Kaspersky Technical Training

KL 002.11

Kaspersky
Endpoint Security
and Management.
Fundamentals

Student Guide
 ED
UT
IB
S TR
DI
RE
OR
DE
PI
CO
BE
TO
T
NO

Kaspersky Lab
www.kaspersky.com
 I-1
Unit I. Deployment

ED
UT
IB
Unit I. Deployment

S TR
Introduction .................................................................................................................... 4

DI
Basics of Kaspersky Endpoint Security for Business ................................................................................................... 5
Which products this course covers ......................................................................................................................... 5

RE
What constitutes Kaspersky Security Center .......................................................................................................... 5
What constitutes Kaspersky Endpoint Security ...................................................................................................... 6
How Kaspersky Security Center manages computers ............................................................................................ 8
How the administrator manages protection via the Console ................................................................................. 9
How policies are applied to computers ................................................................................................................ 10
OR

How policies work in groups................................................................................................................................ 11

How tasks are applied to computers .................................................................................................................... 12
How tasks work in groups .................................................................................................................................... 13
How Kaspersky Endpoint Security for Business is licensed ................................................................................. 14
What this course is about ............................................................................................................................................ 15
D

What we will tell you in this course and what not ................................................................................................ 15
Where to learn more about the products that fall out of this course scope .......................................................... 16
E

What this course includes..................................................................................................................................... 17

PI

Chapter 1. How to deploy Kaspersky Endpoint Security for Business ....................... 19

1.1 What to install and in what order .......................................................................................................................... 19
CO

1.2 How to organize the process ................................................................................................................................. 20

Chapter 2. How to install Kaspersky Security Center ................................................. 21

2.1 Requirements for the Administration Server ........................................................................................................ 21
BE

Support for server versions of Windows .............................................................................................................. 21

Support for Windows workstations ...................................................................................................................... 22
Virtualization support .......................................................................................................................................... 23
Support for database management servers .......................................................................................................... 24
Additional software requirements ........................................................................................................................ 25
TO

Minimum hardware requirements ........................................................................................................................ 25

2.2 Installation of the Administration Server .............................................................................................................. 25
Where to get the Kaspersky Security Center distribution .................................................................................... 25
Kaspersky Security Center installation shell........................................................................................................ 26
T

What you need to know before the installation .................................................................................................... 27

Setup wizard ......................................................................................................................................................... 28
NO

Additional consoles and plug-ins ......................................................................................................................... 40

Installation results................................................................................................................................................ 41
I-2 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
2.3 Quick Start Wizard................................................................................................................................................ 43
What you need to know prior to configuring ........................................................................................................ 43
Mobile device management .................................................................................................................................. 44

UT
License installation .............................................................................................................................................. 45
Configuring proxy server for internet access ....................................................................................................... 47
Checking for new versions ................................................................................................................................... 48
Kaspersky Security Network ................................................................................................................................. 50

IB
Configuring email notification ............................................................................................................................. 51
Configuring vulnerability and patch management ............................................................................................... 52
Creating tasks and policies .................................................................................................................................. 52

TR
Downloading updates to the repository................................................................................................................ 54
What to do next ..................................................................................................................................................... 55
2.4 What is there in the Administration Console? ....................................................................................................... 55

S
Chapter 3. How to install Kaspersky Endpoint Security on computers ...................... 57

DI
3.1 Requirements for the computers ........................................................................................................................... 57
Kaspersky Endpoint Security requirements for the operating system .................................................................. 57
The virtual platforms supported by Kaspersky Endpoint Security ....................................................................... 58

RE
Minimum hardware requirements ........................................................................................................................ 59
Requirements for the Network Agent .................................................................................................................... 59
3.2 Installation methods .............................................................................................................................................. 60
What to do prior to the installation ...................................................................................................................... 60
OR

Available installation methods ............................................................................................................................. 61

3.3 How to remotely install Network Agent and Kaspersky Endpoint Security ......................................................... 62
Remote installation wizard ................................................................................................................................... 62
Installation packages............................................................................................................................................ 63
D

Selecting the installation package ........................................................................................................................ 64

Selecting the computers ........................................................................................................................................ 65
E

Installation method ............................................................................................................................................... 68

Selecting the key ................................................................................................................................................... 69
PI

Uninstalling incompatible applications ............................................................................................................... 70

Where to place computers after the installation ................................................................................................... 71
Administrator account .......................................................................................................................................... 71
CO

Where to monitor the installation ......................................................................................................................... 72

Installation results ................................................................................................................................................ 73
3.4 How to install the Network Agent via Active Directory ....................................................................................... 74
How to install applications via Active Directory ................................................................................................. 74
How to publish the Network Agent package in Active Directory using a task ..................................................... 75
BE

What the task changes in Active Directory ........................................................................................................... 75

3.5 How to simplify local installation ......................................................................................................................... 77
Why install locally ................................................................................................................................................ 77
Standalone installation packages ......................................................................................................................... 77
TO

How to create a standalone package.................................................................................................................... 78

What to do with standalone packages .................................................................................................................. 80
3.6 How to select which KES components to install .................................................................................................. 82
Installation packages............................................................................................................................................ 82
T

Settings of a Kaspersky Endpoint Security package ............................................................................................. 83

Network Agent package parameters ..................................................................................................................... 89
NO
 I-3
Unit I. Deployment

ED
3.7 How to create an installation package ................................................................................................................... 91
Why create installation packages ......................................................................................................................... 91
Package creation wizard ...................................................................................................................................... 91

UT
Package types....................................................................................................................................................... 92
Package settings................................................................................................................................................... 93
How to download a new version .......................................................................................................................... 95
How to find out if new versions are available ...................................................................................................... 98

IB
3.8 How to uninstall incompatible applications .......................................................................................................... 98
Which programs are incompatible and why uninstall them ................................................................................. 98

TR
What if there are incompatible applications? ...................................................................................................... 99
How to find out if there are any incompatible applications ............................................................................... 101
How to uninstall incompatible applications that have not been found .............................................................. 102
How to display computers with an incompatible application ............................................................................ 104
How to uninstall incompatible applications using a task ................................................................................... 107

S
Chapter 4. How to organize computers into groups .................................................. 112

DI
4.1 How to understand that the deployment has been completed ............................................................................. 112

RE
Where to look for information about the deployment ......................................................................................... 112
Global statuses ................................................................................................................................................... 113
Device selections ................................................................................................................................................ 113
Reports ............................................................................................................................................................... 114
4.2 How the Administration Server discovers computers ......................................................................................... 116
OR

Polling types....................................................................................................................................................... 116

Where to configure polling................................................................................................................................. 116
Windows network polling ................................................................................................................................... 117
Active Directory polling ..................................................................................................................................... 120
IP range polling ................................................................................................................................................. 122
D

Where to monitor network polling ..................................................................................................................... 124

How to find out that the Server has discovered new computers ......................................................................... 124
E

4.3 How to create or import groups .......................................................................................................................... 125

PI

Why create groups ............................................................................................................................................. 125

How to add a group ........................................................................................................................................... 126
How to add a computer to a group .................................................................................................................... 127
CO

How to import a group structure........................................................................................................................ 128

4.4 How to add computers to groups automatically .................................................................................................. 131
Computer relocation rules ................................................................................................................................. 131
Configuring relocation rules .............................................................................................................................. 133
BE

Conditions in relocation rules ............................................................................................................................ 134

How to synchronize groups with Active Directory ............................................................................................. 136
Tags .................................................................................................................................................................... 137
Rule application order ....................................................................................................................................... 138
TO
T
NO
I-4 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
UT
Introduction

IB
S TR
DI
RE
OR
D

First of all, let us introduce the course and tell you which topics it covers and which it omits. You will also learn
which solutions and products are studied in this course, what they consist of, how they interact and how they are
E

licensed.
PI
CO
BE
TO
T
NO
 I-5
Unit I. Deployment

ED
Basics of Kaspersky Endpoint Security for Business

UT
Which products this course covers

IB
S TR
DI
RE
OR

This course describes the Kaspersky Endpoint Security for Business solution that includes several Kaspersky Lab
D

products. This course does not cover all products; it tells only about those that can help to protect a not-too-large
Windows network.
E

A not-too-large network in our course means approximately up to 1000 endpoints in a single location. Endpoints in
PI

this course are servers and workstations running Windows.

To protect such a network, two Kaspersky Endpoint Security for Business products are necessary:
CO

— Kaspersky Endpoint Security for Windows—to protect computers against threats

— Kaspersky Security Center 10—to centrally manage the protection

Kaspersky Endpoint Security is an application that not only protects against malware and hackers, but also can
control the users’ actions and encrypt files and drives.
BE

What constitutes Kaspersky Security Center

TO

Kaspersky Security Center consists of several programs:

— Kaspersky Security Center Administration Server (“Administration Server”, “KSC Server” or simply
“Server” wherever sounds unambiguous) stores all the settings, collects events, draws up reports, etc. It is
the Server that manages protection on the administrator’s command.
T

— The database server maintains the database where the KSC Server stores events and some of the settings.
NO

Other settings are stored on the drive among KSC Server installation files.

— Kaspersky Security Center Network Agents (“Network Agents”, “KSC Agents”, or simply “Agents”)
connect Kaspersky Endpoint Security to the Administration Server: receive settings for Kaspersky
Endpoint Security from the Server, and send events to the server
I-6 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
— Kaspersky Security Center Administration Console provides a management system interface for the
administrator; the administrator configures parameters in the console, consults reports and events, and
manages protection in general

UT
What constitutes Kaspersky Endpoint Security

IB
S TR
DI
RE
OR

Kaspersky Endpoint Security is a single application that includes numerous components:

D

Protection components
E
PI

Kaspersky Requests the reputation of programs and web pages from Kaspersky Lab servers, provides the
Security Network latest information about threats, protects against zero-day attacks and false positives
CO

Behavior Monitors what applications do, but analyzes what a program does in general rather than its
Detection individual actions. Stops applications that behave as malware. In particular, stops programs that
try to encrypt files

Exploit Monitors which files start vulnerable programs, and blocks attempts to start executable files
Prevention unless initiated by the user
BE

Host Intrusion Also monitors software activities on the computer. Does not allow programs that have bad or
Prevention unknown reputation to change system settings and user’s files. Prevents them from fiddling
around with the operating system and other software
TO

Remediation Logs changes to the operating system and rolls back any changes performed by suspicious
Engine programs that have been detected by Behavior Detection, Exploit Prevention, or File Threat
Protection

File Threat Scans files whenever the user or a program creates, changes, copies, or starts one.
Protection Blocks operations with malicious files, and quarantines these files
T

Web Threat Scans web pages and files that the user or programs download from the Internet. Blocks
NO

Protection dangerous and phishing websites, prohibits downloading malicious files

Mail Threat Intercepts email messages, scans their text and attachments, deletes malicious files from
Protection messages
 I-7
Unit I. Deployment

ED
Firewall Controls the connections established by the programs running on the computer, and the packets
they receive or send. Blocks packets according to the configured rules. Does not allow an
unknown program or a program that has bad reputation to establish connections

UT
Network Threat Scans network packets that the computer receives. Blocks a connection if detects indications of
Protection a network attack

BadUSB Attack Does not permit connecting new input devices (keyboards, etc.) to the computer without the

IB
Prevention user’s consent. Protects against USB devices that pretend to be keyboards and send malicious
commands to the computer

TR
Control components

S
Application Blocks program start according to the configured rules. Can freeze a computer’s state and block
Control any new applications.

DI
Device Control Blocks access to devices according to the configured rules. The administrator can prohibit access
to all or some of removable drives, Wi-Fi adapters, or modems

Web Control
RE
Blocks access to web pages according to the configured rules. The administrator can prohibit
access to social networks, job search and news websites, torrent trackers, etc.

Encryption components
OR

Full Disk Encryption Encrypts all drives’ contents. Protects files on notebooks, which may be lost or stolen
D

File Level Encrypts individual files and folders according to the rules. Protects files on notebooks,
Encryption which may be lost or stolen
E

BitLocker Manages disk encryption via Microsoft BitLocker. Protects files on notebooks, which may
Management be lost or stolen
PI

Other components and tasks

CO

Virus Scan Scans files on the specified schedule. Performs this more thoroughly than File Threat
Protection.
BE

Update Downloads descriptions of threats and file reputations to the computers, provides protection
when Kaspersky Security Network is inaccessible

Endpoint Sensor Informs the Central Node of Kaspersky Anti-targeted Attack Platform about the programs’
activities on the computers, helps to detect Advanced Persistent Threats
TO

Integrity check Ensures that nobody can modify Kaspersky Endpoint Security files

Checking connection Checks KSN accessibility from endpoints

with KSN
T

For more details about the components and their settings, refer to Units II and III.
NO
I-8 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
How Kaspersky Security Center manages computers

UT
IB
S TR
DI
RE
Let’s see how all components of Kaspersky Endpoint Security for Business interact.
OR

In a protected network, two programs are installed on each computer:

— Kaspersky Endpoint Security, for protection

— Kaspersky Security Center Network Agent, for management
D

The Network Agent connects to the Administration Server on the specified schedule, and also if necessary. By
default, a so-called synchronization takes place every 15 minutes.
E
PI

What the Server receives from computers

CO

For the administrator to see what’s happening in the network, Network Agent sends the following data to the server:

Events As soon as logged When Kaspersky Endpoint Security finds malware, cannot
download updates, cannot start components, etc.
BE

Statuses As soon as logged Kaspersky Endpoint Security is not running

Databases are out of date
KSN is inaccessible
There are dangerous unprocessed objects
TO

Lists Once per List of known executable files

synchronization interval List of vulnerable programs
List of quarantined malicious objects
List of unprocessed threats
List of hardware
T

List of installed software

Kaspersky Endpoint During a

NO

Security settings synchronization

Typically, Agents send only changes in the lists to the server. Once every several hours (3 hours for some lists, 12
for others), the Server completely synchronizes the lists with the computers.
 I-9
Unit I. Deployment

ED
Administration Server accepts connections from the Network Agents on TCP port 13000. Agents establish TLS/SSL
connections; they encrypt and compress data using the Administration Server certificate.

UT
What computers download from the Server

For Kaspersky Endpoint Security to protect a computer in a way the administrator wants, the Network Agent

IB
downloads settings for Kaspersky Endpoint Security in the form of policies and tasks from the Server.

During a synchronization, Network Agent compares the computer’s tasks and policies with those of the

TR
Administration Server, and if the administrator has changed something on the server, the Agent downloads new
tasks and policies.

Usually, computers receive tasks and policies earlier than at a planned synchronization. Network Agents accept

S
packets on UDP port 15000. If the Server wants an Agent to urgently connect to the Server, it sends a special signal
to this port. When the administrator modifies a task or policy, the Administration Server contacts Agents on all

DI
computers to which this task or policy pertains. During a synchronization, policies are downloaded only by those
computers that have not received the signal from the Server.

The administrator can also send a synchronization request manually, via a computer’s shortcut menu in the
Administration Console.
RE
Additionally, Agents connect to the Server to download updates for Kaspersky Endpoint Security. For this purpose,
they also connect to port 13000 over an SSL connection.
OR

How the administrator manages protection via the

Console
E D
PI
CO
BE
TO

The events and statuses sent by the Network Agents help the administrator understand what is happening in the
T

network. The Administration Server summarizes statuses of individual computers and displays them on the main
page of the Administration Console—the Monitoring tab of the Administration Server node.
NO

To better understand what is happening, the administrator can consult reports, which the Administration Server
draws up based on events. There are many search and filter tools in the console that help to arrange events and
computers according to various parameters.
I-10 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
To specify settings for computer protection, the administrator creates tasks and policies in the console:

— Tasks—for operations that have a logical termination, for example, update completes when Kaspersky
Endpoint Security receives all new threat descriptions, virus scanning completes when all files in the scan

UT
scope have been scanned. That is why updates and virus scanning are configured as tasks, which have
schedules.

— Policies—for all the other parameters: how to scan files that the user downloads from the Internet or

IB
receives by email, how to scan files opened by programs, which network connections to allow and which to
block. These settings are to be applied permanently to protect the computer, that is why they are specified
in a policy.

TR
If different computers need different settings, the administrator organizes computers into groups and creates
individual policies or tasks within each group. For example, to perform virus scanning on servers at weekends, and
on workstations in the background mode during a business day, the administrator can create two groups (for servers

S
and workstations) and create virus scan tasks with different schedules for them.

DI
How policies are applied to computers

RE
OR
E D
PI
CO

A policy contains the same parameters as the local settings of Kaspersky Endpoint Security. When the administrator
BE

configures a policy, the local protection settings are changed.

In a policy, each parameter or a group of parameters has a lock button.

If the button appears pressed and the lock is closed, the parameters are applied to the computers where the policy is
TO

enforced. The user cannot modify the values of these parameters in the local interface of Kaspersky Endpoint
Security.

If the button appears released and the lock is open, the computer considers that this parameter has not been specified
in the policy. The user can change these parameters in the local interface.
T

The settings whose lock is closed are compulsory.

NO
 I-11
Unit I. Deployment

ED
How policies work in groups

UT
IB
S TR
DI
RE
Policies are applied to computer groups.
OR

Even if the user has not created any groups, there is the root group on the Administration Server, which is named
Managed devices. If the user wants to create custom groups, they are created as subgroups within the Managed
devices group.
D

Policies conform to the following rules:

— There may be policies for different applications in a group, for example, the Network Agent policy and the
E

Kaspersky Endpoint Security policy

PI

— There can be a few policies for the same application in a group, but only one of them can be active.
CO

The Active policy is the policy that the Administration Server sends to the computers.
An Inactive policy does not influence anything, but the administrator can make it active at any moment and
thus quickly reconfigure settings on all computers.
If the administrator makes a policy active, the policy that has been active so far becomes inactive
automatically.
BE

— If a group has a Kaspersky Endpoint Security policy, and there is a subgroup where there is no Kaspersky
Endpoint Security policy, the parent group’s policy is applied to the subgroup’s computers as well

— If a group has a Kaspersky Endpoint Security policy, and there is a subgroup where another Kaspersky
TO

Endpoint Security policy is configured, the subgroup’s computers receive the policy configured within their
subgroup. However, required (locked) parameters from the parental policy are enforced on the subgroup’s
policy, and the administrator cannot modify them. In a child policy, the administrator can edit only the
parameters that are not locked in the parent group’s policy
T

— The administrator can choose not to apply a group policy to subgroups: in the subgroup’s policy, clear the
check box that regulates inheriting parameters from the parental policy. After that, the administrator will be
NO

able to edit all parameters in the child policy

I-12 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
How tasks are applied to computers

UT
IB
S TR
DI
RE
The administrator manages update and virus scan settings via tasks rather than the policy.
OR

While there can be only one type of Kaspersky Endpoint Security policy 1, there are many various task types in
Kaspersky Endpoint Security:

— Virus Scan
—
D

Update
— Rollback
— Inventory
E

— Add key
— Integrity check
PI

— Change application components

— Checking connection with KSN
— Manage Authentication Agent accounts
CO

Each task type has its own characteristic settings. For example, a virus scan task has its scope and file scan settings,
an update task has an update source and instructions which updates to download.

Every task has a schedule.

BE

Unlike policies, tasks have no locks. All task settings are enforced on the computers and the user cannot modify
them.

Tasks can be created not only by the administrator on the Administration Server, but also by the user in the local
TO

interface. However, if a policy is configured on the Administration Server and enforced on a computer, it will use
only the Administration Server’s tasks. Local tasks will be neither run nor even displayed in the interface, and the
user will not be able to create new local tasks.
T
NO

1
One for one or a few product versions. For example, Kaspersky Endpoint Security 10 SP2 has its own policy type, and Kaspersky Endpoint
Security 10 has another. Two policies of a single Kaspersky Endpoint Security version contain the same parameters, only the values of these
parameters differ.
 I-13
Unit I. Deployment

ED
How tasks work in groups

UT
IB
S TR
DI
RE
The administrator creates tasks in groups for regular activities, such as virus scanning or downloading updates.
OR

Similar to group policies, group tasks have their rules:

— If there is a subgroup in a group, a group task is applied to the subgroup’s computers

— There can be several tasks of each type in a group, for example, a few virus scan tasks. They may differ in
D

the scope and schedule, for example, one of the tasks may scan the whole computer once a week, and
another one, only critical areas but daily.
E

— If you want to scan for viruses the same scope with different schedules on different computers, organize
PI

computers into respective groups and create individual tasks within each group. For example, you can run
full scan on servers during the weekends, and on workstations, during business hours in background mode.
CO

— If there is a task in a group, and there is a subgroup with a task of the same type, the subgroup’s computers
will be running both tasks. Usually, this means that the administrator has not thought over thoroughly
enough which tasks are really needed.

You must be especially careful with update tasks. To update Kaspersky Endpoint Security on a computer,
BE

there must be one update task. If an update task is configured within a group and another one in its
subgroup, both will be applied to the computers that comprise the subgroup. If an update task is running
already, another one will return an error if started at the same time. Consequently, the administrator will
keep receiving update errors due to a configuration error while updates will work correctly.
TO

— Subgroups can be excluded from a task scope. Then the subgroup’s computers will receive only the
subgroup’s task, and the parental task will not be used

Unlike a policy, a task can be created for any list of computers, from a single computer to an arbitrary set of
computers belonging to different groups.
T
NO
I-14 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
How Kaspersky Endpoint Security for Business is
licensed

UT
IB
S TR
DI
RE
OR

Which licenses are available for Kaspersky Endpoint Security for Business

We’ve studied how the components of Kaspersky Endpoint Security for Business interact, and how the
administrator manages them.
D

Now let us find out which licenses are available for Kaspersky Endpoint Security for Business, and what makes
E

them different.
PI

There are two levels of licenses in Kaspersky Endpoint Security for Business:

— Select
CO

— Advanced

Different licenses permit using different Kaspersky Lab products and different functions within these products.
BE

What licenses activate in Kaspersky Endpoint Security for Business

You do not need to activate Kaspersky Security Center to use it. Everything which is necessary for managing
workstation protection is available without a license.
TO

KESB Select permits protecting workstations, servers and mobile devices.

In Kaspersky Endpoint Security, a KESB Select license activates the protection and control components.
T

In Kaspersky Security Center, a KESB Select license activates the mobile device management functionality. You do
not need to activate Kaspersky Security Center to be able to manage only the protection and control on workstations
NO

and servers.

KESB Advanced permits protecting the same types of endpoints: workstations, servers and mobile devices, but
activates more functions.

In Kaspersky Endpoint Security for Windows, a KESB Advanced license permits using encryption.
 I-15
Unit I. Deployment

ED
In Kaspersky Security Center, a KESB Advanced license allows the customer to use Systems Management;
specifically, automatically download and install software fixes and updates, create and deploy images of operating
systems with pre-installed applications, etc.

UT
Targeted licenses

IB
If a customer does not need all KESB Advanced functions, licenses for individual functions are also available:

— Encryption
— Mobile Device Management

TR
— Systems Management

Except for the functionality, these licenses have a limitation on the number of endpoints to be protected. For

S
example, a customer purchases a license for 100 nodes, and if later wants to protect more devices, purchases a new
license for, say, 150 or 200 nodes.

DI
All the mentioned licenses are usually valid for a year. After that, the customer renews the license for another year,
and so on.

Subscription licenses RE
Additionally, Kaspersky Lab supports subscription licenses. These licenses are purchased from special partners, and
OR

the customer pays monthly. The customer can suspend a subscription and resume it later.

With a subscription license, the customer can select which functionality level to use and change the number of nodes
every month if necessary: expand or cut down depending on the current needs.
E D

What this course is about

PI
CO

What we will tell you in this course and what not

BE
TO
T
NO
I-16 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Kaspersky Endpoint Security for Business includes many products and capabilities. This course does not cover all of
them. It only talks about how to protect a not-too-large network of computers running Windows operating systems.

That is why this course does not describe all the products that belong to Kaspersky Endpoint Security for Business;

UT
instead, it focuses on:
— Kaspersky Endpoint Security for Windows
— Kaspersky Security Center

IB
The following products are out of the course scope:
— Kaspersky Endpoint Security for Linux

TR
— Kaspersky Endpoint Security for Mac
— Kaspersky Security for Windows Server
— Kaspersky Embedded Systems Security
— Kaspersky Endpoint Security for Android

S
— Safe Browser for iOS
— Kaspersky Security for Virtualization

DI
— Kaspersky Anti-Targeted Attack Platform/Kaspersky Endpoint Detection and Response

For the same reason, the course does not talk about all the capabilities of Kaspersky Endpoint Security for Windows
and Kaspersky Security Center, but concentrates on how to:
—
—
Install protection on the computers
Manage computer protection
RE
— Manage the Control components
— Use a single Kaspersky Security Center Administration Server
OR

The following topics fall outside the framework of this course:

— Encryption management
— Third-party vulnerability and patch management
—
D

Creation and deployment of disks with computer images

— Protection of large, complex, and distributed networks using Update Agents, Connection Gateways, or
E

several Kaspersky Security Center Administration Servers

PI

Where to learn more about the products that fall out of

this course scope
CO
BE
TO
T
NO
 I-17
Unit I. Deployment

ED
The following courses, which are devoted to other products and technologies, are available:

How to protect Linux workstations KL 013 1 day

UT
How to protect Linux servers KL 007 1 day

How to protect Mac workstations KL 011 1 day

IB
How to protect Windows servers using Kaspersky Security for Windows Servers KL 005 1 day

How to protect devices running embedded versions of Windows KL 037 1 day

TR
How to manage mobile devices KL 010 1 day

How to manage encryption KL 008 1 day

S
How to fix vulnerabilities and install updates on third-party software KL 009 1 day

DI
How to manage protection in large, complex and distributed networks KL 302 2 days

How to protect virtual machines using Kaspersky Security for Virtualization. Agentless KL 014 1 day

Troubleshooting
RE
How to protect virtual machines using Kaspersky Security for Virtualization. Light Agent KL 031

KL 016
1 day

1 day

How to implement a Default Deny policy KL 032 1 day

OR

KATA/KEDR KL 025 2 days

What this course includes

E D
PI
CO
BE
TO
T

This course consists of presentations and labs, which alternate. The instructor first explains every topic with slides,
and then the students put theory into practice in lab experience.
NO

The Student Guide includes all slides and elaborates on all the topics and product settings.

What to do during the labs is described in detail in the Lab Guide.

I-18 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
The students complete hands-on exercises using virtual machines. The virtual environment depends on the class: it
can be VMware Workstation, VMware vSphere, Microsoft Hyper-V, etc. The Lab Guide is designed for VMware
Workstation.

UT
Students use five virtual machines, which perform the following roles in the labs:

DC Provides AD domain services, DNS, file access

IB
Security-Center It is the Kaspersky Security Center Administration Server, where the administrator
manages protection from

TR
Alex-Desktop Represents a typical desktop computer in a corporate network

Tom-Laptop Represents a notebook that may be taken outside the corporate network for some time

S
Spare-Security-Center Another Administration Server, to test the data restore functionality

DI
RE
OR
E D
PI
CO
BE
TO
T
NO
 I-19
Unit I. Deployment

ED
UT
Chapter 1. How to deploy Kaspersky Endpoint
Security for Business

IB
TR
1.1 What to install and in what order

S
DI
RE
OR
E D
PI
CO

In a deployment, all network computers must be protected, and the administrator must be able to manage protection
centrally. To achieve this, you need to install Kaspersky Security Center 10 (KSC 10) and Kaspersky Endpoint
Security 11 for Windows (KES 11) on the computers.
BE

First, install the Kaspersky Security Center Administration Server. The Administration Server centrally manages
protection, and helps to install other components.

The Kaspersky Administration Console is installed automatically along with the Administration Server. To manage
the server remotely, use remote desktop, or install Kaspersky Security Center Administration Console on the
administrator’s computer.
TO

In order to protect the network, install Kaspersky Endpoint Security on every computer. Kaspersky Endpoint
Security alone cannot interact with Kaspersky Security Center; install the Network Agent on every computer to
make centralized management possible.
T

If you need to enforce different settings on different computers, organize the computers into groups. Do not create
NO

more groups than necessary. To be able to easily find computers, import the structure from Active Directory.

To sum up, deploy protection as follows:

1. Install the Kaspersky Security Center Administration Server

2. Install Kaspersky Security Center Network Agent and Kaspersky Endpoint Security
3. Organize computers into groups
I-20 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
1.2 How to organize the process

UT
IB
S TR
DI
RE
OR

You do not need much time to install all the components of Kaspersky Endpoint Security for Business. What
consumes time is troubleshooting.

To save time, do your homework. Try what you want to implement in a test environment. If you encounter issues,
think how to solve them, or find a workaround to use in case the issue arises on the network computers.
D

However, you are unlikely to stumble upon every possible issue in a test environment. Therefore, in your real
E

network, start with a small number of computers: 10–20. Try to select different computers to come upon as many
potential issues as possible. If you encounter new issues, return to the test environment, reproduce them and come
PI

up with a solution or a workaround.

Stage the deployment: for example, 100 computers at a time. This way, you will discover new issues gradually, and
CO

the number of problem computers will always be small.

To sum up, deploy as follows:

1. Install software in a test environment

BE

2. Install software on 10-20 typical computers

3. Install software on all computers, by stages, 100 computers at a time

At each step, plan some extra time for troubleshooting. Do not proceed to the following step until you decide how to
solve or get around all issues. Whenever possible, solve issues in a test environment rather than on the network
TO

computers.

Today, an IT test environment is usually made of virtual machines. If virtual machines are not available, use the
administrators’ computers for testing.
T
NO
 I-21
Unit I. Deployment

ED
Chapter 2. How to install Kaspersky Security

UT
Center

IB
TR
2.1 Requirements for the Administration Server

S
DI
To install the Kaspersky Security Center Administration Server, prepare a computer that meets the system
requirements.

RE
If there are fewer than 1000 endpoints in the network, the Administration Server and the database server will easily
share a single computer. If nodes are more numerous, use a more powerful computer or use a dedicated computer
for the database server.

The Administration Server computer can be either physical or virtual. If you are using a virtual Server, make sure
OR

that the virtual environment meets the system requirements.

Support for server versions of Windows

E D
PI
CO
BE
TO

The complete list of supported server operating systems is as follows:

T

— Microsoft Small Business Server 2008 Standard 64-bit

—
NO

Microsoft Small Business Server 2008 Premium 64-bit

— Microsoft Small Business Server 2011 Essentials 64-bit
— Microsoft Small Business Server 2011 Premium Add-on 64-bit
— Microsoft Small Business Server 2011 Standard 64-bit
— Microsoft Windows Server 2008 Datacenter SP1 32-bit / 64-bit
— Microsoft Windows Server 2008 Enterprise SP1 32-bit / 64-bit
— Microsoft Windows Server 2008 Foundation SP2 32-bit / 64-bit
I-22 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
— Microsoft Windows Server 2008 SP1 32-bit / 64-bit
— Microsoft Windows Server 2008 Standard SP1 32-bit / 64-bit
— Microsoft Windows Server 2008 R2 Server Core 64-bit
— Microsoft Windows Server 2008 R2 Datacenter 64-bit

UT
— Microsoft Windows Server 2008 R2 Datacenter SP1 64-bit
— Microsoft Windows Server 2008 R2 Enterprise 64-bit
— Microsoft Windows Server 2008 R2 Enterprise SP1 64-bit
— Microsoft Windows Server 2008 R2 Foundation 64-bit

IB
— Microsoft Windows Server 2008 R2 Foundation SP1 64-bit
— Microsoft Windows Server 2008 R2 SP1 Core Mode 64-bit
— Microsoft Windows Server 2008 R2 Standard 64-bit

TR
— Microsoft Windows Server 2008 R2 Standard SP1 64-bit
— Microsoft Windows Server 2012 Server Core 64-bit
— Microsoft Windows Server 2012 Datacenter 64-bit
— Microsoft Windows Server 2012 Essentials 64-bit

S
— Microsoft Windows Server 2012 Foundation 64-bit
— Microsoft Windows Server 2012 Standard 64-bit

DI
— Microsoft Windows Server 2012 R2 Server Core 64-bit
— Microsoft Windows Server 2012 R2 Datacenter 64-bit
— Microsoft Windows Server 2012 R2 Essentials 64-bit
—
—
—
—
Microsoft Windows Server 2012 R2 Foundation 64-bit
Microsoft Windows Server 2012 R2 Standard 64-bit
Windows Storage Server 2008 R2 64-bit
Windows Storage Server 2012 64-bit
RE
— Windows Storage Server 2012 R2 64-bit
OR

— Microsoft Windows Server 2016 Server Core 64-bit

— Microsoft Windows Server 2016 Standard 64-bit
— Microsoft Windows Server 2016 Datacenter 64-bit

Support for Windows workstations

E D
PI
CO
BE
TO
T

It is better to use a server to host the Administration Server. However, in small networks (up to a couple of hundred
NO

computers), a powerful workstation will do. Also, you can use a workstation in a test environment.

