are running.

General Settings | Interface | Show application’s status in notifications area

Active threats
Computer restart required
Problems with signature databases
Problems with protection level
    Disable on the network computers. It is the administrator who needs to be informed about issues
    rather than the user, and they are to be displayed in the Administration Console rather than in the
    local interface.
All protection components in Kaspersky Endpoint Security either detect and block threats, or reduce the
attack surface, meaning that they prevent the user and applications from taking actions that are
potentially dangerous to the computer.
Therefore, do not disable the protection components. Instead, create exclusions for those programs that
are slowed down by the antivirus.
Configure regular virus scanning. First, it detects passive threats. Second, it updates the cache of
scanned files, after which File Threat Protection and other components work faster.
All components work well with the default settings. Usually, these settings can hardly be improved and
should not be changed. However, to better counter ransomware, you can configure Host Intrusion
The default settings can be improved for laptops that are taken outside the corporate network. Create
Finally, protect not only computers from malware, but also Kaspersky Endpoint Security from the user.
Configure password protection for Kaspersky Endpoint Security and Network Agent.
v.1.0.6