002.11.6: Kaspersky Endpoint Security and Management. Unit II. Protection management

1.1 How criminals attack a computer .....................................................................................................4
  How malware gets on a computer ....................................................................................................4
  How malware causes harm ..............................................................................................................7
1.2 How Kaspersky Endpoint Security counters attacks ........................................................................9
  How Kaspersky Endpoint Security counters threats ........................................................................9
  How Kaspersky Security Network helps to repel threats ...............................................................10
  Where are Kaspersky Endpoint Security settings located .............................................................12
2.1 How Kaspersky Endpoint Security protects files ............................................................................13
  How Kaspersky Security protects files within Windows Subsystem for Linux ...............................14
2.2 What and how to configure in File Threat Protection .....................................................................16
  Configure File Threat Protection ....................................................................................................16
2.3 What to do if File Threat Protection slows down the computer ......................................................22
  How to exclude an application’s folder ...........................................................................................23
  How to exclude files that a process accesses ................................................................................24
  How to merge policy exclusions .....................................................................................................24
  How to use local exclusions ...........................................................................................................25
  How to not scan network drives .....................................................................................................26
  How to apply settings to computers ...............................................................................................26
2.4 How and why configure scheduled file scanning............................................................................27
  Why scan for malware in addition to File Threat Protection ...........................................................27
  What and how to scan for threats ...................................................................................................28
  How to select an optimal schedule .................................................................................................29
2.5 What to do with false positives .......................................................................................................31
  How to configure an exclusion for an incorrect verdict ...................................................................31
  Exclusions by checksum ................................................................................................................32
  Exclusion by certificate ...................................................................................................................33
2.6 File protection: Summary................................................................................................................33
3.1 How network protection works........................................................................................................35
  What network components do ........................................................................................................35
  How Kaspersky Endpoint Security intercepts traffic .......................................................................35
  How Kaspersky Endpoint Security scans encrypted traffic ............................................................36
3.2 Mail Threat Protection ....................................................................................................................39
  What Mail Threat Protection does ..................................................................................................39
  Configuring Mail Threat Protection .................................................................................................40
  Attachment filter ..............................................................................................................................41
  Exclusions for false positives..........................................................................................................42
3.3 Web Threat Protection....................................................................................................................42
  What Web Threat Protection does .................................................................................................42
  Configuring Web Threat Protection ................................................................................................43
  How to make a website trusted ......................................................................................................43
3.4 How to not intercept all traffic of a program....................................................................................44
3.5 Protection for network connections: Summary ...............................................................................45
4.1 How Kaspersky Endpoint Security protects against new threats ...................................................46
4.2 Detection technologies used in Kaspersky Endpoint Security .......................................................47
4.3 What Advanced Threat Protection does.........................................................................................48
  How Behavior Detection protects against new threats ...................................................................48
  How Exploit Prevention protects against new threats ....................................................................50
  How Remediation Engine protects against new threats .................................................................50
  How Host Intrusion Prevention stops new threats..........................................................................51
  How to configure Host Intrusion Prevention to stop ransomware ..................................................54
  How AMSI Protection Provider stops new threats..........................................................................55
4.4 How to exclude a program from monitoring ...................................................................................56
  What to do if KES hampers a program...........................................................................................56
  How to modify a program’s trust category ......................................................................................57
  How to make a program trusted for Behavior Detection and Intrusion Prevention ........................59
4.5 Protection against new and sophisticated threats: Summary ........................................................61
5.1 How Firewall protects against threats ............................................................................................62
5.2 How Firewall works in Kaspersky Endpoint Security .....................................................................62
  How Firewall analyzes packets and connections ...........................................................................63
  How Firewall decides which networks are local .............................................................................64
  How Firewall restricts programs .....................................................................................................66
5.3 What Firewall does under default settings .....................................................................................67
  Default network packet rules ..........................................................................................................67
  What it means for applications on the computer ............................................................................69
  What if the Firewall impedes an application ...................................................................................69
5.4 Why Network Threat Protection is necessary ................................................................................71
  What Network Threat Protection does ...........................................................................................71
  What the Protection from MAC Spoofing does...............................................................................72
  How to unblock a blocked computer ..............................................................................................73
5.5 Network protection: Summary ........................................................................................................74
6.1 Which local networks to trust ..........................................................................................................75
6.2 How to create a policy for computers outside the office .................................................................76
  How to create a policy for computers outside the office .................................................................76
  When computers switch to the out-of-office policy .........................................................................77
  How to set conditions for switching to the out-of-office policy ........................................................78
6.3 Which settings computers should use outside the office ...............................................................79
6.4 Out-of-office policies: Summary .....................................................................................................80
7.1 What Self-Defense does and why it is necessary ..........................................................................81
  What Self-Defense does.................................................................................................................81
  How to manage KES over Remote Desktop ..................................................................................82
  What BadUSB Attack Prevention does ..........................................................................................83
7.2 How to protect Kaspersky Endpoint Security from the user ...........................................................84
  How the user can stop protection ...................................................................................................84
  How to enable password protection ...............................................................................................85
  Configuring password protection for Network Agent ......................................................................86
  How to protect data if a device is stolen or lost ..............................................................................86
7.3 Other protection settings ................................................................................................................87
  Actions ............................................................................................................................................87
  Other settings .................................................................................................................................88
  Computer protection: Summary......................................................................................................90

Malware gets on a computer via everything that connects the computer to the external world, specifically via network connections and removable drives. Let us examine typical scenarios of how malware penetrates a computer, and how to prevent this.

The user has installed a vulnerable browser. A webpage may exploit a vulnerability to make the browser download and run arbitrary software on the computer. Or the user visits a dubious website, which starts malware on the computer. The malicious code may reside not on the website's own pages but in the ad blocks that the website receives from other sites.

To protect against such an attack:
— Install updates for web browsers
— Do not allow the users to start arbitrary browsers
— Do not allow the users to open arbitrary webpages
— Do not allow the users to open known infected websites
— Do not allow web browsers to start child processes

002.11.6: Kaspersky Endpoint Security and Management. 1. How Kaspersky Endpoint Security protects computers. Unit II. Protection management

The user looks for free software on the internet: for example, a handy free utility, a pirated version of an expensive program, or a key generator for an expensive application. The user finds, downloads, and starts it on the computer. The program turns out to be malicious.

Maybe the user has downloaded a seemingly appropriate file from an 'internet garbage can'. Attackers may modify the code of free software, or hack an official download page and replace the software.

To protect against such an attack:
— Do not allow the users to open arbitrary webpages
— Do not allow the users to open websites that are known for distributing malware
— Scan the files that the users download from the internet with protection software

The user receives an email message that looks like a message from a bank, shop, delivery service, partner, acquaintance, etc. The message prompts the user to click a link or open an attachment. The link leads to a malicious or phishing website. The attachment contains malware or a document with embedded malware.

To protect against such an attack:
— Filter email with antispam tools (software that protects against anonymous bulk unsolicited emailing)
— Scan files attached to email messages with protection software
— Do not allow the users to save executable files from email messages to the drive
— Protect against links in the messages the same way as against attacks via web browsers

The user copied a program from a shared folder on another computer and started it. The program turned out to be malicious.

The user opened a document from a shared folder on another computer. The document contained malicious code.

To protect against such an attack:
— Install protection applications on all computers
— Scan the files that the users copy, open or start

There is a vulnerability in the operating system on the user's computer. If a special sequence of packets is sent to a specific port, one can make the vulnerable service run the code contained in these packets. An infected computer will also attack the vulnerable service on all other computers in the network and infect them.

To protect against such an attack:
— Install security updates for operating systems
— Prohibit connections to the ports that the users do not need for their work
— Use protection software to check inbound packets for network attacks

The user connected a USB flash drive to the computer to copy documents. The USB flash drive contains malware that uses a vulnerability in the operating system to run automatically on the computer.

Or the user simply connected a USB flash drive to find out what it contains, found a document or an executable file with an intriguing name and decided to open it. The file turned out to be infected.

To protect against such an attack:
— Do not allow the users to connect unknown (or any) USB flash drives to the computers
— Scan files on USB drives with protection software
— Install security updates for operating systems

The user connected a USB device that looks like a USB flash drive to the computer. The device registered with the operating system both as a USB flash drive and as a keyboard. After a while, the device started to execute commands on the computer by sending keystrokes.

To shield from such an attack, use protection against BadUSB attacks.

All threat prevention methods can be grouped as follows:

Eliminate potential attack targets
— Install security updates for operating systems
— Install updates for web browsers and other programs
— Do not allow the users to start arbitrary browsers
— Do not allow the users to open arbitrary webpages
— Do not allow web browsers to start child processes
— Do not allow the users to save executable files from email messages to the drive
— Prohibit connections to the ports that the users do not need for their work
— Do not allow the users to connect unknown (or any) USB flash drives to the computers

Use protection tools to detect attacks
— Install protection applications on all computers
— Scan the files that the users copy, open or start
— Scan files on USB drives with protection software
— Scan files attached to email messages with protection software
— Scan files that the users download from the internet with protection software
— Do not allow the users to open known infected websites
— Do not allow the users to open websites that are known for distributing malware
— Use protection software to check inbound packets for network attacks
— Use protection against BadUSB attacks

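As an added illustration of the "do not allow web browsers to start child processes" measure in the list above (example code written for this page, not part of the course and not Kaspersky Endpoint Security code), the following detection rule runs over a constructed log of process-creation events and reports every child process that a web browser starts. The caveat it handles: browsers legitimately spawn helper processes of their own image (renderers, content processes), so same-image children are ignored. The log format, the browser names and the command lines are assumptions.

```python
# Added example, not Kaspersky code: flag web browsers that start child processes.
# Event format (CSV with a header), browser names and the sample events are assumptions.
import csv
import ntpath
from io import StringIO

# Browser images whose child processes the rule reports (assumed set).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

# Constructed sample log of process-creation events: timestamp, parent image,
# child image, command line. Not real telemetry.
SAMPLE_LOG = r"""ts,parent,child,cmdline
2024-01-01T10:00:01,C:\Windows\explorer.exe,C:\Program Files\Google\Chrome\chrome.exe,chrome.exe
2024-01-01T10:00:02,C:\Program Files\Google\Chrome\chrome.exe,C:\Program Files\Google\Chrome\chrome.exe,chrome.exe --type=renderer
2024-01-01T10:00:05,C:\Program Files\Google\Chrome\chrome.exe,C:\Windows\System32\cmd.exe,cmd.exe /c whoami
2024-01-01T10:01:00,C:\Program Files (x86)\Microsoft\Edge\msedge.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe -File C:\Temp\run.ps1
2024-01-01T10:02:00,C:\Program Files\Microsoft Office\winword.exe,C:\Windows\System32\cmd.exe,cmd.exe /c dir
2024-01-01T10:03:00,C:\Program Files\Mozilla Firefox\firefox.exe,C:\Program Files\Mozilla Firefox\firefox.exe,firefox.exe -contentproc
"""


def image_name(path: str) -> str:
    """Lower-cased file name of an image path (Windows separators)."""
    return ntpath.basename(path).lower()


def browser_child_alerts(log_text: str) -> list:
    """One alert per event where a browser starts a child process that is not
    another instance of the same browser image."""
    alerts = []
    for row in csv.DictReader(StringIO(log_text)):
        parent = image_name(row["parent"])
        child = image_name(row["child"])
        if parent not in BROWSERS:
            continue          # the rule is scoped to browsers only
        if child == parent:
            continue          # renderer / content helper of the same browser
        alerts.append({"ts": row["ts"], "parent": parent, "child": child,
                       "cmdline": row["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in browser_child_alerts(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["parent"]} -> {alert["child"]}: {alert["cmdline"]}')
```

Run on the sample log, the rule reports two events (chrome.exe starting cmd.exe and msedge.exe starting powershell.exe); the renderer and content-process children are not reported, and the winword.exe event is outside the rule's scope. The same structure serves as a blocking rule when wired to a process-control component instead of a log.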
No protection solution can protect against 100% of threats. Criminals may always be half a step ahead, since they:
— Register new domains and websites
— Write new malware
— Use zero-day vulnerabilities for which updates have not been issued yet

Even if protection works properly, there is always a risk that a computer may be infected with new malware. If protection is not installed on some computers, if databases are outdated on some computers, or if important protection components are disabled, the risk grows.

Let us study the harm that malware can cause and how it can be reduced.

Ransomware encrypts documents and other files on the computer and in shared folders, and demands money in return for the encryption key. The key is stored on the criminals' server. The malware either downloads the key from the server, encrypts the files and deletes the key; or generates a random key, sends it to the server, encrypts the files and deletes the key. Either way, ransomware connects to its server over the network.

To protect against such an attack:
— Regularly back up all important files
— Do not allow unknown programs to establish and accept network connections
— Use protection tools that detect encryption heuristically

Malware looks for non-encrypted or poorly encrypted passwords in software settings and in files on the drive. Malware intercepts everything the user enters, takes screenshots and records video through the web camera. The program sends all this to the criminals' server.

To protect against such an attack:
— Do not allow unknown programs to establish and accept network connections
— Use protection tools that detect spying heuristically

Malware writes itself to the USB flash drives connected to a computer and to shared folders over the network. Malware infects neighboring computers via vulnerable services. Malware sends spam and participates in DDoS attacks at a control center's command.

To protect against such an attack:
— Do not allow unknown programs to establish and accept network connections
— Use protection tools that heuristically detect dangerous activities

Criminals often use very simple files, which do not pose any direct threat, to get around protection solutions and infect a computer. But these files may download additional malicious files, which can encrypt documents, steal passwords, etc.

To protect against such an attack: do not allow unknown programs to establish and accept network connections.

Malware makes other programs hang or malfunction, makes the computer run very slowly or restart spontaneously, or causes a blue screen.

To protect against such an attack: regularly scan the files on the computer with protection software.

The loss reduction methods may be grouped similarly to the attack prevention methods:

Eliminate potential attack targets
— Do not allow unknown programs to establish and accept network connections

Use protection tools to detect attacks
— Use protection solutions that heuristically detect dangerous activities
— Regularly scan files on the computer with protection software

Kaspersky Endpoint Security and Kaspersky Security Center components do everything to protect against attacks and prevent losses. Each method maps to the component that implements it:

Eliminate potential attack targets
— Install security updates for operating systems: Kaspersky Security Center (see course KL 009)
— Install updates for web browsers and other programs: Kaspersky Security Center (see course KL 009)
— Do not allow the users to start arbitrary browsers: Application Control
— Do not allow the users to open arbitrary webpages: Web Control
— Do not allow web browsers to start child processes: Behavior Detection, Exploit Prevention
— Do not allow the users to save executable files from email messages to the drive: Mail Threat Protection
— Prohibit connections to the ports that the users do not need for their work: Firewall
— Do not allow the users to connect unknown (or any) USB flash drives to the computers: Device Control
— Do not allow unknown programs to establish and accept network connections: Firewall

Use protection solutions to detect attacks
— Install protection applications on all computers: Kaspersky Security Center (see Unit I)
— Scan the files that the users copy, open or start: File Threat Protection, Host Intrusion Prevention
— Scan files on USB drives with protection software: Virus scanning
— Scan files attached to email messages with protection software: Mail Threat Protection
— Scan files that the users download from the internet with protection software: Web Threat Protection
— Do not allow the users to open known infected and phishing websites: Web Threat Protection
— Do not allow the users to open websites that are known for distributing malware: Web Threat Protection
— Use protection software to check inbound packets for network attacks: Network Threat Protection
— Do not allow USB devices to automatically connect as a keyboard: BadUSB Attack Prevention
— Use protection solutions that heuristically detect dangerous activities: Behavior Detection, Host Intrusion Prevention
— Regularly scan files on the computer with protection software: Virus scanning

This list includes all components of Kaspersky Endpoint Security. All of them either decrease the attack surface, or actively scan for, detect and block threats.

Kaspersky Endpoint Security neither backs up files on the computer, nor protects against spam. To protect against spam, use Kaspersky products for mail systems:
— Kaspersky Security for Microsoft Exchange Servers
— Kaspersky Secure Mail Gateway

To ensure that Kaspersky Endpoint Security components reliably protect against threats, it is important to regularly update the signature databases.

It is also important to allow Kaspersky Endpoint Security to use the Kaspersky Security Network.

Kaspersky Security Network (KSN) is a cloud-assisted technology that helps increase the accuracy of verdicts for all protection components.

Kaspersky Security Network servers collect information about files on the protected computers and analyze it using machine learning technologies: when a file was detected for the first time, whether it is widespread and in which regions, whether the users of personal versions of Kaspersky Security trust the file, whether the file is signed with a certificate and which one, etc. Suspicious files are additionally analyzed by Kaspersky experts.

After that, Kaspersky Security Network assigns a trust group to the file:
— Trusted
— Low Restricted
— High Restricted
— Untrusted

For each trust group, Kaspersky analysts have developed scenarios that describe what files are allowed to do and what is prohibited, depending on the assigned trust group (reputation).

This way, Kaspersky Endpoint Security components learn which programs are to be allowed to connect to the network, which programs may install drivers, and which of the trusted programs are to be scanned especially thoroughly, because they may contain vulnerabilities.

Kaspersky Security Network contains a huge database of checksums of known good files. Kaspersky receives checksums of reference files from many known software manufacturers, such as Microsoft, Adobe, Google, etc. That is why Kaspersky Endpoint Security components know for sure which files are not infected and do not hamper the respective programs.

Besides files, Kaspersky Security Network forms reputations for webpages and software activity patterns.
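As an added example (written for this page; it is not Kaspersky's code and not how KSN is actually implemented), the following toy model shows the decision the paragraphs above describe: telemetry about a file (how long it has been known, how widespread it is, who signed it, whether home-product users trust it, and vendor-supplied reference checksums) is reduced to one of the four trust groups, and each group carries a scenario of what the program may do. The field names, the thresholds, the reference checksums and the scenario table are assumptions.

```python
# Added example, not Kaspersky code: a toy model of assigning a KSN trust group
# from file telemetry and of the per-group scenario that follows from it.
# Field names, thresholds, reference checksums and the scenario table are assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class TrustGroup(Enum):
    TRUSTED = "Trusted"
    LOW_RESTRICTED = "Low Restricted"
    HIGH_RESTRICTED = "High Restricted"
    UNTRUSTED = "Untrusted"


# Assumed scenarios: what a program in each group may do.
SCENARIOS = {
    TrustGroup.TRUSTED:         {"connect_network": True,  "install_driver": True},
    TrustGroup.LOW_RESTRICTED:  {"connect_network": True,  "install_driver": False},
    TrustGroup.HIGH_RESTRICTED: {"connect_network": False, "install_driver": False},
    TrustGroup.UNTRUSTED:       {"connect_network": False, "install_driver": False},
}

# Constructed reference data: checksums supplied by software vendors as known good,
# and checksums of files already confirmed as malicious. The values are made up.
KNOWN_GOOD = {"sha256:0001-vendor-reference-installer"}
KNOWN_BAD = {"sha256:ffff-confirmed-malware"}


@dataclass
class FileTelemetry:
    sha256: str
    days_since_first_seen: int     # how long the cloud has known the file
    prevalence: int                # number of hosts that reported it
    signer: Optional[str]          # certificate subject, None if unsigned
    trusted_signer: bool = False   # signer is a known vendor (assumed flag)
    user_trust: float = 0.0        # share of home-product users who trust it (assumed)


def assign_trust_group(t: FileTelemetry) -> TrustGroup:
    """Assumed rules; the real service combines ML models with analyst review."""
    if t.sha256 in KNOWN_BAD:
        return TrustGroup.UNTRUSTED
    if t.sha256 in KNOWN_GOOD:
        return TrustGroup.TRUSTED
    if t.trusted_signer and t.days_since_first_seen >= 7:
        return TrustGroup.TRUSTED
    if t.days_since_first_seen >= 30 and t.prevalence >= 1000 and t.user_trust >= 0.9:
        return TrustGroup.LOW_RESTRICTED
    if t.signer is not None and t.prevalence >= 50:
        return TrustGroup.LOW_RESTRICTED
    # New, rare or unsigned files: the most restrictive group short of a malware verdict.
    return TrustGroup.HIGH_RESTRICTED


def may(t: FileTelemetry, activity: str) -> bool:
    """Whether the scenario for the file's trust group allows the activity."""
    return SCENARIOS[assign_trust_group(t)][activity]


if __name__ == "__main__":
    tool = FileTelemetry("sha256:abcd-new-tool", days_since_first_seen=1, prevalence=3, signer=None)
    print(assign_trust_group(tool).value, may(tool, "connect_network"))
```

The same checksum evaluated at different points in time illustrates why a reputation can change: a brand-new unsigned tool lands in High Restricted and may not connect to the network, and the same file, once it has been seen on many hosts for a month and is trusted by users, moves to Low Restricted. A known-bad checksum stays Untrusted even if it carries a trusted signature, which is why the denylist check comes first.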

If Kaspersky detects a new threat, checksums of all malicious files and webpages reach the Kaspersky Security Network in a split second and become available to all products that use the Kaspersky Security Network. Products learn about new threats via Kaspersky Security Network a few hours earlier than through the threat signatures that are downloaded with updates.

The data that Kaspersky Endpoint Security sends to Kaspersky Security Network is depersonalized and anonymous. The complete list can be found in the Kaspersky Security Network agreement that the administrator must accept prior to enabling Kaspersky Security Network in the Kaspersky Endpoint Security policy.

To be able to use Kaspersky Security Network without sending anything to Kaspersky, there is the Kaspersky Private Security Network service.

In this unit, we will study:
— Which settings are available in the Kaspersky Endpoint Security components
— Their default values
— How parameters influence the components' behavior
— When and how to modify settings to improve computer protection or user experience

Most Kaspersky Endpoint Security settings are located in the policy. Some settings, for example, scheduled virus scanning, data wiping or updates, are set up in tasks.

002.11.6: Kaspersky Endpoint Security and Management. 2. How to configure file protection. Unit II. Protection management

File Threat Protection intercepts all file operations (such as reading, copying, executing) using the klif.sys driver and scans the files being accessed. By default, if the file is infected, the operation is blocked, and the file is either disinfected or deleted.

Except for the vulnerabilities that allow malware to load code directly into memory, all attacks save malicious files on the computer drive. And even those attacks that start by executing code in memory can load only a small amount of code there and use it as the first step of the attack, which then downloads additional modules as files and saves them to the drive.

Even if Mail Threat Protection and Web Threat Protection are disabled, the user will not be able to start an infected file received by email or downloaded from the internet, because a file cannot be started either from an attachment or from a webpage without being saved to the hard drive; and when the file is saved on the disk, it will be detected and blocked by File Threat Protection.

This makes File Threat Protection an important component of Kaspersky Endpoint Security.

File Threat Protection scans for malware using:

— Malware signatures. A signature database is a denylist of known malicious files. If a file does not match any of the database records, signature analysis considers it to be clean. A complete denylist (where each known malicious or infected file is described thoroughly) would require too much space; that is why a signature database is optimized and narrowed down to a size that can be easily downloaded to a computer. Each record identifies a family of similar threats.

— Heuristic analysis (emulation of execution). This helps detect polymorphic malicious files, which change their code during execution and are therefore difficult to detect using signatures. File Threat Protection starts executable files in a special isolated environment and checks whether the code changes in memory to match a signature.

— KSN checks. File Threat Protection sends the file checksum to KSN and receives an answer: whether such a file is found in the KSN database, and what reputation it has. The KSN database is a huge list of all files (to be more exact, their checksums) known to Kaspersky. This list includes files with the untrusted reputation; it is a denylist, and File Threat Protection blocks such files. There are also files with a trusted reputation; this is an allowlist that includes known harmless files of operating systems and widespread software. File Threat Protection does not block these files even if they match malware signatures. The KSN verdict has higher priority, because KSN contains more information than a local signature database.

To receive a verdict from KSN, a computer needs a connection to the internet, which may be unreliable. For this reason, Kaspersky Endpoint Security does not rely upon KSN entirely, and also uses the signature database and emulation.

KSN verdicts may change with time. A file that has just appeared on the internet has no reputation at first. Eventually, when KSN accumulates data about who uses this file, where and how, its reputation changes and may become trusted or untrusted. For better protection, Kaspersky Endpoint Security could check the KSN verdict at each file operation. But that would scale up the computer's network traffic. Besides, sending a request and receiving an answer takes time, which depends on the quality of the communication channel.

To avoid creating extra traffic and delaying file operations, Kaspersky Endpoint Security saves KSN verdicts in a local cache. Each verdict has its lifetime. For new files, it is short, which makes Kaspersky Endpoint Security re-check the verdict often. For files that have long been known, this time is long.

To avoid slowing down the computer, File Threat Protection does not scan all files; it scans only those files that may infect a computer. For example, File Threat Protection does not scan archives, because files must be extracted prior to being started. Either the user extracts the file from the archive, or the operating system does this for the user. Either way, File Threat Protection will scan the extracted files (and block them if necessary).

Scan the files that are not scanned by File Threat Protection with virus scan tasks. Virus scanning checks files within the specified scope and uses the same methods as File Threat Protection.
e d

Windows Subsystem for Linux (WSL) is a compatibility layer that permits running native Linux command-line
tools within Windows 10 or Windows Server 2016. As with Docker containers, the main challenge that
WSL addresses is to provide a cross-platform tool for developers, especially web developers and those
who work with open source code.

WSL advantages over standard virtualization are simple installation and less resource consumption
compared to a hypervisor or a virtual machine.

In Windows Server 2016, an administrator can deploy the following Linux systems: Ubuntu, openSUSE
Leap42, SUSE Linux Enterprise Server.

Windows Subsystem for Linux is the wsl.exe application (in older versions of Windows, bash.exe) that
you can run via the Windows command prompt (cmd.exe). After running Bash.exe, the Linux version
selected and installed in advance will start: Ubuntu, openSUSE Leap42, or SUSE Linux Enterprise
Server.

Windows Subsystem for Linux translates Linux system calls into Windows system calls, which permits
deploying full-fledged Linux tools on Windows without emulation and virtualization.

WSL permits you to:

— Run common command-line tools such as grep, sed, awk
— Run Bash shell scripts and GNU/Linux command-line applications including vim, emacs and tmux
— Use programming languages: JavaScript / node.js, Ruby, Python, C / C++, C#, Go, etc.
— Use services: sshd, MySQL, Apache, lighttpd
— Install additional software using your own GNU/Linux distribution package manager
— Invoke Windows applications using a Unix-like command-line shell
— Invoke GNU/Linux applications on Windows

The Windows Subsystem for Linux compatibility layer shares the file system with the main operating
system where it is installed, and File Threat Protection will intercept all file operations executed in the
Linux subsystem.

If a malicious file is compiled or run in the Linux environment, File Threat Protection of Kaspersky
Endpoint Security will detect and delete it.
File Threat Protection, as well as Kaspersky Endpoint Security in general, solves two tasks:

— Prevent malware from causing harm
— Not hamper the user or legitimate software

The more files File Threat Protection scans, the better it solves the former task, and the worse the latter,
and vice versa. The default settings balance protection and performance. By adjusting the settings, the
administrator can tilt the balance one way or the other.



You can adjust Kaspersky Endpoint Security settings in the policy. The settings of all components are
located in the respective sections: File Threat Protection, in Essential Threat Protection on the
Application Settings tab.

Let us first talk about the parameters that should not be changed and explain why.

Files that may harm a computer are mainly executable files, but not only. Microsoft Office documents may
contain executable code (macros), which can be malicious. Even documents without code, some graphic
files for example, may use vulnerabilities of the applications that open them and make these programs
run a part of the file as code.

By default, File Threat Protection scans files by format. This way, Kaspersky Endpoint Security reliably
protects the computer, because it scans all dangerous files, but does not slow down the computer, since
it does not scan all the files.

Scanning files by extension only is dangerous. For example, a malicious Word document may have the
extension .123, which is not included in the scan list, but the user can open it nevertheless via its shortcut
menu (Open with). Also, scanning by extension is not significantly faster than scanning by format. The
user will not perceive any difference in performance.
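The difference between scanning by extension and scanning by format, as an added example that is not part of the course materials or Kaspersky's code: the real type of a file is read from its leading bytes (its magic number), so a Word document saved with the extension .123 is still recognised as an Office document. The extension subset, the format family names and the sample files are constructed for the example; the leading-byte signatures are the well-known ones for those file types.

```python
# Added example, not Kaspersky code: scan decision by extension vs. by format.
# The extension list is a constructed subset of the page's table; the format
# family names ("ole2_office" etc.) are ours, the leading-byte signatures are
# the real well-known magic numbers of those file types.
import os

SCANNED_EXTENSIONS = {"com", "exe", "dll", "scr", "doc", "docx", "docm",
                      "xls", "xlsx", "ppt", "pdf", "js", "vbs"}

# (leading bytes, format family)
MAGIC_SIGNATURES = [
    (b"MZ", "pe_executable"),                               # exe, dll, scr, cpl, ...
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2_office"),   # legacy doc, xls, ppt, msg
    (b"PK\x03\x04", "zip_container"),                       # docx/xlsx/pptx, jar, plain zip
    (b"%PDF", "pdf"),
]

# Format families that can carry executable content and are therefore scanned.
INFECTABLE_FORMATS = {"pe_executable", "ole2_office", "ooxml_office", "pdf"}


def detect_format(data: bytes) -> str:
    """Classify a file by its leading bytes; 'unknown' if nothing matches."""
    for magic, fmt in MAGIC_SIGNATURES:
        if not data.startswith(magic):
            continue
        if fmt == "zip_container":
            # Office Open XML documents are ZIP containers whose first entry is
            # [Content_Types].xml; a plain ZIP archive stays an archive, which
            # File Threat Protection does not scan.
            return "ooxml_office" if b"[Content_Types].xml" in data[:256] else "zip_archive"
        return fmt
    return "unknown"


def scan_by_extension(name: str) -> bool:
    """Decision of an extension-only policy: look at the name, never at the content."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    return ext in SCANNED_EXTENSIONS


def scan_by_format(data: bytes) -> bool:
    """Decision of a by-format policy: look at the content, never at the name."""
    return detect_format(data) in INFECTABLE_FORMATS


# Constructed sample files: only the leading bytes matter for the demonstration.
SAMPLE_FILES = {
    "setup.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "report.123": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56,   # Word doc, odd extension
    "quarter.docx": b"PK\x03\x04" + b"\x00" * 26 + b"[Content_Types].xml" + b"\x00" * 16,
    "photos.zip": b"PK\x03\x04" + b"\x00" * 26 + b"IMG_0001.jpg" + b"\x00" * 16,
    "notes.txt": b"Meeting notes: nothing to see here.\n",
}


def compare_policies(files=SAMPLE_FILES) -> dict:
    """For each file return (scanned by extension?, scanned by format?)."""
    return {name: (scan_by_extension(name), scan_by_format(data))
            for name, data in files.items()}


def missed_by_extension_only(files=SAMPLE_FILES) -> list:
    """Files an extension-only policy would skip although their format is infectable."""
    return [name for name, (by_ext, by_fmt) in compare_policies(files).items()
            if by_fmt and not by_ext]


if __name__ == "__main__":
    for name, verdict in compare_policies().items():
        print(f"{name:14} by extension: {verdict[0]!s:5} by format: {verdict[1]}")
    print("missed by extension-only scanning:", missed_by_extension_only())
```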



If the administrator wants to improve performance of slow computers, it is better to start with exclusions for the
programs with which users work. How to create exclusions is explained at the end of this section.

The list of scanned extensions:

com        Program executable file whose size does not exceed 64 KB
exe        Executable file, self-extracting archive
sys        System file of Microsoft Windows
prg        Text of the dBase™, Clipper or Microsoft Visual FoxPro® application, a program from the WAVmaker suite
bin        Binary file
bat        File that contains one or more commands
cmd        Command file of Microsoft Windows NT (a counterpart of a bat file for DOS), OS/2
dpl        Packed Borland Delphi library
dll        Dynamic-link library
scr        Microsoft Windows screen saver file
cpl        Control panel module in Microsoft Windows
ocx        Microsoft OLE object (Object Linking and Embedding)
tsp        Time-shared program
drv        Device driver
vxd        Driver of a Microsoft Windows virtual device
pif        File with information about a program
lnk        Link file in Microsoft Windows
reg        File for importing and exporting Microsoft Windows registry keys
ini        Configuration file that contains settings for Microsoft Windows, Windows NT and some other software
cla        Java class
vbs        Visual Basic script
vbe        Video BIOS Extension
js, jse    JavaScript source text
htm        Hypertext document
htt        Microsoft Windows hypertext template file
hta        Hypertext program for Microsoft Internet Explorer
asp        Active Server Pages script
chm        Compiled HTML file
pht        HTML file with built-in PHP scripts
php        Script built into an HTML file
wsh        Microsoft Windows Script Host file
wsf        Microsoft Windows script
the        Screensaver file for Microsoft Windows 95 desktop
hlp        Help file in Win Help format
eml        Microsoft Outlook Express message
nws        Microsoft Outlook Express news message file
msg        Microsoft Mail email message
plg        Email message
mbx        Extension for a saved message of Microsoft Office Outlook
doc*       Microsoft Office Word document, such as:
  doc      Microsoft Office Word document
  docx     XML-based Microsoft Office Word 2007 document
  docm     Macro-enabled Microsoft Office Word 2007 document
dot*       Microsoft Office Word 2007 document template, such as:
  dot      Microsoft Office Word document template
  dotx     Microsoft Office Word 2007 document template
  dotm     Microsoft Office Word 2007 macro-enabled document template
fpm        Database program, a startup file of Microsoft Visual FoxPro
rtf        Document in the Rich Text Format
shs        Windows Shell Scrap Object Handler file
dwg        AutoCAD drawing database
msi        Microsoft Windows Installer package
otm        VBA project for Microsoft Office Outlook
pdf        Adobe Acrobat document
swf        Shockwave Flash object
jpg, jpeg  Graphic file for storing compressed images
emf        Enhanced Metafile. The next generation of Microsoft Windows operating system metafiles. EMF files are not supported in 16-bit Microsoft Windows
ico        Icon
ov?        Microsoft Office Word executable files
xl*        Microsoft Office Excel documents and files, such as:
  xla      Microsoft Office Excel add-in
  xlc      Microsoft Office Excel chart
  xlt      Microsoft Office Excel template
  xlsx     Microsoft Office Excel 2007 workbook
  xltm     Microsoft Office Excel 2007 macro-enabled workbook
  xlsb     Microsoft Office Excel 2007 workbook in binary (non-XML) format
  xltx     Microsoft Office Excel 2007 template
  xlsm     Microsoft Office Excel 2007 macro-enabled template
  xlam     Microsoft Office Excel 2007 macro-enabled add-in
pp*        Microsoft Office PowerPoint documents, such as:
  pps      Microsoft Office PowerPoint slide
  ppt      Microsoft Office PowerPoint presentation
  pptx     Microsoft Office PowerPoint 2007 presentation
  pptm     Microsoft Office PowerPoint 2007 macro-enabled presentation
  potx     Microsoft Office PowerPoint 2007 presentation template
  potm     Microsoft Office PowerPoint 2007 macro-enabled presentation template
  ppsx     Microsoft Office PowerPoint 2007 slide show
  ppsm     Microsoft Office PowerPoint 2007 macro-enabled slide show
  ppam     Microsoft Office PowerPoint 2007 macro-enabled add-in
md*        Microsoft Office Access documents, such as:
  mda      Microsoft Office Access workgroup
  mdb      Microsoft Office Access database
sldx       Microsoft Office PowerPoint 2007 slide
sldm       Microsoft Office PowerPoint 2007 macro-enabled slide
thmx       Microsoft Office 2007 theme

Heuristic analysis of Kaspersky Endpoint Security starts a program executable in an isolated environment
and watches what it does. First of all, heuristic analysis helps detect polymorphic malware, which can
change its code during execution.

When criminals email new malware, or upload a new version of a malicious module to an infected
computer, they may generate a file with a unique checksum for each computer or addressee. Signatures
and even Kaspersky Security Network will not help in this case. But heuristic analysis clearly shows that
all these versions restore the same malicious code when running.
Most of the files on the computer are rarely changed, and if File Threat Protection scans only new and
changed files, it places almost no load on the computer. In the first few days, while all files are new for
Kaspersky Endpoint Security, the user may feel that the computer works slower. But File Threat
Protection stops influencing performance soon.

Do not turn off the option Scan only new and changed files in File Threat Protection; turning it off will slow
down the computer.

The NTFS file system (and its successor ReFS) logs when files are changed, and guarantees integrity of
these records. Therefore, on NTFS drives, Kaspersky Endpoint Security simply checks the file
modification date.

The FAT32 file system cannot log the modification date; neither can it protect the modification date against
unsolicited changes. Malware may modify a file, and then assign any modification date to it. For this
reason, Kaspersky Endpoint Security saves checksums of scanned files into a special database for
FAT32 drives. When the file is accessed next time, Kaspersky Endpoint Security re-calculates the
checksum and compares it with the saved one. If the sums differ, the file has been changed, and File Threat
Protection scans it.

Scanning new files only once is dangerous. If malware gets on the computer before Kaspersky Endpoint
Security receives its signatures, File Threat Protection will scan it, consider it clean, and will not scan it
at the next start.

To prevent this, even if the option Scan only new and changed files is enabled, File Threat Protection
scans all new files repeatedly, at least twice, or even several times.

For this purpose, Kaspersky Endpoint Security stores the release time of the signatures with which the file
was scanned first and last. If a file has been scanned only once, or if the current version of signatures was
issued less than 24 hours after the version with which the file was scanned for the first time, File Threat
Protection re-scans the file.
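One way to model the bookkeeping described in the last few paragraphs, as an added example that is not Kaspersky's code: on NTFS/ReFS the journaled modification time is trusted, on FAT32 a stored SHA-256 is recomputed, and a file keeps being re-scanned until it has been checked at least twice and with signatures released at least 24 hours after those of its first scan. The timeline values, file contents and the string reasons returned are constructed for the example.

```python
# Added example, not Kaspersky code: the "Scan only new and changed files"
# decision as the page describes it. The ScanRecord fields, timeline values and
# file contents are constructed for the demonstration.
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

RESCAN_WINDOW = timedelta(hours=24)


@dataclass
class ScanRecord:
    """What the local database remembers about one already-scanned file."""
    mtime: datetime               # modification time seen at the last scan
    sha256: Optional[str]         # content checksum, stored for FAT32 volumes only
    first_sig_release: datetime   # release time of the signatures used at the first scan
    last_sig_release: datetime    # release time of the signatures used at the last scan
    scan_count: int = 1


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def file_changed(rec: ScanRecord, fs: str, mtime: datetime, data: bytes) -> bool:
    """NTFS/ReFS: compare the journaled modification time.
    FAT32: the date can be forged, so compare the stored checksum instead."""
    if fs in ("ntfs", "refs"):
        return mtime != rec.mtime
    return sha256_of(data) != rec.sha256


def needs_scan(rec: Optional[ScanRecord], fs: str, mtime: datetime,
               data: bytes, sig_release: datetime) -> str:
    """Return why the file must be scanned now, or '' if it may be skipped."""
    if rec is None:
        return "new file"
    if file_changed(rec, fs, mtime, data):
        return "changed since last scan"
    if rec.scan_count < 2:
        return "scanned only once"
    if sig_release - rec.first_sig_release < RESCAN_WINDOW:
        return "signatures less than 24h newer than first scan"
    return ""


def record_scan(rec: Optional[ScanRecord], fs: str, mtime: datetime,
                data: bytes, sig_release: datetime) -> ScanRecord:
    """Update the database after a scan found the file clean."""
    digest = sha256_of(data) if fs == "fat32" else None
    if rec is None:
        return ScanRecord(mtime, digest, sig_release, sig_release, 1)
    rec.mtime, rec.sha256 = mtime, digest
    rec.last_sig_release = sig_release
    rec.scan_count += 1
    return rec


def ntfs_timeline() -> list[str]:
    """One unchanged file on NTFS, checked at successive signature releases
    (hours after the first access). Returns the decision taken each time."""
    t0 = datetime(2024, 1, 1, 9, 0)
    data, mtime = b"constructed sample file", t0 - timedelta(days=3)
    rec, decisions = None, []
    for hours in (0, 2, 10, 30, 60):
        sig = t0 + timedelta(hours=hours)
        why = needs_scan(rec, "ntfs", mtime, data, sig)
        decisions.append(why or "skipped")
        if why:
            rec = record_scan(rec, "ntfs", mtime, data, sig)
    return decisions


def fat32_forged_date() -> str:
    """Malware rewrites a file on FAT32 but restores its old modification date.
    The stored checksum no longer matches the recomputed one, so the file is scanned."""
    t0 = datetime(2024, 1, 1, 9, 0)
    mtime = t0 - timedelta(days=30)
    rec = record_scan(None, "fat32", mtime, b"original contents", t0 - timedelta(days=5))
    rec = record_scan(rec, "fat32", mtime, b"original contents", t0 - timedelta(days=2))
    return needs_scan(rec, "fat32", mtime, b"tampered contents", t0)


if __name__ == "__main__":
    print("NTFS decisions:", ntfs_timeline())
    print("FAT32 with forged date:", fat32_forged_date())
```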
What if signatures for a new threat are not issued within 24 hours? This almost never happens. Besides
signatures, Kaspersky Endpoint Security uses data from Kaspersky Security Network, which
contains the most recent information about threats.

To further reduce the risk, use a virus scan task to check all files on the computer, including those that
have not been changed, and which File Threat Protection scanned already.

Application Settings | Essential Threat Protection | File Threat Protection | Scan archives

Enabled                 File Threat Protection scans files within RAR, ARJ, ZIP, CAB, LHA, JAR, and
                        ICE archives. For this purpose, File Threat Protection unpacks an archive into a
                        temporary folder or into memory

Disabled (by default)   File Threat Protection neither unpacks archives nor scans files within them

To scan archived files, File Threat Protection unpacks the archive, which consumes considerable
computer resources. Archives are not dangerous as they are. A malicious file cannot be started from the
archive. The user either unpacks the archive manually, or the operating system does this for the user.
Anyway, a malicious file gets on a drive prior to run, and File Threat Protection scans it as any other file.

Do not enable the Scan archives option in File Threat Protection. It will slow down the computer, but will
not improve protection.

Application Settings | Essential Threat Protection | File Threat Protection | Scan distribution packages

Enabled                 File Threat Protection scans files within self-extracting archives and installation
                        packages, such as MSI. For this purpose, File Threat Protection unpacks an
                        archive into a temporary folder or into memory

Disabled (by default)   File Threat Protection does not scan self-extracting archives and installation
                        packages

Installation packages are executable files, and File Threat Protection scans their executable part anyway.
However, a large part of data within an installation package consists of archived files of the program to be
installed by the package. To scan them, File Threat Protection extracts them from the package, similar to
archives.

Installation packages do not need to be scanned by File Threat Protection. If the user copies a package, it
cannot infect the computer. If the user starts a package, it will extract files itself and save them on the
drive, where they will be scanned by File Threat Protection.

Application Settings | Essential Threat Protection | File Threat Protection | Scan Office formats

Enabled (by default)    File Threat Protection scans executable parts not only within Microsoft Office
                        documents, but also in the objects embedded into them

Disabled                File Threat Protection scans executable parts only within Microsoft Office
                        documents, and skips embedded objects

Microsoft Office files have a complicated structure. We can even say that there is a file system with
additional files within a Microsoft Office document. When the user pastes an Excel chart into a Word
document, Microsoft Office can add the whole Excel document to the Word document, with all its data,
formulas and macros.

Do not disable scanning for office documents. Not scanning objects embedded in office documents is
dangerous. They may contain malicious macros, which Office programs can start without saving to the
drive.

If the administrator selects to scan archives, whenever the user tries to copy or open an archive, the
operation will not start until File Threat Protection unpacks the archive and scans all files within it.
Meanwhile, the user cannot do anything with the archive.

If the administrator wants to scan archives, the user experience can be improved by changing additional
archive scan settings.

Do not unpack large         File Threat Protection will scan only those archives that are smaller than the
compound files              Maximum file size

Maximum file size           8 MB by default

Unpack compound files       File Threat Protection will delay operations with small archives only. If the
in the background mode      user opens a large archive, File Threat Protection will allow access, but at
                            the same time will unpack the archive and scan the files. The user will not
                            have to wait. Large archives are those that are larger than the Minimum file
                            size value

Minimum file size           Not specified by default. Meaning, if you select to unpack compound files
                            in the background, File Threat Protection will scan all archives in the
                            background mode


Malware detected by File Threat Protection should not be left unprocessed, and the settings that regulate
File Threat Protection actions should be locked. The optimal choice is to disinfect, and if disinfection is
impossible, delete infected files. Most malicious files cannot be disinfected, because they contain
nothing but the infected code.

Before a file is disinfected or deleted, its copy is placed into the Backup repository. In case a file contains
important information or is deleted because of a false positive, it can be recovered.

If the Remediation Engine component is enabled in Advanced Threat Protection, Kaspersky Endpoint
Security not only deletes malicious files, but also rolls back their actions (1).

(1) The rollback procedure is described in Chapter 4 of this Unit.

First, find out whether File Threat Protection actually slows down the computer (or a program):

— Find the computer that works slowly
— Disable the policy on it (see the section How to Protect Kaspersky Endpoint Security from the
User)
— Stop (disable) File Threat Protection
— Check whether the computer (program) works any faster

Even if programs work faster on the computer without File Threat Protection, do not leave File Threat
Protection disabled. Configure exclusions for applications. Try various exclusion types:

— If all program files are located in a single folder, exclude the program’s folder from scanning
— If the program works with files in various folders or in a temporary folder, make the executable
file of the program trusted

Never exclude the operating system’s temporary folder from scanning. Malware is often started
from it.

— If the program works with files in shared folders, try to disable scanning of network drives
— For the programs that start on a specified schedule outside business hours, pause File
Threat Protection while the program runs

Exclusions are configured in the Kaspersky Endpoint Security policy: open Application Settings | General
Settings and click the Exclusions link.

To set up exclusions for folders, click the Scan exclusions link. They will apply to all protection
components. A scan exclusion consists of four attributes:

— File or folder—the name of the file or folder to which the exclusion applies. The name of the
object may include environment variables (%systemroot%, %userprofile% and others) and also
“*” and “?” wildcard characters
— Object name—the name of the threat to be ignored (usually corresponds to a malware name),
which can also be specified using wildcard characters
— Object hash—checksum (SHA-256) of the file to which the exclusion applies
— Protection components—the list of protection components to which the rule applies

Of the four attributes, any of the first three and the last one must be specified. You can create a scan
exclusion for a file or folder without specifying the threat type; then the selected components will ignore
any threats in the specified file or folder. Alternatively, you can create a scan exclusion for a threat type,
for example, for the UltraVNC remote administration application, so that the selected protection
components would not respond to this threat regardless of where it is detected.

All attributes can also be specified simultaneously. For example, the exclusion list contains a set of rules
for widespread remote administration tools: UltraVNC, RAdmin, etc. In these rules, both the threat type
and the object (typical location of the executable file) are specified. According to such an exclusion,
Kaspersky Endpoint Security will permit running a remote administration application from the Program
Files folder, but if the user runs it from another folder, Kaspersky Endpoint Security will consider it a
threat.
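The way the four exclusion attributes combine, as an added example that is not Kaspersky's code: a small matcher in which a rule applies only to the components it lists and only when every attribute it specifies (path, threat name, hash) matches, so a remote administration tool is tolerated under Program Files but not elsewhere. Environment variable values, component labels, detection names and file contents are constructed, and "*" is simplified to match across path separators.

```python
# Added example, not Kaspersky code: matcher for the four scan-exclusion
# attributes (File or folder, Object name, Object hash, Protection components).
# Environment values, component labels, threat names and file contents are
# constructed; "*" here matches any characters including "\" (simplification).
from __future__ import annotations

import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the computer's environment variables.
ENV = {"systemroot": r"C:\Windows",
       "programfiles": r"C:\Program Files",
       "userprofile": r"C:\Users\alice"}


def expand(path: str) -> str:
    """Substitute %name% environment variables in an exclusion path."""
    for name, value in ENV.items():
        path = path.replace(f"%{name}%", value)
    return path


@dataclass(frozen=True)
class Exclusion:
    path: Optional[str] = None          # File or folder (env vars, "*" and "?" allowed)
    threat_name: Optional[str] = None   # Object name (wildcards allowed)
    sha256: Optional[str] = None        # Object hash
    components: frozenset = frozenset({"File Threat Protection"})  # Protection components

    def __post_init__(self):
        # "any of the first three and the last one must be specified"
        if not (self.path or self.threat_name or self.sha256) or not self.components:
            raise ValueError("exclusion needs an object (path, name or hash) and a component")

    def matches(self, component: str, file_path: str, threat: str, file_sha256: str) -> bool:
        if component not in self.components:
            return False
        if self.path is not None:
            pattern, target = expand(self.path).lower(), file_path.lower()
            in_folder = target.startswith(pattern.rstrip("\\") + "\\")   # a folder covers its contents
            if not (fnmatch.fnmatchcase(target, pattern) or in_folder):
                return False
        if self.threat_name is not None and not fnmatch.fnmatchcase(threat.lower(), self.threat_name.lower()):
            return False
        if self.sha256 is not None and self.sha256.lower() != file_sha256.lower():
            return False
        return True


def is_excluded(rules, component: str, file_path: str, threat: str, data: bytes) -> bool:
    """True if any rule tells the given component to ignore this detection."""
    digest = hashlib.sha256(data).hexdigest()
    return any(r.matches(component, file_path, threat, digest) for r in rules)


# Constructed rule set mirroring the page's three kinds of exclusion.
CLEAN_TOOL = b"constructed clean in-house tool"
RULES = [
    # threat type + typical location: UltraVNC is tolerated only under Program Files
    Exclusion(path=r"%programfiles%\UltraVNC\*", threat_name="RemoteAdmin*UltraVNC*"),
    # folder only: ignore any threat inside this application's data folder
    Exclusion(path=r"%userprofile%\AppData\Local\LineOfBusinessApp"),
    # hash only: one specific file that produced a false positive
    Exclusion(sha256=hashlib.sha256(CLEAN_TOOL).hexdigest(),
              components=frozenset({"File Threat Protection", "Virus scan"})),
]

FTP = "File Threat Protection"


def demo() -> dict:
    """Decisions for a handful of constructed detections."""
    vnc = "RemoteAdmin.Win32.UltraVNC.a"   # constructed detection name
    generic = "Trojan.Generic"              # constructed detection name
    return {
        "vnc_in_program_files": is_excluded(RULES, FTP, r"C:\Program Files\UltraVNC\winvnc.exe", vnc, b"x"),
        "vnc_in_downloads": is_excluded(RULES, FTP, r"C:\Users\alice\Downloads\winvnc.exe", vnc, b"x"),
        "other_threat_in_vnc_folder": is_excluded(RULES, FTP, r"C:\Program Files\UltraVNC\x.exe", generic, b"x"),
        "lob_app_folder": is_excluded(RULES, FTP, r"C:\Users\alice\AppData\Local\LineOfBusinessApp\cache\a.dll", generic, b"x"),
        "false_positive_by_hash": is_excluded(RULES, "Virus scan", r"D:\tools\tool.exe", generic, CLEAN_TOOL),
        "same_hash_other_component": is_excluded(RULES, "Web Threat Protection", r"D:\tools\tool.exe", generic, CLEAN_TOOL),
    }


if __name__ == "__main__":
    for case, excluded in demo().items():
        print(f"{case:28} excluded: {excluded}")
```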

If the computer runs resource-consuming programs, their operation can be slowed down by File
Threat Protection. This is especially true for programs that perform numerous file operations, for
example, backup copying or defragmentation. To avoid slowdowns, make these applications trusted.

For this purpose, in the exclusion settings window, add the executable file to the Trusted applications
list. Within the Application window, specify the path to the executable file, and select the Do not scan
opened files action. The path may contain environment variables and “*”, “?” wildcards.

re
or
e d
pi
co
be

You can merge the lists of scan exclusions and trusted applications when inheriting a policy or policy
profile. To achieve this, in the upper-level (parent) policy, in the Scan Exclusions, select the checkbox
Merge values when inheriting. Notice that the Inherit settings from parent policy option must be
enabled in the child policy.

As a result, you will be able to add other exclusions to those inherited from the parent policy when editing
the child policy or policy profile. This allows you to flexibly configure exclusions for a specific group or set
of devices.

Inherited exclusions cannot be deleted or modified in a child policy; you can only add more exclusions. If
you clear the checkbox Merge values when inheriting in the parent policy, inherited exclusions will not
be removed from the child policy automatically, but you will be able to delete or edit them.

Sometimes, exclusions for trusted programs are much easier and faster to set up in the local Kaspersky
Endpoint Security interface. To make them work, on the Scan Exclusions page of the policy, select the
checkbox Allow use of local exclusions.

The main drawback of this approach is that exclusions added through the local interface are not
transferred to the policy and only work on the computer on which they were made.

You can export local exclusions to a file and then import them into a policy. The exclusion import mechanism is
currently only available in the MMC administration console.
Not scanning network drives at all is dangerous. Prior to disabling network drive scanning, make sure that
protection applications are installed on all network computers. Do not disable network drive scanning “just
in case”; do it only if it solves the users’ issues.

To exclude network drives from scanning, edit the protection scope in the File Threat Protection settings.

By default, the Protection scope of File Threat Protection includes:

— All removable drives
— All hard drives
— All network drives

In other words, all drives from which malware can be run. The protection scope permits adding individual
drives and folders instead of drive groups. However, disabling any standard scan scope considerably
decreases the protection level.

Policy settings must be enforced, meaning, locked. Unlocked settings are not applied to the computers.

Since all locks are closed in a policy by default, the administrator may not even notice them. While you
edit settings without touching the locks, all settings remain required and are enforced on the computers.

However, you should remember that if locks are open, the configured settings are not applied. If you have
changed settings in a policy, and they have not changed on the computers, check the locks in the policy.
How can antimalware scanning help if File Threat Protection scans all dangerous files anyway? Virus
Scan:

— Prevents users from spreading archived malware
— Updates KSN caches and information about files’ checksums, after which File Threat
Protection can scan fewer files
— Scans files that have not been changed. File Threat Protection does not scan such files,
which may be dangerous

Virus scan tasks check objects using the same methods as File Threat Protection: signature and heuristic
analysis and KSN. The difference is that File Threat Protection checks files on the fly when they are
accessed, while virus scan tasks inspect the files by schedule or on demand.

File Threat Protection works alongside the user. The more actively the user’s applications work, the more files
File Threat Protection scans and the more resources it consumes. Therefore, the File Threat
Protection settings are optimized to ensure protection against immediate threats only. If the user copies
an archive, there is no immediate infection risk, and the archive does not need to be scanned.

Virus scan tasks can be started during off hours, when more resources are available and a more
thorough scan can be performed. That is why the scan task will wait for the answer from KSN before
returning the final verdict, regardless of the signature and heuristic analysis results. Also, the task may
check the objects that are excluded from the scan scope of File Threat Protection—archives,
installation packages, files in non-infectable formats, etc.

A virus scan task can be configured to check the processes in the memory and be scheduled to run after
each successful database update.
Configure malware scan settings in virus scan tasks. The administrator is to manually create a virus scan
task in the Managed devices group.

Starting with Kaspersky Security Center version eleven, the Quick Start Wizard does not create a Quick
Virus Scan task anymore. By default, a special local background Scan_IdleScan task scans computers
for viruses.

Background scanning is less resource-intensive compared to an ordinary virus scan task. It is performed
while the computer is locked, does not display any notifications to the user; however, it does not reset the
Virus scan has not been performed in a long time status. You cannot modify the scan settings or scope of this
task.

If you want to use a custom virus scan task, we recommend that you disable background scanning. To
disable the Scan_IdleScan task, in the properties of the Kaspersky Endpoint Security policy, open
Application Settings | Local Tasks | Background scan and clear the check box Enable background
scan.

Scan scope is a list of paths to folders and files that are to be scanned by the task. System variables are
allowed (for example, %systemroot%), as well as * and ? wildcards in the file or folder names. For
folders, you can select whether to scan all the contents, including subfolders. If subfolders are not
selected to be scanned, the object icon is marked with a little red "minus" sign.

In addition to files and directories, the following scan objects can be specified:

— My email—Outlook data files (.pst and .ost)
— Kernel Memory—the kernel memory of the operating system
— Running processes and Startup Objects—the memory area allocated for processes and
executable files of applications that start at the operating system start. Additionally, if this object
is selected in the task properties, rootkit scanning will also be performed (rootkits are hidden
objects of the file system)
— Disk boot sectors—boot sectors of hard and removable drives
— System Backup—System Volume Information folders
— All removable drives—the removable drives connected to the computer at the moment
— All hard drives—computer hard drives
— All network drives—all network drives connected to the computer

Create a task that scans the whole computer weekly or every other week. If you cannot find a proper time
for such a task, scan at least the critical areas:

— Kernel Memory
— Running processes and Startup Objects
— Disk boot sectors
— %systemroot%\
— %systemroot%\system\
— %systemroot%\system32\
— %systemroot%\system32\drivers\
— %systemroot%\syswow64\
— %systemroot%\syswow64\drivers\

By default, scan tasks are started on the client computers under the Local System account. If the scan
scope includes network drives or other objects with restricted access, the task will not be able to scan
them. To solve this problem, specify an account that has the necessary rights within the task properties.

Virus scan tasks can use any regular schedule: every N days, weekly, monthly. They can also be started
once: either automatically at the specified time or manually.

In addition, special schedule types are available:

— After application update—the task will start after new threat signatures are downloaded and
applied. This is convenient for the scanning of memory and other locations where active threats
may appear
— Start in N minutes after application startup—the task will start a few minutes after the
launch of Kaspersky Endpoint Security. This is another opportunity for scanning the most
vulnerable computer areas
— On completing another task—a universal schedule that permits arranging tasks into a chain.
From the practical viewpoint, the best approach would be to link virus scan to update completion,
but there is already a special schedule option for that purpose



There is also an option that permits running missed tasks. If a computer is turned off at the scheduled
time, the task will start as soon as the computer is switched on. Use this option cautiously. If virus
scanning starts in the morning when the user turns on the computer, scanning will hamper the user.

The mode Use automatically randomized delay for task starts makes more sense for an update task
than for a virus scan task. See Unit IV for details.

The Additional task settings area contains a few other useful settings:

— Activate the device before the task is started through Wake-On-LAN (min)—the option
allows you to schedule scan start for the night time or weekends without needing to worry
whether the computer is on. However, to use this feature, you need to enable its support in the
BIOS settings of the target computers
— Turn off device after task completion—the option may supplement the previous one. If
scanning is scheduled for the night or weekend, the computer can be turned off afterwards
— Stop task if it has been running longer than (min)—the option allows guaranteed task
completion before the working day begins, so that it does not interfere with the user’s activity

On servers, perform virus scanning on weekends, when they are less loaded.

On workstations, try to find a time when computers are on, but virus scanning will not hamper the users:

— Quick virus scanning can be performed during the lunchtime
— Full scanning should run at night. Explain to the users which day of the week they should not shut down their computers

If you cannot arrange that the users do not turn off their computers, use Wake-On-LAN to power on the computers at night and run the virus scan task. If this capability cannot be used either, use so-called idle scanning.

To enable idle scanning, open the Application Settings tab in the task properties and under Advanced Settings, select Scan when the computer is idling. In this mode, virus scanning will be performed only when the computer is locked; while the user is working, the task will be Paused.

Full computer scan in the idle mode may take a few days or even a couple of weeks, but it is better than
not to scan a computer at all.
If Kaspersky Endpoint Security informs about a threat in a file that is known to be clean, it is a false
positive.

False positives hamper work considerably. Kaspersky very thoroughly tests new signatures on a huge
number of files of operating systems and popular software to prevent false positives. During a scan,
Kaspersky Endpoint Security checks files against Kaspersky Security Network and ignores threats in the
files that KSN considers to be trusted.

False positives happen extremely rarely, and usually concern files of infrequent software, for example, in-house (home-made) software.

If File Threat Protection or a virus scan task finds a threat in a clean file, create an exclusion for it:
1. Open the trusted zone settings in the Kaspersky Endpoint Security policy: Application Settings | General Settings | Exclusions | Scan exclusions

2. Add the file that gets a false positive to the Scan exclusions list. Select the File or folder checkbox. Click the link select file or folder in the lower part of the window to specify the complete path to the file. Use environment variables, for example, %ProgramFiles%

It is safer to create an exclusion for a specific threat that Kaspersky Endpoint Security detected erroneously rather than exclude the file entirely. For this purpose:

3. Select the checkbox Object name in the exclusion window. Click the link enter object name in the lower part of the window to specify the threat name. You can find the threat name in the description of a threat detection event by Kaspersky Endpoint Security.
What to do if a file for which you need to configure an exclusion may be installed into different directories
on different computers?

If the same file version is used on all computers, use the file checksum:

1. Open the trusted zone settings in the Kaspersky Endpoint Security policy: Application Settings | General Settings | Exclusions | Scan exclusions

2. Add the file that gets a false positive to the Scan exclusions list. Select the Object hash checkbox. Specify the file checksum in the Object hash field in the lower part of the window. You can calculate the file's checksum and add it manually, or copy it from a detection event.

Kaspersky Endpoint Security calculates checksums of the scanned files and displays them in the
detection events.
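Before an Object hash exclusion is rolled out, it is worth confirming two things: that the hash quoted in the detection event really belongs to the file you intend to exclude, and that every computer carries the same build of that file (a different build has a different hash and the exclusion would silently not apply). The following Python code is an added example, not part of Kaspersky Endpoint Security; it assumes the Object hash is SHA-256, which you should confirm by comparing the length and value with the hash shown in a detection event. The file contents and paths in the demonstration are constructed.

```python
import hashlib
import os
import tempfile


def file_sha256(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in chunks so large executables need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_event_hash(path: str, event_hash: str) -> bool:
    """True if the file on disk is the one a detection event refers to.
    Hex digests are compared case-insensitively, since consoles differ in case."""
    return file_sha256(path) == event_hash.strip().lower()


def same_version(paths) -> bool:
    """True when every listed copy has the same checksum, i.e. one Object hash
    exclusion covers all of them; False means a path or certificate exclusion fits better."""
    return len({file_sha256(p) for p in paths}) == 1


def demo() -> dict:
    """Constructed scenario: two identical copies of a program file and one older build."""
    with tempfile.TemporaryDirectory() as tmp:
        a = os.path.join(tmp, "host-a", "tool.exe")
        b = os.path.join(tmp, "host-b", "tool.exe")
        c = os.path.join(tmp, "host-c", "tool.exe")
        for path, content in ((a, b"hello"), (b, b"hello"), (c, b"hello v2")):
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(content)
        # Hash as it might be pasted from a detection event (upper-case hex).
        event_hash = "2CF24DBA5FB0A30E26E83B2AC5B9E29E1B161E5C1FA7425E73043362938B9824"
        return {
            "hash_a": file_sha256(a),
            "same_a_b": same_version([a, b]),
            "same_a_c": same_version([a, c]),
            "event_match": matches_event_hash(a, event_hash),
        }
```

In practice you would point `same_version` at copies collected from several computers (for example, from an administrative share) and only use Object hash when it returns True.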
What to do if you configured an exclusion, but a new program version has been issued with new names
of the folder and executable file, which also gets a false positive?

If file names are similar, use a path mask. In a mask, the asterisk “*” stands for an arbitrary sequence of
symbols, and the question mark “?” stands for a single arbitrary symbol. For example, the file*.exe mask
matches all files whose names start with “file” and have the .exe extension.
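The same "*" and "?" wildcards are used later in this unit for Trusted addresses and for the trusted web addresses of Web Threat Protection, so it pays to be precise about what they match. The Python matcher below is an added example, not Kaspersky Endpoint Security code: it implements exactly the two rules stated above (an asterisk is any sequence of characters, including an empty one; a question mark is exactly one character) and compares case-insensitively, which is an assumption made here for Windows file names. How the product treats path separators inside a mask is not covered on this page; check the product documentation before relying on a mask that spans folders. The sample file names are constructed.

```python
def mask_match(mask: str, name: str) -> bool:
    """True if name matches mask: '*' stands for any (possibly empty) run of
    characters and '?' for exactly one character. Comparison is case-insensitive
    (an assumption made here for Windows file names)."""
    m, n = mask.lower(), name.lower()
    i = j = 0          # current positions in mask and name
    star = -1          # index of the last '*' seen in the mask
    resume = 0         # position in name where that '*' should try to match next
    while j < len(n):
        if i < len(m) and (m[i] == "?" or m[i] == n[j]):
            i += 1
            j += 1
        elif i < len(m) and m[i] == "*":
            star, resume = i, j
            i += 1
        elif star != -1:
            # Mismatch after a '*': let the star absorb one more character and retry.
            resume += 1
            i, j = star + 1, resume
        else:
            return False
    while i < len(m) and m[i] == "*":   # trailing stars match the empty string
        i += 1
    return i == len(m)


def filter_by_mask(mask: str, names) -> list:
    """Names from the list that the mask would exclude from scanning."""
    return [n for n in names if mask_match(mask, n)]


# Constructed sample: file names of several program versions on one computer.
SAMPLE_NAMES = ["file.exe", "file2.exe", "fileSetup.EXE", "file.exec", "notes.txt"]
```

Running `filter_by_mask("file*.exe", SAMPLE_NAMES)` shows the practical difference between the two wildcards: `file*.exe` picks up `file.exe`, `file2.exe` and `fileSetup.EXE` but not `file.exec`, whereas `file?.exe` would match `file2.exe` only.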

If file names are entirely different, but all files are signed with a certificate, place the certificates in the certificate store on the computers where the program is used and configure Kaspersky Endpoint Security to trust these certificates:

1. Open the trusted zone settings in the Kaspersky Endpoint Security policy: Application Settings | General Settings | Exclusions

2. Select the checkbox Use trusted system certificate store and select a store. The default choice is Enterprise Trust

3. Place the certificate(s) with which program files are signed in the selected store on the client computer. You can use, for example, Active Directory group policies for this.

Each computer has the user's certificate stores and the computer's certificate stores. Kaspersky Endpoint Security trusts only the certificates that are located in the computer's store.

For in-house (home-made) software, you can even use self-signed certificates.

File Threat Protection scans files on the drive that the user, operating system, and programs access. To avoid slowing down the computer, File Threat Protection scans only those files that pose an immediate threat. However, it does not prevent the user from copying archived malicious files.

Virus scan tasks scan all files and delete malicious files that are passively stored on the computer, for
example, archived malicious files.

If you cannot figure out a suitable schedule for running the scan task, use idle scanning.

If File Threat Protection slows down the computer or programs:

— Schedule virus scanning. It updates the cache of scanned files and permits File Threat Protection not to scan them repeatedly if they have not been changed
— Configure exclusions for applications: For folders, executable files, or certificates
— If files (for example, user profiles) load slowly over the network, and protection is installed on network servers, do not scan network drives
— As a last resort, pause File Threat Protection while a resource-consuming program runs

Do not disable File Threat Protection. Schedule virus scanning on computers.

002.11.6: Kaspersky Endpoint Security and Management. 3. How to configure protection against network threats
Unit II. Protection management

A network is one of the main ways of malware spreading. That is why network protection and network traffic scanning are so important for computer security. In Kaspersky Endpoint Security, the Mail Threat Protection and Web Threat Protection components are responsible for anti-malware scanning of network traffic:

Mail Threat Protection | Deletes malicious code from email messages and attachments; renames potentially dangerous attachments
Web Threat Protection | Blocks attempts to download malicious files; does not permit visiting malicious and phishing websites

Kaspersky Endpoint Security intercepts network traffic using an NDIS filter. The driver intercepts outbound connections from the computer programs and transfers packets to the network protection components. Kaspersky Endpoint Security detects the connection protocol and transfers packets to the corresponding component:

HTTP, HTTPS, FTP | Web Threat Protection, Web Control
SMTP, POP3, POP3S, IMAP, NNTP | Mail Threat Protection



Other packets are sent directly to the programs and applications for which they are destined.

Kaspersky Endpoint Security can scan secure connections (SSL/TLS)
Kaspersky Endpoint Security can intercept only connections to the specified ports rather than all of the outbound connections. To configure this, in the Kaspersky Endpoint Security policy, open Application Settings | General Settings | Network Settings and in the Monitored ports area, select Monitor selected network ports only. Click the link 39 ports selected and specify the ports that are to be controlled.

If you do not know which ports a program uses, select the checkbox Monitor all ports for specified applications, and add the path to the program's executable file to the list.

Standard ports and programs are specified in the list of Monitored ports. If non-standard ports or programs are used, add them to the list.



During the installation, Kaspersky Endpoint Security creates a self-signed certificate—Kaspersky Endpoint Security Personal Root Certificate—and saves it to the local Trusted Root Certification Authorities store. At each start, KES checks whether the certificate is still there, and if not, restores it.

To scan encrypted traffic (SSL/TLS), Kaspersky Endpoint Security replaces the certificate. Kaspersky Endpoint Security intercepts an outbound connection from an application to a server, receives the server's certificate, generates a similar session certificate signed with Kaspersky Endpoint Security Personal Root Certificate, and gives it to the client application. This permits intercepting the symmetric encryption key and decrypting the whole communication session.

The web browser will not show any warnings because Kaspersky Endpoint Security Personal Root
Certificate is located in the trusted certificate store.

Encrypted traffic scanning is enabled by default and pertains to the following components:

— Web Threat Protection
— Mail Threat Protection
— Web Control


SSL/TLS protocols support three authentication modes: Mutual authentication, anonymous client–server authentication (only the server presents a certificate), and complete anonymity.

For example, when the user connects over https to a web server, in most cases, the second authentication mode is used: Anonymous client–server authentication. In this case, the certificate is easy to replace.

If the first authentication mode, mutual authentication, is used, for example, when a banking application client or cloud storage client rejects the substituted certificate, the encrypted connection will not be scanned and Kaspersky Endpoint Security will return an error.

With the default settings, if errors arise when scanning a secure connection, the domain will be
automatically added to the list of Domains with scan errors and its whole traffic will be skipped without
scanning. An individual list is drawn up for each computer; it is stored locally and is not sent to the
Kaspersky Security Center. To consult its contents, in the local KES interface, open Protection
components | Network settings; then click the link Domains with scan errors.

If necessary, you can reset the local lists of Domains with scan errors. For this purpose, in the Kaspersky Endpoint Security policy, open Application Settings | General Settings | Network settings, under When encrypted connection scan errors occur, select Block connection, save the changes, and wait for the policy to be applied to the computers. Then restore the initial value of the parameter When encrypted connection scan errors occur: Add domain to exclusions, and apply the policy again. As a result, the local lists of Domains with scan errors will be cleaned out.

If something is wrong with the web server's certificate, for example, it has expired, the web browser will not be able to inform the user about this, because the KES certificate is used within the session; this is expected. It is KES that informs the user about connecting to a domain with an untrusted certificate and prompts whether to connect to the domain.

If necessary, the administrator can prohibit connecting to domains with untrusted certificates. For this purpose, set the option When visiting a domain with an untrusted certificate to Block connection.

Most websites use secure connections, and we recommend that you do not disable scanning secure connections entirely. If secure connection scanning hampers a program, configure exclusions.

In the Kaspersky Endpoint Security policy, open Application Settings | General Settings | Network settings. There are two links for configuring exclusions in the Encrypted connections scan area: Trusted addresses and Trusted applications.

If secure connection scanning hampers opening a website, add the website address to the trust list:

1. Click the link Trusted addresses
2. Add the website address to the list. To specify a mask, use “*” and “?” wildcards

The certificate will not be substituted for the listed websites.

If you have a program that conflicts with secure connection scanning, disable encrypted traffic scanning
for it:

1. Click the link Trusted applications

2. Add the application executable file to the Applications tab: Specify the full path to the file. You can use environment variables, such as %SystemRoot%.

3. Select the checkbox Do not scan network traffic, then select Encrypted traffic only, and clear the other checkboxes

4. If servers with which a program works have permanent addresses (or a range of addresses) and ports, specify them in the lower part of the window: It is safer this way

This exclusion applies to the Mail Threat Protection, Web Threat Protection, and Web Control components.

The Mail Threat Protection component protects from email threats. Messages are intercepted at the protocol level (POP3, SMTP, IMAP and NNTP), and by embedding into Microsoft Office Outlook (MAPI).

Mail Threat Protection detects and deletes malware using malware signatures, heuristic analysis and Kaspersky Security Network. Additionally, Mail Threat Protection can block or rename email attachments that match the specified masks.

Mail Threat Protection changes the subject of infected messages. The action taken is described in the message subject.

Security settings, among other options, determine the Protection scope. Mail Threat Protection can scan either

— Incoming and outgoing messages
— Incoming messages only

To ensure minimal computer protection, you can scan incoming messages only. The scan of outgoing messages can prevent inadvertent sending of an archived infected file and save the embarrassment. Additionally, you can select to scan outgoing messages if you want to block attachments of certain types, for example, music or videos.

By default, incoming and outgoing messages are scanned. You can modify the protection scope only in the MMC Administration Console.
The Advanced settings more precisely define the protection scope:

— Scan POP3, SMTP, NNTP, and IMAP traffic—enables scanning of mail and news messages transferred over the specified protocols
— Connect Microsoft Office Outlook extension—scan objects² when they are received, read and sent at the level of the Microsoft Office Outlook client.
— Scanning at the protocol level operates independently of the mail clients used. However, messages transferred over unsupported protocols (for example, through Microsoft Exchange or Lotus Notes servers) will not be scanned.
— Conversely, scanning at the mail client level works regardless of the way the message was received. However, the list of supported mail clients is rather limited.

These settings concern attached compound files.



If archives are attached, they can be unpacked and scanned. This behavior is controlled with the following settings:

— Scan attached archives—this setting allows the administrator to fully disable archive scanning. As a rule, it is better to leave this checkbox selected and to scan archives "on the fly" using Mail Threat Protection. It is much easier not to allow any infected archive to penetrate into the mail database than to remove it from the database later using a virus scan task.
— Scan attached Office formats

² Not only mail messages are scanned, but also the objects within Public folders and Calendar: any objects received over MAPI from the Microsoft Exchange storage.

You can disable these parameters only in the MMC Administration Console. Do not turn off these parameters. Malicious files are often spread in attached archives and office documents.

— Do not scan archives larger than NN MB—limits the volume of archives or office files to be scanned. Malware is rarely spread in big files. Enable this limitation to avoid waiting too long when receiving large compound files
— Limit the time for checking archives to NN seconds—this option implements protection against 'archive bombs' whose scanning requires a very long time and a lot of resources, which slows down the computer.

These settings concern only attached files. The administrator can:

— Disable filtering—let through all kinds of non-malicious attachments
— Rename specified attachment types³—is used by default and renames attachments of executable types (.exe, .bat, .cmd, etc.) This is a preventive measure against unknown malware. The user will not be able to start an attached file without consciously renaming it. If archive scanning is enabled, Mail Threat Protection will rename archived files with the specified extensions.
— This option can also be used to fight outbreaks of new malware. If names of the attachments used by the malware are known, they can be added to the list and then renamed so that the users are unable to open these attachments as regular files. Renaming can reliably prevent infection. At the same time, if a harmless attachment matches the specified mask, renaming would not cause any serious problems. The user can consult the administrator and receive instructions on how to rename the file back
— Delete specified attachment types—is a safe way to prevent infections, which can also be used to prevent exchange of files of certain types, for example, music or video files

³ Renaming is as follows: the last character of the extension is replaced with the underscore character, e.g., file.exe becomes file.ex_

If archive scanning is enabled, Mail Threat Protection will delete files of the specified types from attached archives.
By default, the list of filters contains masks of frequently used file extensions. In addition to the extensions, user-defined masks can contain parts of names. "*" and "?" wildcard characters can be used. The added masks will go to the beginning of the list and will be enabled immediately.
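To make the attachment filter concrete, the Python code below is an added example and not Kaspersky Endpoint Security code. It applies the two filter actions described above (rename per footnote 3, or delete) to attachments matched by mask, and, when archive scanning is on, applies the same rule to members of attached zip archives, nested ones included. The default mask list here is a constructed subset; the product's own list is longer, and its handling of other archive formats is not modelled. The attachments and archives used for the demonstration are constructed in memory.

```python
import fnmatch
import io
import zipfile

# Constructed subset of executable-type masks; the real default list is longer.
DEFAULT_MASKS = ["*.exe", "*.bat", "*.cmd", "*.com", "*.scr", "*.js", "*.vbs"]


def matches_any(name: str, masks) -> bool:
    """Case-insensitive mask match on the file name (archive members may carry a directory part)."""
    base = name.rpartition("/")[2]
    return any(fnmatch.fnmatchcase(base.lower(), m.lower()) for m in masks)


def renamed(name: str) -> str:
    """Footnote 3 rule: the last character of the extension becomes '_' (file.exe -> file.ex_)."""
    head, sep, base = name.rpartition("/")
    stem, dot, ext = base.rpartition(".")
    if not dot or not ext:
        return name                      # no extension: nothing to neutralise
    return f"{head}{sep}{stem}.{ext[:-1]}_"


def filter_attachment(name: str, data: bytes, masks=DEFAULT_MASKS,
                      action: str = "rename", scan_archives: bool = True):
    """Apply the attachment filter to one attachment.
    Returns (new_name, new_data), or None when action == 'delete' removed it.
    The name is checked first; otherwise, if the content is a zip archive and
    scan_archives is set, every member is filtered the same way (recursively)."""
    if matches_any(name, masks):
        return None if action == "delete" else (renamed(name), data)
    if scan_archives and zipfile.is_zipfile(io.BytesIO(data)):
        return name, _filter_zip(data, masks, action, scan_archives)
    return name, data


def _filter_zip(data: bytes, masks, action: str, scan_archives: bool) -> bytes:
    """Rebuild the archive with renamed members, or without the deleted ones."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.is_dir():
                continue
            kept = filter_attachment(info.filename, src.read(info), masks, action, scan_archives)
            if kept is not None:
                dst.writestr(kept[0], kept[1])
    return out.getvalue()


# Helpers for building and inspecting constructed test archives.
def make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in members.items():
            z.writestr(name, body)
    return buf.getvalue()


def zip_names(data: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return sorted(z.namelist())


def zip_member(data: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name)
```

Note the order of the checks: a mask decides on the attachment's name before its content is opened, so with archive scanning disabled an archived executable passes through untouched, which is exactly why the text recommends leaving Scan attached archives selected.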

Exclusions for Mail Threat Protection are configured the same way as for File Threat Protection: In Application Settings | General Settings | Exclusions | Scan exclusions. For the File or folder, you can specify a name or mask to exclude all matching files from scanning. The same exclusion must be configured for File Threat Protection, or else the received attachments will not be saved or opened.


The Web Threat Protection component performs two important functions:

— Analyzes addresses of webpages opened by the user or applications, and blocks access to phishing and malware-spreading sites
— Scans objects downloaded over HTTP, HTTPS, and FTP protocols, and blocks malicious files.

Four technologies are used for scanning the links:

— Check against the database of malicious web addresses—compares the address of the website to be opened with the addresses of the websites known for hosting malware, attacking computers, or other harmful activities
— Check against the database of phishing web addresses—is similar to the previous check, but against the database of sites on which phishing pages have been detected
— Heuristic analysis for detecting phishing links—analysis of the site contents for HTML code characteristic of phishing
— KSN check—addresses of the opened sites are checked against KSN. Dangerous links are blocked. The received answer is saved in the local cache and is used for further checks.

Downloaded files are scanned using all the available methods: signature and heuristic analysis, as well as KSN.

You can select the action to be taken against all detected dangerous objects:

— Block download, or
— Inform

You should select the Block download action in the policy and lock it so that the users are not able to download hazardous objects or visit hazardous websites.

When the user attempts to open a deny-listed website or download an infected object, a notification will be displayed in the browser explaining that the download was blocked by Kaspersky Endpoint Security.


If Web Threat Protection erroneously considers a website to be malicious or phishing, add its address to the trust list:

1. In Essential Threat Protection, click the link Web Threat Protection
2. Select the checkbox Do not scan web traffic from trusted web addresses
3. Add the website address to the list. To specify a mask, use "*" and "?" wildcards

The listed sites and the objects downloaded from them will not be scanned by Web Threat Protection.

If Web Threat Protection erroneously considers a file that a user downloads from a website to be malicious, make an exclusion for the file in Application Settings | General Settings | Exclusions. Apply the exclusion at least to Web Threat Protection, File Threat Protection and Virus scan.

Starting with version 10SP2, Kaspersky Endpoint Security uses a driver that does not disrupt the connection; it uses the operating system functions to receive access to all packets.

This interception method usually does not affect network applications⁴.

If you have a program that conflicts with the new interception method too, disable traffic interception for it:

1. In the Kaspersky Endpoint Security policy, open Application Settings | General Settings | Exclusions, and click the link Trusted applications.

2. Add the application executable file to the list of Trusted applications: Specify the full path to the file. You can use environment variables, such as %SystemRoot%.

3. Select the checkbox Do not scan network traffic and clear the other checkboxes

4. If servers with which a program works have permanent addresses (or a range of addresses) and ports, specify them in the lower part of the window: It is safer this way

This exclusion applies to the Mail Threat Protection, Web Threat Protection, and Web Control components.

⁴ In old versions of Kaspersky Endpoint Security (before 10 Service Pack 2), the driver that intercepts connections for network protection components acts as a local proxy. When a program establishes a connection to a remote server, Kaspersky Endpoint Security replaces the server address with its own address to receive the packets, and then establishes another connection to the remote server to send the scanned packets. The answer packets from the server are processed in a similar manner: First through the connection established by Kaspersky Endpoint Security, and then from Kaspersky Endpoint Security to the program. Some network programs are incompatible with this interception method.
The network components Mail Threat Protection and Web Threat Protection consume few resources. On the contrary, they enable File Threat Protection to scan fewer files, and improve computer performance.

Web Threat Protection is the only component that protects against phishing. It also protects against new threats that are spread through known malicious websites.

Do not turn off network protection components: it will not improve performance, but will affect protection.

If Web Threat Protection or Mail Threat Protection erroneously delete files, block safe websites or hamper network programs, configure exclusions:

— Exclusions for websites in the Web Threat Protection settings
— Exclusions for programs in General Settings | Exclusions
— Exclusions for ports in General Settings | Exclusions

002.11.6: Kaspersky Endpoint Security and Management. 4. How to configure protection against sophisticated threats
Unit II. Protection management


Criminals continually create new malicious files. Kaspersky is famous for detecting new threats and adding their signatures to the database very quickly. Checksums of malicious files get to Kaspersky Security Network even more promptly. However, criminals are still half a step ahead. How does Kaspersky Endpoint Security protect against new threats and especially against ransomware?

Ransomware that encrypts documents and demands money in return for the key causes immediate and direct harm.

Kaspersky Endpoint Security tries to detect and block malware, including new malware, at all stages of an attack:

What criminals do | How Kaspersky Endpoint Security responds
Criminals publish malware on websites. Often these websites have also been used previously | Web Threat Protection uses the database of known malicious websites and websites' reputation in KSN and prevents the users from opening them
Criminals email new malware | Mail Threat Protection renames executable attachments, including archived ones
Criminals use software vulnerabilities to run malicious code | Exploit Prevention blocks attempts to infect the machine through known and some unknown application vulnerabilities
New malware has different code to get around signature scanning, but behaves similarly to other malware | Behavior Detection monitors what a program does, and detects new malware by behavior
Encrypted data are statistically homogeneous, as if produced by a random-number generator. This makes them different from most ordinary files | Behavior Detection uses heuristic and statistical analysis as well as machine learning technologies to detect encryption in files
New malware does not have any reputation in KSN | Host Intrusion Prevention does not allow the programs without a reputation to use many of the operating system functions


New threats are mainly opposed by Behavior Detection, Exploit Prevention, and Host Intrusion
Prevention, with the help of Kaspersky Security Network.


Kaspersky Endpoint Security components can be broken down into three groups: Components that provide static protection, components that provide dynamic protection, and additional components.

The File / Web / Mail Threat Protection components provide static protection for a device: Scan objects before they run, block start and download of dangerous objects.

The Behavior Detection, Exploit Prevention, and Rollback components provide dynamic protection: Monitor objects' actions, analyze, detect, and block dangerous behavior.

The third group includes Host Intrusion Prevention, Firewall, and Network Attack Blocker: Their task is to decrease the attack surface on the protected devices by limiting untrusted programs' start and network access. This helps to partly take a load off dynamic and static protection.

Kaspersky Endpoint Security components scan objects using the antivirus engine, information from KSN, and various technologies. Some of the detection technologies are implemented on the client side, meaning, in the engine (signature analysis, heuristic analysis, behavior analysis). Some, on the Kaspersky side (expert analysis, machine learning, reputation service). KES receives only the results: Signature updates, program reputations, dangerous activity patterns, machine learning models, etc.

A detection event displays the name of the component and technology that pinpointed the threat.

In the local Kaspersky Endpoint Security interface, detection technologies display the source from which they received information about the threat:

— Automatic analysis—data about the threat were received from the automatic object analysis system. Object analysis is automated at Kaspersky. The automatic object analysis system processes all objects that Kaspersky receives, returns results and generates signatures. If the system cannot process an object, it sends it to virus analysts
— Expert analysis—data about the threat were added by Kaspersky virus analysts. Virus analysts are experts who develop not only threat signatures, but also dangerous activity patterns, machine learning models, etc.
— Behavior analysis—data about the threat were received upon analyzing the object's behavior
— Cloud analysis—data about the threat were received from the Astraea technology, a part of KSN. Astraea is a big data processing system; it receives data from all sources of KSN requests, analyzes them, assesses their validity, and evaluates the threat
— Machine learning—data about the threat were received from a machine learning model. A machine learning model is developed at Kaspersky. Then the model learns on a large array of data received from KSN and the Astraea system. Then KES uses the model along with other technologies when hunting for threats. Since the threat landscape changes continually, the model is regularly improved and learns incrementally on the Kaspersky side. Updates to the machine learning model are supplied to KES periodically the same way as threat signatures

The components and technologies that help to counter new malware not yet added to the signature databases or minimize their impact are called proactive defense.

Heuristic analysis, which we've studied already, is an example of a proactive defense technology. However, the main role in this protection aspect belongs to Behavior Detection, Exploit Prevention, Remediation Engine, Host Intrusion Prevention, and to some extent to the Control components and Firewall.

Behavior Detection performs several functions:

— Logs application activity for comparison with the behavior signatures database
— Detects malware and blocks their actions
— Protects shared folders against external encryption

Malware detection is the main task. For this purpose, Behavior Detection monitors program actions and compares them with dangerous activity patterns. The application activity log includes file access operations, established network connections, and system function calls.

The database of patterns is updatable, but updates are rarely issued for it. The efficiency of Behavior Detection almost does not depend on the databases' update regularity.

Behavior Detection settings are few: in substance, you can only enable or disable the entire component,
or protection of shared folders against external encryption.
If Behavior Detection detects malicious behavior, it stops the program, deletes its executable file, and
moves it into the Backup repository.

Other possible actions:

— Inform—do nothing, only log the detection of malicious activity
— Terminate the program—stop the malware and unload it from the memory
— Delete file—stop the program, delete the malicious file, and place its copy into the Quarantine
repository

If Protection of shared folders against external encryption detects an attempt to encrypt files in a shared
folder over the network, it blocks the write and delete operations for this session for 60 minutes. Then it
tries to restore non-encrypted file versions from a backup copy using the Remediation Engine
component.

Do not disable Behavior Detection. It protects against threats that other components may fail to counter.

To prevent false positives or improve performance, create exclusions.


Exploit Prevention—protects from various attacks (exploits) whose aim is to obtain administrative
permissions in the system or to conceal code execution.

Exploits typically use buffer overflow attacks: incorrectly formed parameters are passed to a vulnerable
program or service, which processes them and as a result executes part of the parameters as code.
Such attacks against system services running under the local system account enable criminals to
obtain administrative permissions on the computer.

Typically, malware tries to start itself under the administrator account as a result of such an attack. When
this option is enabled, start operations are monitored, and if a vulnerable program starts another
program without the user’s explicit command, the start is blocked.

Remediation Engine—rolls back actions taken by the programs deleted by File Threat Protection, Virus
Scan tasks, and Behavior Detection.

Actions that can be rolled back are changes made to the file system (creating, relocating, renaming files)
or to registry keys (the records created by the malware are deleted). Also, a backup copy of some files
and keys is created at the time of the system start, which permits rolling back to this version if malware
changes these files and keys. These special objects include the hosts and boot.ini files and the registry
keys responsible for starting programs and services during the system start.

This option also restores files encrypted by ransomware, which encrypts files on drives and in shared
folders and then demands a ransom.

Remediation Engine uses the application activity log written by the Behavior Detection component.


The main purpose of Host Intrusion Prevention is to regulate the activities of the running programs,
namely, access to the file system and registry as well as interaction with other programs.

Host Intrusion Prevention categorizes applications into trust groups, for which limitations are specified.
Every program receives one of the four trust levels:

— Trusted
— Low Restricted
— High Restricted
— Untrusted

Kaspersky Endpoint Security assigns a trust group to a program when it starts for the first time. The main
categorization tool is Kaspersky Security Network. If it is inaccessible or KSN lacks information about the
program, the assigned category depends on the policy settings:

— Trust group for applications that could not be added to existing groups—this setting
permits the administrator to select which category to assign to the programs that do not yet have
a reputation. The administrator can select High Restricted, Low Restricted or Untrusted
— Trust applications that have a digital signature—if this parameter is enabled, the programs
signed by trusted certificates will be automatically placed in the Trusted group

Trusted certificates are certificates that Kaspersky Security Network trusts.

The defined trust group is saved and used at each start of the program. The saved data may be revised
or deleted depending on the following settings:

— Update rights for previously unknown applications from KSN database—the program’s trust
group will be changed automatically if it appears in the KSN
— Delete rights for applications that are not started for more than N days—permits wiping out
the trust group information for the programs that have not been started for a long time.
The lifetime is adjustable

Host Intrusion Prevention limits interaction with other programs and operating system services depending
on the trust group. Generally, the default restrictions for trust categories are as follows:

Trusted: no limits
Low Restricted: almost everything is allowed, except for building into operating system modules and
    accessing recorders (web cams and microphones)
High Restricted: interaction with operating system modules and other programs is prohibited. A program
    is allowed to work only with its own segment of the system memory
Untrusted: the program is prohibited even from starting

Host Intrusion Prevention helps limit access to files, folders and registry keys on the hard drives. Host
Intrusion Prevention has a list of protected resources. They are grouped into two categories:

— Operating system
— Personal data

Each category has its subcategories and resource descriptions: paths to folders, file masks, registry key
masks. Initially, the list of protected resources contains groups of the most important files and registry
keys. For example, the Operating system category has a subcategory Startup settings, which lists all
registry keys related to startup.

Rights to access groups of resources are defined for operations: Read, Write, Remove and Create.

By default, Host Intrusion Prevention protects resources as follows:


                  Operating system                                      Personal data
Trusted           Full access                                           Full access
Low Restricted    Full access to everything except critical operating   Full access
                  system files; for critical operating system files,
                  Read only
High Restricted   Read only                                             Full access
Untrusted         No access                                             No access


Program limitations automatically apply to its child processes. If a program with limitations starts a trusted
program, this trusted program will also be restricted. If a trusted application is started by the user or
another trusted program, there will be no limits.

The administrator can modify limitations for any trust group and even for any individual program.
Do not change the Host Intrusion Prevention settings unless you know precisely what you are doing

To find the trust groups and their limitations:

1. Open the Advanced Threat Protection | Host Intrusion Prevention section in the Kaspersky
Endpoint Security policy
2. Click the link Application rights and protected resources
3. Switch to the Application rights tab
4. Select the trust group in the left pane
5. At the top of the right pane, in the drop-down list, select Rights

The administrator can limit or extend rights for a program having the selected reputation here. For
example, you can allow low restricted programs to access the web cam.

To view protected resources:

1. Open the Advanced Threat Protection | Host Intrusion Prevention section in the Kaspersky
Endpoint Security policy
2. Click the link Application rights and protected resources

To protect other files or registry keys, add them to the list. Keep your resources in an individual category.

To add your own protected resources:

1. Click the Add button to create your categories and resource descriptions
2. Configure access rights for the resource in the table on the right

To be informed when Host Intrusion Prevention blocks an operation, enable logging. For this purpose,
right-click an action in the table and select Log events. You can also log allow events of Host Intrusion
Prevention [5] to understand which programs work with a resource.

The limitations configured for a program are inherited by all its child processes, even if their executable
files are included in the Trusted group. Thus, programs with a lower trust level cannot evade the
prohibitions by using the privileges of programs having higher trust levels.


With the default settings, Host Intrusion Prevention protects the operating system and other software on
the computer against programs that have a bad reputation.

The administrator can also easily protect users’ files against unknown programs. This way, they will be
protected against ransomware that encrypts documents.

The idea is simple. Ransomware:

— Either already has a bad reputation in KSN, and Kaspersky Endpoint Security will not permit
starting it
— Or does not have any reputation in KSN, and Host Intrusion Prevention will make it Low
Restricted (by default) or High Restricted, depending on the administrator’s choice

Programs designed for working with documents, such as Microsoft Office, are well-known and have a
Trusted reputation.
[5] Be careful not to create an overwhelming stream of events from computers to the Administration Server. If you need to analyze access allow
events, save them only into the local log of Kaspersky Endpoint Security rather than sending them to the Administration Server.

Therefore, to protect documents, prohibit restricted programs from editing them. For this purpose:

1. In the Kaspersky Endpoint Security policy, open Advanced Threat Protection | Host Intrusion
Prevention and click the link Application rights and protected resources
2. Add documents to the list of protected resources in Host Intrusion Prevention: in the list on the
left, select the category Personal data | User files and add a new category named Documents
3. Include in the category document extensions, such as *.doc, *.docx, *.pdf, etc. For this purpose,
add File or folder to the category and specify the extension in the Path field. Repeat for all
extensions
4. Prohibit restricted applications from editing documents. For this purpose, select the category in
the list on the left and change the rights in the table on the right: prohibit High Restricted and Low
Restricted applications from Writing and Deleting
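As an added illustration (not Kaspersky’s code and not the product’s rules engine), the following Python model expresses three things from this chapter as one decision function: the default rights table for the Operating system and Personal data categories, the custom Documents category with Write and Delete prohibited for restricted programs (the procedure above), and the inheritance of limitations by child processes. The resource masks, the sample file paths and the assumption that a resource absent from the protected list is unrestricted are constructed for the example.

```python
import copy
import fnmatch
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Trust groups ordered from least to most trusted
TRUST_ORDER = ["Untrusted", "High Restricted", "Low Restricted", "Trusted"]
OPERATIONS = ("Read", "Write", "Remove", "Create")
FULL: Set[str] = set(OPERATIONS)
READ_ONLY: Set[str] = {"Read"}
NO_ACCESS: Set[str] = set()


@dataclass
class Resource:
    category: str        # "Operating system" or "Personal data"
    subcategory: str     # e.g. "Critical operating system files", "Startup settings", "Documents"
    masks: List[str]     # file path masks or registry key masks


# Constructed illustration of the protected-resource list: two built-in style entries and the
# custom "Documents" category from the procedure. The masks are examples, not the product's list.
RESOURCES: List[Resource] = [
    Resource("Operating system", "Critical operating system files", [r"C:\Windows\System32\*"]),
    Resource("Operating system", "Startup settings",
             [r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*"]),
    Resource("Personal data", "Documents", ["*.doc", "*.docx", "*.pdf"]),
]

# Default rights table from the course: rights per category, with "Critical operating system files"
# as the one subcategory that has its own row (Read only for Low Restricted programs).
DEFAULT_RIGHTS: Dict[str, Dict[str, Set[str]]] = {
    "Trusted":         {"Operating system": FULL,      "Personal data": FULL},
    "Low Restricted":  {"Operating system": FULL,      "Personal data": FULL,
                        "Critical operating system files": READ_ONLY},
    "High Restricted": {"Operating system": READ_ONLY, "Personal data": FULL},
    "Untrusted":       {"Operating system": NO_ACCESS, "Personal data": NO_ACCESS},
}


def with_documents_protection(rights: Dict[str, Dict[str, Set[str]]]) -> Dict[str, Dict[str, Set[str]]]:
    """Step 4 of the procedure: prohibit Low and High Restricted programs from writing and
    deleting documents (the UI calls the Remove operation 'Delete'). Returns a new table."""
    new = copy.deepcopy(rights)
    for group in ("Low Restricted", "High Restricted"):
        new[group]["Documents"] = FULL - {"Write", "Remove"}
    return new


def find_resource(path: str, resources: List[Resource] = RESOURCES) -> Optional[Resource]:
    """First protected-resource entry whose mask matches the file path or registry key."""
    for res in resources:
        if any(fnmatch.fnmatchcase(path.lower(), mask.lower()) for mask in res.masks):
            return res
    return None


def effective_group(own_group: str, parent_groups: Iterable[str]) -> str:
    """Limitations are inherited by child processes: a program runs with the most restrictive
    trust group found among its own group and its ancestry. Started by the user, it keeps its own."""
    return min([own_group, *parent_groups], key=TRUST_ORDER.index)


def allowed(trust_group: str, path: str, operation: str,
            rights: Dict[str, Dict[str, Set[str]]] = DEFAULT_RIGHTS) -> bool:
    """Decide whether a program in trust_group may perform operation on path."""
    if trust_group == "Untrusted":
        return False                      # Untrusted programs are not even allowed to start
    res = find_resource(path)
    if res is None:
        return True                       # assumption: unlisted resources are not restricted
    table = rights[trust_group]
    ops = table.get(res.subcategory, table[res.category])   # subcategory row overrides category row
    return operation in ops
```

With the default table a High Restricted program may still write to a user’s document, because Personal data is Full access for every group except Untrusted; only after `with_documents_protection` does the Documents row deny Write and Remove, while Read stays allowed and Trusted programs such as office suites are unaffected. A Trusted executable started by a restricted parent is evaluated with the parent’s group, which is what makes the inherited limitations effective.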


Antimalware Scan Interface (AMSI) is an open API developed by Microsoft that permits antivirus and
other security solutions to scan macros and other scripts synchronously and to block the execution of
malicious code within applications.


The AMSI Protection Provider component permits Kaspersky Endpoint Security to interact better with
AMSI and thus improve detection of various attack types, for example, fileless attacks.

Fileless attacks are based on the following idea: why develop malware if you can use existing legitimate
tools (for example, PowerShell, JavaScript, VBScript, etc.) to achieve your aim? The criminals’ aim when
organizing a fileless attack is to take control of a process, run their code in its memory, and
use this code to start other tools available on the device.

Such an attack is difficult to detect, because criminals do not need to save on the device any applications
that might be recognized as malicious. Additionally, various masquerade techniques are often used, for
example, code obfuscation, which complicates code analysis, and evasion techniques, which permit
transferring the necessary information to the computer.

Let us explain the operation of AMSI Protection Provider through the example of an attack that is becoming
increasingly widespread nowadays: running the PowerShell interpreter from a macro in a document and
executing a malicious script in PowerShell.

When an application opens a document, before running the script, it transfers it to AMSI for scanning and
waits for the verdict. AMSI logs the script’s actions and sends its commands via AMSI Protection
Provider to the antivirus provider: Kaspersky Endpoint Security. This permits the antivirus provider to access
the commands that the script has compiled on the fly in the memory. Kaspersky Endpoint Security scans
the commands generated by the script and returns a verdict. Depending on the received verdict, AMSI
instructs the application whether to run the script. This schema is implemented for Microsoft applications,
and can also be implemented for any application that supports AMSI.


In addition to scripts, applications can send archives for scanning to Kaspersky Endpoint Security, as well
as plug-in distributions prior to installation.

Almost any heuristic analysis returns false positives. To reduce them, exclude known clean programs
from analysis:

— Programs that are considered to be trusted in Kaspersky Security Network
— Programs signed with trusted certificates

To avoid blocking programs that are considered to be trusted in KSN, simply use KSN. To trust signed
programs, use the following Host Intrusion Prevention setting: Application processing rules | Trust
applications that have a digital signature.

Kaspersky Endpoint Security trusts only those digital signatures that are based on trusted certificates
rather than all of them. Trusted certificates are those issued by trusted certification authorities.

Kaspersky Endpoint Security uses its own database of certificates and does not always trust certificates
in the local store Trusted Root Certification Authorities. If a certificate has been compromised, Kaspersky
Endpoint Security learns about this from Kaspersky Security Network, and will not trust files signed with
this certificate.

Kaspersky Endpoint Security does not trust self-signed certificates either. To trust tailor-made software
with a self-signed certificate, add the certificate to the trusted zone of Kaspersky Endpoint Security as
described in “Exclusion by certificate”, in section 2.6.

If a program does not have a digital signature, you can manually add it to the Trusted group in the Host
Intrusion Prevention policy. Alternatively, you can completely exclude a program from scanning by
Behavior Detection and Host Intrusion Prevention. How to do it will be explained later.
Most of the widespread commercial programs have a Trusted reputation. However, some open-source
programs have a Low Restricted reputation. In-house software may not have any reputation in KSN, and
may receive a Low Restricted reputation (or High Restricted, depending on the policy settings).

If the reputation hampers working with a program, change its reputation in the Kaspersky Endpoint
Security policy:

1. Open the Advanced Threat Protection | Host Intrusion Prevention section in the Kaspersky
Endpoint Security policy
2. Click the link Application rights and protected resources
3. Switch to the Application rights tab
4. Click Add above the list of application categories
5. Select the group to which you want to move the file: Trusted, Low Restricted, etc., and click
Next
6. Click Filtering and filter the list of applications by executable file name
7. Select the executable file in the filtering results and click OK

If the administrator has selected a reputation for a file in the policy, Host Intrusion Prevention will use this
reputation on the computers instead of the KSN reputation. The reputation from KSN is used only for files
that are not explicitly specified in the policy, that is, for most files, because by default the policy has
only reputation groups, and no files.

If the administrator has added a file to a reputation group in the policy, he or she can reconfigure its
restrictions as desired. For example, the administrator can add a program to the Trusted group, but then
open its rights and prohibit it from accessing the web cam.
If you use policies with the default settings, the list of executable files is likely to be empty in the policy.

Kaspersky Endpoint Security intercepts all executable files on the computers, and Host Intrusion
Prevention assigns a reputation to all of them. However, this data is not sent to the Administration Server
by default. And the policy shows only those executable files about which Kaspersky Endpoint Security
has informed the Administration Server.
To make Kaspersky Endpoint Security send lists of executable files to the server, create and run an
Inventory task, or enable the Application Control component and run the necessary application.

The lists of computer executable files are rather large. If all managed computers send them to the server,
it will increase the load on the network considerably. Usually, this is not necessary. Do not run the
Inventory task on all computers. Do not enable Application Control for the computers where you are
not planning to use it to regulate applications’ start. To receive only the files that you need, create an
Inventory task for specific computers.

r ib
st
di
re
or
e d

We recommend that you do not collect lists of files from all computers. Administrators often have test
computers where all typical programs are installed. If you have such computers, gather lists of executable
files from them. To fill the local list of known programs on a test computer, do not start all the programs
manually; use the Inventory task.
The Inventory task scans files in the specified folders, finds the executable files, adds them to the local list
of known executable files, and activates data transfer to the Administration Server. To have scanning
results sent to the server, select the checkbox Inform Administration Server about started
applications in the Kaspersky Endpoint Security policy.

To create an inventory task, run the task creation wizard on the Devices | Tasks page. Select the
Inventory task type under Kaspersky Endpoint Security for Windows. If it is a task for a test computer,
after creating the task, open its properties and include All hard drives in the scope. Assign the task to
individual test computers.
If the limitations set by Host Intrusion Prevention still block a necessary program, you can configure
the corresponding exclusion. There are two types of exclusions in Host Intrusion Prevention:

— Exclusions for resources—allow any program to perform any operation with the specified
group of resources (not available in the web console)
— Exclusions for programs—allow the specified programs to perform any operation
Exclusions for resources are configured in the properties of Host Intrusion Prevention, on the Protected
resources tab. You can configure exclusions for folders, files and registry keys.

Exclusions for programs are configured in the Trusted applications list, and provide several additional
capabilities:

— Do not monitor application activity—disable all restrictions for the specified program
— Do not inherit restrictions of the parent process (application)—disable the limitations
inherited from the process that started the program and the parent processes of higher levels
— Do not monitor child application activity—disable the restrictions for the processes started by
the program for which the exclusion is created

These exclusions apply to Behavior Detection and Host Intrusion Prevention.


Almost all Kaspersky Endpoint Security components help protect against new threats, but primarily
Behavior Detection and Host Intrusion Prevention. Both components monitor the operations performed by
the programs.

Host Intrusion Prevention calculates the reputation of executable files and limits actions of programs that
have bad or unknown reputations. Program reputation is supplied by Kaspersky Security Network, or the
administrator specifies it in the policy settings.

Behavior Detection monitors what programs do in general rather than their individual actions. For this
purpose, it logs everything that programs do and then checks whether sequences of actions resemble
malicious activities. Remediation Engine uses the log of actions to roll back malicious activities.

Behavior Detection has special heuristics that permit detecting ransomware (malware that encrypts
documents and demands a ransom). In many cases, Behavior Detection can recover encrypted
documents with the help of Remediation Engine.

To better protect against ransomware, configure Host Intrusion Prevention to block access to documents
for programs that have a bad reputation.

Do not disable Behavior Detection and Host Intrusion Prevention. These components implement state-of-
the-art technologies that protect against most sophisticated threats.

002.11.6: Kaspersky Endpoint Security and Management. 5. How to control network connections
Unit II. Protection management


From the security point of view, the Firewall performs two functions:

— Block unauthorized network connections to the computer, thus decreasing the infection
probability
— Block unauthorized network activity of the programs on the client computer. This decreases
the risk of an outbreak, and also limits actions of the users that consciously or unconsciously
violate the security policy

The Firewall is tightly integrated with Host Intrusion Prevention. Host Intrusion Prevention limits
programs’ access to the settings of the operating system, other programs and user files, but not to the
network. The Firewall checks the program reputation and limits its access to the network. This way, the
Firewall prevents already running malware from causing harm: for example, sending the user’s passwords
to criminals.

The Network Threat Protection component complements the Firewall and analyzes packets. While the
Firewall uses relatively simple rules to block packets and connections, Network Threat Protection checks
sequences of packets for signs of a network attack, for example, a buffer overflow attack via known
vulnerabilities, and blocks connections through which an attack is performed.
The Firewall controls connections at the network and transport level using packet rules. It analyzes inbound
and outbound packets, compares them with the rules and takes one of the two actions:

— Allow
— Block

The simplest part of the Kaspersky Endpoint Security Firewall is the list of packet network rules. To view it,
open the Firewall settings in the Kaspersky Endpoint Security policy and click the link Network packet
rules.

A packet rule consists of the following attributes:

Action: Allow, Block or According to the application rule
    According to the application rule means that the Firewall will look for an appropriate rule in
    the settings of the program to which the packet pertains, and if this program has no
    settings, in the settings of the reputation group to which the program belongs

Protocol: TCP, UDP, ICMP, ICMPv6, IGMP, GRE

Direction:
    — Inbound (packet)—applies to all inbound packets
    — Inbound—applies to all packets within inbound connections
    — Inbound/Outbound—applies to all packets
    — Outbound (packet)—applies to all outbound packets
    — Outbound—applies to all packets within outbound connections
    The TCP protocol establishes connections; use the directions Inbound, Outbound and
    Inbound/Outbound together with the TCP protocol.
    Other protocols do not establish connections; they send packets. Use Inbound (packet),
    Outbound (packet) and Inbound/Outbound with them.

Remote ports: Ports on a remote computer
    Can be specified for TCP and UDP protocols
    To specify several ports, separate them by commas, for example: 25, 110
    To specify a range, use a hyphen: 0-1024

Local ports: Ports on the local computer
    Can be specified for TCP and UDP protocols

ICMP type: Echo, Echo Reply, Time Exceeded, Destination Unreachable, etc.
    Can be selected for ICMP and ICMPv6 protocols

ICMP code: Code for some ICMP types. You can select code 0, 1 or 2
    For example, for a Destination Unreachable ICMP packet, code 0 means Net
    Unreachable, code 1 Host Unreachable, code 2 Protocol Unreachable [6]

Network adapters: Permits specifying the network adapter by Interface type, IP address and MAC
    address
    Types of interfaces: Loopback, Wired network (Ethernet), Wi-Fi network, Tunnel, PPP
    connection, PPPoE connection, VPN connection, Modem connection

TTL: Packet lifetime

Remote addresses: Addresses of remote computers, which can be specified directly or indirectly
    To specify addresses directly, select Addresses from the list and fill in the list of IP
    addresses
    To specify addresses indirectly, select Any address or Subnet addresses. Subnet
    addresses are: Trusted networks, Local networks or Public networks.

Local addresses: Addresses of the local computer (a computer can have many addresses)
    You can select either Any address, or Addresses from the list, and fill in the list

Both IPv4 and IPv6 can be specified for IP addresses.

The Firewall compares packet attributes with rule attributes, and if everything coincides (protocol, ports,
direction, network adapter, local address, remote address), applies the action specified in the rule.
Rule application will be registered in the Firewall log if the Log events checkbox is selected.

The Firewall looks for the first matching rule (from the top down) and applies it. To rearrange the rules,
select a rule and move it using the Up and Down buttons.

A default policy contains a list of packet rules that provides reasonable security for computers both on
and off the corporate network. The standard settings are described in detail at the end of this chapter.

Standard packet rules are not hard-coded. The administrator can edit and delete them, or add custom
rules. For convenience, the protocol, ports and direction can be specified by templates (for example, Any
network activity, Browsing webpages, Remote Desktop network activity, etc.) To select a template, click
the button to the right of the Name field in the rule settings.
Addresses of remote computers may be specified indirectly in the rules, as Subnet addresses: Trusted
networks, Local networks or Public networks. How does the Firewall decide which addresses belong to
which networks?

Network statuses are specified by the administrator in the Kaspersky Endpoint Security policy. If the
policy does not describe a network status, the Firewall defines it itself on the client computer.
[6] For ICMP message types and code values, consult the protocol documentation.
To add a network to the policy and select a status for it:

1. Click the Network settings link in Application Settings | Essential Threat Protection | Firewall
2. Click the Add button above the list
3. Type a name for the subnet and select its type
4. Specify the subnet address in the following format: <IP address>/<netmask length in bits>, for
example 192.168.0.0/24 or 1234::cdef/96 for IPv6 networks

On the computer, the Firewall adds the networks configured for the computer’s network adapters to the
networks specified in the policy. If an adapter’s network coincides with or belongs to a network from the
policy, it receives the status specified in the policy.

If the adapter’s network does not belong to any of the networks described in the policy, the Firewall
assigns it a status based on its status in the operating system. If it is a domain, work or home network,
the Firewall assigns it the Local status. If the network is public in the operating system, it will also be
public for the Kaspersky Endpoint Security Firewall.

All other addresses are considered to be addresses of public networks.


For example, the policy might contain a single network entry for 172.16.0.0/16 with the Local network
status. And a managed computer might have two interfaces configured to use networks 172.16.55.0/24
and 192.168.5.0/24 respectively. Let’s say Kaspersky Endpoint Security automatically assigned
the Public status to both these networks. Now when the local networks are combined with the policy, the
status of the 172.16.55.0/24 network effectively becomes Local network, because there is an entry in the
policy for network 172.16.0.0/16 that includes 172.16.55.0/24. On the other hand, the 192.168.5.0/24
network retains its Public status because there is no matching entry in the policy.

In the default policy settings, there are three network entries, all of which have the Local network status:

— 10.0.0.0/8
— 172.16.0.0/12
— 192.168.0.0/16

These are reasonable choices for the computers that are inside the perimeter; however, they should be
reconsidered for computers outside the perimeter, e.g., the computers connected via VPN or laptop
computers on a business trip.
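The merge of policy networks with adapter networks described above, including the 172.16.0.0/16 worked example and the three default entries, expressed as an added Python example built on the standard library ipaddress module. It is not the product’s code; the mapping of the operating system’s network category, the longest-prefix choice when several policy networks contain an adapter’s network, and the remote-address classifier at the end are assumptions made for the example.

```python
import ipaddress
from typing import Dict, Optional

LOCAL, PUBLIC, TRUSTED = "Local", "Public", "Trusted"

# The three default policy entries from the course, all with the Local network status
DEFAULT_POLICY_NETWORKS: Dict[str, str] = {
    "10.0.0.0/8": LOCAL,
    "172.16.0.0/12": LOCAL,
    "192.168.0.0/16": LOCAL,
}

# How the Firewall maps the operating system's network category when the policy has no entry
# (domain, work and home become Local; public stays Public). Assumed spelling of the categories.
OS_STATUS_TO_FIREWALL = {"domain": LOCAL, "work": LOCAL, "home": LOCAL, "public": PUBLIC}


def policy_status(adapter_network: str, policy: Dict[str, str]) -> Optional[str]:
    """Status from the policy if the adapter's network coincides with or lies inside a policy
    network, else None. Assumption: when several policy networks contain it, the most specific wins."""
    net = ipaddress.ip_network(adapter_network, strict=False)
    best = None
    for cidr, status in policy.items():
        pnet = ipaddress.ip_network(cidr, strict=False)
        if net.version == pnet.version and net.subnet_of(pnet):
            if best is None or pnet.prefixlen > best[0]:
                best = (pnet.prefixlen, status)
    return best[1] if best else None


def assign_status(adapter_network: str, os_status: str, policy: Dict[str, str]) -> str:
    """Policy first; otherwise derive the status from the OS category (anything else is Public)."""
    status = policy_status(adapter_network, policy)
    if status is not None:
        return status
    return OS_STATUS_TO_FIREWALL.get(os_status.lower(), PUBLIC)


def merge_networks(policy: Dict[str, str], adapters: Dict[str, str]) -> Dict[str, str]:
    """Combine the policy networks with the adapters' networks (adapter network -> OS category)
    into the list of networks and statuses the Firewall uses on this computer."""
    merged = dict(policy)
    for adapter_network, os_status in adapters.items():
        merged[adapter_network] = assign_status(adapter_network, os_status, policy)
    return merged


def remote_network_type(address: str, merged: Dict[str, str]) -> str:
    """Classify a remote address for the Subnet addresses attribute of a packet rule:
    the status of the most specific containing network, otherwise Public."""
    ip = ipaddress.ip_address(address)
    best = None
    for cidr, status in merged.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, status)
    return best[1] if best else PUBLIC
```

Running the course’s example through `merge_networks({"172.16.0.0/16": "Local"}, {"172.16.55.0/24": "public", "192.168.5.0/24": "public"})` gives 172.16.55.0/24 the Local status and leaves 192.168.5.0/24 Public; with the default three entries instead, 192.168.5.0/24 would also become Local, which is the behaviour to reconsider for laptops and VPN clients outside the perimeter.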


If the Firewall does not find a matching rule for a packet, or finds it, but the action specified in the rule is
According to the application rule, it starts looking for the packet rule configured for this application. And if
the application has no settings in the policy, it checks the program’s reputation and looks for a matching
packet rule in the reputation settings.

The Firewall uses the same reputations as Host Intrusion Prevention. The settings that Host Intrusion
Prevention uses to select a reputation are also applied to the Firewall. If Host Intrusion Prevention is not
installed, the Firewall defines the reputation itself using the Host Intrusion Prevention settings. A program
cannot be Trusted for Host Intrusion Prevention and at the same time High Restricted for the Firewall.
Each program has only one reputation.

To consult packet rules for applications and reputations:

1. In the Firewall settings, click the Application network rules link
2. In the left pane Applications, select a program or reputation
3. At the top of the right pane, in the drop-down list, select Network rules

There are no applications in a policy by default; there are only reputations and settings for reputations.

The administrator can add programs to a reputation and after that will be able to add whichever packet
rules are needed to the program properties. Applications are added in the same manner as in Host
Intrusion Prevention.

Each program and reputation in the list of rules has three rules that are always located at the bottom of
the list:

— Any network activity in Trusted networks
— Any network activity in Local networks
— Any network activity in Public networks

For the Trusted and Low Restricted reputations, all three rules use the Allow action by default, and for
the High Restricted and Untrusted reputations, the Block action. Standard rules cannot be deleted or
modified, except for the Action attribute, which can be changed by the administrator.

By default, if only reputations are configured in the policy, reputations have only these three rules. These
rules intercept any network activity, because any address belongs to either a trusted, a local, or a public
network. That is why there is always a rule for any packet: a packet belongs to a process, the process has
a reputation, and the reputation has at least one rule for any remote address according to the network type.

The administrator can add custom rules to the list of reputation or application rules. These rules have only
the following attributes:

— Action: Allow or Block
— Protocol: TCP, UDP, ICMP or ICMPv6
— Direction: Inbound, Outbound or Inbound/Outbound
— Remote ports (for TCP and UDP)
— Local ports (for TCP and UDP)
— ICMP type (for ICMP and ICMPv6)
— ICMP code (for ICMP and ICMPv6)
— Remote addresses
— Local addresses (for TCP and UDP)


A standard policy does not contain rules for applications (except for the standard ones specified for
the reputations). That is why the ultimate network status and application reputations are defined locally in
the Firewall.

Packet rules are inherited from the policy, and accordingly, packets are filtered as follows:

1. The first three rules regulate the capability to send DNS requests (over TCP and UDP, remote port 53)
   and email (over TCP, remote ports 25, 465, 143 and 993). The According to the application rule
   action is selected in these rules, so programs from the Trusted and Low Restricted groups will be
   able to send DNS requests and email, while the others will not
2. Rule number 4 allows any network activity within trusted networks to all programs. So, in trusted
   networks, any activity is allowed by default, except for the DNS and email limitations for Untrusted
   and High Restricted programs
3. The fifth rule defines how packets are processed in local networks: according to the application
   rules. The default application rules say that programs from the Trusted and Low Restricted groups
   have no limitations in local networks, while High Restricted and Untrusted programs have no access
4. The rest of the rules effectively regulate program behavior in public networks, since all packets
   from trusted and local networks have already been processed one way or another by the rules above.
   Rules 6 to 8 block remote desktop connections to the computer from public networks, and also block
   connections to the local DCOM service, NetBIOS packets, access to Windows shared folders and
   access to Universal Plug & Play devices
5. Rules 9 and 10 allow inbound TCP and UDP streams only to programs belonging to the Trusted and
   Low Restricted groups. Considering the default application rules, this means that Trusted and Low
   Restricted applications can receive incoming connections from public networks, whereas High
   Restricted and Untrusted applications cannot
6. Rules 11 to 15 block inbound diagnostic ICMP requests, while allowing ICMP packets to be sent to
   test the connection to remote computers
Trusted and Low Restricted programs have full access to all networks. That is why the Firewall does not
hamper well-known programs by default.

Untrusted and High Restricted programs are allowed to access only trusted networks, and even there may
not work with email and DNS. However, there are no trusted networks in a policy by default, so Untrusted
and High Restricted programs have no network access at all.

Thus, the Firewall prevents unknown malware from stealing passwords, downloading additional modules,
receiving commands from the control center and sending spam.

Additionally, the Firewall blocks access to the operating system services (shared folders, remote desktop,
DCOM, etc.) and blocks ICMP requests from public networks.
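The following model, written for this page as an added example (it is not the product’s code and not part
of the course), walks a packet through the decision chain described above: the network status of the
remote address is computed by combining policy network entries with the locally detected networks
(the 172.16.0.0/16 example from earlier in this chapter), then packet rules are tried in policy order,
then the application’s own rules, then the three fixed rules of its reputation. The port numbers used for
RDP, DCOM, NetBIOS, SMB and UPnP are the standard ones and are an assumption: the chapter names
the services, not the ports. The sample networks and packets are constructed inline.

```python
"""Model of the Kaspersky Endpoint Security Firewall decision chain
(illustrative code for this page, not Kaspersky's implementation)."""
from ipaddress import ip_address, ip_network

TRUSTED, LOCAL, PUBLIC = "Trusted", "Local", "Public"
ALLOW, BLOCK, BY_APP = "Allow", "Block", "According to the application rule"

# Constructed sample: one policy entry, and two interfaces that the product
# auto-classified as Public (the chapter's worked example).
POLICY_NETWORKS = [("172.16.0.0/16", LOCAL)]
LOCAL_NETWORKS = [("172.16.55.0/24", PUBLIC), ("192.168.5.0/24", PUBLIC)]


def network_status(remote_ip, policy=POLICY_NETWORKS, local=LOCAL_NETWORKS):
    """Status of the network a remote address belongs to.  A policy entry
    overrides the locally detected status (most specific prefix wins);
    an address in no known network is Public."""
    ip = ip_address(remote_ip)
    hits = [(ip_network(n), s) for n, s in policy if ip in ip_network(n)]
    if hits:
        return max(hits, key=lambda h: h[0].prefixlen)[1]
    for n, s in local:
        if ip in ip_network(n):
            return s
    return PUBLIC


# Rule tuple: (name, protocol, direction, remote ports, local ports,
# network status, action); None means "any".  The order approximates the
# default packet rules described in the chapter.  Port numbers are assumed.
DEFAULT_PACKET_RULES = [
    ("DNS over TCP", "TCP", "out", {53}, None, None, BY_APP),
    ("DNS over UDP", "UDP", "out", {53}, None, None, BY_APP),
    ("Mail over TCP", "TCP", "out", {25, 465, 143, 993}, None, None, BY_APP),
    ("Any activity in Trusted networks", None, None, None, None, TRUSTED, ALLOW),
    ("Any activity in Local networks", None, None, None, None, LOCAL, BY_APP),
    ("RDP/DCOM/NetBIOS/SMB from Public", "TCP", "in", None, {135, 139, 445, 3389}, PUBLIC, BLOCK),
    ("NetBIOS/UPnP from Public", "UDP", "in", None, {137, 138, 1900}, PUBLIC, BLOCK),
    ("Inbound TCP from Public", "TCP", "in", None, None, PUBLIC, BY_APP),
    ("Inbound UDP from Public", "UDP", "in", None, None, PUBLIC, BY_APP),
    ("Inbound ICMP from Public", "ICMP", "in", None, None, PUBLIC, BLOCK),
    ("Outbound ICMP", "ICMP", "out", None, None, None, ALLOW),
]

# Default reputation rules: the three fixed rules at the bottom of every list.
REPUTATION_RULES = {
    "Trusted": {TRUSTED: ALLOW, LOCAL: ALLOW, PUBLIC: ALLOW},
    "Low Restricted": {TRUSTED: ALLOW, LOCAL: ALLOW, PUBLIC: ALLOW},
    "High Restricted": {TRUSTED: BLOCK, LOCAL: BLOCK, PUBLIC: BLOCK},
    "Untrusted": {TRUSTED: BLOCK, LOCAL: BLOCK, PUBLIC: BLOCK},
}


def matches(rule, pkt, status):
    _, proto, direction, rports, lports, net, _ = rule
    return ((proto is None or proto == pkt["proto"])
            and (direction is None or direction == pkt["dir"])
            and (rports is None or pkt.get("rport") in rports)
            and (lports is None or pkt.get("lport") in lports)
            and (net is None or net == status))


def packet(app, reputation, proto, direction, remote_ip, rport=None, lport=None):
    """A packet as the Firewall sees it: owning process, its reputation, 5-tuple."""
    return {"app": app, "reputation": reputation, "proto": proto, "dir": direction,
            "remote_ip": remote_ip, "rport": rport, "lport": lport}


def firewall_verdict(pkt, packet_rules=DEFAULT_PACKET_RULES, app_rules=None):
    """Return (verdict, reason): packet rules first, then the application's
    own rules, then the rules of its reputation for the network type."""
    status = network_status(pkt["remote_ip"])
    for rule in packet_rules:
        if matches(rule, pkt, status):
            if rule[-1] != BY_APP:
                return rule[-1], "packet rule: " + rule[0]
            break  # hand over to application / reputation rules
    for rule in (app_rules or {}).get(pkt["app"], []):
        if matches(rule, pkt, status) and rule[-1] != BY_APP:
            return rule[-1], "application rule: " + rule[0]
    rep = pkt["reputation"]
    return REPUTATION_RULES[rep][status], f"reputation rule: {rep} in {status} networks"


if __name__ == "__main__":
    for p in (packet("agent.exe", "Untrusted", "UDP", "out", "8.8.8.8", rport=53),
              packet("svc.exe", "Trusted", "TCP", "in", "203.0.113.9", lport=3389),
              packet("tool.exe", "High Restricted", "TCP", "out", "172.16.55.10", rport=443)):
        print(p["app"], firewall_verdict(p))
```

Running the script shows the three outcomes the chapter describes: an Untrusted program’s DNS query is
blocked by its reputation, an inbound RDP connection from a public address is blocked by a packet rule
regardless of the receiving program’s reputation, and a High Restricted program gets no access even in a
local network. Adding a custom rule for an application (the `app_rules` argument) only matters for packets
that reach the application stage, which is why a packet rule placed at the top of the list overrides everything.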



Most network applications are automatically included in either the Trusted or the Low Restricted group, and
are allowed to exchange data over the network.

However, little-known open source programs or tailor-made software may receive the High Restricted
reputation and will not be able to work with the network.

To grant network access to a program that has the High Restricted reputation, use one of the following
approaches:

— Change the program reputation: add its executable file to the Low Restricted or Trusted reputation as
  described in section 4.3
— If the program’s files are signed with a certificate, use Host Intrusion Prevention settings to trust
  these files. If the files are not signed, consider signing them with a self-signed certificate and use
  the exclusion settings to trust this certificate
— Alternatively, configure packet rules that allow the program to use its addresses and ports. Packet
  rules are processed earlier than the rules for applications and reputations, so move your rules to the
  top of the packet rules list. Keep in mind that a packet rule applies to every program, not only to the
  one you are unblocking, so restrict it to exactly the addresses and ports the program needs


The purpose of the Network Threat Protection component is to block network attacks including port
scanning, denial-of-service attacks, buffer-overrun attacks and other remote malicious actions taken
against the programs and services running on the computer.

Network Threat Protection uses signatures and blocks all connections that correspond to the descriptions
of known network attacks.

As we mentioned earlier, malware does not necessarily save executable code in the file system in order
to infect a computer. For example, malware using a buffer-overrun attack can modify a process already
loaded in memory and thus execute the malicious code. The Network Threat Protection component is
able to prevent infections from spreading this way. That is why it must be enabled, and its settings must
be locked.

Network Threat Protection has a few configurable parameters. If the component is enabled, attacks are
blocked automatically.

Additionally, Kaspersky Endpoint Security can block any further packets from the attacking computer for
some time. The Add the attacking computer to the list of blocked computers option regulates this
behavior; by default, it is enabled and blocks computers for 60 minutes. If necessary, a blocked computer
can be unblocked manually, but only in the local interface of Kaspersky Endpoint Security.

Sometimes, Network Threat Protection considers the numerous packets sent by surveillance cameras and
similar devices to be an attack, and blocks them. To prevent this, add the devices’ addresses to
exclusions. Network Threat Protection does not analyze packets from excluded (trusted) addresses at all,
so list the individual device addresses rather than whole subnets: an attack launched from an excluded
address goes undetected.
Protection from MAC spoofing prevents unauthorized modification of ARP tables on the devices protected
by Kaspersky Endpoint Security.
The following methods protect ARP tables against unauthorized modifications:

— Ignore an incoming ARP reply unless it answers an ARP request that was actually sent
— After an ARP request has been sent, accept only the first ARP reply and ignore all others; log
  information about them
— Wait for an ARP reply for a limited time only; ignore belated answers
— Reply to an incoming ARP request without adding a record to the system ARP table

Protection from MAC spoofing is regulated by two options available in Essential Threat Protection |
Network Protection. You can enable or disable protection (it is disabled by default) and configure the
reaction to potentially dangerous attacks.
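The simulation below is an added example written for this page (not Kaspersky’s code and not part of the
course) that implements the four ARP protection methods listed above against ARP frames represented
as dictionaries. The frames, addresses and timings are constructed inline; the reply timeout of two
seconds is an assumption, since the chapter only says "some time".

```python
"""Simulation of the four ARP table protection methods (illustrative code
for this page, not Kaspersky's implementation)."""


def arp_request(sender_ip, sender_mac, target_ip):
    return {"op": "request", "sender_ip": sender_ip, "sender_mac": sender_mac,
            "target_ip": target_ip}


def arp_reply(sender_ip, sender_mac, target_ip="", target_mac=""):
    return {"op": "reply", "sender_ip": sender_ip, "sender_mac": sender_mac,
            "target_ip": target_ip, "target_mac": target_mac}


class ArpGuard:
    """ARP table that only learns from the first timely reply to a request it
    sent itself; requests are answered without learning, other replies are
    logged.  The timeout is an assumed value."""

    def __init__(self, own_ip, own_mac, reply_timeout=2.0):
        self.own_ip, self.own_mac, self.timeout = own_ip, own_mac, reply_timeout
        self.table = {}     # ip -> mac: the protected system ARP table
        self.pending = {}   # ip -> time our own request went out
        self.answered = {}  # ip -> time the accepted reply arrived
        self.log = []       # (reason, frame, time) for every ignored reply

    def send_request(self, ip, now):
        self.pending[ip] = now

    def handle(self, frame, now):
        """Process an incoming ARP frame at time `now`.  Returns the reply
        frame to send for a request addressed to us, otherwise None."""
        if frame["op"] == "request":
            # Method 4: answer requests for our address, but do not add the
            # requester's mapping to the table.  An unprotected host may cache
            # the sender mapping of any ARP packet it sees, which is what a
            # spoofer counts on.
            if frame["target_ip"] == self.own_ip:
                return arp_reply(self.own_ip, self.own_mac,
                                 frame["sender_ip"], frame["sender_mac"])
            return None
        ip, mac = frame["sender_ip"], frame["sender_mac"]
        sent = self.pending.pop(ip, None)
        if sent is None:
            # Method 2: a competing answer to a request we already accepted is
            # logged; Method 1: a reply we never asked for is ignored outright.
            seen = self.answered.get(ip)
            duplicate = seen is not None and now - seen <= self.timeout
            self.log.append(("duplicate reply" if duplicate else "unsolicited reply",
                             frame, now))
        elif now - sent > self.timeout:
            # Method 3: the request has expired; a late answer is not trusted.
            self.log.append(("belated reply", frame, now))
        else:
            self.table[ip] = mac
            self.answered[ip] = now
        return None


if __name__ == "__main__":
    g = ArpGuard("10.0.0.5", "aa:aa:aa:aa:aa:05")
    g.send_request("10.0.0.1", now=0.0)
    g.handle(arp_reply("10.0.0.1", "aa:aa:aa:aa:aa:01"), now=0.1)   # learned
    g.handle(arp_reply("10.0.0.1", "de:ad:be:ef:00:01"), now=0.2)   # spoof attempt
    g.handle(arp_reply("10.0.0.2", "de:ad:be:ef:00:02"), now=0.3)   # gratuitous
    print(g.table)
    for reason, frame, t in g.log:
        print(f"t={t}: ignored {reason} from {frame['sender_ip']} ({frame['sender_mac']})")
```

The log is the interesting output for a defender: a "duplicate reply" entry for an address you just resolved
is the classic signature of an ARP spoofing attempt, and is exactly the kind of event the product’s
"reaction to potentially dangerous attacks" option decides what to do about.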
When a client computer blocks another client computer because of a network attack, the administrator
can see only an event informing of a network attack in the console. There is no list of blocked computers,
or events informing that a computer was blocked and later unblocked.

You can find the list of blocked computers in the local interface of Kaspersky Endpoint Security:

1. In the Kaspersky Endpoint Security window, click More Tools and select Network Monitor
2. In the Network Monitor window, open the Blocked computers section
3. To unblock a computer, select it and click Unblock



To unblock a computer from the Administration Console, restart the Network Threat Protection
component on the computer that blocked the attack:

1. Find the event informing about the attack and check which computer sent the event (not which
   computer attacked)
2. Find this computer in the console and open its properties
3. Switch to the Tasks tab and find the Network Threat Protection component
4. Stop the component and start it anew (use its shortcut menu or the buttons to the right of the list)

While the component is stopped, that computer has no protection against network attacks, so do not leave
it stopped longer than needed.


At the network level, packets are scanned by the Firewall and Network Threat Protection components.
Other essential protection components (Web Threat Protection and Mail Threat Protection) scan data at
the application level.

The Firewall protects computer services in public networks, and also does not allow Untrusted and High
Restricted programs to use the network. Thus, it prevents unknown malware from connecting to its control
center.

Network Threat Protection analyzes sequences of packets within allowed connections and blocks known
types of attacks.

If these components impede a program:

— Make the program trusted for Host Intrusion Prevention. The Firewall uses the same reputations
  as Host Intrusion Prevention
— Open the ports and addresses with which the program works using simple packet rules
— Add the application’s address to the exclusions of Network Threat Protection
002.11.6: Kaspersky Endpoint Security and Management. 6. How to protect a computer outside the network
Unit II. Protection management


The risk of computer infection is lower within a corporate network than outside. Thus, applying different
settings to the computers that are taken out of the office seems reasonable.

Specifically, by default, the policy considers all networks that have addresses 10.0.0.0/8, 172.16.0.0/12
and 192.168.0.0/16 to be local and permits access to shared folders, Windows services and RDP within
them.

However, outside the corporate network, addresses 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 may
belong to hotels, bars, airports and other public places. It is dangerous to trust them in the same way as
local networks.

Use a special out-of-office policy to change Kaspersky Endpoint Security settings when a computer is
taken outside the corporate network.
Out-of-office is the third possible policy status, in addition to Active and Inactive.

An out-of-office policy may be created for any group. There can be only one out-of-office policy for each
version of Kaspersky Endpoint Security in a group. Such a policy is propagated in exactly the same manner
as an active policy. However, while an active policy is enforced immediately, a policy for out-of-office
computers starts working only when the computer meets the specified conditions (described later).

If a child group has no out-of-office policy, it uses the out-of-office policy of its parent group. However,
if an out-of-office policy exists in both the parent and the child group, they are not related in any way:
whichever settings are locked in the parent group policy, they do not restrict the out-of-office policy of
the child group.

In other words, individual settings of an out-of-office policy are not inherited, unlike those of an active
policy, where locked settings are inherited by the policies of child groups. Out-of-office policies are
inherited only as a whole, by those subgroups where no out-of-office policy is configured.
To create an out-of-office policy:

1. Start the policy creation wizard: open the tab Devices | Policies and profiles and click Add
2. Select the Kaspersky Endpoint Security for Windows application

   Note: The Out-of-office policy status only exists in the policies of Kaspersky Endpoint Security
   for Windows. Policies of the Network Agent or, for example, Kaspersky Security for Windows
   Servers Enterprise Edition do not have such an option.

3. Accept the KSN agreement
4. Name the policy comprehensibly
5. Select the policy status: Out-of-office
6. Create a policy with the default settings

To modify the status of a ready policy, open the General section in its properties.
By default, computers never switch to the out-of-office policy. To make them switch to such a policy,
specify conditions in the Network Agent policy using either of the following methods:

1. Select Enable out-of-office mode when Administration Server is not available

   A computer switches to the out-of-office policy if it is not connected to any network, or if the
   Network Agent fails to synchronize with the Administration Server three times in a row.

   In practice, this happens when a computer is disconnected from the corporate network. By default,
   the synchronization period is 15 minutes, so a client switches to the out-of-office mode instantly
   after being disconnected from the network, or in 30 to 45 minutes if it stays connected but cannot
   reach the Server.

2. Configure network locations for the <Offline mode> profile

Configuring network locations is the best choice. They can describe more precisely when a computer is
located in the corporate network, and when it is not.

If there are many computers in the network and the Administration Server is overloaded, some computers
may fail to connect to the Server at every regular synchronization. A computer may then fail to synchronize
three times in a row and switch to the out-of-office policy while inside the corporate network. Depending
on the out-of-office policy settings, such a computer can, for example, block access to its shared folders,
which causes quite a lot of trouble if it happens to a file server or a domain controller.

Certainly, if computers cannot synchronize with the Administration Server, it is an issue that must be
solved (see footnote 7). However, improperly configured conditions for switching to the out-of-office
mode may aggravate the issue.

7 Course KL 302 explains how to correctly scale Kaspersky Security Center to large networks.
Instead of using the option Enable out-of-office mode when Administration Server is not available,
configure network locations that precisely describe when a computer is located within the corporate
network, and when outside.

Network Agents can use different connection profiles in different network locations. See course KL 302
for details. To make computers switch to the out-of-office mode, configure network locations for the
<Offline mode> profile.

The Network Agent policy provides various conditions to describe network locations. Many of them are
simple and clear, for example, subnet address or main gateway address. However, they may fail to
unambiguously define the corporate network. Suppose subnet 192.168.0.0/24 is used in the internal
network. The same network may exist in a hotel, a bar or a free hotspot in the street. That is why the
conditions by subnet, gateway or DNS server address are insufficiently reliable.

It is best to use the Condition for name resolvability and specify a name that can only be resolved on
the internal DNS server of the company. Configure computers to switch to the out-of-office mode when
they cannot resolve this name:

1. In the Network Agent policy, open Application Settings | Network and in the Connection
   profiles area, click the Settings button
2. Add a network location description: click the Add button above the upper list
3. Name the network location comprehensibly, for example, “<an internal DNS name> unresolvable”
   and select the checkbox Description enabled
4. In the Use connection profile drop-down list, select the <Offline mode> profile
5. Add a Name resolvability condition
6. Add a name that can only be resolved in the internal network to the list
7. Below the DNS or NetBIOS device name list, switch the parameter to Does not match any of
   the values in the list. This means that the condition is met if the specified name cannot be
   resolved
8. Save the condition


The default policy assumes that 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8 are local networks, which
need fewer restrictions. This may not be a safe assumption out of office. These can be networks in hotels,
bars or other public places which cannot be trusted. Make these networks public in the out-of-office
policy. Alternatively, if you trust the users, delete all networks from the policy: Firewall will check the
statuses of networks in the operating system, which are specified by the user.

A policy for out-of-office computers must take into account the fact that while the host is outside the
corporate network, it is the user who manages Kaspersky Endpoint Security. Consequently, the policy
must allow the user access to the information about the protection status and to the product management
tools. The user should at least be allowed to scan suspicious files/drives and start updates. For this
purpose, allow the user to manage group or local tasks, or both. The corresponding settings are located
in the policy section Local tasks.

To help the users make rational decisions about protection, you need to provide them with more
information about incidents. The user should be warned about detected threats, the need for advanced
disinfection and about outdated databases:

— Open the list of local Kaspersky Endpoint Security events in the policy: go to Application
  Settings | General Settings | Interface, and in the Notifications area, click the Notification
  settings link
— Select a component and then tick all events that are important for the user in the Notify on
  screen column

Make Kaspersky Endpoint Security warn the user about the issues that it experiences with a red triangle
on the application icon in the notification area. To select which issues to inform the user about, open the
Interface settings of the policy and adjust the options in the Show application’s status area.


When the users work outside the corporate network, they need other settings for Kaspersky Endpoint
Security. Kaspersky Security Center has out-of-office policies for this purpose.

By default, out-of-office policies are not used. To make them used, configure conditions in the Network
Agent policy. Configure network locations for the <Offline mode> profile. In the network location
descriptions, specify the conditions that reliably describe when a computer is located within the corporate
network, and when outside. Use Modify condition for name resolvability and Modify condition for SSL
connection address accessibility.

In the out-of-office policy, strengthen the protection settings:

— Configure the Firewall not to trust networks 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16

Give the users more information and more control over Kaspersky Endpoint Security:

— Inform about threats on the computer screen
— Signal about issues on the icon in the notification area
— Allow the user to start and stop tasks
002.11.6: Kaspersky Endpoint Security and Management. 7. What else is there in protection and why?
Unit II. Protection management

ed
ut
r ib
st
di
re
or
e d
pi
co
be
to

A self-defense technology is implemented within Kaspersky Endpoint Security, which prevents
unauthorized product disabling and other attempts to hamper its operation. Self-defense is configured
using two options in Application Settings | General Settings | Application Settings:

— The Enable Self-Defense parameter is responsible for protecting the Kaspersky Endpoint
  Security processes in the computer system memory, its files on the hard drive and its registry
  keys. It is enabled by default

— The Enable external services control checkbox is cleared by default, which prevents stopping
  Kaspersky Endpoint Security services (see footnote 8) using any method except the product interface

If self-defense is disabled, the computer protection level decreases. By default, both parameters are
locked. It makes sense to disable self-defense only if compatibility problems arise (for example, with
remote management utilities, though there are better ways of handling those) or for troubleshooting.


To prevent malware from disabling protection by simulating the user’s commands in the product window,
self-defense by default accepts mouse and keyboard events only directly from a device rather than from
other processes. Therefore, when the administrator tries to manage Kaspersky Endpoint Security via
a remote access program, such as UltraVNC or TeamViewer, self-defense does not permit clicking
anything in the Kaspersky Endpoint Security window.

If you need to manage Kaspersky Endpoint Security via a remote access program, and self-defense will
not allow this, configure an exclusion. Add the executable file of your remote access tool to the list of
trusted applications.

The process that the administrator starts on his or her computer is not necessarily the same as the
process on the remote computer that accepts the connection and provides access to the desktop. Add
the process that runs on the remote computer.

In the properties of the trusted program, select the checkbox Do not block interaction with the
application interface. Clear the other checkboxes. Do not allow programs more than they need for their
work.

8 There are two services in Kaspersky Endpoint Security: Kaspersky Endpoint Security (avp.exe) and Kaspersky Seamless
Update Service (avpsus.exe)
The firmware of any USB flash drive can be modified. When such a USB flash drive is connected to a
computer, the operating system may recognize it as a different device and perform functions designed by
criminals. For example, a USB flash drive can identify itself as a keyboard and send commands on behalf
of the user logged on to the system. In practice, this may be absolutely any action: hidden malware
download, or interception and exfiltration of confidential data. Even if the user does not have system
administrator permissions, that does not solve the issue, because there are various methods of elevating
privileges, and the permissions of an ordinary user are typically enough to organize a data leak.
The BadUSB Attack Prevention component does not permit USB devices to connect as a keyboard
without the user’s authorization. It works as follows. When a USB device is connected, if the operating
system recognizes it as a keyboard, BadUSB Attack Prevention notifies the user and requires that the
user authenticates the device.
By default, the BadUSB Attack Prevention component is not installed on the computers. If necessary,
you can add it using the Kaspersky Endpoint Security task Change application components. The
BadUSB Attack Prevention component is recommended to be installed on laptops.

You can configure it using two parameters in Application Settings | Essential Threat Protection |
BadUSB Attack Prevention:

— BadUSB Attack Prevention can either be Enabled or Disabled; by default, it is enabled
— The parameter Prohibit use of On-Screen Keyboard for authorization of USB devices
  permits (or disallows) the user to authorize devices via the on-screen keyboard. By default, the use
  of the on-screen keyboard is blocked

If BadUSB Attack Prevention is planned to be used on laptops, we recommend that you allow the use of
on-screen keyboards in the out-of-office policy to avoid issues with wireless pointers and presenters.
The default settings provide the users with at least two methods to disable the protection:

— Close Kaspersky Endpoint Security (click Exit on the shortcut menu of the product icon in
  the notification area). This action does not even ask for elevated permissions; any user can do this
— Uninstall Kaspersky Endpoint Security, which requires administrative permissions. However,
  some users may have them, especially on laptops

To prevent the users from weakening or stopping Kaspersky Endpoint Security, configure password
protection for the mentioned actions in the policy and make these settings required (close the lock).
Though a user with administrator rights has enough power to disrupt the operation of Kaspersky Endpoint
Security one way or another, the most direct attempts at doing so will be blocked by Kaspersky Endpoint
Security self-defense, which does not permit deleting or modifying Kaspersky Endpoint Security files and
registry entries, and protects its service and processes in memory. Together, password protection and
self-defense are mostly able to prevent any damage a user might try to inflict on Kaspersky Endpoint
Security. However, self-defense is enabled by default, whereas password protection is not.

Another (less evident) way of disabling the protection is to uninstall the Network Agent. Some 10 to 20
minutes after the Network Agent is removed, Kaspersky Endpoint Security will no longer be controlled by
the policy and the user will be able to change any setting. There is password protection for the Network
Agent too, and it is not enabled by default either.
Password protection can be enabled for most of the user actions that affect Kaspersky Endpoint Security:
editing its settings, exiting, and uninstalling.

To enable password protection for Kaspersky Endpoint Security:

1. Open the policy, switch to the Application Settings tab, in General Settings | Interface, enable
   Password protection
2. Set a password
3. Configure permissions for the group Everyone. Select which operations will prompt the user for
   a password and which will not:

— Application settings: protects against any attempts to modify Kaspersky Endpoint Security
  settings, including the options that enable and disable the components (e.g., File Threat
  Protection); but the user will still be able to stop a component via its shortcut menu
— Remove / modify / restore the application: the password prompt is added to the uninstall
  wizard of Kaspersky Endpoint Security
— Disable Kaspersky Security Center policy: adds the option to temporarily disable the
  policy via the shortcut menu of the Kaspersky Endpoint Security icon after entering the password
— Exit the application: protects the Exit command on the shortcut menu of the product’s icon.
  Meanwhile, self-defense of Kaspersky Endpoint Security will prevent attempts to terminate its
  processes or delete its files
— View reports: prompts for the password prior to showing events in the local interface of
  Kaspersky Endpoint Security

  The password protects both the graphical interface of Kaspersky Endpoint Security and the
  command line interface.

— Restore access to data on encrypted drives: prevents the user from starting the data
  recovery tool. It is the administrator’s job to recover data, not the user’s

— Restore from Backup—prompts for the password when restoring files from backup

— Disable protection components—the user can start protection components and local tasks
(if they are displayed); the password window appears only if the user attempts to stop them.
The update tasks lack this protection

— Disable control components—the password is necessary to disable the Device Control,
Application Control, or Web Control

This capability is useful for local troubleshooting. When a policy is active, the administrator
can't change Kaspersky Endpoint Security parameters to see which component or which
particular setting is causing troubles for the user. Moving a problem computer to a special
group for diagnostics and then returning it back after the problem is solved is an awkward
solution, especially if different IT units are responsible for centralized protection management
and local diagnostics. The capability to temporarily disable a policy using a special password
on a computer helps to carry out diagnostics without changing the settings on
the Administration Server.

— Remove key—the user cannot stop protection by deleting the key unless the password is
entered

The advantage of password protection is that it remains active even when the policy is disabled. Once the
password protection settings are applied to Kaspersky Endpoint Security, the users will be unable to
manage the product without a valid password even if the administrator disables the policy. Password
protection permits configuring permissions for each user or group of users.

The Network Agent is less likely to be noticed by the local user than Kaspersky Endpoint Security. The list
of installed programs is one of the few places where it can be found. "Kaspersky" in the product name
may be sufficient for some users to attempt uninstalling the Network Agent. If a user has administrator
privileges, the attempt will succeed.

To protect the Network Agent, set an uninstallation password in its policy. The Quick Start wizard creates
the Network Agent policy automatically.

The password for Network Agent uninstallation is to be set in the Settings section. By default, it is not
specified. Enable the Use uninstall password option, enter the password and don't forget to lock this
group of settings. It's not locked by default and setting the password while leaving the option 'unlocked'
has zero effect on the local Network Agent settings.

Once the policy is applied, the password prompt is added to the Network Agent uninstallation wizard. An
attempt to uninstall the Network Agent using the command line without the password will also fail.

Kaspersky Endpoint Security provides a number of tools to help protect user data when a device is stolen
or lost. One of these tools is the Data Wipe task.

This task allows the administrator to delete the user's data—folders and/or files having the specified
extensions—either using the operating system's tools or by overwriting the data with randomly generated
files, thus eliminating the capability to recover the information. The administrator can run the task manually,
or it can start automatically if the device does not connect to Kaspersky Security Center for more than X days.

Kaspersky Endpoint Security policy has more settings than we have described in this unit.

For most of the protection components, you can select what to do with malicious files and other threats.

By default, all components try to disinfect malicious files, and if disinfection fails or is impossible, delete
them. The administrator can select to delete all malicious files immediately, or only block them rather than
delete. Blocking instead of deleting makes sense only if you are testing something. On the protected
computers, use the action that deletes malicious files. We recommend that you leave the default action.

Prior to disinfecting or deleting a file, Kaspersky Endpoint Security copies it to the Backup. It is a special
folder on the computer where Kaspersky Endpoint Security stores encrypted copies of malware. If
Kaspersky Endpoint Security deletes a file mistakenly, the administrator will be able to restore it from the
Backup after configuring an exclusion.

The settings that we have not mentioned usually should not be changed. They are described in the help
system of Kaspersky Endpoint Security. The following table briefly describes some of the settings:

General Settings | Exclusions | Types of detected objects

Viruses and worms (cannot be disabled); Trojans (cannot be disabled); Malicious tools (enabled);
Adware (enabled); Auto-dialers (enabled)
    Do not change these settings. All these objects at least hamper the user, and may cause significant
    harm if worst comes to worst. If the administrators use testing utilities that the antivirus considers to
    be malicious, configure exclusions for them instead of disabling detection of the whole category of
    objects.

Other (disabled); Packed files that may cause harm (enabled); Multi-packed files (enabled)
    The Other category includes remote management utilities, such as RAdmin, UltraVNC, DameWare, etc.
    Criminals may use these legitimate tools for unauthorized access to computers. However,
    administrators and users may need them for their work. Configure as necessary.

<Component name> | Action on threat detection

Disinfect; Delete if disinfection fails
    Do not modify the action settings. Let the components delete all malicious objects.
    If false positives occur, configure exclusions. Restore erroneously deleted files from the Backup
    repository after configuring an exclusion.

Local tasks | Removable drives scan

Action when a removable drive is connected: (by default) Do not scan
    Change the action to Quick Scan or Detailed scan.
    Although File Threat Protection scans everything the user starts or copies from a removable drive, it is
    not recommended to leave passive malicious files on removable drives. The user may, for example,
    take this drive to a customer and accidentally infect a computer.

Maximum removable drive size: (by default) 4096MB
    To save employees' time and prevent Kaspersky Endpoint Security from scanning large drives, limit
    the maximum size of the drive to be scanned, for example, to 32MB.

Local tasks | Task management

(By default) Is disabled
    Do not enable. Local tasks are difficult to manage with the Administration Server and they confuse
    the administrator.
    If you need to enable the users to start updates or stop virus scanning, it is best to select the
    checkbox Allow group tasks to be displayed in this list.

General Settings | Application Settings | Performance | Postpone scheduled tasks while running on battery power

(By default) Is enabled
    Lots of contemporary laptops boast 10-plus hours of battery life. It may be dangerous to postpone
    virus scanning, let alone updates, until the user plugs the laptop in. Disable this option for such
    computers.
    At the same time, old laptops may have short battery life; this parameter was designed for them.
    Place old and contemporary laptops into different groups and specify proper settings for them via
    dedicated policies.

General Settings | Application Settings | Performance | Concede resources to other applications

(By default) Is enabled
    Do not disable.

General Settings | Reports and Storage | Reports

Store reports no longer than: (by default) 30 days; Maximum file size: (by default) 1024MB
    For most companies, an event history of 30 days is enough. If you need to store events longer,
    increase the storage time and maximum file size.
    Think about sending events to a SIEM system (see course KL 009).

General Settings | Reports and Storage | Backup

Store objects no longer than: (by default) 30 days; Maximum storage size: (by default) is not specified
    If you suspect a file to be malicious, but Kaspersky Endpoint Security does not react to it, receive its
    reputation from KSN in real time or send the file to technical support via the
    companyaccount.kaspersky.com portal.

General Settings | Reports and Storage | Data transfer to Administration Server

About files in Backup; About unprocessed files
    Enable the first two lists: they inform about threats and false positives.

About installed devices; About file encryption errors
    Send the lists of devices and encryption errors only if you use Device Control and Encryption.

About started applications
    We recommend that you send the list of started applications only from individual computers; do not
    enable it for the whole network.

General Settings | Interface | Notification Settings | <Component> | <Event>

Save in local report
    Store all events in the local log.

Save in Windows Event Log
    In the Windows log, store at least functional failure events to be able to view them if Kaspersky
    Endpoint Security does not work.

Notify on screen
    Notify on screen only about control events. The fewer messages from Kaspersky Endpoint Security
    the user sees, the better.

Notify by email
    Do not configure email notifications here.

General Settings | Interface | Interaction with user

With full interface: is enabled by default
    Select No interface if users complain that Kaspersky Endpoint Security hampers them.

With simplified interface: is disabled by default
    If the corporate policy prohibits completely hiding the software interface from the users, select With
    simplified interface: the users will see the Kaspersky Endpoint Security icon in the notification area,
    but will not be able to open its window or understand which components and tasks are running.

General Settings | Interface | Show application's status in notifications area

Active threats; Computer restart required; Problems with signature databases; Problems with protection
level; Problems with license; Updates available
    Disable on the network computers. It is the administrator who needs to be informed about issues
    rather than the user, and they are to be displayed in the Administration Console rather than in the
    local interface.
    Enable in an out-of-office policy to permit the users to take care of protection on laptops.
All protection components in Kaspersky Endpoint Security either detect and block threats, or reduce the
attack surface, meaning, prevent the user and applications from taking actions that are potentially
dangerous to the computer.

Therefore, do not disable the protection components. Instead, create exclusions for those programs that
are slowed down by the antivirus.

Configure regular virus scanning. First, it detects passive threats. Second, it updates the cache of
scanned files, after which File Threat Protection and other components work faster.

All components do well with the default settings. Usually, these settings can hardly be improved, and
should not be changed. However, to better counter ransomware, you can configure Host Intrusion
Prevention to guard your documents.

The default settings can be improved for laptops, which are taken outside the corporate network. Create
an out-of-office policy for them.

Finally, protect not only computers from malware, but also Kaspersky Endpoint Security from the user.
Configure password protection for Kaspersky Endpoint Security and Network Agent.

v.1.0.6