The Administration Server can be installed on the following non-server versions of Windows:

— Microsoft Windows 10 Pro RS4 32-bit / 64-bit

— Microsoft Windows 10 Enterprise RS4 32-bit / 64-bit
— Microsoft Windows 10 Education RS4 32-bit / 64-bit
 I-23
Unit I. Deployment

ED
— Microsoft Windows 10 Pro RS3 32-bit / 64-bit
— Microsoft Windows 10 Enterprise RS3 32-bit / 64-bit
— Microsoft Windows 10 Education RS3 32-bit / 64-bit
— Microsoft Windows 10 Pro RS2 32-bit / 64-bit

UT
— Microsoft Windows 10 Enterprise RS2 32-bit / 64-bit
— Microsoft Windows 10 Education RS1 32-bit / 64-bit
— Microsoft Windows 10 Enterprise RS1 32-bit / 64-bit
— Microsoft Windows 10 Education RS1 32-bit / 64-bit

IB
— Microsoft Windows 10 Pro 32-bit / 64-bit
— Microsoft Windows 10 Enterprise 32-bit / 64-bit
— Microsoft Windows 10 Education 32-bit / 64-bit

TR
— Microsoft Windows 8.1 Pro 32-bit / 64-bit
— Microsoft Windows 8.1 Enterprise 32-bit / 64-bit
— Microsoft Windows 8 Pro 32-bit / 64-bit
— Microsoft Windows 8 Enterprise 32-bit / 64-bit

S
— Microsoft Windows 7 Professional SP1 32-bit / 64-bit
— Microsoft Windows 7 Enterprise SP1 32-bit / 64-bit

DI
— Microsoft Windows 7 Ultimate SP1 32-bit / 64-bit

Virtualization support
RE
To install the Administration Server on a virtual machine, use one of the following virtualization platforms:
OR

— VMware vSphere 5.5

— VMware vSphere 6
— VMware Workstation 12.x Pro
— Microsoft Hyper-V Server 2008
— Microsoft Hyper-V Server 2008 R2
—
D

Microsoft Hyper-V Server 2008 R2 SP1

— Microsoft Hyper-V Server 2012
— Microsoft Hyper-V Server 2012 R2
E

— Microsoft Hyper-V Server 2016

— Citrix XenServer 6.2
PI

— Citrix XenServer 6.5

— Citrix XenServer 7
— Citrix XenServer 7.1 LTSR
CO

— Parallels Desktop 11 or later

— Oracle VM VirtualBox 5.x (Windows guest operating systems are supported)

A virtual machine must meet the operating system, software and hardware requirements.
BE
TO
T
NO
I-24 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Support for database management servers

UT
IB
S TR
DI
RE
The Administration Server uses a database for which an SQL server is necessary. The following versions of SQL
OR

servers are supported:

— Microsoft SQL Server

— Microsoft SQL Server 2008 Express 32-bit

—
D

Microsoft SQL 2008 R2 Express 64-bit

— Microsoft SQL 2012 Express 64-bit
— Microsoft SQL 2014 Express 64-bit
E

— Microsoft SQL Server 2008 (all editions) 32-bit / 64-bit

— Microsoft SQL Server 2008 R2 (all editions) 64-bit
PI

— Microsoft SQL Server 2008 R2 Service Pack 2 64-bit

— Microsoft SQL Server 2012 (all editions) 64-bit
— Microsoft SQL Server 2014 (all editions) 64-bit
CO

— Microsoft SQL Server 2016 (all editions) 64-bit

— Microsoft Azure SQL Database

— MySQL
BE

— MySQL 5.5 32-bit / 64-bit

— MySQL Enterprise 5.5 32-bit / 64-bit
— MySQL 5.6 32-bit / 64-bit
— MySQL Enterprise 5.6 32-bit / 64-bit
TO

— MySQL 5.7 32-bit / 64-bit

— MySQL Enterprise 5.7 32-bit / 64-bit

Microsoft SQL Server Express is not included with Kaspersky Security Center distribution anymore.
T

Starting with Kaspersky Security Center version 10 SPЗ, administrators are to download and install Microsoft SQL
Server Express manually. Remember that Express editions have their limitations and must not be used for managing
NO

a large number of computers (more than 5000). Detailed information about this is provided in course KL 302.

SQL server can be installed either on the same computer as the Administration Server or on any other network
computer. The Administration Server must have Read and Write access to the SQL database. If the Administration
Server and SQL server are installed on the same computer, access issues do not arise.
 I-25
Unit I. Deployment

ED
Additional software requirements

UT
In addition to the operating system, the following software must be installed on the computer:

— Microsoft .NET Framework 4 (install as a Windows component)

— Windows Data Access Components 6.0

IB
— Windows Installer 4.5 (is included with the distribution)

Allocate a new computer for the Administration Server. If it is impossible, make sure that Kaspersky Security

TR
Center Network Agent is not installed on the computer. The installer automatically detects previous versions
of Network Agent and prompts the administrator to uninstall it.

Minimum hardware requirements

S
DI
Minimum hardware requirements are as follows:

— 1 GHz or higher processor (1.4 GHz for 64-bit systems)

— 4 GB of RAM RE
— 10 GB of free hard drive space (if you plan to use the Systems Management functionality, 100 GB of free
OR

hard drive space will be necessary)

A more powerful server is required for any significant number of clients. Recommendations are available in the
Implementation Guide. Practical experience of using the Administration Server in large networks is summarized in
course KL 302. “Kaspersky Endpoint Security and Management. Advanced Skills”.
E D

2.2 Installation of the Administration Server

PI
CO

Where to get the Kaspersky Security Center distribution

BE
TO
T
NO
I-26 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
To install Kaspersky Security Center, run the installer.

Prior to installing Kaspersky Security Center, you should install and configure a database server.

UT
You can download the installer for Kaspersky Security Center 10 from the Kaspersky Lab website
(https://www.kaspersky.com/small-to-medium-business-security/downloads/security-center) or from the product
page on the technical support website (http://support.kaspersky.com/ksc10#downloads).

IB
There are two installers:

— ksc_10sp3_10.5.1781_full_ru.exe—the full distribution of Kaspersky Security Center that includes

TR
a complete set of its own components, installation packages of the Network Agent and Kaspersky Endpoint
Security 10 for Windows, .NET Framework and other prerequisite software, as well as the management
plug-ins for all supported products. The size of this distribution is about 1 GB.

S
— ksc_10sp3_10.5.1781_lite_ru.exe—the lite version of the distribution that lacks the installation packages
of Kaspersky Endpoint Security 10 for Windows, .NET Framework, and some other software; as far as

DI
management plug-ins are concerned, only those of Kaspersky Security Center 10 components are included.
The size of this distribution is about 140 MB. This distribution comes in handy when upgrading Kaspersky
Security Center components.

Kaspersky Security Center installation shell

RE
OR

When the full distribution version is run, the installation shell starts. The installation shell allows selecting
the components to install, for example, the Administration Server or the Administration Console. You can also
extract installation files of the selected components into the specified folder.

The following products are available within the installation shell:

D

— Kaspersky Security Center Administration Server

E

— Kaspersky Security Center Administration Console

— Kaspersky Security Center Network Agent
PI

— Kaspersky Security Center SHV (System Health Validator for Microsoft Network Access Protection)
— iOS MDM Server (a component of Kaspersky Security Center for managing mobile devices)
— Exchange ActiveSync Mobile Device Server (a component of Kaspersky Security Center for managing
CO

mobile devices)
— Application management plug-ins
— Kaspersky Endpoint Security for Windows (extract only)

This course covers only Server, Console, Network Agent, and Kaspersky Endpoint Security.
BE
TO
T
NO
 I-27
Unit I. Deployment

ED
What you need to know before the installation

UT
IB
S TR
DI
RE
During the installation, the administrator selects:
OR

— Kaspersky Security Center components

— Installation folder
— SQL server type and connection parameters
— Path to the Administration Server shared folder
—
D

Ports and connection address of the Administration Server

— Management plug-ins for the products
E

Almost all of these decisions can be changed after the installation. Only the SQL server type cannot be modified. If
you select Microsoft SQL, you will not be able to switch to MySQL without losing data.
PI

You can switch to another SQL server of the same type without losing data, but it is not easy. You will need to back
up the Administration Server data, reinstall the Administration Server, select another SQL server, and after that,
CO

restore the data from the backup copy.

BE
TO
T
NO
I-28 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Setup wizard

UT
Installation types

IB
S TR
DI
RE
OR

Installation of the Administration Server can be either custom or standard 2.

During the standard installation, the administrator is prompted to:

D

— Accept the license agreement for Kaspersky Security Center

— Specify the network size
E

— Select a database server type

—
PI

Configure the database server connection parameters

Kaspersky Security Center distribution does not include a Microsoft SQL server anymore. You should deploy and
configure a Microsoft SQL or MySQL database server in the network prior to installing Administration Server
CO

If you select Custom installation and leave all the default settings, the result will be exactly the same as after the
Standard installation.
BE
TO
T
NO

2
On Windows Server Core, only custom installation is available.
 I-29
Unit I. Deployment

ED
Components and installation paths

UT
IB
S TR
DI
RE
You can install the following components together with the Administration Server:
OR

— SNMP agent
— Packages for mobile device support

The SNMP agent is necessary if you want the Administration Server to send notifications over SNMP. This
component requires the SNMP service (a Windows component) to be installed on the computer. If the SNMP
D

service is absent, the SNMP agent will not be shown in the list of Administration Server components during the
installation.
E

The option Install packages for mobile device support adds the components necessary for managing Kaspersky
PI

Endpoint Security for Mobile via Kaspersky Security Center. Detailed information is available in course KL 010.

Under the list of components, you can change the location of Administration Server program files. If you want to
CO

move files because drive C: lacks space, consider moving only the shared folder of the Administration Server. It can
be relocated independently of the program files, and it takes up much more space than the other program files. The
path to the shared folder will be configured later in the installation wizard.

Remember that backup copies of the Administration Server are stored to the %ProgramData%\KasperskySC folder
BE

by default. These copies consume much space, up to several gigabytes, depending on the number of endpoints.
TO
T
NO
I-30 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Network size

UT
IB
S TR
DI
RE
Four options are represented for the network size:
OR

— Fewer than 100 networked devices

— From 100 to 1,000 networked devices
— From 1,000 to 5,000 networked devices
— More than 5,000 networked devices
D

The following Administration Server parameters depend on the selected option:

E

Number of computers in the network Fewer From 100 From More than
than 100 to 1,000 1,000 to 5,000
PI

5,000

Automatically randomize task start – + + +

CO

Display slave Administration Servers – – + +

Display security settings – – + +

BE

Automatic randomization of the task start applies to the schedules of virus scan, update, vulnerability search, and
other group tasks.

If a task starts simultaneously on many computers, the load on the network and Administration Server drastically
increases. To even out the peak, tasks can start on the computers with a random delay.
TO

The administrator can enable randomization and then specify the randomization range manually or select automatic
randomization. On each computer, the delay is selected randomly within the specified or automatically chosen range.
T
NO
 I-31
Unit I. Deployment

ED
How automatic randomization works

If automatic randomization is used, the randomization range depends on the number of computers where the task

UT
starts:

The number of computers Randomization range

IB
0–200 0 minutes

200–500 5 minutes

TR
500–1,000 10 minutes

1,000–2,000 15 minutes

S
2,000–5,000 20 minutes

DI
5,000–10,000 30 minutes

10,000–20,000 1 hour

20,000–50,000

50,000+
RE 2 hours

3 hours
OR

Slave Administration Servers and security parameters are described in course KL 302 “Kaspersky Endpoint Security
and Management. Advanced Skills”. These functions are rarely used in small and middle-size networks.

The default settings are the same when the administrator selects either “From 1,000 to 5,000” or “More than 5,000
networked devices.” If you select the option “More than 5,000 networked devices”, the installation wizard will
recommend that you do not use a free version of Microsoft SQL server. Detailed information about large networks
D

is provided in technical training KL 302 “Kaspersky Endpoint Security and Management. Advanced Skills”.
E

The network size selection only influences a couple of interface settings, which can easily be modified after
the installation. The threshold value that actually makes the difference is 1,000 computers. Administration Server
PI

operation parameters do not depend on the selected network size.

CO

Administration Server service account

BE
TO
T
NO
I-32 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
By default, the installer creates a new account named KL-AK-<alphanumeric combination> for starting
the Administration Server service. It is a local account, which is not included in the computer administrators’ group,
but has the same permissions as administrators.

UT
Also, it is added to the KLAdmins group. Members of this group have full access to all the functions and settings of
the Administration Server. For security reasons, this account cannot log on to the system locally.

If the administrator decides to use another account, he or she must grant it all the necessary permissions.

IB
The Administration Server service account must have administrator permissions on the computer selected for
the installation.

TR
If the database is planned to be located on a remote SQL server, the account must have Read and Write access to
the Administration Server database on the SQL server.

S
If the Administration Server account has domain administrator permissions, some operations are simplified, for
example, remote installation.

DI
Account for accessory services

RE
OR
E D
PI
CO

The KL-AK-* account starts only the Administration Server service: Kaspersky Security Center Administration
BE

Server. The Administration Server also has other services:

— Kaspersky Activation Proxy

— Kaspersky Lab Web Server
— Kaspersky Security Network Proxy
TO

— Kaspersky Security Center Network Agent

— Kaspersky Security Center automation object

The first three services are started under another service account created by the installer: KlScSvc. This account has
the same rights as KL-AK-*: The permissions are equivalent to administrative less the right to log on locally.
T

The Network Agent and the automation object operate under the Local System account. On some operating systems,
NO

the automation object operates under the Network Service account.

The installation wizard allows selecting another account instead of KlScSvc. For example, if the company already
has a service account for this purpose.
 I-33
Unit I. Deployment

ED
Selecting the SQL server type

UT
IB
S TR
DI
RE
The Administration Server stores events, information about computers and a part of the settings in the SQL database.
OR

The Administration Server supports the following types of SQL servers:

— Microsoft SQL Server

— MySQL
D

The choice depends on the company’s and the administrator’s preferences.

E

Microsoft SQL Server is an industry standard and is recommended for large networks (5,000 endpoints or more).
PI

MySQL server has open source code and can run on a Linux operating system. That is why MySQL is sometimes
preferred by state institutions.
CO

Starting with version 10 SP3, Kaspersky Security Center distribution does not include Microsoft SQL Server
Express. The administrator is to install and configure an SQL server unassisted. We recommend you to do it before
you start the Kaspersky Security Center installer.

How to specify a Microsoft SQL server

BE

If you decide to use a Microsoft SQL server, specify the full name of the instance and the name of the database
designed for the Administration Server.
TO
T
NO
I-34 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
UT
IB
S TR
DI
RE
To find the necessary instance in the network, click the button Browse. If it does not show, make sure that SQL
Server Browser service is running on the SQL server. It is disabled by default.

If you have not installed a Microsoft SQL server in advance, you can do it without interrupting the KSC installation
wizard. The SQL server settings page provides two links to Microsoft webpages:
OR

— Microsoft SQL Server 2014 SP2 Express download link (a free version recommended for small networks
up to 5000 endpoints)

— A link to descriptions of Microsoft SQL Server editions, where you will be able to select what you need
D

How to connect to your Microsoft SQL server

E
PI
CO
BE
TO
T
NO

The database for the Administration Server is created by the installer. Later, the Administration Server will connect
to the database to record and extract events.

The installer needs the permission to create a database. The Administration Server will need the write and read
permissions for the database.
 I-35
Unit I. Deployment

ED
If the Microsoft Windows Authentication Mode is selected, the installer connects to the SQL server under the
current Windows user account. Meanwhile, the Administration Server will connect to the database under the
account of its service: KL-AK-<*> by default, or the one selected by the administrator at a previous step.

UT
The current user must have the right to create a database on the SQL server. To check whether the user’s
permissions are sufficient, click the button Check connection.

If the Kaspersky Security Center administrator does not have permissions to create a database on the SQL server,

IB
the SQL server administrator should create an empty database, and the Kaspersky Security Center administrator is to
specify the names of the instance and database in the installation wizard.

TR
The KL-AK-<*> account (or another one specified by the administrator) must have read and write permissions for
the database. You cannot check this before the installation, but you can grant the selected account these permissions
afterwards, or even specify another account for the Administration Server service.

S
If you select the SQL Server Authentication Mode, specify an SQL server account rather than a Windows account.
Both the installer and the Administration Server will use this account to create the database and record events there.

DI
By default, the SQL Server Authentication Mode is disabled in all supported versions of SQL server. It is considered
to be obsolete and unsafe. Microsoft and Kaspersky Lab recommend to use Microsoft Windows Authentication
Mode.
RE
If the SQL server instance is located on another computer, make sure that SQL server allows remote connections,
and that ports are not blocked by the firewall. Click the button Check connection.
OR

How to specify a mySQL server

E D
PI
CO
BE
TO

If you selected MySQL server, specify the database server address, port (typically, 3306), and database name.

The database page does not offer a download link for MySQL. You can find MySQL products on the website
www.mysql.org
T
NO
I-36 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
How to connect to the mySQL server

UT
IB
S TR
DI
RE
Specify the username and password to connect to MySQL server. The name and password will be used by both the
installer to create the database, and by the Administration Server to write into it.
OR

In the latest versions of MySQL server, to enable an account to connect to the server, you need to allow a specific
address or computer name to use it on the SQL server side. See MySQL documentation for details.

To check whether the selected account can connect to the selected server, click the button Check connection.
D

The shared folder of the Administration Server

E
PI
CO
BE
TO
T
NO

The shared folder stores signature updates and the installation files for applications, specifically, Network Agent and
Kaspersky Security Center.

By default, the installer creates the shared folder of the Administration Server in the folder with program files.
The local name of this folder is Share, and the network name is KLSHARE.
 I-37
Unit I. Deployment

ED
Right after the installation and initial setup, the shared folder takes up about 300 MB. It may grow up to several
gigabytes depending on how Kaspersky Security Center is used. That is why it might be worthwhile to place
the shared folder of the Administration Server on a drive other than the system one.

UT
The location of the shared folder can be changed later via the Administration Console.

Connection ports of the Administration Server

IB
S TR
DI
RE
OR
D

Administration Server accepts connections from Network Agents on two TCP ports:

— 13000 for SSL connections

E

— 14000 for non-SSL connections

PI

By default, all connections are encrypted in Kaspersky Security Center, so only SSL port 13000 is used. Port 14000
might be used only if the administrator disables connection encrypting for troubleshooting.
CO

If you want to use other ports, make this decision beforehand and specify them in the installation wizard.

To modify the ports after the Administration Server has been installed, you will have to edit them in several places
in the Console. And to modify the ports after Network Agents have been installed on the network computers, you
will have to use a special task or reinstall the Agents.
BE

In older versions of Kaspersky Security Center, Administration Consoles connect to port 13000. In the recent
versions, KSC Consoles connect on TCP port 13291. You cannot select this port in the installation wizard, but you
can easily modify it later via the Administration Console.
TO

Web server and activation proxy server services use 4 more ports, which can also be reconfigured in the console.

To be able to establish SSL connections, the Administration Server generates a new certificate valid for 10 years
during the installation. To save and restore the certificate after failures or after reinstalling the Administration Server,
use the backup procedure (see Unit IV “Maintenance” for details).
T
NO
I-38 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Administration Server address for Network Agents

UT
IB
S TR
DI
RE
The client computers where the Network Agent is installed will connect to the Administration Server using
the address and port specified during the installation.
OR

You can specify the Server address in the form of an IP address (IPv4 only), DNS or NetBIOS name. The choice
depends on the network configuration. Even though an IPv6 address can’t be specified, Network Agents can connect
to the Administration Server via IPv6 if the Administration Server address is specified as a NetBIOS or DNS name.
D

If the Administration Server has a static IP address that will not be changed in the foreseeable future, it is the best
choice. In this case, the ability to connect depends only on the routers, rather than on the name resolution system.
E

If the IP address is assigned dynamically (or is static but is changed often), you should not use it as the connection
PI

address, because you will have to modify the client connection settings often. To avoid the trouble, it is better to
specify the server name: either DNS or NetBIOS. If the DNS service reliably functions in the network, use the DNS
name since DNS name resolution is not usually blocked by local firewalls.
CO

NetBIOS name resolution is based on broadcast queries and answers, which may be blocked by local firewalls.
Therefore, the NetBIOS name should only be used for connections if the other methods cannot be used.

After the installation, the Server connection address and ports can be changed in the properties of Network Agent
BE

installation package. The default Server connection address and ports, which will be automatically added to new
Network Agent packages, are specified in the properties of the Advanced | Remote installation | Installation
packages node.
TO
T
NO
 I-39
Unit I. Deployment

ED
Management plug-ins for the programs

UT
IB
S TR
DI
RE
The distribution of Kaspersky Security Center includes the management plug-ins for all current versions of
Kaspersky Lab products. The custom installation enables the administrator to select the plug-ins of the products that
OR

are used or will be used in the network. The plug-ins can also be installed later from the Kaspersky Security Center
installation shell. Plug-in installers are also included with the distributions of the corresponding products.

Every plug-in is installed by its own short installation wizard. Some plug-ins are installed automatically, while
others prompt the administrator to accept the license agreement.
D

If you upgrade a product to a new version with a new plug-in, uninstall the old plug-in. The following
E

knowledgebase article explains how to remove unnecessary plug-ins:

http://support.kaspersky.com/faq/?qid=208280749
PI

During the standard installation, management plug-ins for Kaspersky Security Center 10 components and Kaspersky
Endpoint Security 10 for Windows are installed, as well as mobile device management plug-ins.
CO

Plug-ins are installed at the very end of the Administration Server installation. After the Kaspersky Endpoint
Security 10 plug-in is installed, the installation is finished. On the last page, the administrator may accept starting
the Administration Console.
BE
TO
T
NO
I-40 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Completing the installation

UT
IB
S TR
DI
RE
On the last page, the wizard offers to start the local Administration Console immediately and proceed with the
installation in the Administration Server Quick Start Wizard.
OR

Usually, Administration Server needs a few minutes to start working and accept connections.

Additional consoles and plug-ins

E D
PI
CO
BE
TO
T

If you need plug-ins for other Kaspersky Lab products, you can install them from the installation shell.
NO

To be able to manage the Administration Server remotely in a way other than via RDP, install the Administration
Console. The console has a very simple installation wizard without settings. Plug-ins for the console can also be
installed from the same installation shell.

Plug-ins are to be installed on each console, rather than on the Administration Server. If the console lacks a plug-in,
the administrator will not able to open tasks and policies of the corresponding program and the console will display
an error message. To fix this, simply install the necessary plug-in.
 I-41
Unit I. Deployment

ED
Installation results

UT
IB
S TR
DI
RE
If you select the Custom option when starting the wizard, but agree to the default settings on all wizard pages,
OR

the result will be the same as with the Standard option:

Components Administration Server

Network Agent
Administration Console
D

Installation %Program Files(x86)%\Kaspersky Lab\Kaspersky Security Center—program files

E

paths %ProgramData%\KasperskyLab\adminkit—settings
%ProgramData%\KasperskySC\SC_Backup—the folder for backup copies
PI

Services Kaspersky Security Center Administration Server

Kaspersky Security Center Network Agent
Kaspersky Security Center automation object
CO

Kaspersky Security Network proxy server

Kaspersky Lab Web Server
Kaspersky Activation Proxy

SQL server Database name: KAV

BE

Users groups KLAdmins

KLOperators
(see course KL 302 for details)

Accounts KL-AK-<*>—starts the service of the Kaspersky Security Center Administration Server
TO

KlScSvc—starts the services of the Kaspersky Activation Proxy, Kaspersky Security Network
Proxy Server and Kaspersky Lab Web Server
The KL-AK-<*> and KlScSvc accounts have the same permissions as the local administrator, but
are not included in the computer built-in administrators group
KlPxeUser—a user account for the PXE server (see course KL 009 for details)
T

Shared folder KLSHARE

NO

Its local path is %Program Files(x86)%\Kaspersky Lab\Kaspersky Security Center\Share

I-42 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
UT
IB
S TR
DI
Connection
address
DNS name of the server
RE
Connection ports 13000—for SSL connections of Network Agents
OR

14000—for non-SSL connections of Network Agents and Administration Consoles

13291—for SSL connections of Administration Consoles and Web Consoles
8060—http port of Kaspersky Lab Web Server
8061—https port of Kaspersky Lab Web Server
13111—port of Kaspersky Security Network proxy server service
17000—port of Kaspersky Activation Proxy
D

Plug-ins Kaspersky Security Center 10 Administration Server (10.5)

E

Kaspersky Security Center 10 Network Agent (10.5)

Kaspersky Endpoint Security 11 for Windows
PI

Kaspersky Endpoint Security for Mobile

Kaspersky Mobile Device Management 10
CO

Installation Kaspersky Endpoint Security 11 for Windows

packages Kaspersky Security Center Network Agent (10.5)

Most of these settings can be modified either during the custom installation, or in the product settings after
the installation is finished, or both ways. However, some of the settings cannot be edited at all after the product is
BE

installed; some others are very difficult to change. You should consider the following very carefully before
the installation:

1. The path to data files cannot be modified at all, which complies with Microsoft requirements
TO

2. To modify the path to the program files, as well as the SQL server address, you will have to reinstall
Kaspersky Security Center

3. The type of SQL server (Microsoft or MySQL) cannot be modified at all, at least not in any supported way.
T
NO
 I-43
Unit I. Deployment

ED
2.3 Quick Start Wizard

UT
What you need to know prior to configuring

IB
S TR
DI
RE
OR

When the console connects to the server for the first time, it shows the administrator the server certificate
D

thumbprint.
E

From the security point of view, make sure that the certificate attributes in the console coincide with those of the
certificate located in the folder %ProgramData%\KasperskyLab\adminkit\1093\cert\. If the attributes mismatch, it
PI

may mean that somebody or something is intercepting the console-server connection (a “Man in the Middle” attack).
CO
BE
TO
T
NO

When the Console connects to the Server for the first time, the Quick Start wizard launches. It continues the setup
and creates the default settings. The wizard prompts the administrator to:

— Enable the mobile device support

— Add a license
I-44 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
— Configure the proxy server
— Download the latest versions of plug-ins and installation packages
— Enable Kaspersky Security Network
— Configure email notification and reporting

UT
— Specify vulnerability search and software update parameters

After that, the wizard:

IB
— Creates primary tasks and policies
— Downloads signature updates to the Administration Server

TR
Mobile device management

S
DI
RE
OR
E D
PI

The first step of the Quick Start wizard is setting up mobile device support. The administrator is to specify whether
CO

Kaspersky Security Center will be used for managing mobile devices.

If you select to Enable mobile device support, the wizard will

— Enable representation of the respective elements in the console interface

BE

— Offer to download and install plugins and installation packages for mobile devices
— Prompt the administrator to configure parameters for connecting mobile devices to the Administration
Server
— Create policies for mobile devices if the respective plugins have been downloaded
TO

If you are not sure, select Mobile device support is not required. You will be able to enable or disable it any time
in the Mobile Device Management node of the Administration Console.

Mobile device management is described in detail in course KL 010. The Fundamentals course does not cover
support of mobile devices.
T
NO
 I-45
Unit I. Deployment

ED
License installation

UT
IB
S TR
DI
RE
The next step is product activation. Most Kaspersky Lab products require activation and some, particularly
OR

Kaspersky Security Center and Kaspersky Endpoint Security, can be activated to different levels of functionality.
That is, depending on the license, some functions may be unavailable.

Activation keys and codes

D

To activate a product, you need a key or a code. Both can represent the customer’s license with all relevant
E

restrictions.
PI

A key is a file and the product can verify its validity and restrictions locally. A code is just a string and the product
needs to connect to Kaspersky Lab Activation service online to verify its validity and restrictions.
CO

Older versions of Kaspersky Lab products can be activated only with a key. All recent versions can be activated
with either a key or a code.

Codes are more useful, because a single code can activate all products that you have purchased. With key activation,
a license often includes several different key files. A key designed for Kaspersky Security Center cannot activate
BE

Kaspersky Endpoint Security, and vice versa. Meanwhile, a single code can activate both.

Keys are indispensable when you need to activate a product on a computer without access to the Internet. If you
have only a code rather than keys, add the code to the key store on the Administration Server (Kaspersky Lab
Licenses node of the Administration Console). The Server will automatically download the corresponding keys,
TO

which you will be able to export into files.

If computers have no Internet access but are connected to the Administration Server, which does have web access,
the products on the computers can be activated with a code. The products will verify the code via the Administration
Server service, Kaspersky Activation Proxy.
T
NO
I-46 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Activation with a code

UT
IB
S TR
DI
RE
OR
E D
PI
CO
BE

In the Quick Start Wizard, you can submit either a key or a code. If what you have is a code than it’s all simple, just
choose the relevant option, enter the code and wait for the verification. The Administration Server must be able to
connect to the Internet at this stage.
TO

You can select to install a code (or key) to the client computers automatically. For this purpose, select the check box
Automatically deploy key to managed devices. If the Administration Server detects a managed computer where
Kaspersky Endpoint Security is not activated, it will automatically send the key selected for automatic installation
there.
T

For more details about how to activate Kaspersky Endpoint Security on the client computers, refer to Chapter 3 of
this Unit.
NO
 I-47
Unit I. Deployment

ED
Activation with a key

UT
IB
S TR
DI
RE
If you have a key, than most probably you have more than one of them, and you need to decide which one to add to
the wizard.
OR

It is common practice to specify the key that activates Kaspersky Endpoint Security. You can find out which one it
is by looking into the CompatibilityList.txt file that usually comes along with a key or a code. Other keys can be
added later either in the properties of the Administration Server or in the Kaspersky Lab Licenses node.
D

Configuring proxy server for internet access

E
PI
CO
BE
TO
T
NO

The next step prompts to configure proxy server connection parameters for Internet access. The Administration
Server connects to the Internet to download updates and communicate with KSN servers of Kaspersky Lab. Both
features use common proxy server parameters.

The settings are rather typical: the address, the port, optional user name and password for authorization, and
an option to bypass proxy server for local addresses.
I-48 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Checking for new versions

UT
IB
S TR
DI
RE
Kaspersky Security Center installer includes all the recent plug-ins as of the Kaspersky Security Center release.
OR

However, newer versions of products may have been issued since then.

The Quick Start Wizard can check whether more recent versions of managed products are available.

Downloading new plug-ins

E D
PI
CO
BE
TO
T

First, the wizard checks whether newer versions are available for the plug-ins that the administrator selected to
install together with the Administration Server.
NO

In the list of new plug-ins, the wizard shows the program version managed via the plug-in, the version of the
currently installed plug-in, and the version of the latest available plug-in.
 I-49
Unit I. Deployment

ED
Downloading new versions of installation packages

UT
IB
S TR
DI
RE
After the plug-ins, the wizard checks whether new versions of managed products are available, for which it can
download installation packages. The wizard shows only those products whose packages or plug-ins have already
OR

been added to the console.

For some of the managed products, packages may not be available; the Kaspersky Endpoint Security package is
always available though. If there is a newer version of Kaspersky Endpoint Security on the list, download it. For this
purpose, select it on the list.
D

To download the products that are not shown in the list, open the node Advanced, Remote installation,
E

Installation packages in the console; click the button Additional actions and select View current version of
Kaspersky Lab applications.
PI

The wizard will download and display the selected packages. Click the Properties button to configure them if
necessary. The settings of the Network Agent and Kaspersky Endpoint Security packages are described in Chapter 3
CO

of this Unit.
BE
TO
T
NO
I-50 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Kaspersky Security Network

UT
IB
S TR
DI
RE
The wizard prompts the administrator to accept the Kaspersky Security Network (KSN) statement. KSN is the name
OR

of the cloud-assisted protection technologies of Kaspersky Lab.

KSN provides extra protection for the computers by receiving the latest information about new threats before this
information is added into the traditional anti-malware signatures. In return, Kaspersky Lab will receive anonymous
information about the files and URL addresses processed on the client computers. The KSN service is described in
more detail in the Introduction and in Unit II “Protection Management”.
D

If the administrator selects to participate in KSN, the options that enable the use of KSN and KSN proxy are
E

activated in the policy. If the administrator selects not to participate in KSN, the use of KSN will be disabled in
the Kaspersky Endpoint Security 10 policy; the use of KSN proxy will be enabled nevertheless.
PI

The use of KSN proxy in the policy is related to the KSN proxy functionality of the Administration Server.
The KSN proxy function is implemented as a service named Kaspersky Security Network proxy server in
CO

the Administration Server. It is enabled by default.

BE
TO
T
NO
 I-51
Unit I. Deployment

ED
Configuring email notification

UT
IB
S TR
DI
RE
The next step is to set up email notification and delivery of reports. To receive notifications about important events
OR

by email, specify the administrator’s address and SMTP server parameters: address, port, and, if necessary,
authorization data. These parameters will be used when sending notifications and reports.

By default, event notifications are not sent. To receive the information about events by email, turn on notifications
in the event properties. The parameters of Kaspersky Security Center events are configured in the Administration
Server properties; and parameters of Kaspersky Endpoint Security events, in the Kaspersky Endpoint Security
D

policy.
E

If the notification parameters are left blank, the wizard will not create the Send reports task. If they are filled in,
the wizard will create the task and configure it to send the protection statuses report to the administrator on a weekly
PI

basis.

The wizard does not check the correctness of the specified settings, but allows the administrator to do it with the
CO

Send test message button. A test message will be sent to the specified recipient. If the wizard fails to connect to the
SMTP server or fails to authenticate, the corresponding error will be displayed. Then it is up to the administrator to
check the inbox and make sure that the message is actually there.
BE
TO
T
NO
I-52 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Configuring vulnerability and patch management

UT
IB
S TR
DI
RE
This step appears in the Quick start wizard only if the administrator specified a key or code that activates
OR

the Systems Management functionality of Kaspersky Security Center (or selected to add a key later).

The choices define how software patches and Microsoft updates are installed. Kaspersky Security Center can
automatically detect vulnerable programs and operating system modules on computers, and automatically install
the required updates and fixes. Additionally, Kaspersky Security Center can function as a local source of Microsoft
updates (WSUS Server). Detailed information about this is provided in technical training KL 009 “Systems
D

Management”.
E

Creating tasks and policies

PI
CO
BE
TO
T
NO

After all parameters are specified, the Quick Start wizard creates the policies and tasks necessary for endpoint
protection. The following policies and tasks are always created:
 I-53
Unit I. Deployment

ED
Policies

UT
Policy Scope

Kaspersky Endpoint Security 11 for Windows The “Managed devices” group

Kaspersky Security Center 10 Network Agent The “Managed devices” group

IB
Tasks

TR
Task Scope Schedule Parameters

S
Update Managed devices When new updates are Source: Administration Server
downloaded to the Installs only approved module updates

DI
repository

Quick Virus Scan Managed devices Friday at 7:00 p.m. Scans critical areas with the

RE
recommended settings

Find vulnerabilities Managed devices Tuesday at 7:00 p.m. Scans %SystemRoot% and
and required updates %ProgramFiles% folders for all known
vulnerabilities
OR

Download updates to Administration Server Hourly Source: Kaspersky Lab update servers
the repository

Backup of Administration Server Every other day at 2:00 Stores the 3 latest copies, the password
Administration Server a.m. is not specified
D

data

Database maintenance Administration Server Saturday at 1:00 a.m. Optimizes the database without
E

shrinking it
PI

The following three tasks are created depending on the parameters specified in the wizard:
CO

Task Scope Schedule Parameters

Deliver reports Administration Server Daily at Protection status report in HTML format
8:00 a.m.
BE

Install required updates Managed devices Daily at Fixes critical vulnerabilities, installs the updates
and fix vulnerabilities 1:00 a.m. approved by the administrator, security updates,
and critical Microsoft updates

Perform Windows Administration Server Daily at Downloads Windows Update metadata (rather
Update synchronization 3:00 a.m. than the updates themselves) to the
TO

Administration Server
T
NO
I-54 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Exclusions in Kaspersky Endpoint Security policy

UT
IB
S TR
DI
RE
When the wizard creates the Kaspersky Endpoint Security policy, it prompts the administrator to confirm scan
exclusions.
OR

There are two options that help to create recommended exclusions for workstations and servers according to
Microsoft and Kaspersky Lab guidelines. They are enabled by default.

Additionally, there are exclusion templates for remote management software. These templates should be enabled if
D

the listed software is used at the company. Otherwise, remote management using this software may be partially
disrupted by Kaspersky Endpoint Security.
E

Downloading updates to the repository

PI
CO
BE
TO
T
NO

As soon as the tasks and policies are created, the Quick Start wizard starts downloading updates to the repository.

The wizard displays the task progress, but you don’t need to wait for it to finish. If you proceed to the next page of
the wizard, updating will continue in the background.
 I-55
Unit I. Deployment

ED
UT
IB
S TR
DI
What to do next RE
The last page of the Quick Start wizard displays the check box that allows starting the remote installation wizard for
OR

deploying Kaspersky Endpoint Security on the network computers. This check box is selected by default, but it is
preferable to adopt a deployment plan and stick to it rather than rush into action:

1. Let the Server discover network computers

2. Check the settings of installation packages to install exactly what is necessary
3. Try various installation methods in a test environment
D

If necessary, the administrator can start the Quick Start wizard again from the shortcut menu of the Administration
E

Server. In this case, the wizard will create only the tasks and policies that are missing.
PI

2.4 What is there in the Administration Console?

CO
BE
TO
T
NO
I-56 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
How the console is organized

After the Quick Start wizard, the administrator gets in the Administration Console.

UT
Kaspersky Security Center Administration Console is based on Microsoft Management Console. The leftmost pane
of the window contains the navigation tree, the right part displays the page of the selected node.

IB
The main node in the console is the Administration Server’s node. All the other nodes are within it.

Where to check what is going on

TR
To understand what is happening in the network, open the Administration Server node. Its four tabs contain global

S
statuses, dashboards, reports and events.

DI
Where to look for computers

RE
Managed computers are located in the Managed devices node. This node is a group where you can create tasks,
policies and subgroups. All policies and some of the tasks that have been created by the Quick Start wizard are
designed for the Managed devices group.

If a computer is missing from the Managed devices node, look for it in the Unassigned devices node. None of the
OR

policies and tasks are applied to those computers; that is why you should not leave any of the computers that need to
be protected here. Move them to the Managed devices.

If a computer can be found neither in the Managed devices, nor in Unassigned devices, it means that the
Administration Server has not discovered it yet. Make sure that the computer is powered on, and wait for an hour or
D

two. If the Server cannot find a computer, install the Network Agent on it.
E

Where to look for the applications to be installed

PI

The installation packages to be installed on the computers can be found in the node Advanced, Remote installation,
Installation packages. If necessary, modify the set of components or other installation settings here.
CO

Where to check licenses

The license that you specify in the Quick Start wizard gets in the node Kaspersky Lab Licenses. Here you can find
BE

the license limitations, when it expires, which computers use it, etc. You can also add a new license here when an
old one expires.

Where to look for protection settings

TO

All tasks are gathered in the Tasks node. It contains the tasks that pertain to groups, the Administration Server tasks,
and tasks for specific computers. In the Tasks node, you can create, delete or edit any task.
T

A similar Policies node shows all policies from all groups.

NO

If you need to find computers that match some parameters, use the Search window, which can be started from the
shortcut menu of the Administration Server. If you often look for computers with the same parameters, create a
computer selection in the respective node. This node already contains pre-configured selections of computers with
typical issues.
 I-57
Unit I. Deployment

ED
Chapter 3. How to install Kaspersky Endpoint

UT
Security on computers

IB
TR
3.1 Requirements for the computers

S
DI
Kaspersky Endpoint Security requirements for the
operating system
RE
OR
E D
PI
CO
BE

Kaspersky Endpoint Security can be installed on the following Microsoft Windows operating systems:

Client
TO

— Windows 10 Pro x86 / x64 (all editions)3

— Windows 10 Enterprise x86 / x64 (all editions) 3
— Windows 8.1 Pro x86 / x64
— Windows 8.1 Enterprise x86 / x64
— Windows 8 Pro x86 / x64
T

— Windows 8 Enterprise x86 / x64

— Windows 7 Professional x86 / x64 SP1
NO

— Windows 7 Enterprise x86 / x64 SP1

— Windows 7 Ultimate x86 / x64 SP1

3
The limitations concerning the latest versions of Windows 10 are described in Kaspersky knowledgebase at
https://support.kaspersky.com/13036
I-58 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Server

— Microsoft Windows Server 2016 x64

UT
— Microsoft Windows Server 2012 R2 Standard x64
— Microsoft Windows Server 2012 Foundation / Standard x64
— Microsoft Small Business Server 2011 Standard x64
— Microsoft Windows Server 2008 R2 Standard x64 SP1

IB
— Microsoft Windows Server 2008 R2 Enterprise x64 SP1
— Microsoft Windows Server 2008 Standard x64 SP2
— Microsoft Windows Server 2008 Enterprise x64 SP2

TR
An important thing to remember is that Datacenter editions of Windows Server are not supported. Kaspersky
Security for Windows Server is designed for their protection.

S
The list of operating systems includes most Windows versions from Windows 7 / Windows Server 2008 R2 to
Windows 10 RS4 / Windows Server 2016.

DI
The virtual platforms supported by Kaspersky Endpoint
Security RE
OR
E D
PI
CO
BE

Kaspersky Endpoint Security 11 for Windows can be installed on the following virtual platforms (and later):

— VMware Workstation 12
TO

— VMware ESXi 6.5

— Microsoft Hyper-V 2016
— Citrix XenServer 7.2
— Citrix XenDesktop 7.14
— Citrix Provisioning Services 7.14
T

On Citrix PVS, Kaspersky Endpoint Security must be installed with the /pCITRIXCOMPATIBILITY=1 command
NO

line switch. In Kaspersky Endpoint Security 11 for Windows, this parameter can also be enabled in the installation
package properties rather than only via the command line.

To install Kaspersky Endpoint Security, administrative permissions are necessary.

 I-59
Unit I. Deployment

ED
Minimum hardware requirements

UT
General hardware requirements for Kaspersky Endpoint Security 11 are as follows:

— A 1 GHz processor (that supports SSE2 instructions)

— 1 GB of RAM4

IB
— 2 GB of free drive space

Requirements for the Network Agent

S TR
DI
RE
OR
E D

The Kaspersky Security Center Network Agent can be installed on all systems supported by Kaspersky Endpoint
PI

Security 11 for Windows.

Hardware requirements for Network Agent installation are as follows:

CO

— Processor:
— 1 GHz or higher for 32-bit systems
— 1.4 GHz or higher for 64-bit systems
— Memory: 512 MB
BE

— Hard drive space: 1 GB

RAM requirements are actually recommendations. The Network Agent can be installed on a computer with less
memory.
TO
T
NO

4
The minimum RAM with which the application can be installed is 768 MB
I-60 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
3.2 Installation methods

UT
What to do prior to the installation

IB
S TR
DI
RE
OR

Prior to installing Kaspersky Endpoint Security on the computers, prepare the following:
D

What to do Why
E

Let the Administration Server You will not have to look for and enter names or addresses
PI

discover network computers

Prepare an independent list of The server may fail to discover all of the computers; it is best to have a reference
CO

computers list at hand, where you will be able to check the progress

Find out computer addresses If the Administration Server has not discovered a computer, but you know its
address, you will be able to start remote installation nevertheless

Find out usernames and If there is a domain, the domain administrator password is sufficient
BE

passwords of the administrators For non-domain computers, you need to know the administrator’s password
regardless of whether the installation is remote or local

Find out whether there are Kaspersky Endpoint Security may fail to detect and uninstall antiviruses by other
third-party antiviruses on the manufacturers, in which case you will have to remove them manually
TO

computers, and which ones

If there are many computers, The more computers, the more issues you will encounter, the longer it will take
phase the installation you to solve them, and the longer the total downtime will be

Try to test various installation You will encounter at least some of the issues that can arise in the network, and
T

methods in a test environment you will be able to decide how to avoid or quickly solve them
Select the installation method that is the least troublesome
NO

Start
 I-61
Unit I. Deployment

ED
Available installation methods

UT
IB
S TR
DI
RE
Kaspersky Endpoint Security can be installed in various ways, each with its own specifics and advantages.
OR

Remote You do not need to go to each computer, you can run the installation on many computers
installation using simultaneously, which saves time
Kaspersky Installation can be started at any time and you will start receiving results in mere minutes.
Security Center However, you need to know the administrators’ passwords on the computers, and the
D

computers’ shared folders must be accessible over the network. Often, firewalls or Windows
security settings block access to shared folders
E

Installation via Again, you do not need to go to the computers and the installation can be run on many
PI

Active Directory computers simultaneously.

Moreover, you do not need to ensure access to the computers’ shared folders or know the
computer administrators’ passwords. The computers will download and install the programs
CO

themselves.
On the other hand, the computers must be joined to the domain and the administrator must have
enough permissions within the domain to be able to publish the package. A computer does not
begin the installation immediately; everything starts only the next time it connects to the
domain, meaning, after a restart.
BE

Installation using The administrators do not only install Kaspersky Endpoint Security, and they may have third-
third-party tools party software installation and management tools.
Specifics depend on the tool, but usually the administrator can install applications remotely on
many computers at a time.
TO

Local installation None of the remote installation methods guarantees 100% success. Computers may not be
from a standalone joined to the domain, their shared folders may be blocked by the firewall, and the administrator
package may have no third-party computer management tools.
Sometimes, it is easier to go to the computer and install an application locally than troubleshoot
a remote installation.
T

Standalone packages that are generated in the Kaspersky Security Center save time during a
local installation: the administrator does not need to pass through the installation wizard and
NO

configure parameters. All he or she is to do is to simply run the installer and wait

For remote installation, use a method that fits your network best.

On the computers where remote installation fails, install the products locally using standalone packages.
I-62 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
3.3 How to remotely install Network Agent and
Kaspersky Endpoint Security

UT
IB
Remote installation wizard

S TR
DI
RE
OR
D

There are many methods of starting a remote installation in Kaspersky Security Center. All of them are based on
E

the same mechanism. The difference is in the location of their starting points in the Console and the number of
available settings. The most popular one, especially among novices, is using the ordinary remote installation wizard.
PI

Its typical use is described below.

The Administration Server detects computers where protection tools are not installed. This information is displayed
CO

on the Monitoring tab of the Administration Server node, in the Deployment area: the indicator is yellow and
a warning is shown. To fix this, the administrator can click the Enable protection link.
BE
TO
T
NO
 I-63
Unit I. Deployment

ED
Installation packages

UT
IB
S TR
DI
RE
The Enable Protection link opens the Advanced | Remote installation node, where the administrator can start
OR

the remote installation wizard.

The deployment wizard prompts the administrator for the installation package to be installed, target computers and
the installation method.
D

The wizard does not prompt the administrator for all the installation parameters. For example, the wizard does not
prompt which components of Kaspersky Endpoint Security to install. If you need to enable the Citrix Provisioning
Services compatibility mode, the remote installation wizard does not allow that either.
E

That is why, before you start the remote installation wizard, open the list of installation packages and check their
PI

settings. If necessary, change the packages’ settings, or create new packages with the necessary settings. You can
manage installation packages, delete or create new ones in the Installation Packages repository (in the Advanced |
Remote Installation node).
CO

What settings are available in installation packages and how to create new packages, is described in sections How to
change KES components and How to create a new installation package at the end of this chapter.
BE
TO
T
NO
I-64 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Selecting the installation package

UT
IB
S TR
DI
RE
The product to be installed is selected from the list of available installation packages. The standard distribution of
OR

Kaspersky Security Center contains the installation packages of the current versions of Network Agent and
Kaspersky Endpoint Security for Windows.

If Kaspersky Endpoint Security is selected in the deployment wizard, it will be installed together with the Network
Agent. The wizard not only installs the selected package, but also connects the computers to the Administration
D

Server by installing the Network Agent on them. If the computers are already connected, the Network Agent is not
reinstalled.
E

Installation packages of Kaspersky Endpoint Security 11 for Windows and Network Agent can be installed on any
supported operating system: server, workstation, 32-bit or 64-bit.
PI

Due to this universality, the installation package of Kaspersky Endpoint Security 11 is relatively large: just under
200 MB. There are no supported ways to reduce the size. The Network Agent package is much smaller: about 40
CO

MB.
BE
TO
T
NO
 I-65
Unit I. Deployment

ED
Selecting the computers

UT
IB
S TR
DI
RE
After the package, select which computers to install it on.
OR

In the wizard, you can select computer groups (the upper button) or individual computers (the lower button).

If you start the wizard right after the Administration Server has been installed, there is only one computer in the
groups, the Administration Server itself. All the other computers discovered by the Administration Server are in the
D

Unassigned devices node. The Administration Server may fail to detect some computers: they will be absent from
the console.
E

Why does the wizard suggest selecting groups if there are no computers there? For example, if prior to deploying
protection you’ve imported the computers’ structure from Active Directory. Then you already have groups filled
PI

with computers, and you can install Kaspersky Endpoint Security by groups. How to import groups and computers
from Active Directory is explained in the 4th chapter of this Unit.
CO

Let’s now get back to the scenario of when you have no groups. To select computers in the Unassigned devices
node, or specify addresses of undiscovered computers, click the lower button.

As you will see later, the remote installation wizard creates a remote installation task based on the gathered data. If
a group is selected, the wizard will create a group task; if computers, a task for specific computers.
BE
TO
T
NO
I-66 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
UT
IB
S TR
DI
RE
If you click the upper button, the wizard prompts to select the group. It does not show its contents, so
the administrator must remember which group the target computers are in.
OR
E D
PI
CO
BE
TO
T
NO
 I-67
Unit I. Deployment

ED
UT
IB
S TR
DI
RE
If you click the lower button, the wizard shows all discovered computers: those that have already been added to the
Managed devices groups, and those that are in the Unassigned devices node so far. In the Unassigned devices
node, computers are grouped by domains and workgroups.

Select the target computers. If you select a group, domain or a top-level node, you will select all computers within
OR

that group, domain or node.

E D
PI
CO
BE
TO

To install Kaspersky Endpoint Security on the computers that the Administration Server failed to discover, click the
button Add. In the window that opens, type computers’ addresses or names. To quickly enter numerous addresses,
specify a range or import the list from a text file. In the file, each address or name must be specified on an individual
line.
T

The wizard will add all the addresses you’ve entered, and select them automatically.
NO
I-68 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Installation method

UT
IB
S TR
DI
RE
At the following step, the wizard prompts how to perform remote installation. There are two methods:
OR

Using Network Network Agent must already be installed on the computer and must be connected to the current
Agent Server.
The Server sends a command to the Agent, the Agent downloads packages to a temporary folder
and performs the installation under the Local System account.
D

The administrator’s name and password do not need to be specified, access to the computer’s
shared folders is not required.
E

Using Network access to the computer’s shared folders is required.

PI

operating The Administration Server copies package files to the system shared folder \\<computer
system tools name>\admin$. Then the server uses Remote Procedure Call (RPC) protocol to remotely start a
service process that will perform the installation and inform the server of the results.
CO

To copy files and start the installation, you need to specify the username and password of the
computer administrator.

The wizard always tries to install products using the Network Agent. If the Network Agent is not yet installed on
the computer, installation using Windows tools is tried.
BE

If both Kaspersky Endpoint Security and Network Agent are to be installed on the computer, the wizard first installs
the Network Agent using Windows tools, and then installs Kaspersky Endpoint Security 11 using the Network
Agent.
TO
T
NO
 I-69
Unit I. Deployment

ED
Selecting the key

UT
IB
S TR
DI
RE
Kaspersky Endpoint Security, unlike the Network Agent, needs to be activated to operate properly. In
OR

the installation wizard, you can explicitly select which code or key should be used to activate the product from
the list of codes and keys added to the Kaspersky Lab licenses storage of the Administration Server. If necessary,
you can add another code or key to the storage without quitting the wizard.

Select a key. The wizard will not just use the selected key for this installation, but also save it in the properties of the
Kaspersky Endpoint Security package. The plug-in of Kaspersky Endpoint Security does not support activation
D

codes in the installation package properties.

E

To activate Kaspersky Endpoint Security with a code rather than key, do not select anything in the installation
wizard. Instead, in the node Kaspersky Lab Licenses, open the activation code properties and select the check box
PI

Automatically deployed key.

CO
BE
TO
T
NO

The wizard offers to select restart parameters; however, in most cases neither the Network Agent nor Kaspersky
Endpoint Security 11 installation requires restarting the computer. The Network Agent installation almost never
requires it. During Kaspersky Endpoint Security installation, the necessity to restart arises if another protection
program is installed on the computer.
I-70 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
The default choice, Prompt user for action, works well for workstations. When installing the product on servers,
we recommend selecting Do not restart the computer. At a server, a user is unlikely present and no one will react
to the prompt.

UT
For the user not to postpone the restart for too long, the task displays a warning every 5 minutes by default and
forces computer restart in 30 minutes. The administrator can modify these settings and the message text.

IB
Uninstalling incompatible applications

S TR
DI
RE
OR
D

The Kaspersky Endpoint Security 11 installer can detect and uninstall incompatible applications (various protection
E

tools, including anti-viruses, firewalls, etc.), which are not recommended to be used concurrently with Kaspersky
Endpoint Security, because this may result in serious problems for users and computers.
PI

The administrator usually knows which potentially incompatible protection tools are installed in the network and
should uninstall them beforehand. The programs are recommended to be uninstalled either by their built-in
CO

uninstallers or by Windows tools. The corresponding capability of the Kaspersky Endpoint Security installer should
be regarded only as a contingency measure.

Detection of incompatible applications cannot be disabled5, since it is intended to prevent conflicts. You can modify
uninstallation settings in the remote installation wizard; this is described in detail at the end of this chapter.
BE
TO
T
NO

5
Cannot be disabled using the interface settings. There is a command-line parameter that disables detecting incompatible applications; if
necessary, it can be added to the package description file for remote installations.
 I-71
Unit I. Deployment

ED
Where to place computers after the installation

UT
IB
S TR
DI
RE
As a result of installing the Network Agent and protection software, computers should become manageable: use the
OR

settings of policies and tasks specified on the Administration Server. To actually achieve this, computers must
belong to the Managed devices node rather than the Unassigned devices node.

If a computer has the Network Agent installed, but is not included in an administration group, it will neither send its
events to the Administration Server, nor will it be included in the reports, nor use the centralized settings specified
D

by the administrator. It is manageable only locally.

E

If the administrator selects computers rather than groups, the wizard will ask whether it is necessary to relocate
the computers to an administration group, and if yes, into which one.
PI

The selection affects only unassigned devices. If both unassigned and managed computers are on the installation list,
the managed ones will remain in their original groups. This step is displayed only if Network Agent is installed
CO

together with Kaspersky Endpoint Security 11.

Administrator account
BE
TO
T
NO
I-72 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Initially, the Network Agent is installed by Windows tools and you need to specify an account for accessing the
target computers. The deployment wizard allows you to specify several accounts, in case different administrator
passwords are used on the target computers. The installer tries the accounts in succession. If the first account has
insufficient privileges, the next one is tried, and so on.

UT
Before trying the specified accounts, the installer attempts to act under the Administration Server service account,
which you don’t actually see on the list. However, if the administrator used the default settings when installing the
server, the server service account cannot be used for remote installations. As a result of an installation with the

IB
default settings, the server service starts under the KL-AK-* account that is created automatically and receives
the rights of a local administrator (not literally, but effectively the same). It has no rights on remote computers.

TR
So, in most cases you have to explicitly specify accounts for accessing the target computers. In a domain
environment, a domain administrator account is the best choice for remote installations. In large companies, there is
usually a special account for remote installations, or the IT personnel accounts have the necessary rights.

S
Where to monitor the installation

DI
RE
OR
E D
PI
CO

Installation task
BE

The installation wizard uses the settings specified by the administrator to create and immediately start the product
installation task on the selected computers. After that, it automatically opens the task page in the Administration
Console.

The task page displays the task progress on the selected computers. An installation can be ready for execution,
TO

running, waiting for reboot, completed successfully or return an error. The number of computers in every status is
displayed on the pie chart and in the table.

Task log
T

To view the task log, click the View results link under the statistics on the task page.
NO
 I-73
Unit I. Deployment

ED
UT
IB
S TR
DI
RE
The upper part of the results window contains the list of all target computers and the current task status for every
one of them; and the lower part shows the task log for the selected computer.

The task log shows the history of each task status change on the computer. The status can be the same, while its
description may vary. For example, an installation task log usually contains several records of the Running status,
OR

where the first one informs of starting file copying to the remote computer; the second one, of starting the installer;
and the third one, of the installation completion.

A typical installation history of a computer shows that first the Network Agent is installed, and then Kaspersky
Endpoint Security. To install the agent, its files are copied into the admin$ shared folder on the computer. After the
D

Agent is installed, the Administration Server waits for it to connect and start the installation of Kaspersky Endpoint
Security.
E

Installation results
PI
CO
BE
TO
T
NO
I-74 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Although a single Kaspersky Endpoint Security package fits all Windows versions, installation results differ on the
servers and workstations.

— On workstations, all components selected in the installation package properties are installed.

UT
— On servers, only the following components (if selected in the package):
— Behavior Detection
— Exploit Prevention

IB
— Remediation Engine
— File Threat Protection
— Network Threat Protection
—

TR
Firewall
— BadUSB Attack Prevention
— Application Control
— BitLocker Management
— Endpoint Sensor

S
DI
3.4 How to install the Network Agent via Active
Directory RE
OR

How to install applications via Active Directory

E D
PI
CO
BE
TO

You can also install programs using Active Directory group policies without Kaspersky Security Center.

The principle is as follows. The installation package in Microsoft Installer (.msi) file format is placed into a shared
T

folder for which the domain computers have Read permissions. In Active Directory, the package is assigned to
a group policy that is applied to the domain computers. When a client computer starts and logs into the domain,
NO

the policy is applied and the installation package is installed automatically, even before the user logs on to
the system.

This installation method can be comparatively easy when implemented manually. Kaspersky Security Center makes
it even more convenient.
 I-75
Unit I. Deployment

ED
How to publish the Network Agent package in Active
Directory using a task

UT
IB
S TR
DI
RE
OR

To publish the Network Agent package to a domain group policy, in the task (or in the installation wizard), select
Assign Network Agent installation in the Active Directory group policies.

For the task to complete successfully, run it under a domain administrator account. For this purpose, add the domain
administrator account to the Account section of the task settings.
D

This method is applicable to the Network Agent only, because after the Agent is installed, other programs are
E

supposed to be installed using the Agent.

PI

What the task changes in Active Directory

CO

The group of target computers

BE
TO
T
NO
I-76 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
If the above mentioned option is selected, the Administration Server creates a new group named
Kaspersky_AK{GUID} in Active Directory and includes in it the accounts of the computers to which the task
applies to.

UT
Group policy object

IB
S TR
DI
RE
OR

Also, the Administration Server creates a new group policy object at the domain level that is named
Kaspersky_AK{the same GUID} in Active Directory and assigns within it the installation of the Network Agent
D

MSI package located in the shared folder on the server.

The permission to apply the policy is granted only to the created group which contains the accounts of the target
E

computers. So, the domain level policy will be applied to the selected domain computers, not all domain computers.
PI

Group policy object parameters

CO
BE
TO
T
NO

After this, the installation is performed as usual. The policy eventually applies to the computers. At the next restart,
computers download the Network Agent MSI package from the shared folder on the Administration Server and
 I-77
Unit I. Deployment

ED
install it. The installation parameters, which include server address and ports, are taken from the answer file located
in the same folder as the MSI package. Thus computers automatically connect to the Administration Server.

If the task is configured to install not only the Agent, but also another program, for example, Kaspersky Endpoint

UT
Security, the installation will resume after the Agent connects to the Server.

The security group and group policy object created by the task persist in the Active Directory until the task is
removed from the Kaspersky Security Center or the Assign Network Agent installation in the Active Directory

IB
group policies option is cleared in the task properties.

TR
3.5 How to simplify local installation

S
DI
Why install locally

RE
If remote installation fails, it often makes sense to simply go to the computer and install the applications locally
instead of troubleshooting. Especially if such computers are comparatively few.

If you use an ordinary installer, you have to complete the installation wizard. Although it doesn’t take long, it is
OR

boring, and you may easily mistype the Administration Server address. It is best to prepare a standalone package
with all the settings, and install from it.

Standalone installation packages

E D
PI
CO
BE
TO

A standalone package in Kaspersky Security Center is a single setup.exe file that includes the installation files and
T

installation parameters of the product (for example, Kaspersky Endpoint Security). A standalone package can
include Network Agent installation files and the Administration Server connection parameters.
NO

This package is designed for local installation by the IT employees, administrators or users who have sufficient
rights. It saves time and reduces the number of errors.
I-78 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
An extremely simple installation procedure is an advantage of standalone packages. No parameters need to be
specified during the installation, as they are already included in the package. This helps to save time and prevent
errors, for example, when specifying the Server connection address.

UT
Also, since the standalone package is a single file, it is easier to handle than the standard distribution. This
eliminates the risk of missing some files, and reduces the overall installation time.

IB
How to create a standalone package

S TR
DI
RE
OR
D

Standalone or ‘1–click’ packages are created from regular installation packages available in the Advanced, Remote
E

installation, Installation packages node of the Administration Server. A special wizard is used that prompts for
the installation parameters.
PI
CO
BE
TO
T
NO

When the Kaspersky Endpoint Security standalone installation package is created, the wizard will prompt to include
the Network Agent, so that the target computer could immediately connect to the Administration Server.
 I-79
Unit I. Deployment

ED
UT
IB
S TR
DI
RE
Just like with a remote installation, computers can be moved into the managed category right after the installation.
Leaving protected computers in the unassigned category does not make any sense.

This step appears in the wizard if the Network Agent is installed together with the main package.
OR

If you need to modify the default settings of Kaspersky Endpoint Security or select specific components to be
installed, do it within the properties of the regular installation package before starting the standalone package wizard.
The parameters of the installation packages are described later in this chapter.

After all the parameters are specified, the wizard generates the setup.exe installation file and places it to the PkgInst
D

subdirectory of the shared folder on the Administration Server. The folder that contains the setup.exe file is named
after the package. You can find the package later at the following network path: \\<Administration Server
E

name>\KLSHARE\PkgInst\<standalone package name>\setup.exe.

PI

The Administration Server signs standalone packages with its certificate by default. This certificate is self-signed,
and Windows will display a warning when the package is run. The administrator can select to sign packages with
another certificate. Specify the necessary certificate in the properties of the Advanced | Remote installation
CO

| Installation packages node, in the Signing stand-alone packages section.

BE
TO
T
NO
I-80 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
What to do with standalone packages

UT
IB
S TR
DI
RE
The wizard suggests that the administrator takes one of the following actions:
OR

— Open folder—for example, to copy it to a flash drive

— Sample HTML code for link publication on a website—a text window opens, which contains HTML
code of the link to the package that can be added to a web page
E D
PI
CO
BE
TO

— Email link to standalone installation package—the Administration Server starts the default email client
T

and automatically fills in the message subject and body providing a link to the package located in
the shared folder; the only thing the administrator has to do is to specify the recipients’ addresses
NO
 I-81
Unit I. Deployment

ED
UT
IB
S TR
DI
RE
Later, the list of created standalone packages can be opened from the Installation packages node within the
Advanced, Remote installation container. You can delete unnecessary packages or send another email message to
users.

The HTML link offered by the package wizard contains the path to the shared folder on the Administration Server.
OR

If non-domain users whose accounts have not been added to the Administration Server try to click it, they will not
be able to access the resource.

Replace the link to the network folder with the http link to the package, which can be copied from its properties.
There is a built-in web server on the Administration Server where any user can download the package from. Each
D

standalone package gets a unique http link based on the package id. The administrator can find the link in
the package properties on the list of all standalone packages.
E

If the standalone package creation wizard is started for a package repeatedly, the administrator can select whether to
PI

re-create the standalone package or create another one.

CO
BE
TO
T
NO
I-82 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
3.6 How to select which KES components to install

UT
Installation packages

IB
S TR
DI
RE
OR

Installation packages in Kaspersky Security Center represent the products ready to be installed. A package includes
D

installation files along with the installation parameters and some product setup parameters. Installation package
parameters in a sense replace the local installation wizard and local setup wizard. Every product has its own settings.
E

As you know, installation packages are used in the remote installation wizards and tasks, and for creating standalone
installation packages.
PI

Kaspersky Security Center includes all packages necessary for deploying the protection system:
CO

— Network Agent
— Kaspersky Endpoint Security for Windows
— iOS MDM Server
— Microsoft Exchange Mobile Devices Server

Packages are stored in the Advanced, Remote installation, Installation packages node. The following information
BE

is available for each package: name, language, and version of the product, as well as the unique name of the package.
The package description area also displays its size, which is the total size of all its files.

Packages can be created, modified and removed. If a package is used in an installation task, it cannot be removed
TO

until the associated task is deleted. First, delete all tasks that use the package, and then delete the package.

You can create various installation packages in Kaspersky Security Center. You can use them to install operating
systems, third-party programs, updates and critical fixes for third-party applications, and also to run various scripts
and utilities on the computers. This is described in more detail in KL 009 “Systems Management” course. Within
the framework of this chapter, we describe only the installation packages created for Kaspersky Lab programs.
T
NO
 I-83
Unit I. Deployment

ED
Settings of a Kaspersky Endpoint Security package

UT
IB
S TR
DI
RE
General properties
OR

Each package has general properties and settings that depend on the program for which the package was created. To
be able to review the package settings, the application plug-in must be installed in the console. If the necessary plug-
in is missing, the console will prompt to install it. A plug-in can be installed from the installation shell of Kaspersky
Security Center or downloaded from the application page on the Kaspersky Lab support website.
D

The General section of the package properties shows the program version and file size, and also the path to
E

the package file in the shared folder of the Administration Server. If necessary, an IT employee can download
the installation files over the network and install the application locally.
PI

How to update databases in a package

CO
BE
TO
T
NO

There is the button Update databases in the general properties of a Kaspersky Endpoint Security package. It
updates the signature database within the package.
I-84 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
For Kaspersky Endpoint Security to be able to work right after the installation, its installation package includes the
antivirus databases. They become obsolete over time. This is not actually a problem, because right after Kaspersky
Endpoint Security is installed, the update task starts and downloads new databases.

UT
Sometimes, it is necessary that the product is installed with up-to-date databases. For example, an IT employee may
take a standalone package to a small branch office with poor Internet access. In this case, the size of the package that
the engineer carries on the removable drive is not that important. Decreasing the traffic of the update task is more
important, since it may constitute tens of megabytes if the package contains outdated databases.

IB
In this case, databases can be updated in the package prior to the installation. The date of the last update is also
shown in the general package properties, in the Databases updated field.

TR
The Update databases button copies a complete set of databases from the Server storage to the Kaspersky Endpoint
Security package. Initially, the databases are supplied within the bases.cab archive in the installation package. After
an update using the Update databases button, the archive is replaced with a folder named bases. The folder’s

S
volume is comparable to the size of the archive, since the database files are encrypted and cannot be compressed.

DI
Kaspersky Security Center updates databases in the packages automatically when updates are downloaded to
the repository. However, this is performed only once for each package. If databases have ever been updated
automatically in a package, they will not be updated automatically any more.

RE
In fact, the Kaspersky Endpoint Security package that is added to the storage during the server installation is
updated automatically shortly after the installation, and any other newly created Kaspersky Endpoint Security
package will be updated soon after it is created.
OR

How to select components in a package

E D
PI
CO
BE
TO

Other parameters of the Kaspersky Endpoint Security package duplicate the interactive installation parameters.
The main parameters are the list of components and the program files folder.

The set of components depends on the Installation type parameter. The administrator can select one of the two pre-
T

set installation types:

NO

— Basic installation:
— Behavior Detection
— Exploit Prevention
— Remediation Engine
— Host Intrusion Prevention
— File Threat Protection
— Mail Threat Protection
 I-85
Unit I. Deployment

ED
— Web Threat Protection
— Network Threat Protection
— Firewall

UT
— Standard installation: All components of Basic installation plus
— Application Control
— Web Control
— Device Control

IB
If you need some other configuration, choose the Custom installation type and select the components you want to be
installed. Some components can only be installed through Custom installation:

TR
— File Level Encryption
— Full Disk Encryption
— BitLocker Management

S
— BadUSB Attack Prevention
— Endpoint Sensor

DI
By default, the standard installation components are selected. The administrator may switch between the preset
installation types, or choose Custom installation and select individual components on the list. Remember that some

RE
of the components only work on workstations, while a package can be installed on any supported operating system.
On server systems, only the following components can be installed:

— Behavior Detection
— Exploit Prevention
OR

— Remediation Engine
— File Threat Protection
— Network Threat Protection
— Firewall
— Application Control
—
D

BadUSB Attack Prevention

— BitLocker Management
— Endpoint Sensor
E
PI

Although Host Intrusion Prevention settings will also show up in Kaspersky Endpoint Security on servers,
the component will not be actually installed. Kaspersky Endpoint Security won’t control application privileges on
servers, e.g., it won’t block Untrusted applications on servers. The reason why Host Intrusion Prevention settings
CO

are visible on servers is that a part of these settings are also used by the Firewall component. Host Intrusion
Prevention and Firewall are described in more detail in Unit II of this course.

In addition to the components, local tasks are installed. They cannot be deselected in the package properties and are
installed on all operating systems:
BE

— Update
— Rollback
— Integrity check
— Virus scan
— Full scan
TO

— Critical areas scan

— Custom scan
— The scan task that users can run from an object’s shortcut menu
T
NO
I-86 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Compatibility settings

UT
IB
S TR
DI
RE
By default, the Kaspersky Endpoint Security components are installed to:
OR

%ProgramFile(x86)%\Kaspersky Lab\Kaspersky Endpoint Security for Windows

If necessary, the administrator can modify this path.

Those administrators who often use the command line interface can select to automatically add the installation
D

folder to the %PATH% environment variable. Then they will be able to carry out product management commands
via avp.com without specifying the complete path.
E

The package has two additional parameters that provide compatibility settings. One of them, Do not protect
PI

the installation process, disables self-defense during the installation. Self-defense prevents applications (primarily
malicious) from modifying Kaspersky Endpoint Security installation files. It also blocks access to the folder where
Kaspersky Endpoint Security files are installed, and to the registry keys of Kaspersky Lab software. Sometimes,
CO

self-defense conflicts with third-party applications, for example, with backup agents. That is why it can be disabled.

Another parameter provides compatibility with Citrix Provisioning Services. If you want to install Kaspersky
Endpoint Security on a virtual machine image in Citrix PVS environment, enable this option.
BE
TO
T
NO
 I-87
Unit I. Deployment

ED
How to add a configuration file to a package

UT
IB
S TR
DI
RE
One more parameter is the Configuration file. This file defines the configuration settings that Kaspersky Endpoint
Security will use after the installation.
OR

The configuration file substitutes the setup wizard of Kaspersky Endpoint Security. If a configuration file is not
specified, the product will work using the default settings. However, as soon as the Network Agent connects to
the Server, the Kaspersky Endpoint Security policy will be enforced, which will override the protection settings. So,
the configuration file is necessary if the policy does not regulate some of the product settings, or for unmanaged
D

devices.
E

To create a configuration file, install Kaspersky Endpoint Security on a computer, but do not connect it to the
Administration Server; otherwise, the group policy will not allow you to modify the local settings.
PI

Configure Kaspersky Endpoint Security via the local interface as necessary, and save these settings into a file. The
Save button is located in the Settings window, in the General Settings\Manage Settings section.
CO

How to add a key to a package

BE
TO
T
NO
I-88 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Kaspersky Endpoint Security does not work without an activation. If an interactive installation takes place, the code
or key can be specified in the setup wizard. Remote installation implies several ways for activating the installed
product. One of them is to specify the key file in the installation package properties.

UT
In the package properties, you can add only a key, a code cannot be added.

Also, a key or code can be distributed to the selected computers by a special task.

IB
The third option is to select the check box Automatically deployed key in the properties of key or code in the
Kaspersky Lab licenses node of the Administration Console.

TR
As a last resort, a code or key can be added via the local interface of Kaspersky Endpoint Security.

How to disable uninstallation of incompatible applications

S
DI
RE
OR
E D
PI
CO

By default, the Kaspersky Endpoint Security installer looks for and uninstalls incompatible applications: third-party
antiviruses and firewalls.

The list of programs that Kaspersky Endpoint Security can uninstall is rather large, but it is not exhaustive. Usually,
it does not include the most recent versions of protection tools by other manufacturers, or uncommon software. How
BE

to uninstall applications that Kaspersky Endpoint Security failed to detect is described at the end of this chapter.

If Kaspersky Endpoint Security uninstalls an incompatible application incorrectly, disable automatic uninstallation
and remove the program manually.
TO
T
NO
 I-89
Unit I. Deployment

ED
Network Agent package parameters

UT
IB
S TR
DI
RE
Installation path
OR

The General section of the Network Agent package is the same as that of Kaspersky Endpoint Security, but without
the button Update databases. The Network Agent has no databases.
D

The Settings section allows changing the installation folder and also setting the uninstallation password. If
the Network Agent installation folder is not specified explicitly, the standard path is used:
E

%ProgramFiles%\Kaspersky Lab\NetworkAgent
PI

Password protection
CO

Agent uninstallation can be protected with a password that can be specified in the package properties. Even users
with administrator permissions will not be able to uninstall the Agent using regular tools unless they know
this password. However, users with administrator permissions can make the Agent inoperative if they really want to.
BE

If you have not enabled password protection in the Network Agent installation package, enable it in the Agent
policy, where it is also available.
TO
T
NO
I-90 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Administration Server connection parameters

UT
IB
S TR
DI
RE
The Connection section of the Network Agent installation package properties contains the Administration Server
connection parameters. The Network Agent installation wizard prompts for these settings during the local interactive
OR

installation.

The main connection parameters are the Administration Server address and ports. Initially, they take the values
specified during the Administration Server installation. If the client computers and Administration Server belong to
different subnets connected via a proxy server, the proxy server parameters can also be specified in the installation
D

package properties. These standard parameters include the proxy server address and port, and also the user name and
password for authentication. Remember that these parameters will be used by Network Agents when connecting to
E

the Server, not the other way round.

PI

When it is the Server that initiates a connection to a client computer, for example, to enforce a policy, it uses a UDP
port. To prevent Windows Firewall from blocking requests on this port, the Network Agent can automatically create
the necessary exclusions. To modify this behavior, clear the Open Network Agent ports in Microsoft Windows
CO

Firewall check box. By default, the Network Agent accepts connections on UDP port 15000. This value can be
changed both in the package properties and later in the Network Agent policy.

Just like the Kaspersky Administration Console, Network Agents may establish encrypted (SSL) or non-encrypted
connections to the Server. SSL is enabled by default. Network Agents automatically download and use
BE

the Administration Server certificate. In networks with strict security requirements, the certificate can be specified
manually to prevent substitution.

The advanced parameters of the Network Agent installation package are useful in networks with a complicated
infrastructure. These are described in the courses KL 009 “Systems Management” and KL 302 “Kaspersky Endpoint
Security and Management. Advanced Skills”.
TO
T
NO
 I-91
Unit I. Deployment

ED
3.7 How to create an installation package

UT
Why create installation packages

IB
S TR
DI
RE
OR

Installation packages included in Kaspersky Security Center are usually enough for protecting most networks.
D

Additional packages can be necessary in the following cases:

E

— A new version of Kaspersky Endpoint Security has been released. For an upgrade, just like for the initial
installation, an installation package is necessary. The administrator can either create the package manually
PI

or download the new version of Kaspersky Security Center that includes a new package version and
reinstall Administration Server over the old one (all settings will be saved).
CO

— You need to remotely install a Kaspersky Lab product that is not included in the distribution of Kaspersky
Security Center, for example, Kaspersky Security for Windows Server. Such a package needs to be created
manually.

— Different parameters are needed in several network parts. For example, according to the deployment plan,
some computers do not need Web Threat Protection and Mail Threat Protection components. To be able to
BE

deploy the system simultaneously on both categories of computers, create an additional installation package
with those non-standard settings.

Package creation wizard

TO

To create an installation package, in the node Advanced \ Remote installation \ Installation packages, click the
button Create installation package. The wizard will ask for the package type, installation files’ location, and some
installation parameters depending on the application. It may also ask to accept the license agreement of
T

the application.
NO

Creating a package requires the management plugin for the same application to be installed in the Kaspersky
Security Center console. The plugin installation file is usually found among the installation files of the application
and sometimes the wizard detects the plugin installer and installs it automatically. If this is not the case, you will
need to install the plugin before creating the package.
I-92 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Package types

UT
IB
S TR
DI
RE
The wizard starts with a choice of the package type. There are three (or four, depending on the Kaspersky Security
OR

Center interface settings), options:

— A package for a Kaspersky Lab application. This package type requires a special package description file,
which is included in the distribution of most Kaspersky Lab applications. A description file can be created
manually, but this is an advanced topic outside the scope of this course.
D

— A package for a program specified by the user. This package type allows running the specified file (not
necessarily an installer, it could be a script or a utility) on remote computers.
E

— A package for a 3rd-party application based on Kaspersky Lab’s application database. This allows
PI

installing 3rd-party applications without the need to look for and manually download their installation files.
This feature is described in course KL 009 “Systems Management”.
CO

The fourth option, which may not be visible depending on the settings, is a package for operating system
deployment based on a disk image. It is also explained in the course KL 009 “Systems Management”.
BE
TO
T
NO
 I-93
Unit I. Deployment

ED
Package settings

UT
Package name

IB
S TR
DI
RE
OR

Now, we are interested in the first option. After you select it, the wizard prompts for the package name and path to
the folder that contains the installation files and the package description file.
D

Installation files
E
PI
CO
BE
TO
T

Installation files may be unpacked (this is how they are usually supplied on a CD), or packed into a self-extracting
NO

archive (they are available in this form when downloading from the Kaspersky Lab website). The package creation
wizard supports both formats. If a self-extracting archive is specified, the wizard will automatically unpack it into
a temporary folder and extract all necessary files.

Installation packages for Kaspersky Lab products are created based on description files having a .kpd or .kud
extension. The files are identical, except for the character encoding: .kpd files use ANSI encoding, while .kud files
I-94 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
are in Unicode. The files contain the product version, the name of the installer, installation parameters, error
descriptions and additional options depending on the application.

A .kpd/.kud file alone is not enough to create a package. It is just a description, not an archive. The description files

UT
are located within the distribution package, and must not be separated from it. To create an installation package
correctly, select the .kpd/.kud file located within the corresponding distribution package. It is a common mistake to
copy just the description file into a separate folder and try to create a package from it.

IB
A way to avoid this mistake is to point the wizard to the self-extracting installer of the application downloaded from
the Kaspersky Lab website. This option is not apparent in the wizard though. What you need to do is when prompted
for the description file, change the file type from .kpd/.kud to Self-extracting archive. And then point to the

TR
downloaded installer. The package creation wizard will automatically unpack the specified file to a temporary folder
and extract the description file from it.

After the package description file is selected, the wizard will show the application name and version for you to

S
check that it is exactly the application you want.

DI
License agreement

RE
OR
E D
PI
CO

At the next step, the wizard may ask to accept the license agreement.
BE
TO
T
NO
 I-95
Unit I. Deployment

ED
Application settings

UT
IB
S TR
DI
RE
Then, depending on the application, the wizard may ask for some installation parameters. In the case of Kaspersky
Endpoint Security, the wizard prompts for the installation type: Basic or Standard. This can be modified later in
OR

the package properties, especially if you need a custom selection of components.

How to download a new version

D

Where to find newer versions

E
PI
CO
BE
TO
T
NO

To create an installation package for a Kaspersky Lab program, the administrator does not need to search for and
download the installation files. Kaspersky Security Center monitors current versions of the Kaspersky Security
Center, Kaspersky Endpoint Security and Kaspersky Security for Windows Server and allows the administrator to
create installation packages right from the distributions available on Kaspersky Lab servers.

In the Installation packages node, there is the Additional actions button, and the View current version of
Kaspersky Lab applications link below it.
I-96 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
UT
IB
S TR
DI
RE
This will open the list of available distributions for various versions and localizations 6. The administrator just selects
the necessary distribution and clicks the Download distribution package button; and the Administration Server
automatically completes the job: downloads the files and creates an installation package from them.
OR

How to find the necessary product or update

E D
PI
CO
BE
TO

Kaspersky Security Center manages numerous programs by Kaspersky Lab. The list of updates contains not only
new program versions, but also updates for them, new versions of plug-ins, and various localizations of the same
applications. As a result, the list is rather long.
T

To find what you need, use a filter. In the filter, you can select:

— Components:
NO

— Controls—Kaspersky Security Center components

— Workstations—applications for workstation protection, including Kaspersky Endpoint Security for
Windows

6
By default, basic product localizations are displayed (English, French, German) plus the language of Kaspersky Security Center Console
 I-97
Unit I. Deployment

ED
— File Servers and Storage—programs for protecting servers and storages, for example, Kaspersky
Security for Windows Server
— Virtualization—various versions of Kaspersky Security for Virtualization
— Mobile—applications by Kaspersky Lab for Android and iOS smartphones and tablets

UT
— Embedded Systems—Kaspersky Embedded Systems Security (protection for ATMs and POS systems)

— Update type:

IB
— Application distribution packages
— Management plug-ins
— Patches

S TR
DI
RE
OR
E D

— Updates to display:
PI

— Only the latest versions

— Only updates for software versions in use
— Only updates for software with plug-ins installed in the Administration Console
CO

— Language:

— All languages
— Administration Console language or basic set (English, German, French)
BE

— Administration Console language and the language selected on the list

After you apply the filter, the window will show only the updates that meet the specified conditions. You can also
sort the contents by name, type, language and other parameters.
TO
T
NO
I-98 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
How to find out if new versions are available

UT
IB
S TR
DI
RE
Kaspersky Security Center notifies the administrator about new versions of distributions. When they are issued,
OR

the corresponding message appears on the Monitoring tab of the Administration Server node, in the Update area.

3.8 How to uninstall incompatible applications

E D
PI

Which programs are incompatible and why uninstall them

CO
BE
TO
T
NO

Kaspersky Endpoint Security is not compatible with other protection tools. Before the installation, the conflicting
programs must be uninstalled. If you do not do this, the computer may operate slowly and unstably. In the worst-
case scenario, though rare, the computer may hang, restart spontaneously, and display a blue screen.
 I-99
Unit I. Deployment

ED
Protection tools co-exist poorly because of the drivers that they install to intercept file operations, network
connections, and system calls. The Network Agent does not install any drivers, and therefore does not conflict with
third-party protection tools.

UT
How to uninstall incompatible applications

IB
To uninstall protection tools by other manufacturers, it is best to use regular tools:

— The applications that have their own centralized management system should be removed via this system
— If possible, uninstall third-party protection using Windows tools

TR
If the incompatible applications cannot be uninstalled using regular tools, the administrator may use the Kaspersky
Security Center functionality for this purpose:

S
— The Uninstall incompatible applications automatically option in the installation package of Kaspersky

DI
Endpoint Security, or

— The Administration Server’s task Uninstall application remotely

RE
The former option is always enabled in the installation package and reliably uninstalls many widespread versions of
third-party antiviruses and firewalls. However, if you have an uncommon antivirus or a recently released version,
Kaspersky Endpoint Security installer may fail to detect it.
OR

Besides, some of the incompatible applications can be detected by the installer, but cannot be uninstalled.

What if there are incompatible applications?

D

Kaspersky Endpoint Security found and uninstalled incompatible applications

E
PI
CO
BE
TO
T

If the installer has detected and uninstalled incompatible applications, it will require restarting the computer to
NO

complete the installation of Kaspersky Endpoint Security. It is the only difference compared to a typical installation.
If there are no incompatible applications on the computer, the installer will install everything without a restart.

The installation task has restart parameters for such cases. By default, the task will show the user a message that the
computer needs to be restarted every 5 minutes, and will force a restart after 30 minutes. The administrator can
adjust all these intervals in the remote installation task properties.
I-100 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Kaspersky Endpoint Security found incompatible applications, but failed to
uninstall them

UT
IB
S TR
DI
RE
OR

If uninstallation of incompatible applications is disabled and a conflicting application is found during the Kaspersky
Endpoint Security 11 installation, the installer returns an error. The error description explains that the product cannot
be installed if incompatible applications are installed on the computer. The administrator needs to uninstall
the conflicting programs and re-start the installation.
D

If it is a task that installs Kaspersky Endpoint Security together with Network Agent, it will install the Network
Agent and only after that inform about the error. This is handy, because you can use the Agent to uninstall
incompatible applications by a special task.
E
PI

Kaspersky Endpoint Security failed to find the installed incompatible

applications
CO
BE
TO
T
NO

If there are incompatible applications on the computer, but the installer fails to detect them, it will complete the
installation as if they did not exist. In this case, the administrator may not know for quite a while about the conflict.
 I-101
Unit I. Deployment

ED
Eventually, the users will complain that a computer works slowly or malfunctions. When investigating the issue, the
administrator will discover that there are several protection applications on the computer.

UT
How to find out if there are any incompatible applications

IB
S TR
DI
RE
OR

The administrator can learn that there are third-party protection applications on the computers from the
Administration Console. The Network Agents send lists of installed software to the server, and the aggregate list can
be found in the console in the node Advanced | Application management | Applications registry.
D

If the administrator suspects that there may be protection tools by other manufacturers in the network, it makes
E

sense to search for them on the list by the manufacturer name. For example, Symantec, McAfee, or MalwareBytes.
PI

The list of computers where the program is installed is available in its properties. After that, the administrator will
only need to uninstall it.
CO

There is an Administration Server’s task that serves this purpose: Uninstall application remotely. However, it will
not be of any help immediately. The list of applications that the Agent can uninstall usually coincides with the list of
programs that can be removed by the Kaspersky Endpoint Security installer. This list is updated only when a new
version or service pack is released, and new versions and service packs for Kaspersky Endpoint Security and
Kaspersky Security Center are almost always released simultaneously.
BE
TO
T
NO
I-102 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
How to uninstall incompatible applications that have not
been found

UT
What to do

IB
S TR
DI
RE
OR

Each program on the list of incompatible applications has an INI file that tells how to detect and uninstall it.
D

To uninstall an application that is not included in the list, send the program distribution to KL technical support and
request an INI file for it. Kaspersky Lab experts will need some time to examine the application and develop an INI
E

file for it. This service is available only for comparatively large customers.
PI

Copy the received INI file to the folder with other INI files on the Administration
Server: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Security Center\Data\Cleaner. Then restart the
Administration Server service.
CO

After that, the Network Agent’s “Uninstall application remotely” task will be able to remove this program. Run the
task to uninstall all incompatible applications on all computers. Or, to save resources, make a selection of only those
computers where the incompatible application is installed, and run the uninstallation task there for only this
particular incompatible application.
BE
TO
T
NO
 I-103
Unit I. Deployment

ED
How to contact technical support

UT
IB
S TR
DI
RE
To contact technical support, use the companyaccount.kaspersky.com portal. To sign up, specify your email address
and license: activation key or code.
OR
E D
PI
CO
BE
TO

To request an INI file, create a new request and select the category Make a request for Tech Support.
T
NO
I-104 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
UT
IB
S TR
DI
In the request, select

— Scope—for workstations
RE
— Product name and version—Kaspersky Endpoint Security for Windows 11.x.x.xxxx
— Request type and subtype—Installation and Incompatible Software
OR

Then describe the situation and do not forget to attach the installer of the third-party program that you want to
uninstall.

How to display computers with an incompatible

D

application
E
PI
CO
BE
TO
T
NO

Computer selections

To uninstall incompatible applications, you need to create an uninstallation task and run it on the computers where
these programs are installed.
 I-105
Unit I. Deployment

ED
To display computers where an incompatible application is installed, create a computer selection (in the respective
node). The Device selections node contains the following pre-configured selections:

— Update agents

UT
— Databases are out of date
— Virus Scan has not been performed for a long time
— Not connected in a long time
— There are unprocessed objects

IB
— Many viruses detected
— Protection is off
— No security application installed

TR
— Unassigned devices with Network Agent
— New networked devices found
— Data encryption errors
— The device has gone out of control

S
— Devices with Critical status
— Devices with Warning status

DI
— Devices with Warning and Critical statuses due to vulnerabilities

These selections are hard-coded: they can neither be modified, nor deleted. There is no selection of computers with
incompatible software among them.

How to create a selection

RE
OR

To create a selection, click the Advanced button and choose Create a selection.
E D
PI
CO
BE
TO

In a selection, you can select to search

— Among all computers

— Only among managed
— Only among unassigned
T
NO

Unassigned devices do not transfer lists of installed programs to the server. That is why you should search for
computers with incompatible applications either among managed, or among all computers.

By default, a selection does not have any conditions, and it finds all the computers within the specified scope.
I-106 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Selection parameters

UT
IB
S TR
DI
RE
To find computers with an incompatible application, change the conditions.
OR

By default, each selection has a macrocondition with numerous microconditions. All microconditions within the
macrocondition are combined with logical AND. Macroconditions are combined with logical OR.

To find computers with an incompatible application, one macrocondition is enough. Open its properties and switch
to the Applications registry section. Select the program name in the list Incompatible security application name.
D

Save the condition and the selection. The computer selection results will contain only the computers where this
program has been detected.
E

To display computers with various incompatible applications in a single selection, add macroconditions and specify
PI

the other incompatible applications there.

CO
BE
TO
T
NO
 I-107
Unit I. Deployment

ED
How to uninstall incompatible applications using a task

UT
Where to create tasks in the console

IB
S TR
DI
RE
OR

Now, create an uninstallation task for this selection. Start the task creation wizard in the Tasks node, and when
prompted for the target computers, choose the created selection. Every time the task runs it will check the contents
of the selection and update the list of target computers.
D

Task types
E
PI
CO
BE
TO
T
NO

The wizard shows all the tasks you can create. Each plug-in installed in the console adds tasks of the respective
application to the list. After the standard installation of the Administration Server, you will be able to create tasks
for Kaspersky Security Center and Kaspersky Endpoint Security 11. The remote installation and uninstallation tasks
are the tasks of Kaspersky Security Center.

To uninstall incompatible applications, select Kaspersky Security Center Administration Server | Advanced |
Uninstall application remotely in the task creation wizard.
I-108 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Uninstallation task subtypes

UT
IB
S TR
DI
RE
This task is used in various scenarios concerning uninstallation of programs and service packs.
OR

— Uninstall incompatible applications

— Uninstall programs by Kaspersky Lab (for example, to then reinstall them)
— Uninstall an application that is listed in the applications registry (usually, you need to know the
uninstallation command)
— Delete an update or a program listed in the database of third-party software (see course KL 009 for details)
D

Here, we are interested in the Uninstall incompatible application option.

E

Selecting the program

PI
CO
BE
TO
T
NO

After that, specify the name of the incompatible application to be uninstalled. You can select several programs or
even all the applications that are included in the list. Selecting more than one program increases the task run time
though, because such a task executes, step by step, the uninstall scripts for all the selected programs.
 I-109
Unit I. Deployment

ED
Restart parameters

UT
IB
S TR
DI
RE
Selecting the computers
OR

The uninstallation task has computer restart parameters. The restart is often necessary to finish the uninstallation. By
default, the user is prompted to restart the computer. If he or she chooses to postpone the restart, the prompt will
reappear every 5 minutes, and the restart will be forced after 30 minutes.
D

The administrator can modify these intervals and the message text. If the administrator selects a forced restart,
the user’s data may be lost. Another alternative is to wait for a regular restart; however, the task will remain
E

uncompleted for a while.

PI
CO
BE
TO
T
NO

Finally, select computers for the task. The available options include:

— Picking computers from the Managed devices group and the Unassigned devices node
— Typing the names or addresses of the computers
— Specifying a computer group name
— Specifying a computer selection name
I-110 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
The last option is convenient for computers that can be defined by conditions relatively easily, e.g. computers where
incompatible applications have been detected.

UT
Account

IB
S TR
DI
RE
OR

The task creation wizard also prompts for the account. In our scenario, the account is not necessary, because the
Network Agent is already installed on the computers and will run the uninstallation task under the local system
account. The account must be specified if the task is run either on computers without a Network Agent, or on
D

computers where the Network Agent has no administrator permissions.

E

Finishing the wizard

PI
CO
BE
TO
T
NO

At the last steps of the wizard, select the schedule, task name, and whether to start the task immediately. The
uninstallation task is to run once.

Once the incompatible applications are uninstalled, Kaspersky Endpoint Security can be deployed by running
the remote installation wizard or a remote installation task, which can be created using the wizard in the Tasks node.
The parameters of a remote installation task are almost the same as those specified in the remote installation wizard.
 I-111
Unit I. Deployment

ED
UT
IB
S TR
DI
RE
By default, the wizard offers the task name that coincides with the task type: Uninstall application remotely. If you
are uninstalling a single program, specify its name in the task name. This way, in the future you will be able to
quickly understand whether this task is still necessary, or you can delete it.

At the last step of the wizard, you can select to run the task immediately. It is often exactly what you are going to do.
OR

To start the task, select the check box Run task after Wizard finishes.
E D
PI
CO
BE
TO
T
NO
I-112 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Chapter 4. How to organize computers into

UT
groups

IB
TR
4.1 How to understand that the deployment has
been completed

S
DI
Now you know everything to be able to install protection on all network computers:

—
—
—
RE
How to select components and installation parameters for Kaspersky Endpoint Security
How to install Kaspersky Endpoint Security and Network Agent remotely
How to install Kaspersky Endpoint Security and Network Agent using Active Directory
— How to create a standalone package for local installation
OR

— How to create several different packages with different parameters

— How to install on discovered and undiscovered computers

Handy monitoring tools supplement this list:

D

— How to understand which programs are installed on which computers

— How to understand that installation has been completed in the network
E

For this purpose, you can use the installation task results, as well as reports, computer selections and event
PI

selections.

Where to look for information about the deployment

CO
BE
TO
T
NO
 I-113
Unit I. Deployment

ED
Task results and the information available on the Managed devices group do not always provide comprehensive
information on the protection deployment in the network. Deployment by a single task on all computers, as well as
managing all computers within one group, is characteristic of small networks only.

UT
For a complete picture, reports are the natural information source. Reports relevant to the deployment stage are:

— Incompatible applications report

— Kaspersky Lab software version report

IB
— Protection Deployment Report

The following selections are also very useful at the deployment stage:

TR
— New networked devices found
— Security application is not installed
— Unassigned devices with Network Agent

S
Global statuses

DI
RE
OR
E D
PI
CO

Information about the protection deployment is also available on the Monitoring tab of the Administration Server
node. The Deployment area contains the number of managed computers where Kaspersky Endpoint Security is not
BE

installed. If it is non-zero, a link to the selection that includes all these computers is also displayed.

If there are any computers with the Network Agent in the Unassigned devices node, this will be reflected in
the Management scheme area with another link to the corresponding selection of computers.
TO

Device selections

Computers with the Network Agent must be located within the Managed devices node. If they are located in the
T

Unassigned devices node, they neither send events to the Administration Server nor receive tasks and policies from
the Server.
NO

That is why the Administration Server displays such computers on the Monitoring page and in the corresponding
selection.
I-114 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Reports

UT
Where to look for reports

Reports are available on the corresponding tab of the Administration Server node.

IB
Kaspersky Lab software version report

S TR
DI
RE
OR
E D

The software version report shows the number of Kaspersky Lab programs installed on managed computers. In
particular, the number of installed Network Agents, Administration Servers and Kaspersky Endpoint Security
PI

instances.

Various versions (builds) of the products are represented separately, which is convenient when upgrading
CO

the products. The report shows how many computers use the current versions of the programs, and how many run
older versions.

The graphic part of the report illustrates the statistics table, which lists all versions of managed products and
the number of installations for each of them.
BE

The Details table gives information on every computer: which products are installed, which versions, etc.
TO
T
NO
 I-115
Unit I. Deployment

ED
Protection deployment report

UT
IB
S TR
DI
RE
This report shows three categories:
OR

— Computers with Network Agent and protection tools

— Computers with Network Agent, but without protection tools
— Computers without Network Agent

Computers with protection tools, but without the Network Agent are included in the last category. If the Network
D

Agent is not installed, the Administration Server does not know whether protection tools are installed on the
computer. This category also includes the computers where the Network Agent is installed, but is not connected to
E

the Administration Server. For example, computers where Agents use an incorrect server address.
PI

The chart and the Summary table show the number of computers in every category. The Details table, just like in
the software version report, shows the version of the Network Agent and Kaspersky Endpoint Security on every
computer.
CO

This report is especially useful if the administrator first moves all of the computers into the Managed devices group,
and then starts the deployment tasks. In this case, the report explicitly displays how many of the managed computers
are not connected to the server, and how many of those connected are not yet protected with Kaspersky Endpoint
Security.
BE

If the administrator uses the remote installation wizard for the deployment and always selects the computers from
unassigned devices area, this report is less useful as it does not cover unassigned devices.
TO
T
NO
I-116 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
4.2 How the Administration Server discovers
computers

UT
IB
Polling types

S TR
DI
RE
OR
D

In the deployment wizard or when creating a deployment task, the administrator can select computers from a list.
E

The Administration Server makes up this list by polling the network. Polls are performed periodically in several
different ways:
PI

— Windows network polling

— Active Directory polling
CO

— IP subnet polling
The network is polled by the service of the Network Agent installed on the Administration Server rather than by the
Administration Server service. The Network Agents installed on ordinary network computers do not poll the
network.
BE

Where to configure polling

Polling results are shown in the Advanced | Network poll node separately for each discovery method:
TO

— Domains—computers detected during Windows network polling; workgroups and domains are represented
as folders containing computers

— Active Directory—domains and organizational units are represented as folders containing computers
T

— IP subnets—IP subnets are represented as folders

NO

The discovered computers are also displayed in the Unassigned devices node.

A computer can be shown in more than one detection area. If a computer is detected in the HQ domain and its
address is 192.168.0.1, it will be displayed in both the Domains node and in the IP subnets node in
the corresponding folders.
 I-117
Unit I. Deployment

ED
To modify the poll settings for every method, select the Advanced \ Network poll node and then click Configure
polling in the corresponding section. You can also start any type of polling manually on this page.

UT
Windows network polling

What a quick poll does

IB
S TR
DI
RE
OR
D

The Administration Server collects the list of Windows network computers just like the operating system itself.
When a user opens the computer’s network places, the list of neighborhood computers grouped by domains and
E

workgroups is shown. The Administration Server can acquire the same list.
PI

This polling method is called quick Windows network polling. It hardly places any extra load on the network.
The Computer Browser service is responsible for making up and representing the list of computers. In every
network segment there is the main computer that stores the general list and provides it when requested. To receive
CO

the list, Administration Server only needs to send a request.

In Windows Vista/Server 2008 and later versions, the Computer Browser service is disabled by default. If the
Administration Server cannot receive the list of computers from the Computer Browser service, it sends a request to
Active Directory and tries to receive a list of computers from it. Certainly, only if the Administration Server is on an
BE

Active Directory domain.

Quick poll is performed every 15 minutes. After a quick poll, the Server receives the list of NetBIOS names of
computers, domains and workgroups.
TO
T
NO
I-118 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
What a full poll does

UT
IB
S TR
DI
RE
During a full poll, the Administration Server tries to receive as much information as possible about each computer
from the quick poll results.
OR

For each name, the Server resolves the name into the IP address using NetBIOS, DNS and LLMNR protocols. For
the received addresses, the server performs a reverse resolution into the name, and if this name does not coincide
with the original one, receives the IP address for the new name.
D

The Server checks whether the IP addresses are accessible using ICMP requests and finally tries to connect to the
computers using SMB and RPC protocols to find out the operating system.
E

All these numerous requests are necessary because names and addresses of the computers may change. The
PI

Administration Server uses direct and reverse resolution of names and IP addresses to distinguish new network
computers from the old ones that just changed the name or IP address.
CO

As the number of requests is proportionate to the number of computers, the network activity is much higher than
with a quick poll. That is why full poll is performed hourly by default.

How the server displays polling results

BE

In polling results, the Server shows everything it was able to find out about a computer: its name, address, operating
system, etc.
TO
T
NO
 I-119
Unit I. Deployment

ED
Windows network polling parameters

UT
IB
S TR
DI
RE
For each poll type, the administrator can:
OR

— Enable or disable polling completely

— Enable or disable polling for a part of the network (what “a part of the network” is depends on the polling
type)
— Select the polling schedule
— Select when polling data becomes obsolete
D

Polling schedule is defined as a start time and a timespan. A timespan can be as small as a few minutes or as large as
E

several days or weeks. It is possible to run missed polls. If polling is performed often, this is not necessary; but will
be useful if polling is performed once a week or a month.
PI
CO
BE
TO
T
NO

Additionally, for Windows network polling the administrator can specify the life span for the information on
the discovered computers. By default, this period is 7 days. If in 7 days a computer can no longer be detected by
Windows network polling, the information about this computer is deleted from the server database.
I-120 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
This interval can be specified independently for every domain or workgroup. Also, you can specify a common life
span and use it for the whole Windows network.

Additionally, you can disable polling of a domain or a workgroup in its properties.

UT
Active Directory polling

IB
What Active Directory polling does

S TR
DI
RE
OR
E D

The Administration Server requests from Active Directory the structure of containers (units) and the list of
computers for each of them.
PI

Additionally, the Administration Server requests the list of users and security groups. Working with AD users falls
outside the scope of this course. See courses KL 010 and KL 302 for details.
CO

In a large network, the total volume of all lists (computers, users, groups) may be very large, and that is why Active
Directory polling is performed every 60 minutes by default.
BE
TO
T
NO
 I-121
Unit I. Deployment

ED
Active Directory polling parameters

UT
IB
S TR
DI
RE
Polling parameters for Active Directory are similar to those for Windows network polling. There is an option to turn
off this polling method entirely and a schedule.
OR

There is no explicit lifetime parameter for the polling results. Each polling replaces the previous results:

— Adds missing units and computers

— Deletes the computers and units that have been removed from Active Directory
D

In the Advanced polling parameters, the administrator can select the polling scope:
E

— The Active Directory domain to which the Administration Server belongs (the default choice)
PI

— The domain forest to which the Administration Server belongs

— The specified list of Active Directory domains
CO

To add a domain to the polling scope, specify the address of the domain controller, and the name and password of
the account for accessing it.

You can selectively disable polling for some organizational units in their properties.
BE

When the administrator changes the polling scope, after the next polling, the Server will show only the new scope
contents. For example, if the administrator has disabled polling within a unit, after the next polling, the
Administration Server will delete all the information about the contents of this unit from its database. Also, if the
Server scanned several domains previously and the administrator deletes one of the domains from the list, after the
next polling, the Server will delete all data about this domain from its database.
TO
T
NO
I-122 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
IP range polling

UT
What IP subnet polling does

IB
S TR
DI
RE
OR

IP range polling works similarly to full Windows network polling. However, the original list of computers is not
received as a result of quick polling; it is the list of IP addresses from the IP ranges specified by the administrator.
D

The server tries to resolve each address into a name, and the name into an address again; then checks whether the
address answers ICMP ECHO REQUESTs, etc.
E

To find out the device type, the Server also sends SNMP requests.
PI

The polling results include only those computers that answered the ICMP request.
CO

IP subnet polling parameters

BE
TO
T
NO
 I-123
Unit I. Deployment

ED
Initially, the Administration Server gets IP ranges for polling from the network settings of the computer where it is
installed. If, for example, the computer address is 192.168.0.1 and the subnet mask is 255.255.255.0,
the Administration Server automatically includes the 192.168.0.0/24 subnet to the scan list and polls all addresses
from 192.168.0.1 to 192.168.0.254.

UT
IP subnets polling parameters include the list of polled IP subnets, the enabling check box and the schedule. When
this polling method is enabled, the default period is 420 minutes (7 hours). The life span for the polling results is 24
hours by default. If an IP address is not verified by polling in 24 hours, it is removed from the results. Such a short

IB
life span tries to account for dynamic IP addresses (assigned over DHCP protocol), which can change frequently.
When modifying the settings, make sure that the information life time exceeds the polling interval.

TR
How to add a network to be polled

S
DI
RE
OR
E D
PI

In order to poll subnets to which Administration Server does not belong, you need to add them to the list manually.
You can specify a subnet using either its address and mask, or the first and last IP address of the IP range. Also,
the name of the subnet should be specified.
CO

How to modify ranges in an IP subnet

BE
TO
T
NO
I-124 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
One subnet can comprise several IP ranges. Additional ranges are configured in the subnet properties. Whereas
named subnets are not allowed to overlap, Ranges may overlap within a subnet.

You can enable and disable scanning independently for every subnet.

UT
Where to monitor network polling

IB
S TR
DI
RE
OR

When the network is being polled, the Advanced | Network poll page displays the progress. Detailed information is
D

available in the Administration Server statistics (Administration Server properties: Advanced \ Administration
Server operation statistics). There you can find the time of the last poll performed by each method, polling progress
E

percentage and the name of the polled domain for Windows network polling.
PI

How to find out that the Server has discovered new

computers
CO
BE
TO
T
NO
 I-125
Unit I. Deployment

ED
The administrator can configure notifications about new computers found in the network. The corresponding event
is available in the properties of the Administration Server, and you can enable email notification in the event
properties.

UT
To receive information about new computers, open the Event configuration section in the Administration Server
properties. Find the event New device found on the Info tab. Open the event properties and select the check box
Notify by email.

IB
For notifications, the Server uses the parameters that you specified in the Quick Start wizard when installing the
Administration Server. If you are not sure that the correct parameters have been specified, check them in the
Notification delivery settings section of the server properties.

TR
4.3 How to create or import groups

S
DI
Why create groups
RE
OR
E D
PI
CO
BE

After the initial installation, there is only one group on the Administration Server—Managed devices. With a single
group, the same protection policy and task schedule is applied to all computers, which is not always preferred.

Even in small networks, it may be necessary to use different protection settings for servers and workstations. In
TO

large networks, where different groups of users need various types of software, the capability to create policies with
different exclusions for different users is extremely useful. The computers must be placed into different groups to be
able to apply different policies7.

From a practical point of view it is convenient when computers in Kaspersky Security Center are organized into
the same groups as in Active Directory, or into groups corresponding to IP subnets used in the organization. This
T

way, the administrator can quickly understand where the computer is located to send an IT employee there.
NO

There are also other examples of group use. Often, especially in large networks, the administrators create groups to
organize the deployment process. Computers without the Agent or protection tools are placed into the Deploy Agent
group, where the Network Agent automatic installation task is created. The computers with installed Agent are

7
Starting with version 10 Service Pack 1, Kaspersky Security Center provides the capability to apply different configuration profiles to
different computers within the same group. For more details, refer to course KL 302.
I-126 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
moved into the Uninstall Incompatible Apps group, where the task for uninstalling incompatible applications is
configured. The computers without incompatible applications are moved into the Deploy KES group, where the task
of automatic installation of Kaspersky Endpoint Security is created. Finally, the completely protected computers are
moved into the permanent management structure.

UT
How to add a group

IB
S TR
DI
RE
OR

Creation of groups in the Administration Console is as simple as folder creation in Windows Explorer. First, groups
D

are created within the Managed devices node. Then you can create new groups either in the same node or inside the
created groups.
E

In the Administration Console interface, you can use any of the following methods to create a new group:
PI

— Select the Managed devices node or an existing group and click the New group button on the Devices tab;
— On the shortcut menu of the necessary node, click New, Group
CO

Enter the name of the group in the displayed dialog window: it will then appear as a subfolder in the structure of
managed devices. Each group page contains tabs for managing the hosts included into the group, group tasks and
group policies.
BE

If a group is no longer necessary, you can delete it on the condition that there are no computers in either the group or
subgroups.

Groups can be moved within the hierarchy of managed devices. For example, if the structure of groups reflects
physical computer locations and the HR department moves from Building 1 to Building 2, the HR subgroup can be
TO

easily relocated together with its computers from the group Building 1 to the group Building 2. The task can be
accomplished using traditional Cut and Paste or Drag and Drop methods.
T
NO
 I-127
Unit I. Deployment

ED
How to add a computer to a group

UT
IB
S TR
DI
RE
In the Administration Console, you can use any of the following methods to move computers:
OR

— Drag and drop—select a computer among the managed or unassigned hosts and drag it with the mouse to
the necessary group. You can move several computers at once

— Cut and paste—the procedure is almost the same, but you cut the selected computers (using the shortcut
D

menu or CTRL+X keyboard shortcut) and then paste them into the necessary group (once again using
the shortcut menu or CTRL+V keyboard shortcut)
E

— Select one or several computers in the Unassigned devices node or a selection of computers (the method
does not work within the groups), open the shortcut menu, select the Move to Group command and specify
PI

the necessary group

CO

Add Devices Wizard

BE
TO
T
NO
I-128 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Select the destination group, switch to the Devices tab, and click the Move devices to group link to launch the Add
Devices Wizard. In the wizard, you can either select the computers using the polling results or specify their names
or addresses manually

UT
IB
S TR
DI
RE
OR

If you specify a name or an address of a computer that is missing from the Administration Server polling results, the
wizard will inform that it cannot be added.

If a computer exists in the network but cannot be discovered—for example, its firewall allows only outbound
connections—install the Network Agent locally. As soon as the Network Agent connects to the Server, the computer
D

will be added to the database and appear in the network polling results.
E

How to import a group structure

PI
CO
BE
TO
T
NO

If the network is large enough and the planned structure of managed devices requires a large number of groups,
creating a hierarchy using the methods described above can be very labor-intensive. Sometimes it is easier to import
a group structure from the network polling results or from a text file.
 I-129
Unit I. Deployment

ED
If administrators want to arrange the managed devices in the exact same order as their network, to combine them
into the same workgroups or domains and subdivisions, they can use the structure import functionality.

You can import the structure of your Windows network, Active Directory or a structure defined in a text file. In

UT
the first two cases you may import either the entire structure (groups including computers) or just groups. When
importing the topology from a text file, only groups can be created.

Computer import affects unassigned hosts only. If some computers from a workgroup or an Active Directory unit

IB
that is being imported are already present in a group of managed devices, the wizard will not relocate them.

To start the wizard, on the shortcut menu of the Managed devices group, select All tasks, Create groups structure.

TR
In the wizard, specify the structure to be imported and the destination group. You can also import only a structure
from Windows network or Active Directory, and disable importing the computers.

S
DI
RE
OR
E D
PI

Windows network topology and a structure defined in a text file are always imported completely. When importing
an Active Directory structure, you can select the domain or unit to be imported. The other domains and units will be
ignored.
CO
BE
TO
T
NO
I-130 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
The structure creating wizard is designed for initial creation of the structure of managed devices. It is not intended
for regular synchronization of structures of Kaspersky Security Center, with, for example, Active Directory. If you
need to synchronize, configure the computer relocation rules.

UT
IB
S TR
DI
RE
OR

A structure import via a text file must be prepared manually. Every group or subgroup must be specified on
a separate line within the text file. Subgroups are specified using their full paths. Use the backslash path delimiters,
for example:

Office1\Subdivision1\Department1
D

Office1\Subdivision1\Department2
Office2
Office3\Subdivision1
E
PI

If a subgroup path contains groups that do not exist yet, they are created.

Groups created during the import procedure are completely identical to the groups created manually. You can
CO

rename, move, delete them, etc.

BE
TO
T
NO
 I-131
Unit I. Deployment

ED
4.4 How to add computers to groups automatically

UT
Computer relocation rules

IB
S TR
DI
RE
OR

If groups in Kaspersky Security Center are to reproduce IP subnets or Active Directory units, the administrator can
D

easily automate the computers’ distribution into the groups. Computer relocation rules serve this purpose.
E

The list of relocation rules is available through both Unassigned devices and Advanced \ Network Poll nodes. Use
either of the following:
PI

— The Properties command on the shortcut menu of the above-mentioned nodes

CO

— The button Configure rules in the Unassigned devices node

— The link Set up rules of device moving to administration groups at the bottom of the node Advanced \
Network Poll
BE
TO
T
NO
I-132 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Rules created by tasks

UT
IB
S TR
DI
RE
OR
E D
PI
CO
BE

In some cases, computer relocation rules are created automatically in the Kaspersky Security Center. For example,
when the administrator selects to move unassigned devices into a group in the remote installation wizard or when
creating a standalone package, the Administration Server creates a relocation rule for this operation. These rules can
be viewed on the list and can be disabled, but cannot be deleted or edited. The server deletes them automatically
TO

when the corresponding task or standalone package is deleted.

T
NO
 I-133
Unit I. Deployment

ED
Configuring relocation rules

UT
IB
S TR
DI
RE
A relocation rule consists of the following basic settings:
OR

— What to move—a set of conditions a computer must meet to be relocated

— Where to move—the name of the group in the structure of managed devices where the hosts matching the
rule conditions will be relocated
D

— When to move—the conditions that will trigger automatic relocation

E

When creating a rule, specify its name. Use one that explains the rule purpose, since only the names are shown on
PI

the rule list. Also, you will need to select the destination group—where to move the computers.

When to apply the rules

CO

Afterwards, decide when to apply the rule to the computers. Three capabilities are available:

— Run once for each device—as soon as the rule is created, it will be applied to all computers in the server
BE

database, and then it will be applied only to new computers when they are discovered

— Run once for each device, then at every Network Agent reinstallation—is similar to the previous option, but
if the Network Agent is reinstalled on a computer, the rule will be reapplied to such a host
TO

— Rule works permanently—the rule is permanent; if a computer matching its conditions is manually moved
to another group, the Administration Server will immediately return it to the location specified in the rule.
If the computer attributes are changed, a permanent rule will react accordingly, while a one-time rule will
not
T

The rules created by the Administration Server for installation tasks and standalone packages Run once for each
device, then at every Network Agent reinstallation.
NO

Permanent rules are more convenient in a sense, but create a persistent computational load on the Administration
Server.
I-134 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Conditions in relocation rules

UT
Move managed devices

Other rule settings specify the conditions the computer must meet for the rule to be applied. The first condition is

IB
located in the General section and is named Move only devices that do not belong to an administration group.

With this option selected, a rule—even a permanent one—will not hamper the administrator to manually move

TR
computers in the groups. It affects only unassigned devices. To apply such a rule to a computer within a group, just
delete the computer from the group. When deleted from the managed devices structure, the computer becomes
unassigned and the rule will apply to it.

S
If the Move only devices that do not belong to an administration group check box is cleared, the rule applies to
all computers in the server database and the corresponding computers are moved into the specified group no matter

DI
what happens. This does not prevent the administrator from deleting these computers from the Administration
Server database, though.

Other conditions are located in additional sections of the rule properties.

Move computers by names and IP addresses

RE
OR
E D
PI
CO
BE

Many of the relocation conditions are related to the network attributes of the computers:
TO

— NetBIOS name
— Name of the domain or workgroup
— DNS name
— DNS domain
— IP address
—
T

Server connection IP address (if a computer is behind a NAT gateway, the connection address is
the gateway address)
NO

To apply a rule to several computers, you can specify IP addresses as ranges, and names can be specified as masks
with “*” and “?” wildcards. If these options are insufficient, you can always create several rules with different
conditions that will move computers to the same group.
 I-135
Unit I. Deployment

ED
If the rule is to be applied to unassigned devices, the conditions can be specified in the terms of unassigned
computer representation in Kaspersky Security Center:

— IP subnets specified in the Advanced \ Network poll node

UT
— Subgroups in the Domains structure of the Advanced \ Network poll node—these are names of
the domains and workgroups discovered by the Administration Server when polling the network

IB
Move computers by operating systems

S TR
DI
RE
OR
D

Conditions for devices may include operating system version, architecture and currently installed Service Pack.
Several operating systems can be specified within a rule. If the administrator wants to automatically move all servers
E

into the Servers group, it will be necessary to create only one rule that will take care of all servers of all versions
used in the network. For example, Windows Server 2008 R2 and Windows Server 2012 R2.
PI

Also, there is the Network Agent is running condition. This condition can separate the computers already
connected to the Administration Server from those that need to be connected.
CO

Other conditions
BE

A relocation rule has a condition for virtual machines. Virtual machines running on different virtualization platforms
can be moved into different groups. Protection of virtual machines is described in courses KL 014 Kaspersky
Security for Virtualization. Agentless and KL 031 Kaspersky Security for Virtualization. Light Agent.

If these conditions are insufficient, computers can be tagged and you can configure conditions using the tags. For
TO

more details, refer to course KL 302.

T
NO
I-136 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
How to synchronize groups with Active Directory

UT
IB
S TR
DI
RE
There are similar conditions for the computers within the Active Directory structure:
OR

— Active Directory unit name

— Active Directory group name

Relocation rules allow configuring synchronization with Active Directory. For this purpose, enable additional
D

options under the condition Apply the rule to Active Directory organization unit:

— Including child organization units—if the selected unit has child units, computers within them will be
E

moved into the destination group

PI

— Move computers from child organizational units to corresponding subgroups—if the selected unit has
child units, and the destination group has the corresponding subgroups, computers from the child units will
CO

be moved into the corresponding subgroups

— Create missing subgroups—if the selected unit has child units, and the destination group has no
corresponding subgroups, the Administration Server will create these subgroups and move the computers of
the child unit there
BE

— Delete subgroups that are not present in the Active directory—the opposite of the previous option.
When an organizational unit is deleted from the Active Directory, this option will remove the respective
group from the Kaspersky Security Center.

If all the four options are enabled, an updatable copy of Active Directory structure will be created in the destination
TO

group. If a unit is created or deleted in Active Directory, or computers are moved from one unit to another,
Kaspersky Security Center will automatically repeat these changes in its group structure.

In addition to units, Active Directory has groups, which may contain computer accounts. To move computers into
groups according to the domain groups, select the condition The device is member of Active Directory group and
T

specify the group name.

NO
 I-137
Unit I. Deployment

ED
Tags

UT
IB
S TR
DI
RE
A tag is an additional attribute that the administrator can assign to devices and use it to configure relocation rules
OR

more flexibly. The administrator can assign tags manually to each device individually or several devices at once, or
configure automatic tag allocation rules. A device can have several tags assigned.

Relocation rules may be applied to devices without the specified tags or to the devices that have at least one of the
specified tags.
D

To assign tags, select one or several devices, open the properties window and switch to the Tags section. There is
also a link there: Set up automatic tagging rules. Automatic tag allocation rules can also be configured in the
E

Administration Server properties.

PI

In some cases, it makes sense to assign tags automatically when deploying the protection application. You can also
do it in the Network Agent package properties. To assign different tags to computers during the installation, create
several installation packages for the Network Agent, specify the necessary tag within each package, and use
CO

different packages for different computers.

Regardless of how a tag was added to the system or assigned to a device, you will be able to assign it to any other
device as well afterwards.
BE
TO
T
NO
I-138 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Rule application order

UT
IB
S TR
DI
RE
The created rules are organized into a list where their order makes a difference. Permanent rules have priority over
OR

the others. Among rules of the same type, the higher the rule is on the list, the higher its priority. In other words, if
a computer meets the conditions of several rules, only the top one is applied.

Rule order can be changed using the arrows on the right. Also, a rule can be applied manually using the Force
button at the bottom of the window. This allows re-applying a non-permanent rule. For the permanent rules, the
D

button does nothing, since permanent rules are constantly forced anyway.

The Rule execution wizard prompts for the group where the rule is to be applied, and moves the computers that meet
E

the rule conditions from the selected group to the group specified in the rule. There is an option that allows skipping
the computers to which this rule has already been applied and only force the rule on new computers.
PI
CO
BE
TO
T
NO
 II–1
Unit II. Protection Management

ED
UT
Unit II. Protection

IB
Management

S TR
DI
Chapter 1. How Kaspersky Endpoint Security 10 protects computers ......................... 4

RE
1.1 How criminals attack a computer............................................................................................................................ 4
How malware gets on a computer .......................................................................................................................... 4
How malware causes harm .................................................................................................................................... 7
OR

1.2 How Kaspersky Endpoint Security counters attacks............................................................................................... 9

How Kaspersky Endpoint Security repels threats .................................................................................................. 9
How Kaspersky Security Network helps to repel threats ..................................................................................... 10
Where are Kaspersky Endpoint Security settings located .................................................................................... 12
D

Chapter 2. How to configure file protection ................................................................ 13

E

2.1 How Kaspersky Endpoint Security protects files .................................................................................................. 13

2.2 What and how to configure in File Threat Protection ........................................................................................... 15
PI

Configure File Threat Protection ......................................................................................................................... 15

2.3 What to do if File Threat Protection slows down the computer ............................................................................ 22
CO

How to exclude an application’s folder ............................................................................................................... 23

How to exclude files that a process accesses ....................................................................................................... 24
How not to scan network drives ........................................................................................................................... 24
How to temporarily stop File Threat Protection .................................................................................................. 25
How to apply settings to computers ..................................................................................................................... 25
BE

2.4 Standard security levels of File Threat Protection ................................................................................................ 26

2.5 How and why configure scheduled file scanning ................................................................................................. 27
Why scan for malware after the File Threat Protection? ..................................................................................... 27
What and how to scan for threats......................................................................................................................... 28
TO

Standard virus scan security levels ...................................................................................................................... 30

How to select an optimal schedule ....................................................................................................................... 30
2.6 What to do with false positives ............................................................................................................................. 33
How to configure an exclusion for an incorrect verdict....................................................................................... 33
T

Exclusions by checksum ....................................................................................................................................... 34

Exclusion by certificate ........................................................................................................................................ 35
NO

2.7 File Protection: Summary ..................................................................................................................................... 35

II–2 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
Chapter 3. How to configure protection against network threats ............................... 37
3.1 How network protection works ............................................................................................................................. 37

UT
What network components do ............................................................................................................................... 37
How Kaspersky Endpoint Security intercepts traffic ............................................................................................ 38
3.2 Mail Threat Protection .......................................................................................................................................... 39
What Mail Threat Protection does ....................................................................................................................... 39

IB
Configuring Mail Threat Protection .................................................................................................................... 39
Attachment filter ................................................................................................................................................... 40
Standard security levels........................................................................................................................................ 41

TR
Exclusions for false positives ............................................................................................................................... 41
3.3 Web Threat Protection .......................................................................................................................................... 42
What Web Threat Protection does ........................................................................................................................ 42

S
Configuring Web Threat Protection ..................................................................................................................... 43
How to make a website trusted ............................................................................................................................. 44

DI
3.4 How not to intercept the whole traffic of a program ............................................................................................. 45
3.5 Protection for network connections: Summary ..................................................................................................... 46

RE
Chapter 4. How to configure protection against sophisticated threats ...................... 47
4.1 How Kaspersky Endpoint Security protects against new threats .......................................................................... 47
4.2 What Advanced Threat Protection does ................................................................................................................ 48
OR

How Behavior Detection protects against new threats ........................................................................................ 48

How Exploit Prevention protects against new threats ......................................................................................... 49
How Remediation Engine protects against new threats ....................................................................................... 50
How Host Intrusion Prevention stops new threats ............................................................................................... 51
How to configure Host Intrusion Prevention to stop ransomware ....................................................................... 54
D

4.3 How to exclude a program from monitoring ......................................................................................................... 55

What to do if KES hampers a program ................................................................................................................ 55
E

How to modify a program’s trust category .......................................................................................................... 56

How to make a program trusted for Behavior Detection and Intrusion Prevention ............................................ 59
PI

4.4 Protection against new and sophisticated threats: Summary ................................................................................. 60

CO

Chapter 5. How to control network connections ......................................................... 61

5.1 How Firewall protects against threats ................................................................................................................... 61
5.2 How Firewall works in Kaspersky Endpoint Security .......................................................................................... 62
How Firewall analyzes packets and connections ................................................................................................. 62
BE

How Firewall decides which networks are local .................................................................................................. 64

How Firewall restricts programs ......................................................................................................................... 65
5.3 What Firewall does under default settings ............................................................................................................ 67
Default network packet rules ................................................................................................................................ 67
TO

What it means for applications on the computer .................................................................................................. 68

What if the Firewall impedes an application........................................................................................................ 68
5.4 Why Network Threat Protection is necessary ....................................................................................................... 69
What Network Threat Protection does ................................................................................................................. 69
T

How to unblock a blocked computer .................................................................................................................... 70

5.5 Network Protection: Summary .............................................................................................................................. 71
NO
 II–3
Unit II. Protection Management

ED
Chapter 6. How to protect a computer outside the network ...................................... 73
6.1 Which local networks to trust ............................................................................................................................... 73
6.2 How to create a policy for computers outside the office ....................................................................................... 74

UT
How to create a policy for computers outside the office ...................................................................................... 74
When computers switch to the out-of-office policy............................................................................................... 75
How to set conditions for switching to the out-of-office policy ............................................................................ 76

IB
6.3 Which settings computers should use outside the office ....................................................................................... 77
6.4 Out-of-office policies: Summary .......................................................................................................................... 78

TR
Chapter 7. What else is there in protection and why? ................................................ 79
7.1 What Self-Defense does and why it is necessary .................................................................................................. 79
What Self-Defense does ........................................................................................................................................ 79

S
How to manage KES over Remote Desktop ......................................................................................................... 80
7.2 How to protect Kaspersky Endpoint Security from the user ................................................................................. 81

DI
How the user can stop protection ......................................................................................................................... 81
How to enable password protection ..................................................................................................................... 82

RE
Configuring password protection for Network Agent .......................................................................................... 83
7.3 Which other protection settings are available ....................................................................................................... 84
Actions.................................................................................................................................................................. 84
Other settings ....................................................................................................................................................... 84
OR

Computer protection: Summary ........................................................................................................................... 86

E D
PI
CO
BE
TO
T
NO
II–4 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
UT
Chapter 1. How Kaspersky Endpoint Security 10
protects computers

IB
TR
1.1 How criminals attack a computer

S
How malware gets on a computer

DI
RE
OR
E D
PI
CO

Malware gets on a computer via everything that connects the computer to the external world. Specifically, via
network connections and removable drives. Let us examine typical scenarios of how malware penetrates a computer,
BE

and how to prevent this.

Via a browser
TO

A vulnerable web browser

The user has installed a vulnerable browser. A web page may use a vulnerability to make the browser download and
run any software on the computer. The user opens a dubious website, and the website starts malware on the user’s
computer. Malicious code can reside in the ad blocks that the website receives from other sites rather than on its
T

own pages.
NO

To protect against such an attack:

— Install updates for web browsers

— Do not allow the users to start whichever browsers
— Do not allow the users to open whichever web pages
— Do not allow the users to open known infected websites
— Do not allow web browsers to start child processes
 II–5
Unit II. Protection Management

ED
An infected file

The user looks for free software on the Internet. For example, a handy free utility, or a pirate version of an expensive

UT
program, or a key generator for an expensive application. Finds, downloads and starts it on the computer. The
program turns out to be malicious.

Maybe the user has downloaded a seemingly appropriate file from an “Internet garbage”. Or maybe criminals have
altered freeware code or cracked the site and replaced the program.

IB
To protect against such an attack:

TR
— Do not allow the users to open whichever web pages
— Do not allow the users to open websites that are known of distributing malware
— Scan the files that the users download from the Internet by protection software

S
Via email

DI
The user receives an email message that looks like a message from a bank, shop, delivery service, from a partner,

RE
acquaintance, etc. The message prompts to click a link or open an attachment. The link leads to a malicious or
phishing website. The attachment contains malware or a document with embedded malware.

To protect against such an attack:

OR

— Filter email by antispam tools (software that protects against anonymous bulk unsolicited emailing)
— Scan files attached to email messages by protection software
— Do not allow the users to save executable files from email messages to the drive
— Protect against links in the messages the same way as against attacks via web browsers
D

From other computers over the network

E

From a shared folder

PI

The user copied a program from a shared folder on another computer and started it. The program turned out to be
malicious.
CO

The user opened a document from a shared folder on another computer. The document contained malicious code.

To protect against such an attack:

BE

— Install protection tools on all computers

— Scan the files that the users copy, open or start

A network attack
TO

There is a vulnerability in the operating system on the user's computer. If a special sequence of packets is sent to a
specific port, one can make the vulnerable service run the code within these packets. An infected computer will also
attack the vulnerable service on all other network computer and infect them.
T

To protect against such an attack:

NO

— Install security updates for the operating system

— Prohibit connections to the ports that the users do not need for their work
— Use protection software to check inbound packets for network attacks
II–6 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
From external media

A user’s USB memory drive

UT
The user connected a USB flash drive to the computer to copy documents. The USB flash drive contains malware
that uses a vulnerability in the operating system to automatically run on the computer.

IB
Or the user simply connected a USB flash drive to find out what it contains, found a document or an executable file
with an intriguing name and decided to open it. The file turned out to be infected.

TR
To protect against such an attack:

— Do not allow the users to connect unknown (or all) USB flash drives to the computers
— Scan files on USB drives by protection software

S
— Install security updates for the operating system

DI
BadUSB

RE
The user connected a USB device that looks like a USB flash drive to the computer. The device registered with the
operating system as a USB flash drive and as a keyboard. After a while, the device started to execute commands on
the computer by sending keystrokes.

To protect against such an attack:

OR

— Use protection against BadUSB attacks

How to protect against threats

D

All threat prevention methods can be grouped as follows:

E
PI

Eliminate potential attack targets

Install security updates for the operating system
Install updates for web browsers and other programs
CO

Do not allow the users to start whichever browsers

Do not allow the users to open whichever web pages
Do not allow web browsers to start child processes
Do not allow the users to save executable files from e-mail messages to the drive
BE

Prohibit connections to the ports that the users do not need for their work
Do not allow the users to connect unknown (or any) USB flash drives to the computers
Use protection tools to detect attacks
Install protection on all computers
TO

Scan the files that the users copy, open or start

Scan files on USB drives by protection software
Scan files attached to email messages by protection software
Scan the files that the users download from the Internet by protection software
T

Do not allow the users to open known infected websites

NO

Do not allow the users to open websites that are known for distributing malware
Use protection software to check inbound packets for network attacks
Use protection against BadUSB attacks
 II–7
Unit II. Protection Management

ED
How malware causes harm

UT
IB
S TR
DI
RE
No protection tool can protect against 100% of threats. Criminals may always be half a step ahead since they:
OR

— Register new domains and websites

— Write new malware
— Use zero-day vulnerabilities for which updates have not been issued yet
D

Even if protection works properly, there is always risk that a computer may be infected with a new malware. If
protection is not installed on some computers, if databases are outdated on computers, if important protection
components are disabled, the risk grows.
E

Let us study the harm that malware can cause and how it can be decreased.
PI

Ransomware
CO

Ransomware encrypts documents and other files on the computer and in shared folders, and demands money in
return for the encryption key. The key is stored on the criminals’ server. Malware either downloads the key from the
server, encrypts files and deletes the key; or generates a random key, sends it to the server, encrypts files and deletes
BE

the key. Anyway, ransomware connects to its server over the network.

To protect against such an attack:

— Regularly back up all important files

TO

— Do not allow unknown programs to establish and accept network connections

— Use protection tools that detect encryption heuristically

Spyware
T

Malware looks for non-encrypted or poorly encrypted passwords in software settings and in the files on the drive.
NO

Malware intercepts everything the user enters, takes screenshots and shoots through the web camera. The program
sends all this to the criminals’ server.
II–8 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
To protect against such an attack:

— Do not allow unknown programs to establish and accept network connections

— Use protection tools that detect spying heuristically

UT
Network malware

IB
Malware writes itself to the USB flash drives connected to a computer and to shared folders over the network.
Malware infects neighbor computers via vulnerable services. Malware sends spam and participates in DDOS attacks
at a control center’s command.

TR
To protect against such an attack:

— Do not allow unknown programs to establish and accept network connections

S
— Use protection tools that heuristically detect dangerous activities

DI
Loaders

RE
Criminals often use very simple files, which do not impose any direct threat, to get around protection tools and
infect a computer. But these files may download additional malicious files, which can encrypt documents, steal
passwords, etc.
OR

To protect against such an attack:

— Do not allow unknown programs to establish and accept network connections

Low-grade malware
E D

Malware makes other programs hang or malfunction, a computer run really slow, spontaneously restart or display a
blue screen.
PI

To protect against such an attack:

CO

— Regularly scan files on the computer by protection software

How to reduce losses

BE

The loss reduction methods may be grouped similarly to attack prevention methods:

Eliminate potential attack targets

TO

Do not allow unknown programs to establish and accept network connections

Use protection tools to detect attacks

Use protection tools that heuristically detect dangerous activities

T

Regularly scan files on the computer by protection software

NO
 II–9
Unit II. Protection Management

ED
1.2 How Kaspersky Endpoint Security counters
attacks

UT
IB
How Kaspersky Endpoint Security repels threats

S TR
DI
RE
OR
D

Kaspersky Endpoint Security and Kaspersky Security Center components do everything to protect against attacks
E

and prevent losses:

PI

Eliminate potential attack targets

Install security updates for operating systems Kaspersky Security Center

CO

(see course KL 009)

Install updates for web browsers and other programs Kaspersky Security Center
(see course KL 009)

Do not allow the users to start whichever browsers Application Control

BE

Do not allow the users to open whichever web pages Web Control

Do not allow web browsers to start child processes Behavior Detection

Exploit Prevention
TO

Do not allow the users to save executable files from email messages to the drive Mail Threat Protection

Prohibit connections to the ports that the users do not need for their work Firewall

Do not allow the users to connect unknown (or any) USB flash drives to the Device Control
T

computers
NO

Do not allow unknown programs to establish and accept network connections Firewall

Use protection tools to detect attacks

Install protection on all computers Kaspersky Security Center

(see Unit I)
II–10 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
Scan the files that the users copy, open or start File Threat Protection
Host Intrusion Prevention

UT
Scan files on USB drives by protection software Virus scanning

Scan files attached to email messages by protection software Mail Threat Protection

Scan files that the users download from the Internet by protection software Web Threat Protection

IB
Do not allow the users to open known infected and phishing websites Web Threat Protection

Do not allow the users to open websites that are known of distributing malware Web Threat Protection

TR
Use protection software to check inbound packets for network attacks Network Threat Protection

Use protection against BadUSB attacks BadUSB Attack

S
Prevention

DI
Use protection tools that heuristically detect dangerous activities Behavior Detection
Host Intrusion Prevention

Regularly scan files on the computer by protection software Virus scanning

RE
This list includes all components of Kaspersky Endpoint Security. All of them either decrease the attack surface, or
actively scan, detect and block threats.
OR

Kaspersky Endpoint Security neither backs up files on the computer, nor protects against spam. To protect against
spam, use Kaspersky Lab products for mail systems:

— Kaspersky Security for Microsoft Exchange Servers

— Kaspersky Secure Mail Gateway
D

How Kaspersky Security Network helps to repel threats

E
PI
CO
BE
TO
T
NO

To ensure that Kaspersky Endpoint Security components reliably protect against threats, it is important to regularly
update the signature databases.

It is also important to allow Kaspersky Endpoint Security to use the Kaspersky Security Network.
 II–11
Unit II. Protection Management

ED
Kaspersky Security Network (KSN) is a cloud-assisted technology that helps increase the accuracy of verdicts for all
protection components.

Kaspersky Security Network servers collect information about files on the protected computers, analyze it using

UT
machine learning technologies, consider when a file was detected for the first time, whether it is widespread, in
which regions, whether the users of personal versions of Kaspersky Security trust the file, whether the file is signed
with a certificate and which one, etc. Suspicious files are additionally analyzed by Kaspersky Lab experts.

IB
After that, Kaspersky Security Network assigns a trust group to the file:

— Trusted

TR
— Low Restricted
— High Restricted
— Untrusted

S
This way, Kaspersky Endpoint Security components learn which programs are to be allowed to connect to the
network, which programs may install drivers, and which of the trusted programs are to be scanned especially

DI
thoroughly, because they may contain vulnerabilities.

Kaspersky Security Network contains a huge database of checksums of known good files. Kaspersky Lab receives

RE
checksums of reference files from many known software manufacturers, such as Microsoft, Adobe, Google, etc.
That is why Kaspersky Endpoint Security components know which files are not infected for sure and do not hamper
the respective programs.

Except for files, Kaspersky Security Network forms reputation for web pages and software activity patterns.
OR

If Kaspersky Lab detects a new threat, checksums of all malicious files and web pages get to the Kaspersky Security
Network in a split second and are available to all products that use the Kaspersky Security Network. Products learn
about new threats via Kaspersky Security Network a few hours earlier than the threat signatures that are downloaded
with updates.
D

The data that Kaspersky Endpoint Security sends to Kaspersky Security Network are depersonalized and anonymous.
E

The complete list can be found in the Kaspersky Security Network agreement that the administrator must accept
prior to enabling Kaspersky Security Network in the Kaspersky Endpoint Security policy.
PI

To be able to use Kaspersky Security Network without sending anything to Kaspersky Lab, there is the Kaspersky
Private Security Network service.
CO
BE
TO
T
NO
II–12 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
Where are Kaspersky Endpoint Security settings located

UT
IB
S TR
DI
RE
In this chapter, we will study which settings are available in the Kaspersky Endpoint Security components:
OR

— The default values

— How the parameters influence the components’ behavior
— When and how to modify settings to improve computer protection or user experience
D

Most of Kaspersky Endpoint Security settings are located in the policy. Some settings, for example, scheduled virus
scan or update settings, are set up in tasks.
E

Policies (all) and tasks (mostly) are configured within groups. Also, they can be found in the first-level tree nodes:
PI

Policies and Tasks. In these nodes, you can see which group each policy and task belongs to.
CO
BE
TO
T
NO
 II–13
Unit II. Protection Management

ED
Chapter 2. How to configure file protection

UT
IB
2.1 How Kaspersky Endpoint Security protects files

S TR
DI
RE
OR
E D
PI

File Threat Protection intercepts all file operations (such as reading, copying, executing) using the klif.sys driver
and scans the files being accessed. By default, if the file is infected, the operation will be blocked, and the file will
CO

be either disinfected or deleted.

Except for the vulnerabilities that allow malware to load code into the memory, all attacks save malicious files on
the computer drive. And even those attacks that start with executing code in the memory, can load only small
amount of code there and use it as the first step of the attack, which then downloads additional modules in files and
saves them to the drive.
BE

Even if Mail Threat Protection and Web Threat Protection are disabled, the user will not be able to start an infected
file received by email or downloaded from the Internet, because a file cannot be started either from an attachment or
from a web page without being saved to the hard drive; and when the file is saved on the disk, it will be detected and
blocked by the File Threat Protection.
TO

This makes File Threat Protection one of the most important components of Kaspersky Endpoint Security.

File Threat Protection scans for malware using:

T

— Malware signatures—a signature database is a “black list” of known malicious files. If a file does not match
any of the database records, it is not malicious. A complete black list, where each known malicious or
NO

infected file is described thoroughly, requires too much space; that is why a signature database is optimized
and narrowed down to a size that can be easily downloaded to a computer. Each record identifies a family
of similar threats.
II–14 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
— Heuristic analysis (emulation of execution)—helps detect polymorphous malicious files, which change
their code during the execution, and which are therefore difficult to detect using signatures. File Threat
Protection starts executable files in a special isolated environment and checks whether code changes in the
memory to match a signature.

UT
— KSN checks—File Threat Protection sends the file checksum to KSN and receives an answer: whether such
a file is found in the KSN database, and what reputation it has. The KSN database is a huge list of all files
(to be more exact, their checksums) known to Kaspersky Lab. This list includes files with an untrusted

IB
reputation. It is a black list, and File Threat Protection blocks such files. There are also files with a trusted
reputation. It is a white list, which includes known harmless files of operating systems and widespread
software. File Threat Protection does not block these files even if they match malware signatures. KSN

TR
verdict has higher priority, because KSN contains more information than a local signature database.

To receive a verdict from KSN, a computer needs a connection to the Internet, which may be unreliable. For this
reason, Kaspersky Endpoint Security does not rely upon KSN entirely, and uses the signature database and

S
emulation.

DI
KSN verdicts may change with time. A file that has just appeared in the Internet has no reputation at first.
Eventually, when KSN accumulates data about who, where and how uses this file, its reputation changes and may
become trusted or untrusted. For better protection, Kaspersky Endpoint Security could check the KSN verdict at

RE
each file operation. But it would scale up the computer’s network traffic. Besides, sending a request and receiving
an answer takes time, which depends on the quality of communication channel.

To avoid creating extra traffic and detaining file operations, Kaspersky Endpoint Security saves KSN verdicts in the
local cache. Each verdict has its lifetime. For new files, it is short, which makes Kaspersky Endpoint Security re-
OR

check the verdict often. For the files that have long been known, this time is large.

To avoid slowing down the computer, File Threat Protection does not scan all files; it scans only those files that may
infect a computer. For example, File Threat Protection does not scan archives, because files must be extracted prior
to being started. It is either the user who extracts the file from the archive, or the operating system does this for the
D

user. Anyway, File Threat Protection will scan the extracted files (and block them if necessary).

Scan the files that are not scanned by File Threat Protection by virus scan tasks. Virus scanning checks files within
E

the specified scope and uses the same methods as File Threat Protection.
PI
CO
BE
TO
T
NO
 II–15
Unit II. Protection Management

ED
2.2 What and how to configure in File Threat
Protection

UT
IB
S TR
DI
RE
OR

Configure File Threat Protection

D

File Threat Protection, as well as Kaspersky Endpoint Security in general, solves two tasks:
E

— Prevent malware from causing harm

PI

— Not to hamper the user or legitimate software

The more files File Threat Protection scans, the better it solves the former task, and the worse the latter, and vice
CO

versa. The default settings balance protection and performance. By adjusting the settings, the administrator can tilt
the balance one way or the other.

You can adjust Kaspersky Endpoint Security settings in the policy. The settings of all components are located in the
respective sections: File Threat Protection, in Essential Threat Protection. To adjust its parameters, click the
BE

Settings button in the Security level area.

Let us first talk about the parameters that should not be changed and explain why.

File Threat Protection does not scan all file types

TO

General \ File types

All files File Threat Protection scans all files belonging to the Protection scope that
T

the user or programs access

NO

Files scanned by format (by default File Threat Protection checks the extension and file header to decide which
with the Recommended security format the file has. If files of this format may harm the computer, File Threat
level) Protection scans the file

Files scanned by extension File Threat Protection checks only the file extension and decides on the
II–16 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
format based on the extension only. If files of this format may harm the
computer, File Threat Protection scans the file

UT
Files that may harm a computer are mainly executable files, but not only. Microsoft Office documents may contain
executable code (macros), which can be malicious. Even documents without code, some graphic files for example,
may use vulnerabilities of the applications that open them and make these programs run a part of the file as code.

IB
By default, File Threat Protection scans files by format. This way, Kaspersky Endpoint Security reliably protects the
computer, because it scans all dangerous files, but does not slow down the computer, since it does not scan all the
files.

TR
Scanning files by extension only is dangerous. For example, a malicious Word document may have extension .123,
which is not included in the scan list, but the user can open it nevertheless via its shortcut menu (Open with). Also,
scanning by extension is not significantly faster than scanning by format. The user will not perceive any difference

S
in performance.

DI
If the administrator wants to improve performance of slow computers, better start with exclusions for the programs
with which users work. How to create exclusions is explained at the end of this section.

The list of scanned extensions:

com
exe
RE
Program executable file whose size does not exceed 64 KB
Executable file, self-extracting archive
sys System file of Microsoft Windows
OR

prg Text of the dBase™, Clipper or Microsoft Visual FoxPro® application, a program from WAVmaker suite
bin Binary file
bat File that contains one or more commands
cmd Command file of Microsoft Windows NT (a counterpart of a bat file for DOS), OS/2
dpl Packed Borland Delphi library
D

dll Dynamic-link library

scr Microsoft Windows screen saver file
E

cpl Control panel module in Microsoft Windows

ocx Microsoft OLE object (Object Linking and Embedding)
PI

tsp Time-shared program

drv Device driver
vxd Driver of a Microsoft Windows virtual device
CO

pif File with information about a program

lnk Link file in Microsoft Windows
reg File for importing and exporting Microsoft Windows registry keys
ini Configuration file that contains settings for Microsoft Windows, Windows NT and some other software
cla Java class
BE

vbs Visual Basic script

vbe Video BIOS Extension
js, jse JavaScript source text
htm Hypertext document
htt Microsoft Windows hypertext template file
TO

hta Hypertext program for Microsoft Internet Explorer

asp Active Server Pages script
chm Compiled HTML file
pht HTML file with built-in PHP scripts
php Script built into an HTML file
T

wsh Microsoft Windows Script Host file

wsf Microsoft Windows script
NO

the Screensaver file for Microsoft Windows 95 desktop

hlp Help file in Win Help format
eml Microsoft Outlook Express message
nws Microsoft Outlook Express news message file
msg Microsoft Mail email message
plg Email message
mbx Extension for a saved message of Microsoft Office Outlook
 II–17
Unit II. Protection Management

ED
doс* Microsoft Office Word document, such as:
doс Microsoft Office Word document
docx XML-based Microsoft Office Word 2007 document

UT
docm Macro-enabled Microsoft Office Word 2007 document
dot* Microsoft Office Word 2007 document template
dot Microsoft Office Word document template
dotx Microsoft Office Word 2007 document template
dotm Microsoft Office Word 2007 macro-enabled document template

IB
fpm Database program, a startup file of Microsoft Visual FoxPro
rtf Document in the Rich Text Format
shs Windows Shell Scrap Object Handler file

TR
dwg AutoCAD drawing database
msi Microsoft Windows Installer package
otm VBA project for Microsoft Office Outlook
pdf Adobe Acrobat document

S
swf Shockwave Flash object

DI
jpg, Graphic file for storing compressed images
jpeg
emf Enhanced Metafile. The next generation of Microsoft Windows operating system metafiles. EMF files are
not supported in 16-bit Microsoft Windows
ico
ov?
xl*
Icon
Microsoft Office Word executable files RE
Microsoft Office Excel documents and files, such as:
xla Microsoft Office Excel add-in
OR

xlc Microsoft Office Excel chart

xlt Microsoft Office Excel template
xlsx Microsoft Office Excel 2007 workbook
xltm Microsoft Office Excel 2007 macro-enabled workbook
xlsb Microsoft Office Excel 2007 workbook in binary (non-XML) format
D

xltx Microsoft Office Excel 2007 template

xlsm Microsoft Office Excel 2007 macro-enabled template
xlam Microsoft Office Excel 2007 macro-enabled add-in
E

pp* Microsoft Office PowerPoint documents, such as:

PI

pps Microsoft Office PowerPoint slide

ppt Microsoft Office PowerPoint presentation
pptx Microsoft Office PowerPoint 2007 presentation
CO

pptm Microsoft Office PowerPoint 2007 macro-enabled presentation

potx Microsoft Office PowerPoint 2007 presentation template
potm Microsoft Office PowerPoint 2007 macro-enabled presentation template
ppsx Microsoft Office PowerPoint 2007 slide show
ppsm Microsoft Office PowerPoint 2007 macro-enabled slide show
BE

ppam Microsoft Office PowerPoint 2007 macro-enabled add-in

md* Microsoft Office Access documents, such as:
mda Microsoft Office Access workgroup
mdb Microsoft Office Access database
sldx Microsoft Office PowerPoint 2007 slide
TO

sldm Microsoft Office PowerPoint 2007 macro-enabled slide

thmx Microsoft Office 2007 theme

File Threat Protection uses the lowest heuristics level

T

Heuristic analysis of Kaspersky Endpoint Security starts a program executable in an isolated environment and
NO

watches what it does. First of all, heuristic analysis helps detect polymorphous malware, which can change its code
during the execution.

When criminals email new malware, or upload a new version of a malicious module to an infected computer, they
may generate a file with a unique checksum for each computer or addressee. Signatures and even Kaspersky
II–18 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
Security Network will not help in this case. But heuristic analysis clearly shows that all these versions restore the
same malicious code when running.

That is why you should not turn off Heuristic analysis in File Threat Protection.

UT
On the other hand, Heuristic analysis delays file start. Heuristics levels—Light, Medium or Deep—define
the period of observing the object in the virtual environment. In the context of the File Threat Protection operation
this means an increased delay when a program is run. To avoid slowing down the computer, the lowest level is

IB
selected in the default settings.

File Threat Protection does not scan files that have already been scanned

TR
Performance \ Scan optimization \ Scan only new and changed files

S
Enabled (by File Threat Protection does not scan files that have already been scanned if they have not been

DI
default) modified since then

Disabled File Threat Protection scans files on the drive when the user or a program accesses them

RE
Most of the files a rarely changed on the computer, and if File Threat Protection scans only new and changed files, it
almost does not load the computer. In the first few days, while all files are new for Kaspersky Endpoint Security, the
user may feel that the computer works slower. But File Threat Protection stops influencing performance soon.
OR

Do not turn off the option Scan only new and changed files in File Threat Protection, it will slow down the
computer.

How does Kaspersky Endpoint Security learn which files have been changed and
which have not?
E D

The NTFS file system (and its successor ReFS) logs when files are changed, and guarantees integrity of these
records. Therefore, on NTFS drives, Kaspersky Endpoint Security simply checks the file modification date.
PI

FAT32 file system cannot log the modification date; neither can it protect the modification date against unsolicited
changes. Malware may modify a file, and then assign any modification date to it. For this reason, Kaspersky
CO

Endpoint Security saves checksums of scanned files into a special database for FAT32 drives. When the file is
accessed next time, Kaspersky Endpoint Security re-calculates the checksum and compares it with that saved. If the
sums differ, the file has been changed, and File Threat Protection scans it.

Scanning new files only once is dangerous. If malware gets on the computer before Kaspersky Endpoint Security
receives its signatures, File Threat Protection will scan it, consider to be clean, and will not scan at the next start.
BE

To prevent this, even if the option Scan only new and changed files is enabled, File Threat Protection scans all
new files repeatedly, at least twice, or even several times.
TO

For this purpose, Kaspersky Endpoint Security stores the release time of the signatures with which the file was
scanned fist and last. If a file has been scanned only once, or if the current version of signatures was issued less than
24 hours after that with which the file was scanned for the first time, File Threat Protection re-scans the file.

What if signatures for a new threat are not issued in 24 hours? This almost never happens. Besides, except for
signatures, Kaspersky Endpoint Security uses data from Kaspersky Security Network, which contains most recent
T

information about threats.

NO

To further reduce the risk, use a virus scan task to check all files on the computer, including those that have not been
changed, and which File Threat Protection scanned already.
 II–19
Unit II. Protection Management

ED
iSwift and iChecker
Additional \ Scan technologies \ iSwift Technology

UT
Enabled (by If the option Scan only new and changed files is disabled, File Threat Protection uses a special
default) algorithm to scan files in the NTFS file system not every time they are accessed

Disabled If the option Scan only new and changed files is disabled, files in the NTFS file system are
scanned every time they are accessed

IB
Additional \ Scan technologies \ iSwift Technology

TR
Enabled (by If the option Scan only new and changed files is disabled, File Threat Protection uses a special
default) algorithm to scan files in the FAT32 file system not every time they are accessed

Disabled If the option Scan only new and changed files is disabled, files in the FAT32 file system are
scanned every time they are accessed

S
DI
iSwift and iChecker scanning technologies are responsible for collecting data about the changes made to files.
The iSwift technology extracts the data about changes from the NTFS and ReFS file systems. The iChecker
technology is used for executable files located on the drives with other file systems, for example, FAT32. For this

RE
purpose, iChecker calculates and saves the checksums of the scanned executable files. If the checksum remains
the same during the next check, this means that the file has not been changed. Both technologies save the file scan
time and the version of signatures used for scanning into a special database.

If the Scan only new and changed files checkbox is selected, the iSwift Technology and iChecker Technology
OR

check boxes are of no importance. Even if they are cleared, Kaspersky Endpoint Security will still monitor whether
files have been changed, and will log the versions of signatures used for scanning files in the iSwift and iChecker
databases.

Why are the iSwift Technology and iChecker Technology parameters necessary? Suppose the administrator
believes that scanning new files only the first 24 hours is too dangerous, and disables the option Scan only new and
D

changed files. However, he or she does not want to scan files at each access either, because it will slow down the
computer. The iSwift Technology and iChecker Technology parameters enable the mode when File Threat
E

Protection does not scan files at each access, but never completely trusts already scanned files; it re-scans them
sometimes with newer databases. It works as follows.
PI

Kaspersky Endpoint Security does not trust new files, and scans them at each access, if the signatures’ version has
changed since the last scanning. It does not make any sense to scan a file with the same signatures. It goes on like
CO

that for several days.

If the file does not change and is found to be clean at each scanning, Kaspersky Endpoint Security assigns a trust
period to the file. During the trust period, if the file does not change, File Threat Protection does not scan it.
BE

When the trust period is over, File Threat Protection rescans the file at the next access with the latest signatures. If
the file is still clean, it receives a new trust period, longer than the previous.

This way, files that are stored on the computer for a long time without being changed are eventually scanned rarer
and rarer.
TO

Using the parameters iSwift Technology and iChecker Technology instead of Scan only new and changed files is
safer. With the lapse of time, File Threat Protection will load the computer almost as little as with the option Scan
only new and changed files. However, performance improves considerably longer.
T

Do not disable the iSwift and iChecker technologies in File Threat Protection. This will either have no effect (if the
Scan only new and changed files feature is enabled) or will lead to more scans and slow down the computer.
NO
II–20 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
File Threat Protection does not scan compound files (archives, etc.)

UT
Performance \ Scan of compound files \ Scan archives

Enabled File Threat Protection scans files within RAR, ARJ, ZIP, CAB, LHA, JAR, and ICE archives. For this
purpose, File Threat Protection unpacks an archive into a temporary folder or into the memory

IB
Disabled File Threat Protection neither unpacks archives nor scans files within them
(by
default)

TR
To scan archived files, File Threat Protection unpacks the archive, which consumes considerable computer resources.
Archives are not dangerous as they are. A malicious file cannot be started from the archive. The user either unpacks
the archive manually, or the operating system does this for the user. Anyway, a malicious file gets on a drive prior to

S
run, and File Threat Protection scans it as any other file.

DI
Do not enable the Scan archives option in File Threat Protection. It will slow down the computer, but will not
improve protection

Enabled
RE
Performance \ Scan of compound files \ Scan installation packages

File Threat Protection scans files within self-extracting archives and installation packages, such as
MSI. For this purpose, File Threat Protection unpacks an archive into a temporary folder or into the
OR

memory

Disabled File Threat Protection does not scan self-extracting archives and installation packages
(by
default)
D

Installation packages are executable files, and File Threat Protection scans their executable part anyway. However, a
E

large part of data within an installation package consists of archived files of the program to be installed by the
package. To scan them, File Threat Protection extracts them from the package, similar to archives.
PI

Installation packages need not be scanned by File Threat Protection. If the user copies a package, it cannot infect the
computer. If the user starts a package, it will extract files itself and save them on the drive, where they will be
CO

scanned by File Threat Protection.

Performance \ Scan of compound files \ Scan Office formats

Enabled File Threat Protection scans executable parts not only within Microsoft Office documents, but also in
(by default) the objects embedded into them
BE

Disabled File Threat Protection scans executable parts only within Microsoft Office documents, and skips
embedded objects
TO

Microsoft Office files have a complicated structure. We can even say that there is a file system with additional files
within a Microsoft Office document. When the user pastes an Excel chart into a Word document, Microsoft Office
can add the whole Excel document to the Word document, with all its data, formulas and macros.

Do not disable scanning for office documents. Not scanning objects embedded in office documents is dangerous.
T

They may contain malicious macros, which Office programs can start without saving to the drive.
NO

New and changed archives

If you disable the option Scan only new and changed files, you receive the capability to scan only new and
changed archives, installation packages and office files.
 II–21
Unit II. Protection Management

ED
Archive scan settings

If the administrator selects to scan archives, whenever the user tries to copy or open an archive, the operation will

UT
not start until File Threat Protection unpacks the archive and scans all files within it. Meanwhile, the user cannot do
anything with the archive.

If the administrator wants to scan archives, the user experience can be improved by changing additional archive scan
settings.

IB
Performance \ Scan of compound files \ Additional \ Background scan

TR
Unpack File Threat Protection will detain operations with small archives only. If the user opens a large
compound archive, File Threat Protection will allow access, but at the same time will unpack the archive and
files in the scan the files. The user will not have to wait. Large archives are those that are larger than the
background Minimum file size value

S
mode

DI
Minimum file By default, is not specified. Meaning, if you select to unpack compound files in the background,
size File Threat Protection will scan all archives in the background mode

Do not
unpack large
RE
Performance \ Scan of compound files \ Additional \ Size limit

File Threat Protection will scan only those archives that are less than the Maximum file size

compound
OR

files

Maximum file 8 MB by default.

size:
D

File Threat Protection does not scan files at each read or write operation
E

The Scan mode determines the file operations that trigger scanning. It is simpler to describe them in the reverse
PI

order of their appearance:

Additional \ Scan mode

CO

On execution File Threat Protection scans a file before it is started. When the user or an application copies or
edits a file, File Threat Protection does not scan it

On access File Threat Protection scans a file before a read operation. To copy or start a file, it must be
BE

read, meaning, File Threat Protection scans executable files before they are started and all
potentially dangerous files before they are copied. When the user or a program edits a file, File
Threat Protection does not scan it

On access and File Threat Protection scans files at every read or write operation. This is the safest mode, yet
on modification the most resource-consuming
TO

Smart mode File Threat Protection analyzes file operations. If a file is opened for writing, the scan will be
performed after it is closed and all changes to it are made. Intermediate changes made to the file
are not analyzed. If a file is opened for reading, it will be scanned once on opening, but will not
be rescanned on intermediate read operations until the file is closed
T
NO

Smart mode ensures the same protection as On access and modification, but consumes less resources. It is the best
choice for most computers.

You can use the modes On access and On execution on the computers where performance is more important than
security at your peril.
II–22 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
File Threat Protection has detected and deleted the malware

Malware detected by File Threat Protection should not be left unprocessed, and the settings that regulate File Threat

UT
Protection actions should be locked. The optimal choice is to disinfect and if disinfection is impossible, delete
infected files. Most of the malicious files cannot be disinfected, because they contain nothing but the infected code.

Before a file is disinfected or deleted, its copy is placed into the Backup repository. In case a file contains important

IB
information or is deleted because of a false positive, it can be recovered.

If the Remediation Engine component is enabled in Advanced Threat Protection, Kaspersky Endpoint Security not

TR
only deletes malicious files, but also rolls back their actions1.

S
2.3 What to do if File Threat Protection slows down

DI
the computer

RE
OR
E D
PI
CO
BE

First, find out whether File Threat Protection actually slows down the computer (or a program):

— Find the computer that works slowly

— Disable the policy on it (see the section How to Protect Kaspersky Endpoint Security from the User)
— Stop (disable) File Threat Protection
TO

— Check whether the computer (program) works any faster

Even if programs work faster on the computer without File Threat Protection, do not leave File Threat Protection
disabled. Configure exclusions for applications. Try various exclusion types:
T

— If all program files are located in a single folder, exclude the program’s folder from scanning
NO

— If the program works with files in various folders or in a temporary folder, make the executable file of the
program trusted

1
The rollback procedure is described in Chapter 4 of this Unit.
 II–23
Unit II. Protection Management

ED
Never exclude the operating system’s temporary folder from scanning. Malware is often started from it.

— If the program works with files in shared folders, try to disable scanning of network drives

UT
— For the programs that start on the specified schedule during off business hours, pause File Threat Protection
while the program runs

IB
How to exclude an application’s folder

S TR
DI
RE
OR
D

Exclusions are configured in Kaspersky Endpoint Security policy: in the General Settings | Exclusions section,
E

click the Settings button in the Scan exclusions and trusted zone area.
PI

Exclusions for folders are located on the tab Scan exclusions and are applied to all protection components. A scan
exclusion consists of three attributes:
CO

— File or folder—the name of the file or folder to which the exclusion applies. The name of the object may
include environment variables (%systemroot%, %userprofile% and others) and also “*” and “?” wildcard
characters

— Object name—the name of the threat to be ignored (usually corresponds to a malware name), which can
BE

also be specified using wildcard characters

— Object hash—checksum (SHA-256) of the file to which the exclusion applies.

— Protection components—the list of protection components to which the rule applies

TO

Of the four attributes, any of the first three and the last one must be specified. You can create a scan exclusion for
a file or folder without specifying the threat type; then the selected components will ignore any threats in
the specified file or folder. Alternatively, you can create a scan exclusion for a threat type, for example, for
the UltraVNC remote administration tool, so that the selected protection components would not respond to this
T

threat regardless of where it is detected.

NO

All attributes can also be specified simultaneously. For example, the exclusion list contains a set of rules for
widespread remote administration tools: UltraVNC, RAdmin, etc. In these rules, both the threat type and the object
(typical location of the executable file) are specified. According to such an exclusion, Kaspersky Endpoint Security
would allow running a remote administration tool from the Program Files folder, but if the user runs the tool from
another folder, Kaspersky Endpoint Security would consider it a threat.
II–24 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
How to exclude files that a process accesses

UT
IB
S TR
DI
RE
If the computer runs resource-consuming programs, their operation can be slowed down by the File Threat
OR

Protection. This is especially true for the programs that perform numerous file operations, for example, backup
copying or defragmentation. To avoid slowdowns, make these applications trusted.

For this purpose, in the exclusion settings window, add the executable file to the list on the tab Trusted
applications. Within the Scan exclusions for application window, specify the path to the executable file, and select
the Do not scan opened files action. The path may contain environment variables and “*”, “?” wildcards.
E D

How not to scan network drives

PI
CO
BE
TO
T
NO

Not scanning network drives at all is dangerous. Prior to disabling network drive scanning, make sure that protection
tools are installed on all network computers. Do not disable network drive scanning “just in case”; do it only if it
solves the users’ issues

To exclude network drives from scanning, edit the protection scope in the security level settings.
 II–25
Unit II. Protection Management

ED
By default, Protection scope of the File Threat Protection includes:

— All removable drives

— All hard drives

UT
— All network drives

In other words, all drives from which malware can be run. A protection area allows adding individual drives and
folders instead of drive groups. However, disabling any standard scan scope considerably decreases the protection

IB
level.

How to temporarily stop File Threat Protection

S TR
DI
RE
OR
E D
PI

If the desired effect is not achieved by setting up exclusions, as a last resort, configure pausing File Threat
Protection while the program runs (in the Security Level settings, on the Additional tab).
CO

File Threat Protection can be paused while a resource-consuming operation is performed using the settings in
the Pause task area:

— By schedule—the schedule (daily only) is set by specifying the time when the File Threat Protection is to
be paused and when it is to resume its normal operation. The time is specified in hours and minutes
BE

— At application startup—File Threat Protection will pause when the specified program loads in
the memory and will resume its operation when this program is unloaded from the memory

How to apply settings to computers

TO

Policy settings must be enforced, meaning, locked. Unlocked settings are not applied to the computers.
T

Since all locks are closed in a policy by default, the administrator may not even notice them. While you edit settings
without touching the locks, all settings remain required and are enforced on the computers.
NO

However, you should remember that if locks are open, the configured settings are not applied. If you have changed
settings in a policy, and they have not changed on the computers, check the locks in the policy.
II–26 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
2.4 Standard security levels of File Threat
Protection

UT
IB
The security levels can be managed using the three-position switch: Low, Recommended and High. Depending on
the switch position, the File Threat Protection settings adopt the following values:

TR
Low Recommended High

File types Files scanned by extension Files scanned by format All files

S
Protection scope All removable drives All removable drives All removable drives
All hard drives All hard drives All hard drives

DI
All network drives All network drives All network drives

Heuristic analysis Light scan Light scan Medium scan

Scan only new and

changed files

Scan of compound files

+
RE
+

Scan Office formats

—

Scan new archives

Do not unpack large Scan new installation
OR

compound files: 8 MB packages

Scan all Office formats
Unpack compound files of
any size

Scan mode Smart Smart Smart

D

Scan technologies iSwift technology iSwift technology iSwift technology

E

iChecker technology iChecker technology iChecker technology

PI

Pause task — — —

If any setting is modified, the security level is changed to Custom. In order to return to the Recommended level,
CO

click the By default button.

BE
TO
T
NO
 II–27
Unit II. Protection Management

ED
2.5 How and why configure scheduled file scanning

UT
Why scan for malware after the File Threat Protection?

IB
S TR
DI
RE
OR

How can virus scanning help if File Threat Protection scans all dangerous files anyway? Virus Scan:
D

— Prevents users from spreading archived malware

E

— Updates caches of KSN, iSwift and iChecker, after which File Threat Protection can scan fewer files
PI

— Scans files that have not been changed. The File Threat Protection does not scan such files, which may be
dangerous
CO

Virus scan tasks check objects using the same methods as File Threat Protection: signature and heuristic analysis
and KSN. The difference is that File Threat Protection checks files on-the-fly when they are accessed while virus
scan tasks inspect the files by schedule or on demand.

File Threat Protection works with the user. The more actively work the user’s applications, the more files are
BE

scanned by the File Threat Protection and the more resources it consumes. Therefore, the File Threat Protection
settings are optimized to ensure protection against immediate threats only. If the user copies an archive, there is no
immediate infection risk and the archive need not be scanned.
TO

Virus scan tasks can be started during off hours, when more resources are available and a more thorough scan can be
performed. That is why the scan task will wait for the answer from KSN before returning the final verdict,
regardless of the signature and heuristic analysis results. Also, the task may check the objects that are excluded from
the scan scope of the File Threat Protection—archives, installation packages, files in non-infectable formats, etc.

A virus scan task can be configured to check the processes in the memory and be scheduled to run after each
T

successful database update.

NO
II–28 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
What and how to scan for threats

UT
IB
S TR
DI
RE
Configure malware scan settings in virus scan tasks. The Quick Start wizard creates one of these tasks in the
OR

Managed devices group. Adjust this task until you decide that you need more tasks.

Scan scope
D

Scan scope is a list of paths to folders and files that are to be scanned by the task. System variables are allowed (for
example, %systemroot%), as well as * and ? wildcards in the file or folder names. For the folders, you can select
E

whether to scan all the contents, including subfolders, or just the folder itself without subfolders. If subfolders are
not selected to be scanned, the object icon is marked with the little red "minus" sign.
PI

In addition to files and directories, the following scan objects can be specified:
CO

— My email—Outlook data files (.pst and .ost)

— Kernel Memory—the kernel memory of the operating system
— Running processes and Startup Objects—the memory area allocated for processes and executable files
of applications that start at the operating system start. Additionally, if this object is selected in the task
properties, rootkit scanning will also be performed (rootkits are hidden objects of the file system)
BE

— Disc boot sectors—boot sectors of hard and removable drives

— System Backup—System Volume Information folders
— All removable drives—the removable drives connected to the computer at the moment
— All hard drives—computer hard drives
— All network drives—all network drives connected to the computer
TO

— Computer—all the above objects, except for My email and All network drives

Create a task that scans the whole computer weekly or every other week. If you cannot find proper time for such a
task, scan at least critical areas:

—
T

Kernel Memory
— Running processes and Startup Objects
—
NO

Disk boot sectors

— %systemroot%\
— %systemroot%\system\
— %systemroot%\system32\
— %systemroot%\system32\drivers\
— %systemroot%\syswow64\
— %systemroot%\syswow64\drivers\
 II–29
Unit II. Protection Management

ED
Security level

Security level parameters in virus scan tasks are almost identical to the security level parameters specified for File

UT
Threat Protection. There are only a few virus scan parameters in the tasks that are not available in File Threat
Protection:

— Skip files that are scanned for longer than N s.—on the Scope tab in the Scan optimization area. Enable

IB
this parameter if virus scanning takes long and does not complete within the allocated time

— Parse email formats—on the Scope tab in the area Scan of compound files. It is disabled by default,

TR
because mail formats also include mailbox files, whose scanning takes too much time

Some malicious files are spread within office documents with an embedded mail file, which contains an
executable attachment. To completely prevent running such a file, enable scanning for office documents

S
and mail formats

DI
— Password-protected archives—when scanning these, Kaspersky Endpoint Security will prompt the active
user for the password to unpack the archive. Since scheduled scans usually run in off hours when there is
no user, this option should be reserved for manual scans performed locally.

RE
Virus scan tasks are also used to check archives. This is important because the File Threat Protection usually does
not scan archives. A virus scan task can check the same types of compound objects as the File Threat Protection.

Processing of compound objects is regulated by another option that becomes available after clicking the Additional
OR

button—Do not unpack large compound files.

The other security level parameters are identical to those of File Threat Protection.

Since the objective of virus scanning is to scan the files that have not been scanned by File Threat Protection, and
D

update caches of KSN, iSwift and iChecker, use the following settings for File Threat Protection to scan fewer files:
E

— Scan all files

— Do not scan only new and changed files
PI

— Scan all archives, installation packages and Office files

If time permits, on the Additional tab:

CO

— Set the deep heuristic analysis level

— Disable iSwift and iChecker technologies to make the task really scan all the files

Account
BE

By default, scan tasks are started on the client computers under the Local System account. If the scan scope includes
network drives or other objects with restricted access, the task will not be able to scan them. To solve this problem,
specify an account that has the necessary rights within the task properties.
TO
T
NO
II–30 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
Standard virus scan security levels

UT
You can also change the scan settings using the Security level slider. In that case the following settings will be used:

Low Recommended High

IB
File types Files scanned by All files All files
format

– –

TR
Scan only new and changed files +

Skip files that are scanned for longer than 180 sec – –

Scan archives New All All

S
Scan installation packages New All All

DI
Scan embedded OLE objects New All All

Parse email formats – – +

Scan password-protected archives

Do not unpack large compound files

–

–
RE –

–
–

–
OR

Heuristic analysis Light scan Medium scan Deep scan

iChecker technology + + +

iSwift technology + + +
D

How to select an optimal schedule

E
PI
CO
BE
TO
T
NO

Virus scan tasks may use any regular schedule: every N minutes, every N hours, every N days, weekly, monthly.
They can also be started once: either automatically at the specified time, or manually.
 II–31
Unit II. Protection Management

ED
In addition, special schedule types are available:

— After application update—the task will start after new threat signatures are downloaded and applied. This
is convenient for the scanning of memory and other locations where active threats may appear

UT
— At application start—the task will start immediately after the launch of Kaspersky Endpoint Security (or
in a few minutes). This is another opportunity for the scanning of the most vulnerable computer areas

IB
— On completing another task—a universal schedule that allows arranging tasks into a chain. From
the practical viewpoint, the best approach would be to link virus scan to update completion, but there is
already a special schedule option for that purpose

TR
— On virus outbreak—when the Virus outbreak event is registered on the Administration Server

There is also an option that allows running missed tasks. If a computer is turned off at the scheduled time, the task

S
will start as soon as the computer is switched on. Use this option cautiously. If virus scanning starts in the morning
when the user turns on the computer, scanning will hamper the user.

DI
The mode Define task launch delay automatically makes more sense for an update task than for a virus scan task.
See Unit IV for details.

RE
The Advanced window contains a few other useful settings:

— Activate computer before the task is launched by the Wake On LAN function (min)—the option
allows you to schedule scan start for the night time or weekends without needing to worry whether
OR

the computer is on. However, to use this feature, you need to enable its support in the BIOS settings of
the target computers

— Turn off computer after task is complete—the option may supplement the previous one. If a scan is
scheduled for the night or a weekend, the computer can be turned off after its completion
D

— Stop if the task is taking longer than (min)—the option allows guaranteed task completion before
E

the working day begins, so that the running scan does not interfere with the user activity
PI

On servers, perform virus scanning on weekends, when they are less loaded.

On workstations, try to find such a time when computers are on, but virus scanning will not hamper the users:
CO

— Quick virus scanning can be performed during the lunchtime

— Full scanning should run at night. Explain the users which day of the week they should not shut down their
computers
BE
TO
T
NO
II–32 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
What if none schedule is optimal

UT
IB
S TR
DI
RE
If you cannot arrange that the users do not turn off their computers, use Wake-On-LAN to power on the computers
at night and run the virus scan task. If this capability cannot be used either, use so-called idle scanning.
OR

To enable idle scanning, open the Properties section in the task and select the check box Scan when the computer
is idling (in the Run mode area). In this mode, virus scanning will be performed only when the computer is not
used (locked or a screensaver is active), otherwise, the task will be Paused.
D

Full computer scan in the idle mode may take a few days or even a couple of weeks, but it is better than not to scan a
computer at all.
E
PI
CO
BE
TO
T
NO
 II–33
Unit II. Protection Management

ED
2.6 What to do with false positives

UT
How to configure an exclusion for an incorrect verdict

IB
S TR
DI
RE
OR

If Kaspersky Endpoint Security informs about a threat in a file that is known to be clean, it is a false positive.
D

False positives hamper work considerably. Kaspersky Lab very thoroughly tests new signatures on a huge number
E

of files of operating systems and popular software to prevent false positives. During a scanning, Kaspersky Endpoint
Security checks files against Kaspersky Security Network and ignores threats in the files which KSN considers to be
PI

trusted.

False positives happen extremely rarely, and usually concern files of infrequent software: for example, homeware.
CO
BE
TO
T
NO
II–34 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
If File Threat Protection or a virus scan task finds a threat in a clean file, create an exclusion for it:

1. Open the trusted zone settings in the Kaspersky Endpoint Security policy: General Settings | Exclusions
Scan exclusions and trusted zone | Settings

UT
2. Add the file that gets a false positive to the list on the Scan exclusions tab. Select the File or folder check
box. Click the link select file or folder in the lower part of the window to specify the complete path to the
file. Use environment variables, for example, %ProgramFiles%

IB
It is safer to create an exclusion for a specific threat that Kaspersky Endpoint Security detected erroneously rather
than exclude the file entirely. For this purpose:

TR
3. Select the check box Object name in the exclusion window. Click the link enter object name in the lower
part of the window to specify the threat name. The threat name can be found in the event about detected
threat by Kaspersky Endpoint Security in the Result \Name field.

S
Exclusions by checksum

DI
RE
OR
E D
PI
CO

What to do if a file for which you need to configure an exclusion may be installed into different directories on
different computers?
BE

If the same file version is used on all computers, use the file checksum:

1. Open the trusted zone settings in the Kaspersky Endpoint Security policy: General Settings | Exclusions
Scan exclusions and trusted zone | Settings
TO

2. Add the file that gets a false positive to the list on the Scan exclusions tab. Select the Object hash check
box Specify the file checksum in the Object hash field in the lower part of the window. You can calculate
the file’s checksum or copy it from a detection event.
T

Kaspersky Endpoint Security calculates checksums of the scanned files and displays them in the detection events.
NO
 II–35
Unit II. Protection Management

ED
Exclusion by certificate

UT
What to do if you configured an exclusion, but a new program version has been issued with new names of the folder
and executable file, which also gets a false positive?

If file names are similar, use a path mask. In a mask, the asterisk “*” stands for an arbitrary sequence of symbols,

IB
and the question mark “?” stands for a single arbitrary symbol. For example, the file*.exe mask matches all files
whose names start with “file” and have the .exe extension.

TR
If file names are entirely different, but all files are signed by a certificate, place the certificates to the certificate store
on the computers where the program is used and configure Kaspersky Endpoint Security to trust these certificates:

1. Open the trusted zone settings in the Kaspersky Endpoint Security policy: General Settings | Exclusions

S
Scan exclusions and trusted zone | Settings

DI
2. Switch to the tab Trusted system certificate store, select the check box Use trusted system certificate
store and select a store. The default choice is Enterprise Trust

3. Place the certificate(s) with which program files are signed to the selected store on the client computer.

RE
You can use, for example, Active Directory group policies for this.

Each computer has the user’s certificate stores and the computer’s certificate stores. Kaspersky Endpoint Security
trusts only the certificates that are located in the computer’s store
OR

For homeware, you can use even self-signed certificates.

2.7 File Protection: Summary

E D
PI
CO
BE
TO
T
NO

File Threat Protection scans files on the drive that the user, operating system, and programs access. To avoid
slowing down the computer, File Threat Protection scans only those files that pose an immediate threat. However, it
does not prevent the user from copying archived malicious files.
II–36 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
Virus scan tasks scan all files and delete malicious files that are passively stored on the computer, for example,
archived malicious files.

If you cannot figure out a suitable schedule for running the scan task, use idle scanning.

UT
If File Threat Protection slows down the computer or programs:

— Schedule virus scanning. It updates the cache of scanned files and permits File Threat Protection not to scan

IB
them repeatedly if they have not been changed

— Configure exclusions for applications: for folders, executable files or certificates

TR
— If files (for example, user profiles) load slowly over the network, and protection is installed on network
servers, do not scan network drives

S
— As a last resort, pause File Threat Protection while a resource-consuming program runs

DI
Do not disable File Threat Protection. Schedule virus scanning on computers

RE
OR
E D
PI
CO
BE
TO
T
NO
 II–37
Unit II. Protection Management

ED
Chapter 3. How to configure protection against

UT
network threats

IB
TR
3.1 How network protection works

S
DI
What network components do

RE
OR
E D
PI
CO

A network is one of the main ways of malware spreading. That is why network protection and network traffic
scanning are so important for computer security. In Kaspersky Endpoint Security, Mail Threat Protection and Web
BE

Threat Protection components are responsible for anti-malware scanning of network traffic:

Mail Threat Protection Deletes malicious code from email messages and attachments
Renames potentially dangerous attachments
TO

Web Threat Protection Blocks attempts to download malicious files

Does not permit visiting malicious and phishing websites
T
NO
II–38 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
How Kaspersky Endpoint Security intercepts traffic

UT
IB
S TR
DI
RE
Kaspersky Endpoint Security intercepts network traffic using an NDIS filter. The driver intercepts outbound
OR

connections from the computer programs and transfers packets to the network protection components. Kaspersky
Endpoint Security detects the connection protocol and transfers packets to the corresponding component:

HTTP, FTP Web Threat Protection, Web Control

D

SMTP, POP3, IMAP, NNTP Mail Threat Protection

E

Other packets are sent directly to the programs and applications for which they are destined.
PI

Kaspersky Endpoint Security does not scan data in secure connections (SSL/TLS)

Kaspersky Endpoint Security can intercept only connections to the specified ports rather than all of the outbound
CO

connections. To achieve this, in the Kaspersky Endpoint Security policy, select General Settings | Exclusions and
in the Monitored ports area, select Monitor only selected ports. Click the Settings button and specify the ports
which need to be controlled.

If you do not know which ports a program uses, select the check box Monitor all ports for specified applications,
BE

and add the path to program’s executable file to the list.

Standard ports and programs are specified in the list of Monitored ports. If non-standard ports or programs are used,
add them to the list.
TO
T
NO
 II–39
Unit II. Protection Management

ED
3.2 Mail Threat Protection

UT
What Mail Threat Protection does

IB
S TR
DI
RE
OR

The Mail Threat Protection protects from email threats. Messages are intercepted at the protocol level (POP3, SMTP,
D

IMAP and NNTP), and by embedding into Microsoft Office Outlook (MAPI).
E

Mail Threat Protection detects and deletes malware using malware signatures, heuristic analysis and Kaspersky
Security Network. Additionally, Mail Threat Protection can block or rename email attachments that match the
PI

specified masks.

Mail Threat Protection changes the subject of infected messages. The action taken is described in the message
CO

subject.

Configuring Mail Threat Protection

BE

Protection scope

Security settings, among other options, determine the Protection scope. Mail Threat Protection can scan either
TO

— Incoming and outgoing messages

— Incoming messages only

To ensure minimal computer protection, you can scan incoming messages only. The scan of outgoing messages can
prevent inadvertent sending of an archived infected file and save the embarrassment. Additionally, you can select to
T

scan outgoing messages if you want to block attachments of certain types, for example, music or videos.
NO
II–40 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
Connectivity

The Connectivity group of settings more precisely defines the protection scope:

UT
— POP3/SMTP/NNTP/IMAP traffic—enables scanning of mail and news messages transferred over
the specified protocols

IB
— Additional: Microsoft Office Outlook extension—scan objects2 when they are received, read and sent at
the level of Microsoft Office Outlook client.

TR
Scanning at the protocol level operates independent of the mail clients used. However, messages transferred over
unsupported protocols (for example, through Microsoft Exchange or Lotus Notes servers) will not be scanned.

Conversely, scan at the mail client level works regardless of the way the message was received. However, the list of

S
supported mail clients is rather limited.

DI
Scanning methods

These settings concern attached compound files.

RE
If archives are attached, they can be unpacked and scanned. This behavior is controlled with the following settings:

— Scan attached archives—this setting allows the administrator to fully disable archive scanning. As a rule,
OR

it is better to leave this check box selected and to scan archives “on the fly” using Mail Threat Protection. It
is much easier not to allow any infected archive to penetrate into the mail database than to remove it from
the database later using a virus scan task

— Scan attached Office formats

D

Do not turn off these parameters. Malicious files are often spread in attached archives and office documents
E

— Do not scan archives larger than NN MB—limits the volume of archives or office files to be scanned.
PI

Malware is rarely spread in big files. Enable this limitation to avoid waiting too long when receiving large
compound files
CO

— Do not scan archives for more than NN sec.—this option implements protection against “archive bombs”
whose scanning requires a very long time and a lot of resources, which slows down the computer.

Attachment filter
BE

These settings concern only attached files. You can:

— Disable filtering—let through all kinds of non-malicious attachments

TO

— Rename specified attachment types3—is used by default and renames attachments of executable types
(.exe, .bat, .cmd, etc.) This is a preventive measure against unknown malware. The user will not be able to
start an attached file without consciously renaming it.
T

If archive scanning is enabled, Mail Threat Protection will rename archived files with the specified
extensions.
NO

2
Not only mail messages are scanned, but also the objects within Public folders and Calendar: any objects received over MAPI
from the Microsoft Exchange storage.
3
Renaming is as follows: the last character of the extension is replaced with the underscore character, e.g., file.exe becomes
file.ex_
 II–41
Unit II. Protection Management

ED
This option can also be used to fight outbreaks of new malware. If names of the attachments used by
the malware are known, they can be added to the list and then renamed so that the users are unable to open
these attachments as regular files. Renaming can reliably prevent infection. At the same time, if a harmless
attachment matches the specified mask, renaming would not cause any serious problems. The user can

UT
consult the administrator and receive instructions on how to rename the file back

— Delete specified attachment types is a safe way to prevent infections, which can also be used to prevent
exchange of files of certain types: for example, music or video files

IB
If archive scanning is enabled, Mail Threat Protection will delete files of the specified types from attached
archives

TR
The list of filters contains the masks of frequently used file extensions. In addition to the extensions, user-defined
masks can contain parts of names. “*” and “?” wildcard characters can be used. The added masks will go to
the beginning of the list and will be enabled immediately.

S
DI
Standard security levels

Protection scope
Low
RE
Incoming messages
Recommended

Incoming and
High

Incoming and
only outgoing messages outgoing messages
OR

POP3 / SMTP / NNTP / IMAP traffic + + +

Additional: + + +
Microsoft Office Outlook plugin
D

Scan attached archives – + +

E

Scan Office formats + +

Do not scan archives larger than 8 MB + – –

PI

Do not scan archives for more than 5 sec + – –

CO

Attachment filter Rename specified Rename specified Rename specified

attachment types attachment types attachment types

Heuristic analysis Light scan Medium scan Deep scan

BE

Exclusions for false positives

Exclusions for Mail Threat Protection are configured the same way as in File Threat Protection: in the General
TO

Settings | Exclusions, Scan exclusions and trusted zone. In the scan exclusion settings, specify the file name only
(wildcards are allowed) to exclude all attachments with matching names from scanning. The same exclusion must be
configured for File Threat Protection, or else the received attachments will not be saved or opened.
T
NO
II–42 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
3.3 Web Threat Protection

UT
What Web Threat Protection does

IB
S TR
DI
RE
OR

The Web Threat Protection component performs two important functions:

D

— Analyzes addresses of web pages opened by the user or applications, and blocks access to phishing and
E

malware-spreading sites
PI

— Scans the objects downloaded over HTTP and FTP (the objects downloaded over HTTPS are not scanned)
and blocks malicious files
CO

Four technologies are used for scanning the links:

— Check against the database of malicious web addresses—compare the address of the site to be opened with
the addresses of the websites known for hosting malware, attacking computers, or other harmful activities

— Check against the database of phishing web addresses—is similar to the previous check, but against the
BE

database of sites on which phishing pages have been detected

— Heuristic analysis for detecting phishing links—analysis of the site contents for HTML code characteristic
of phishing
TO

— KSN check—addresses of the opened sites are checked against KSN. Dangerous links are blocked. The
received answer is saved in the local cache and is used for further checks.

Downloaded files are scanned using all the available methods: signature and heuristic analysis as well as KSN.
T
NO
 II–43
Unit II. Protection Management

ED
Configuring Web Threat Protection

UT
Actions

You can select the action to be taken against all detected dangerous objects:

IB
— Block download,
or
— Inform

TR
You should select the Block download action in the policy and lock it so that the users are not able to download
hazardous objects or visit hazardous websites.

S
When the user attempts to open a black-listed website or download an infected object, a notification will be

DI
displayed in the browser explaining that the download was blocked by Kaspersky Endpoint Security.

Security level
RE
Web Threat Protection behavior is regulated by only a few settings:

— Check if links are listed in the database of malicious URLs—we recommend that you do not disable this
OR

setting. If a website was added to the list of malicious web addresses by mistake, create an exclusion for it

— Heuristic analysis for detecting viruses—enables heuristic analysis. This is the same analysis as in
the File Threat Protection: executable files are started in the virtual environment and their operations are
supervised. The depth of the analysis defines the monitoring time
D

— Check if links are listed in the database of phishing URLs—this setting is similar to the first parameter
E

and should also remain enabled

PI

— Heuristic analysis for detecting phishing links—enables the use of heuristics when detecting phishing
sites.
CO

Web Threat Protection settings can be modified using the Security level switch. The table below explains how
the settings’ values change depending on the level selected:

Low Recommended High

BE

Heuristic analysis for detecting viruses Light scan Medium scan Deep scan

Scan archives – + +

Scan archives is a hidden setting. If the Security level is switched into the Low position, in addition to the visible
TO

parameter changes, archive scanning is disabled.

The following parameters:

— Check if links are listed in the database of malicious web addresses

T

— Check if links are listed in the database of phishing URLs

— Heuristic analysis for detecting phishing links (as well as the depth of the analysis)
NO

do not depend on the Security level and do not change the position of the Security level when modified.
II–44 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
How to make a website trusted

UT
IB
S TR
DI
RE
If Web Threat Protection erroneously considers a website to be malicious or phishing, add its address to the trust list:
OR

1. In the security level settings, open the tab Trusted web addresses
2. Select the check box Do not scan web traffic from trusted web addresses
3. Add the website address to the list. To specify a mask, use “*” and “?” wildcards
D

The listed sites and the objects downloaded from them will not be scanned by Web Threat Protection.

If Web Threat Protection erroneously considers a file that a user downloads from a website to be malicious, make an
E

exclusion for the file in General Settings | Exclusions. Apply the exclusion at least to Web Threat Protection, File
PI

Threat Protection and Virus scan.

CO
BE
TO
T
NO
 II–45
Unit II. Protection Management

ED
3.4 How not to intercept the whole traffic of a
program

UT
IB
S TR
DI
RE
OR

Kaspersky Endpoint Security 11 uses a driver that does not disrupt the connection; it uses the operating system
functions to receive access to all packets.
D

This interception method usually does not affect network applications 4.

E

If you have a program that conflicts with the new interception method too, disable traffic interception for it:
PI

1. Open the list of trusted processes in the Kaspersky Endpoint Security policy: in the General Settings |
Exclusions section, click the Settings button in the Scan exclusions and trusted zone area.
CO

2. Add the application executable file to the list of Trusted applications: specify the full path to the file. You
can use environment variables, such as %SystemRoot%

3. In the properties of a trusted program, select the check box Do not scan network traffic and clear the other
check boxes
BE

4. If servers with which a program works have permanent addresses (or a range of addresses) and ports,
specify them in the lower part of the window: It is safer this way

This exclusion applies to the Mail Threat Protection, Web Threat Protection, and Web Control components.
TO
T
NO

4
In old versions of Kaspersky Endpoint Security (before 10 Service Pack 2), the driver that intercepts connections for network protection components acts as
a local proxy.
When a program establishes connection to a remote server, Kaspersky Endpoint Security replaces the server address with its own address to receive the
packets, and then establishes another connection to the remote server to send the scanned packets. The answer packets from the server are processed in a
similar manner: first through the connection established by Kaspersky Endpoint Security, and then from Kaspersky Endpoint Security to the program.
Some network programs are incompatible with this interception method.
II–46 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
3.5 Protection for network connections: Summary

UT
IB
S TR
DI
RE
OR

The network components Mail Threat Protection and Web Threat Protection consume few resources. On the
contrary, they enable File Threat Protection to scan fewer files, and improve computer performance.

Web Threat Protection is the only component that protects against phishing. It also protects against new threats that
are spread through known malicious websites.
D

Do not turn off network protection components, it will not improve performance, but will affect protection
E
PI

If Web Threat Protection or Mail Threat Protection erroneously delete files, block safe websites or hamper network
programs, configure exclusions:

— Exclusions for websites in the Web Threat Protection settings

CO

— Exclusions for programs in General Settings | Exclusions

— Exclusions for ports in General Settings | Exclusions
BE
TO
T
NO
 II–47
Unit II. Protection Management

ED
UT
Chapter 4. How to configure protection against
sophisticated threats

IB
TR
4.1 How Kaspersky Endpoint Security protects

S
against new threats

DI
RE
OR
E D
PI
CO

Criminals continually create new malicious files. Kaspersky Lab is famous for detecting new threats and adding
their signatures to the database very quickly. Checksums of malicious files get to Kaspersky Security Network even
BE

more promptly. However, criminals are still half a step ahead. How does Kaspersky Endpoint Security protect
against new threats and especially against ransomware?

Ransomware that encrypts documents and demands money in return for the key cause immediate and direct harm
TO

Kaspersky Endpoint Security tries to detect and block malware, including new, at all stages of an attack:

Criminals publish malware on websites. Often these Web Threat Protection uses the database of known
websites have also been used previously malicious websites and websites’ reputation in KSN and
prevents the users from opening them
T

Criminals email new malware Mail Threat Protection renames executable attachments,
NO

including archived ones

Criminals use software vulnerabilities to run malicious Exploit Prevention blocks attempts to infect the machine
code through known and some unknown application
vulnerabilities
II–48 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
New malware have different code to get round signature Behavior Detection monitors what a programs does, and
scanning, but behave similarly to other malware detects new malware by behavior

UT
Encrypted data are statistically homogeneous, as if Behavior Detection uses heuristic and statistical analysis
produced by a random-number generator. This makes as well as machine learning technologies to detect
them different from most ordinary files encryption in files

New malware does not have any reputation in KSN Host Intrusion Prevention does not allow the programs

IB
without a reputation to use many of the operating system
functions

TR
New threats are mainly opposed by Behavior Detection, Exploit Prevention, and Host Intrusion Prevention, with the
help of Kaspersky Security Network.

S
4.2 What Advanced Threat Protection does

DI
RE
The components and technologies that help to counter new malware not yet added to the signature databases or
minimize their impact are called proactive defense.

Heuristic analysis which we’ve studied already is an example of a proactive defense technology. However, the main
OR

role in this protection aspect belongs to Behavior Detection, Exploit Prevention, Remediation Engine, Host Intrusion
Prevention, and to some extent to the Control components and Firewall.

How Behavior Detection protects against new threats

E D
PI
CO
BE
TO
T

Behavior Detection performs several functions:

NO

— Logs application activity for comparison with the behavior signatures database
— Detects malware and blocks their actions
— Protects shared folders against external encryption

Malware detection is the main task. For this purpose, Behavior Detection monitors program actions and compares
them with dangerous activity patterns. The application activity log includes file access operations, established
network connections, and system function calls.
 II–49
Unit II. Protection Management

ED
The database of patterns is updatable, but updates are rarely issued for it. Efficiency of the Behavior Detection
almost does not depend on the databases’ update regularity.

UT
Settings

Behavior Detection settings are few: in substance, you can only enable or disable the entire component, or

IB
protection of shared folders against external encryption.

Actions

TR
If Behavior Detection detects malicious behavior, it stops the program, deletes its executable file, and moves it into
the Backup repository.

S
Other possible actions:

DI
— Inform—do nothing, only log the detection of malicious activity
— Terminate the program—stop the malware and unload it from the memory

RE
— Delete file—stop the program, delete the malicious file, and place its copy into the Quarantine repository

If Protection of shared folders against external encryption detects an attempt to encrypt files in a shared folder over
the network, it blocks the write and delete operations for this session for 60 minutes. Then it tries to restore non-
encrypted file versions from a backup copy using the Remediation Engine component.
OR

Do not disable Behavior Detection. It protects against threats that other components may fail to counter.

To prevent false positives or improve performance, create exclusions.

D

How Exploit Prevention protects against new threats

E
PI
CO
BE
TO
T
NO

Exploit Prevention—protects from various attacks (exploits) whose aim is to receive administrative permissions in
the system or conceal code execution.

Exploits typically use buffer overflow attacks. Incorrect parameters are passed to a vulnerable program or service,
which processes them and therefore executes some parameters as code. Specifically, such attacks against system
II–50 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
services running under the local system account enable criminals to receive administrative permissions on the
computer.

Typically, malware tries to start itself under the administrator account as a result of such an attack. When this option

UT
is enabled, start operations are being monitored and if a vulnerable program starts another program without the
user’s explicit command, the start is blocked.

IB
How Remediation Engine protects against new threats

S TR
DI
RE
OR
D

Remediation Engine—rolls back actions taken by the programs deleted by File Threat Protection, Virus Scan tasks,
E

and Behavior Detection.

PI

Actions to be rolled back are any changes made to the file system (creating, relocating, renaming files) or registry
keys (the records created by the malware are deleted). Also, a backup copy of some files and keys is created at the
time of the system start, which allows rolling back to this version if malware changes these files and keys. These
CO

special objects include hosts and boot.ini files and registry keys responsible for starting programs and services
during the system start.

This option also restores files encrypted by ransomware, which encrypt files on drives and in shared folders, and
then demand a ransom.
BE

Remediation Engine uses the application activity log written by the Behavior Detection component.
TO
T
NO
 II–51
Unit II. Protection Management

ED
How Host Intrusion Prevention stops new threats

UT
IB
S TR
DI
RE
The main purpose of the Host Intrusion Prevention is to regulate the activities of the running programs, namely,
OR

access to the file system and registry as well as interaction with other programs.

How Host Intrusion Prevention calculates a programs reputation

D

Host Intrusion Prevention categorizes applications into trust groups, for which limitations are specified. Every
program receives one of the four trust levels:
E

— Trusted
PI

— Low Restricted
— High Restricted
— Untrusted
CO

Kaspersky Endpoint Security assigns a trust group to a program when it starts for the first time. The main
categorization tool is Kaspersky Security Network. If it is inaccessible or KSN lacks information about the program,
the assigned category depends on the policy settings:
BE

— If trust group cannot be defined, automatically move applications to—this settings permits the
administrator to select which category to assign to the programs that do not yet have a reputation.
The administrator can select (High Restricted, Low Restricted, or Untrusted) to all unknown programs
without the analysis
TO

— Trust applications that have a digital signature—if this parameter is enabled, the programs signed by
trusted certificates will be automatically placed in the Trusted group

Trusted certificates are certificates that Kaspersky Security Network trusts. To trust other certificates, use the Scan
exclusions and trusted zone (General Settings | Exclusions)
T

The defined trust group is saved and used at each start of the program. The saved data may be revised or deleted
NO

depending on the following settings:

— Update control rules for previously unknown applications from KSN databases—programs trust group
will be changed automatically if it appears in the KSN
II–52 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
— Delete rules for applications that are not started for more than 60 days—allows wiping out the trust
group information for the programs that have not been started for a long time. The lifetime is adjustable

— Programs launched before Kaspersky Endpoint Security for Windows are automatically moved to

UT
the trust group— permits configuring the trust group for programs that start earlier than Kaspersky
Endpoint Security5

IB
How Host Intrusion Prevention limits applications

TR
Host Intrusion Prevention limits interaction with other programs and operating system services depending on the
trust group. Generally, the default restrictions for trust categories are as follows:

Trusted No limits

S
Low Restricted Almost everything is allowed, except for building into operating system modules and

DI
accessing recorders: web cams and microphones

High Restricted Interaction with operating system modules and other programs is prohibited. A program is
allowed to work only with its own segment of the system memory

Untrusted The program is prohibited even from starting RE

Host Intrusion Prevention helps limit access to files, folders and registry keys on the hard drives. Host Intrusion
OR

Prevention has a list of protected resources. They are grouped into two categories:

— Operating system
— Personal data

Each category has its subcategories and resource descriptions: paths to folders, file masks, registry key masks.
D

Initially, the list of protected resources contains groups of most important files and registry keys. For example, the
Operating system category has a subcategory Startup settings, which lists all registry keys related to startup.
E

Rights to access groups of resources are defined for operations: Read, Write, Remove and Create.
PI

By default, Host Intrusion Prevention protects resources as follows:

CO

Operating System Personal data

Trusted Full access Full access

Low Restricted Full access to everything except critical operating system files Full access
BE

For critical operating system files, Read only

High Restricted Read only Full access

Untrusted No access No access

TO

Program limitations automatically apply to its child processes. If a program with limitations starts a trusted program,
this trusted program will also be restricted. If a trusted application is started by the user or another trusted program,
there will be no limits
T
NO

5
Drivers of the Firewall and Intrusion Prevention start before any other software, while the Kaspersky Endpoint Security module responsible for the
reputation of executable files, later. To protect the computer while the reputation module is not running, drivers apply the limitations of the specified trust
group to all programs.
 II–53
Unit II. Protection Management

ED
How to configure Host Intrusion Prevention

The administrator can modify limitations for any trust group and even for any individual program.

UT
Do not change the Host Intrusion Prevention settings unless you know precisely what you are doing

IB
To find the trust groups and their limitations:

1. Open the Advanced Threat Protection | Host Intrusion Prevention section in the Kaspersky Endpoint
Security policy

TR
2. Click the upper Settings button in the Application rules area
3. Select the trust group and click Edit
4. Switch to the Rights tab

S
The administrator can limit or extend rights for a program having the selected reputation here. For example, you can
allow low restricted programs to access the web cam.

DI
RE
OR
E D
PI
CO

To view protected resources:

1. Open the Advanced Threat Protection | Host Intrusion Prevention section in the Kaspersky Endpoint
BE

Security policy
2. Click the lower Settings button in the Application rules area

On the managed computers, the list of resources is updated together with the signature databases. To update the list
of resources in the policy, click the button Update above the list.
TO

Do not delete or edit the pre-configured resources. To stop controlling pre-defined resources, add them to exclusions:
click the Exclusions button in the upper-right corner of the window.

To protect other files or registry keys, add them to the list. Keep your resources in an individual category.
T

To add your own protected resources:

NO

1. Click the Add button to create your categories and resource descriptions
2. Configure access rights for the resource in the table on the right
II–54 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
To be informed when Host Intrusion Prevention blocks an operation, enable logging. For this purpose, right-click an
action in the table and select Log events. You can log allow events of Host Intrusion Prevention 6 to understand
which programs work with a resource.

UT
Note: The limitations configured for a program are inherited by all its child processes, even if their executable files
are included in the Trusted group. Thus, the programs with lower trust level may not evade the prohibitions by
using the privileges of programs having higher trust levels.

IB
How to configure Host Intrusion Prevention to stop

TR
ransomware
With the default settings, Host Intrusion Prevention protects the operating system and other software on the

S
computer against programs that have a bad reputation.

DI
The administrator can also easily protect users’ files against unknown programs. This way, they will be protected
against ransomware that encrypt documents.

The idea is simple. Ransomware:

RE
— Either already has bad reputation in KSN, and Kaspersky Endpoint Security will not permit starting it

— Or does not have any reputation in KSN and Host Intrusion Prevention will make it Low Restricted (by
OR

default) or High Restricted, depending on the administrator’s choice

Programs designed for working with documents, such as Microsoft Office, are well-known and have a Trusted
reputation.
D

Therefore, to protect documents, prohibit restricted programs from editing them. For this purpose:
E

1. Open the Advanced Threat Protection | Host Intrusion Prevention section in the Kaspersky Endpoint
Security policy and click the second Settings button
PI

2. Add documents to the list of protected resources in Host Intrusion Prevention: in the list on the left, select
the category Personal data \ User files and add a new category named Documents
CO

3. Include in the category document extensions, such as *.doc, *.docx, *.pdf, etc. For this purpose, add File or
folder to the category and specify the extension in the Path field. Repeat for all extensions

4. Prohibit restricted applications from editing documents. For this purpose, select the category in the list on
BE

the left and change the rights in the table on the right: Prohibit High Restricted and Low Restricted
applications from Writing and Deleting
TO
T
NO

6
Be careful not to create an overwhelming stream of events from computers to the Administration Server. If you need to analyze access allow events, save
them only into the local log of Kaspersky Endpoint Security rather than sending to the Administration Server
 II–55
Unit II. Protection Management

ED
4.3 How to exclude a program from monitoring

UT
What to do if KES hampers a program

IB
S TR
DI
RE
OR

Almost any heuristic analysis returns false positives. To reduce them, exclude known clean programs from analysis:
D

— Programs that are considered to be trusted in Kaspersky Security Network

E

— Programs signed with trusted certificates

PI

To avoid blocking programs that are considered to be trusted in KSN, simply use KSN. To trust signed programs,
use the following Host Intrusion Prevention setting: Application processing rules \ Trust applications that have a
digital signature.
CO

Kaspersky Endpoint Security trusts only those digital signatures that are is based on trusted certificates rather than
all of them. Trusted certificates are those issued by trusted certification centers.

Kaspersky Endpoint Security uses its own database of certificates and does not always trust certificates in the local
store Trusted Root Certification Authorities. If a certificate has been compromised, Kaspersky Endpoint Security
BE

learns about this from Kaspersky Security Network, and will not trust files signed with this certificate.

Kaspersky Endpoint Security does not trust self-signed certificates either. To trust tailor-made software with a self-
signed certificate, add the certificate to the trusted zone of Kaspersky Endpoint Security as described in “Exclusion
TO

by certificate”, in section 2.6.

If a program does not have a digital signature, you can manually add it to the Trusted group in the Host Intrusion
Prevention policy. Alternatively, you can completely exclude a program from scanning by Behavior Detection and
Host Intrusion Prevention. How to do it will be explained later.
T
NO
II–56 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
How to modify a program’s trust category

UT
IB
S TR
DI
RE
Most of the widespread commercial programs have a Trusted reputation. However, some open-source programs
OR

have a Low Restricted reputation. Homeware may not have any reputation in KSN, and may receive a Low
Restricted reputation (or High Restricted, depending on the policy settings).

If the reputation hampers working with a program, change its reputation in the Kaspersky Endpoint Security policy:
D

1. Open the Advanced Threat Protection | Host Intrusion Prevention section in the Kaspersky Endpoint
Security policy
E

2. Click the upper Settings button in the Application rules area

PI

3. Click Add above the list of categories

Enter a part of the program’s executable file name and click Refresh
CO

4.

5. Select the executable file in the search results

6. Select a reputation for the file in the lower-right corner of the window and click OK
BE

If the administrator has selected a reputation for a file in the policy, Host Intrusion Prevention will use this
reputation on the computers instead of the KSN reputation. Reputation from KSN is used only for files that are not
explicitly specified in the policy. Meaning, for most files, because by default the policy has only reputation groups,
and no files.
TO

If the administrator has added a file to a reputation group in the policy, he or she can reconfigure its restrictions as
desired. For example, the administrator can add a program to the Trusted group, but then open its properties and
prohibit it from accessing the web cam.
T
NO
 II–57
Unit II. Protection Management

ED
What to do if the list of known programs is empty in the policy

UT
IB
S TR
DI
RE
If you use policies with the default settings, the list of executable files is likely to be empty in the policy.
OR

Kaspersky Endpoint Security intercepts all executable files on the computers, and Host Intrusion Prevention assigns
a reputation to all of them. However, this data is not sent to the Administration Server by default. And the policy
shows only those executable files about which Kaspersky Endpoint Security has informed the Administration Server.

To make Kaspersky Endpoint Security send the list of computer’s executable files to the server:
D

1. Open the policy, go to the General Settings | Reports and Storage section, and click the Settings button
E

in the Data transfer to Administration Server area

PI

2. Select the About started applications check box

3. To view executable files in the policy, wait for two synchronization intervals (30 minutes)
CO

The lists of computer executable files are rather large. If all managed computers send them to the server, it will
increase the load on the network considerably. Usually, this is not necessary. To receive only the necessary files,
move a reference computer to a special group and apply a policy with the selected check box Inform about started
applications to it, and after you receive the list, move the computer to its original group
BE
TO
T
NO
II–58 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
How to get the list of applications from a computer

UT
IB
S TR
DI
RE
When the user starts a program, Kaspersky Endpoint Security adds it to the local list of known applications. If the
administrator has selected to inform the server about started applications, the Network Agent will periodically
OR

synchronize the list of files with the server.

However, it is not recommended to collect lists of files from all computers, and creating a special group with a
special policy for a single workstation is not always desired.
D

Administrators often have test computers where all typical programs are installed. If you have such computers,
gather lists of executable files from them. To fill the local list of known programs on a test computer, do not start all
E

the programs manually, use the Inventory task.

PI

The Inventory task scans files in the specified folders, finds the executable files and adds them to the local list of
known executable files. It does not send anything to the Administration Server. To have scans results sent to the
server, select the check box Inform Administration Server about started applications in the Kaspersky Endpoint
CO

Security policy.

To create an inventory task, run the task creation wizard in the Tasks node. Select the Inventory task type under
Kaspersky Endpoint Security 11 for Windows. If it is a task for a test computer, specify the All hard drives scope.
Assign the task to individual test computers.
BE
TO
T
NO
 II–59
Unit II. Protection Management

ED
How to make a program trusted for Behavior Detection
and Intrusion Prevention

UT
IB
S TR
DI
RE
OR

If the limitations set by the Host Intrusion Prevention still block a necessary program, you can configure
the corresponding exclusion. There are two types of exclusions in Host Intrusion Prevention:

— Exclusions for resources—allow any program to perform any operation with the specified group of
resources
D

— Exclusions for programs—allow the specified programs to perform any operation

E

Exclusions for resources are configured in the properties of Host Intrusion Prevention, on the Protected resources
PI

tab. You can configure exclusions for folders, files and registry keys.

Exclusions for programs are configured in the General Settings | Exclusions section (Exclusions and trusted
CO

zone), and provide several additional capabilities:

— Do not monitor application activity—disable all restrictions for the specified program

— Do not inherit restrictions of the parent process (application)—disable the limitations inherited from
BE

the process that started the program and the parent processes of higher levels

— Do not monitor child application activity—disable the restrictions for the processes started by
the program for which the exclusion is created
TO

These exclusions apply to Behavior Detection and Host Intrusion Prevention.

T
NO
II–60 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
4.4 Protection against new and sophisticated
threats: Summary

UT
IB
S TR
DI
RE
OR

Almost all Kaspersky Endpoint Security components help protect against new threats, but primarily Behavior
Detection and Host Intrusion Prevention. Both components monitor the operations performed by the programs.
D

Host Intrusion Prevention calculates the reputation of executable files and limits actions of programs that have bad
or unknown reputations. Program reputation is supplied by Kaspersky Security Network, or the administrator
E

specifies it in the policy settings.

PI

Behavior Detection monitors what programs do in general rather than their individual actions. For this purpose, it
logs everything that programs do and then checks whether sequences of actions resemble malicious activities.
Remediation Engine uses the log of actions to roll back malicious activities.
CO

Behavior Detection has special heuristics that permit detecting ransomware (malware that encrypts documents and
demands a ransom). In many cases, Behavior Detection can recover encrypted documents with the help of
Remediation Engine.
BE

To better protect against ransomware, configure Host Intrusion Prevention to block access to documents for
programs that have a bad reputation.

Do not disable Behavior Detection and Host Intrusion Prevention. These components implement state-of-the-art
technologies that protect against most sophisticated threats
TO
T
NO
 II–61
Unit II. Protection Management

ED
Chapter 5. How to control network connections

UT
IB
5.1 How Firewall protects against threats

S TR
DI
RE
OR
E D
PI

From the security point of view, the Firewall performs two functions:

— Block unauthorized network connections to the computer, thus decreasing the infection probability
CO

— Block unauthorized network activity of the programs on the client computer. This decreases the risk of
an outbreak, and also limits actions of the users that consciously or unconsciously violate the security
policy
BE

The Firewall is tightly integrated with Host Intrusion Prevention. Host Intrusion Prevention does not limit programs’
access to the settings of the operating system, other programs and user files. Firewall checks the program reputation
and limits its access to the network. This way, the Firewall prevents already running malware from causing harm:
for example, sending the user’s passwords to criminals.
TO

The Network Threat Protection component complements the Firewall and analyzes packets. While Firewall uses
relatively simple rules to block packets and connections, Network Threat Protection checks sequences of packets for
signs of a network attack, for example, buffer overflow attack via known vulnerabilities, and blocks connections
through which an attack is performed.
T
NO
II–62 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
5.2 How Firewall works in Kaspersky Endpoint
Security

UT
IB
Firewall controls connections at the network and transport level using packet rules. It analyzes inbound and
outbound packets, compares them with the rules and takes one of the two actions:

— Allow

TR
— Block

How Firewall analyzes packets and connections

S
DI
RE
OR
E D
PI
CO

The simplest part of Kaspersky Endpoint Security Firewall is the list of packet network rules. To view it, open the
Firewall section in the Kaspersky Endpoint Security policy and in the Firewall rules area, click the second Settings
button.

A packet rule consists of the following attributes:

BE

Action Allow, Block or According to the application rule

According to the application rule means that Firewall will look for an appropriate rule in the
settings of the program to which the packet pertains, and if this program has no settings, in the
TO

settings of the reputation group to which the program belongs

Protocol TCP, UDP, ICMP, ICMPv6, IGMP, GRE

Direction Inbound (packet)—applies to all inbound packets

Inbound—applies to all packets within inbound connections
T

Inbound/outbound—applies to all packets

Outbound (packet)—applies to all outbound packets
NO

Outbound—applies to all packets within outbound connections

The TCP protocol establishes connections; use the directions Inbound, Outbound and
Inbound/Outbound together with the TCP protocol
Other protocols do not establish connections; they send packets. Use Inbound (packet), Outbound
(packet) and Inbound/Outbound with them
 II–63
Unit II. Protection Management

ED
Remote Ports on a remote computer
ports Can be specified for TCP and UDP protocols
To specify several ports, separate them by comma: for example, 25, 110

UT
To specify a range, use a hyphen: 0-1024

Local ports Ports on the local computer

Can be specified for TCP and UDP protocols

IB
ICMP type Echo, Echo Reply, Time Exceeded, Destination Unreachable, etc.
Can be selected for ICMP and ICMPv6 protocols

TR
ICMP code Code for some ICMP types. You can select code 0, 1 or 2
For example, for a Destination Unreachable ICMP packet, code 0 means Net Unreachable, code
1—Host Unreachable, code 2—Protocol Unreachable7

Network Permits specifying the network adapter by Interface type, IP address and MAC address

S
adapters Types of interfaces: Loopback, Wired network (Ethernet), Wi-Fi network, Tunnel, PPP connection,
PPPoE connection, VPN connection, Modem connection

DI
TTL Packet lifetime

Remote
addresses
RE
Addresses of remote computers, which can be specified directly or indirectly
To specify addresses directly, select Addresses from the list and fill the list of IP addresses
To specify addresses indirectly, select Any address or Subnet addresses. Subnet addresses are:
Trusted networks, Local networks or Public networks
OR

Local Addresses of a local computer (a computer can have many addresses)

addresses You can select either Any address, or Addresses from the list, and fill the list

Both IPv4 and IPv6 can be specified for IP addresses

D

The Firewall compares packet attributes with rule attributes, and if everything coincides (protocol, ports, direction,
network adapter, local address, remote address), applies the action specified in the rule.
E

Rule application will be registered in the Firewall log if the Log events check box is selected.
PI

The Firewall looks for the first matching rule (from the top down) and applies it. To rearrange the rules, select a rule
and move it using the Up and Down buttons.
CO

A default policy contains a list of packet rules that provides reasonable security for computers both on and off
the corporate network. The standard settings are described in detail in the end of this chapter.

Standard packet rules are not hard-coded. The administrator can edit and delete them, or add custom rules. For
BE

convenience, the protocol, ports and direction can be specified by templates (for example, Any network activity,
Browsing web pages, Remote Desktop network activity, etc.) To select a template, click the button to the right of the
Name field in the rule settings.
TO
T
NO

7
For ICMP message types and code values, consult protocol documentation
II–64 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
How Firewall decides which networks are local

UT
IB
S TR
DI
RE
Addresses of remote computers may be specified indirectly in the rules, as Subnet addresses: Trusted networks,
OR

Local networks or Public networks. How does the Firewall decide which addresses belong to which networks?

Network statuses are specified by the administrator in the Kaspersky Endpoint Security policy. If the policy does not
describe a network status, the Firewall defines it itself on the client computer.
D

To add a network to the policy and select a status for it:

1. Click the Settings button in the Available networks area

E

2. Click the Add button above the list

PI

3. Type a name for the subnet and select its status

4. Specify subnet address in the following format: <IP address>/<netmask length in bits>, for example
192.168.0.0/24 or 1234::cdef/96 for IPv6 networks
CO
BE
TO
T
NO

On the computer, the Firewall adds the networks configured for the computer's network adapters to the networks
specified in the policy. If an adapter’s network coincides with or belongs to a network from the policy, it receives
the status specified in the policy.
 II–65
Unit II. Protection Management

ED
If the adapter’s network does not belong to any of the networks described in the policy, the Firewall assigns it a
status based on its status in the operating system. If it is a domain, work or home network, the Firewall assigns it the
Local status. If the network is public in the operating system, it will also be public for Kaspersky Endpoint Security
Firewall.

UT
All other addresses are considered to be addresses of public networks.

For example, the policy might contain a single network entry for 172.16.0.0/16 with the Local network status. And

IB
a managed computer might have two interfaces configured to use networks 172.16.55.0/24 and 192.168.5.0/24
respectively. Let’s say Kaspersky Endpoint Security automatically assigned the Public status to both these networks.
Now when the local networks are combined with the policy, the status of 172.16.55.0/24 network effectively

TR
becomes Local network, because there is an entry in the policy for network 172.16.0.0/16 that includes
172.16.55.0/24. On the other hand, the 192.168.5.0/24 network retains its Public status because there is no matching
entry in the policy.

S
In the default policy settings, there are three network entries, all of which have the Local network status:

DI
— 10.0.0.0/8
— 172.16.0.0/12
— 192.168.0.0/16

RE
These are reasonable choices for the computers that are inside the perimeter; however, they should be reconsidered
for computers outside the perimeter, e.g., the computers connected via VPN or laptop computers on a business trip.

How Firewall restricts programs

OR
E D
PI
CO
BE
TO

If the Firewall does not find a matching rule for a packet, or finds it, but the action specified in the rule is According
to the application rule, it starts looking for the packet rule configured for this application. And if the application has
no settings in the policy, it checks the program’s reputation and looks for a matching packet rule in the reputation
settings.
T

The Firewall uses the same reputations as Host Intrusion Prevention. The settings that Host Intrusion Prevention
NO

uses to select a reputation are also applied to the Firewall. If Host Intrusion Prevention is not installed, Firewall
defines the reputation itself using the Host Intrusion Prevention settings. A program cannot be Trusted for Host
Intrusion Prevention and at the same time High Restricted for the Firewall. Each program has only one reputation.
II–66 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
To view packet rules for applications and reputations:

1. Click the upper Settings button in the Application rules area

2. Select an application or reputation and click Edit

UT
3. Switch to the Network rules tab

There are no applications in a policy by default; there are only reputations and settings for reputations. The
administrator can add programs to a reputation and after that he or she will be able to add whichever packet rules to

IB
the program properties. Applications can be added in the same manner as in Host Intrusion Prevention.

Each program and reputation in the list of rules has three rules that are always located at the bottom of the list:

TR
— Any network activity in Trusted networks
— Any network activity in Local networks
— Any network activity in Public networks

S
For the Trusted and Low Restricted reputations, all three rules use the Allow action by default, and for the High

DI
Restricted and Untrusted reputations, the Block action. Standard rules cannot be deleted or modified, except for
the Action attribute, which can be changed by the administrator.

RE
By default, if only reputations are configured in the policy, reputations have only these three rules. These rules
intercept any network activity, because any address belongs to either a trusted, or a local, or a public network. That
is why there is always a rule for any packet: a packet belongs to a process, the process has a reputation, and the
reputation has at least one rule for any remote address according to the network type.
OR

The administrator can add custom rules to the list of reputation or application rules. These rules have only the
following attributes:

Action Allow or Block

Protocol TCP, UDP, ICMP and ICMPv6
D

Direction Inbound, Outbound or Inbound/Outbound

E

Remote ports for TCP and UDP

PI

Local ports for TCP and UDP

ICMP type for ICMP and ICMPv6
ICMP code for ICMP and ICMPv6
CO

Remote addresses
Local addresses for TCP and UDP
Action Allow or Block
BE
TO
T
NO
 II–67
Unit II. Protection Management

ED
5.3 What Firewall does under default settings

UT
Default network packet rules

IB
S TR
DI
RE
OR

A standard policy does not contain rules for applications (except for the standard ones specified for the reputations).
D

That is why the ultimate network status and application reputations are defined locally in the Firewall.
E

Packet rules are inherited from the policy, and accordingly, packets are filtered as follows:
PI

1. The first three rules regulate the capability to send DNS requests (over TCP and UDP protocols, external
port 53) and email (over TCP protocol, external ports 25, 465, 143, and 993). The According to the
application rule action is selected in these rules, that is, programs from the Trusted and Low Restricted
CO

groups will be able to send DNS requests and email, while the others will not

2. Rule number 4 allows any network activity within trusted networks to all programs. So, in trusted networks,
any activity is allowed by default, except for DNS and email limitations for Untrusted and High
Restricted programs
BE

3. The fifth rule defines the order of packet processing in local networks. Such packets are processed
according to the application rules. The default application rules say that the programs from the Trusted and
Low Restricted groups have no limitations in local networks, while High restricted and Untrusted have
no access
TO

4. The rest of the rules effectively regulate program behavior in the Public networks, since all packets from
Trusted and Local networks are processed one way or another by the above rules. Rules 6-8 block remote
desktop connections to the computer from public networks, and also block connections to the local DCOM
service, NetBIOS packets, access to Windows shared folders, and access to Universal Plug & Play devices
T

5. Rules 9 and 10 allow inbound TCP and UDP streams only to the programs belonging to the Trusted and
Low Restricted groups. Considering the default application rules, this means that Trusted and Low
NO

restricted applications can receive incoming connections from Public networks, whereas High restricted
and Untrusted applications cannot.

6. Rules 11 to 15 block inbound diagnostic ICMP requests, while allowing ICMP packets to be sent to test
connection to remote computers
II–68 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
What it means for applications on the computer

UT
IB
S TR
DI
RE
Trusted and Low Restricted programs have full access to all networks. That is why the Firewall does not hamper
OR

well-known programs by default.

Untrusted and High restricted programs are allowed to access only trusted networks, and even there may not work
with email and DNS. However, there are no trusted networks in a policy by default, and Untrusted and High
restricted programs have no network access.
D

Thus Firewall prevents unknown malware from stealing passwords, downloading additional modules, receiving
E

commands from the control center and sending spam

PI

Additionally, the Firewall blocks access to the operating system services (shared folders, remote desktop, DCOM,
etc.) and blocks ICMP requests from public networks.
CO

What if the Firewall impedes an application

BE
TO
T
NO
 II–69
Unit II. Protection Management

ED
Most network applications are automatically included in either Trusted or Low Restricted groups, and are allowed
to exchange data over the network.

However, little-known open source programs or tailor-made software may receive the High Restricted reputation

UT
and will not be able to work with the network.

To grant access to the network to a program that has High Restricted reputation, use one of the following approaches:

IB
— Change the program reputation, add its executable file to the Low Restricted or Trusted reputation as
described in section 4.3

TR
— If the program’s files are signed with a certificate, use Host Intrusion Prevention settings to trust these files

— If files are not signed with a certificate, think about signing them with a self-signed certificate and use the
exclusion settings to trust this certificate

S
— Alternatively, configure packet rules to allow the program to use its addresses and ports. Packet rules are

DI
processed earlier than the rules for applications and reputations.

Move your rules to the top of packet rules list

RE
5.4 Why Network Threat Protection is necessary
OR

What Network Threat Protection does

E D
PI
CO
BE
TO
T

The purpose of the Network Threat Protection component is to block network attacks including port scanning,
denial-of-service attacks, buffer-overrun attacks and other remote malicious actions taken against the programs and
NO

services running on the computer.

Network Threat Protection uses signatures and blocks all connections that correspond to the descriptions of known
network attacks.
II–70 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
As we mentioned earlier, malware does not necessarily save executable code in the file system in order to infect
a computer. For example, malware using a buffer-overrun attack can modify a process already loaded in the memory
and thus execute the malicious code. The Network Threat Protection component is able to prevent infections from
spreading this way. That is why it must be enabled, and its settings must be locked.

UT
Network Threat Protection has a few configurable parameters. If the component is enabled, attacks are blocked
automatically.

IB
Additionally, Kaspersky Endpoint Security can block any further packets from the attacking computer for some time.
The Add the attacking computer to the list of blocked computers option regulates this behavior; by default, it is
enabled and blocks computers for 60 minutes. If necessary, a blocked computer can be unblocked manually, but

TR
only in the local interface of Kaspersky Endpoint Security.

Sometimes, Network Threat Protection considers numerous packets sent by surveillance cameras and other similar
devices to be an attack, and blocks the packets. To prevent this, add the devices’ addresses to exclusions. Network

S
Threat Protection will not analyze packets from trusted addresses.

DI
How to unblock a blocked computer

RE
OR
E D
PI
CO

When a client computer blocks another client computer because of a network attack, the administrator can see only
BE

an event informing of a network attack in the console. There is no list of blocked computers, or events informing
that a computer was blocked and later unblocked.

You can find the list of blocked computers in the local interface of Kaspersky Endpoint Security:
TO

1. In Kaspersky Endpoint Security window, click Protection components and select Network Monitor

2. In the Network Monitor window, open the Blocked computers tab

3. To unblock a computer, select it and click Unblock

T
NO
 II–71
Unit II. Protection Management

ED
UT
IB
S TR
DI
RE
To unblock a computer from the Administration Console, restart the Network Threat Protection component on the
computer that blocked an attack:

1. Find the event informing about the attack and check which computer sent the event (not which computer
attacked)
OR

2. Find this computer in the console and open its properties

3. Switch to the Tasks section and find the Network Threat Protection component
D

4. Stop the component and start it anew (use its shortcut menu or the buttons to the right of the list)
E
PI

5.5 Network Protection: Summary

CO
BE
TO
T
NO
II–72 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
At the network level, packets are scanned by the Firewall and Network Threat Protection components. Other
essential protection components (Web Threat Protection and Mail Threat Protection) scan data at the application
level.

UT
Firewall protects computer services in public networks, and also does not allow Untrusted and High Restricted
programs to use network. Thus it prevents unknown malware from connecting to its control center.

Network Threat Protection analyzes sequences of packets within allowed connections and blocks known types of

IB
attacks.

If these components impede a program:

TR
— Make the program trusted for Host Intrusion Prevention. The Firewall uses the same reputations as Host
Intrusion Prevention.
— Open ports and addresses with which the program works using simple packet rules

S
— Add the application’s address to exclusions of Network Threat Protection

DI
RE
OR
E D
PI
CO
BE
TO
T
NO
 II–73
Unit II. Protection Management

ED
UT
Chapter 6. How to protect a computer
outside the network

IB
TR
6.1 Which local networks to trust

S
DI
RE
OR
E D
PI
CO

The risk of computer infection is lower within a corporate network than outside. Thus, applying different settings to
the computers that are taken out of office seems reasonable.

Specifically, by default, the policy considers all networks that have addresses 10.0.0.0/8, 172.16.0.0/12 and
BE

192.168.0.0/16 to be local and permits access to shared folders, Windows services and RDP within them.

However, outside the corporate network, addresses 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 may belong to
hotels, bars, airports and other public places. It is dangerous to trust them similarly to local networks.
TO

Use a special out-of-office policy to change Kaspersky Endpoint Security settings when a computer is taken outside
the corporate network.
T
NO
II–74 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
6.2 How to create a policy for computers outside
the office

UT
IB
S TR
DI
RE
OR

Out-of-office is the third possible policy status, in addition to the Active and Inactive status.

An out-of-office policy may be created for any group. There can be only one out-of-office policy for each version of
Kaspersky Endpoint Security in a group. That policy is propagated in exactly the same manner as an active policy.
However, while an active policy is enforced immediately, a policy for out-of-office computers starts working only
D

when the computer meets the specified conditions (which will be described later).
E

If a child group has no out-of-office policy, it will use the out-of-office policy of its parent group. However, if
an out-of-office policy exists in both parent and child groups, they are not related in any way. Whichever settings
PI

are locked in the parent group policy, they do not restrict the policy of the out-of-office users within the child group.

In other words, individual settings of an out-of-office policy are not inherited, unlike those of an active policy,
CO

where the locked settings are inherited by the policies of child groups. Out-of-office policies are inherited only
completely by those subgroups where an out-of-office policy is not configured.

How to create a policy for computers outside the office

BE

To create an out-of-office policy:

1. Run the New Policy Wizard: select the Policies node or the Policies tab in the administration group and
TO

click the button Create a policy

2. Select the Kaspersky Endpoint Security for Windows application
3. Name the policy comprehensibly
4. Create a policy with the default settings
5. Accept the KSN agreement
T

6. Confirm the default exclusions

7. Select a group for the policy (if you are creating a policy in a group, this step will not be displayed)
NO

8. Select the policy status: Out-of-office policy

Note: The Out-of-office policy status only exists in the policies of Kaspersky Endpoint Security for Windows.
Policies of the Network Agent or, for example, Kaspersky Security for Windows Servers Enterprise Edition do not
have such an option.

To modify the status of a ready policy, open the General section in its properties.
 II–75
Unit II. Protection Management

ED
When computers switch to the out-of-office policy

UT
IB
S TR
DI
RE
By default, computers will never switch to the out-of-office policy. To make them switch to such a policy, specify
OR

conditions in the Network Agent policy using either of the following methods:

1. Select the check box Enable out-of-office mode when Administration Server is not available

A computer will switch to the out-of-office policy if it is not connected to any network, or if the Network
D

Agent cannot synchronize with the Administration Server three times in a row.

In practice, this happens when a computer is disconnected from the corporate network. By default, the
E

synchronization period is 15 minutes. Therefore, a client will switch to the out-of-office mode instantly
after disconnected from the network or in 30 to 45 minutes if the network has not been disconnected.
PI

2. Configure network locations for the <Offline mode> profile

CO

Configuring network locations is the best choice. They can describe more precisely when a computer is located in a
corporate network, and when it is not.

If there are many computers in the network and the Administration Server is overloaded, some of the computers
may fail to connect to the Server at every regular synchronization. It might happen that a computer fails to
BE

synchronize three times in a row and will switch to the out-of-office policy within the corporate network. Depending
on the out-of-office policy settings, such a computer can, for example, block access to its shared folders, which
would make quite a lot of trouble if it happens to a file server or a domain controller.

Certainly, if computers cannot synchronize with the Administration Server, it is an issue that must be solved 8.
TO

However, improperly configured conditions of switching to the out-of-office mode may aggravate the issue.
T
NO

8
Course KL 302 explains how to correctly scale Kaspersky Security Center to large networks.
II–76 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
How to set conditions for switching to the out-of-office
policy

UT
IB
S TR
DI
RE
OR

Instead of using the option Enable out-of-office mode when Administration Server is not available, configure
network locations that precisely describe when a computer is located within the corporate network, and when
outside.

Network Agents can use different connection profiles in different network locations. See course KL 302 for details.
D

To make computers switch to the out-of-office mode, configure network locations for the <Offline mode> profile.
E

The Network Agent policy provides various conditions to describe network locations. Many of them are simple and
clear, for example, subnet address or main gateway address. However, they may fail to unambiguously define the
PI

corporate network. Suppose, subnet 192.168.0.0/24 is used in the internal network. However, there can be the same
network in a hotel, bar or a free hotspot in the street. That is why the conditions by subnet, gateway or DNS server
address are insufficiently reliable.
CO

You had better use the condition Name resolvability and specify a name that can only be resolved on the internal
DNS server of the company. Configure computers to switch to the out-of-office mode when they cannot resolve this
name:
BE

1. In the Network Agent policy, in the Network \ Connection section, add a network location description:
click the Add button below the upper list

2. Name the network location comprehensibly, for example, “<an internal DNS name> unresolvable”
TO

3. In the Use connection profile drop-down list, select the <Offline mode> profile

4. Add a Name resolvability condition

5. Add a name that can only be resolved in the internal network to the list
T

6. For Condition is true if parameter, select Does not match any of the values in the list. This means that
NO

the condition is met if the specified name cannot be resolved

7. Save the condition, select the check box Description enabled, save the description, and save the policy
 II–77
Unit II. Protection Management

ED
6.3 Which settings computers should use outside
the office

UT
IB
S TR
DI
RE
OR

The default policy assumes that 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8 are local networks, which need fewer
restrictions. This may not be a safe assumption out of office. These can be networks in hotels, bars or other public
places which cannot be trusted. Make these networks public in the out-of-office policy. Alternatively, if you trust the
D

users, delete all networks from the policy: Firewall will check the statuses of networks in the operating system,
which are specified by the user.
E
PI
CO
BE
TO
T
NO

A policy for out-of-office computers must take into account the fact that while the host is outside the corporate
network, it is the user who manages Kaspersky Endpoint Security. Consequently, the policy must allow the user
access to the information about the protection status and to the product management tools. The user should at least
be allowed to scan suspicious files/drives and start updates. For this purpose, allow the user to manage group or
local tasks, or both. The corresponding settings are located in the policy section Local tasks.
II–78 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
To help the users make rational decisions about protection, it is necessary to provide them with more information
about incidents. The user should be warned about detected threats, the need for advanced disinfection and about
outdated databases:

UT
— Open the list of local Kaspersky Endpoint Security events in the policy section General Settings |
Interface (the Settings button in the Notifications area)

— Select all events that are important for the user in the Notify on screen column

IB
Make Kaspersky Endpoint Security warn the user about the issues that it experiences with a yellow triangle on the
application icon in the notification area. Select about which issues to inform the user in the Interface section of the

TR
policy, Warnings area.

S
6.4 Out-of-office policies: Summary

DI
RE
OR
E D
PI
CO

When the users work outside the corporate network, they need other settings for Kaspersky Endpoint Security.
Kaspersky Security Center has out-of-office policies for this purpose.
BE

By default, out-of-office policies are not used. To make them used, configure conditions in the Network Agent
policy. Configure network locations for the <Offline mode> profile. In the network location descriptions, specify
the conditions that reliably describe when a computer is located within the corporate network, and when outside.
Use the Name resolvability and Availability of SSL connection address conditions.
TO

In the out-of-office policy, strengthen the protection settings:

— Configure the Firewall not to trust networks 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/12
T

Give the users more information and more control over Kaspersky Endpoint Security:
NO

— Inform about threats on the computer screen

— Signal about issues on the icon in the notification area
— Allow the user to start and stop tasks
 II–79
Unit II. Protection Management

ED
UT
Chapter 7. What else is there in protection and
why?

IB
TR
7.1 What Self-Defense does and why it is necessary

S
DI
What Self-Defense does

RE
OR
E D
PI
CO
BE
TO
T
NO
II–80 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
A self-defense technology is implemented within Kaspersky Endpoint Security, which prevents unauthorized
product disabling and other attempts to hamper its operation. Self-defense is configured using two options in
General Settings \ Application Settings:

UT
— The Enable Self-Defense parameter is responsible for protecting the Kaspersky Endpoint Security
processes in the computer system memory, its files on the hard drive and its registry keys

— The Disable external management of the system services option does not permit stopping Kaspersky

IB
Endpoint Security services unless the command is carried out via the product interface

If self-defense is disabled, the computer protection level decreases. By default, both parameters are enabled and

TR
locked. It makes sense to disable self-defense only if compatibility problems arise (for example, with remote
management utilities, though there are better ways for handling those) or for troubleshooting.

How to manage KES over Remote Desktop

S
DI
RE
OR
E D
PI
CO

To prevent malware from disabling protection by simulating the user’s commands in the product window, self-
defense accepts mouse and keyboard events only directly from a device rather than from other processes by default.
Therefore, when the administrator tries to manage Kaspersky Endpoint Security via a remote access program, such
as UltraVNC or TeamViewer, self-defense does not permit clicking anything in the Kaspersky Endpoint
BE

Security window.

If you need to manage Kaspersky Endpoint Security via a remote access program, and self-defense will not allow
this, configure an exclusion. Add the executable file of your remote access tool to the list of trusted applications.
TO

The process that the administrator starts on his or her computer is not necessarily the same as the process on the
remote computer that accepts the connection and provides access to the desktop. Add the process that runs on the
remote computer

In the properties of the trusted program, select the check box Do not block interaction with the application
T

interface. Clear the other check boxes. Do not allow programs more than they need for their work.
NO
 II–81
Unit II. Protection Management

ED
7.2 How to protect Kaspersky Endpoint Security
from the user

UT
IB
How the user can stop protection

S TR
DI
RE
OR
D

The default settings provide the users with at least two methods to disable the protection.
E

— Close Kaspersky Endpoint Security (click Exit on the shortcut menu of the product icon in the notification
PI

area.) This action doesn’t even ask for elevated permissions, any user can do this.

— Uninstall Kaspersky Endpoint Security, which requires administrative permissions. However, some users
CO

may have them, especially on laptops.

To prevent the users from weakening or stopping Kaspersky Endpoint Security, configure password protection for
the mentioned actions in the policy and make these settings required (close the lock). Though a user with
administrator rights has enough power to disrupt the operation of Kaspersky Endpoint Security one way or another,
the most direct attempts of doing so will be blocked by Kaspersky Endpoint Security self-defense, which doesn’t
BE

allow deleting or modifying Kaspersky Endpoint Security files and registry entries, protects its service and processes
in the memory. Together, password protection and self-defense are mostly able to prevent any damage a user might
try to inflict on Kaspersky Endpoint Security. However, self-defense is enabled by default, whereas password
protection is not.
TO

Another (a less evident) way of disabling the protection is to uninstall the Network Agent. Some 10 to 20 minutes
after the Network Agent is removed, Kaspersky Endpoint Security will no longer be controlled by the policy and
the user will be able to change any setting. There is password protection for the Network Agents too, and it is not
enabled by default either.
T
NO
II–82 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
How to enable password protection

UT
IB
S TR
DI
RE
Password protection can be enabled for most of the user actions that affect Kaspersky Endpoint Security: editing its
OR

settings, exiting, and uninstalling.

To enable password protection for Kaspersky Endpoint Security:

1. Open the policy, go to General Settings \ Interface and click the Settings button in the Password
D

protection area

2. Select the check box Enable password protection

E
PI

3. Set a username and password

4. Select which operations will prompt the user for password:

CO

— Configure application settings—protects against any attempts to modify Kaspersky Endpoint

Security settings, including the options that enable and disable the components (e.g. File Threat
Protection); but the user will still be able to stop a component via its shortcut menu

— Exit the application—protects the Exit command on the shortcut menu of the product's icon.
BE

Meanwhile, self-defense of Kaspersky Endpoint Security will prevent attempts to terminate its
processes or files

— Disable protection components—the user can start protection components and local tasks (if they are
displayed); the password window appears only if the user attempts to stop them. The update tasks lack
TO

this protection

— Disable control components—the password is necessary to disable the Device Control, Application
Control, or Web Control
T

— Disable Kaspersky Security Center policy—adds the option to temporarily disable the policy via
the shortcut menu of Kaspersky Endpoint Security icon after entering the password.
NO

This capability is useful for local troubleshooting. When a policy is active, the administrator can’t
change Kaspersky Endpoint Security parameters to see which component or which particular setting is
causing troubles for the user. Moving a problem computer to a special group for diagnostics and then
returning it back after the problem is solved is an awkward solution, especially if different IT units are
responsible for centralized protection management and local diagnostics. The capability to temporarily
 II–83
Unit II. Protection Management

ED
disable a policy using a special password on a computer helps to carry out diagnostics without
changing the settings on the Administration Server.

— Remove key—the user cannot stop protection by deleting the key unless the password is entered

UT
— Remove/Modify/Restore the application—the password prompt is added to the uninstall wizard of
Kaspersky Endpoint Security

IB
— Restore access to data on encrypted drives—prevents the user from starting the data recovery tool. It
is the administrator’s job to recover data, not user’s

TR
— View reports—prompt for the password prior to showing events in the local interface of Kaspersky
Endpoint Security

The password protects both graphic interface of Kaspersky Endpoint Security and the command line interface.

S
DI
The advantage of password protection is that it remains active even when the policy is disabled. Once the password
protection settings are applied to Kaspersky Endpoint Security, the users will be unable to manage the product
without a valid password even if the administrator disables the policy.

Configuring password protection for Network Agent RE

The Network Agent is less likely to be noticed by the local user than Kaspersky Endpoint Security. The list of
OR

installed programs is one of the few places where it can be found. “Kaspersky” in the product name may be
sufficient for some users to attempt uninstalling the Network Agent. If a user has administrator privileges,
the attempt will succeed.

To protect the Network Agent, set an uninstallation password in its policy. The Quick Start wizard creates the
D

Network Agent policy automatically in the Managed computers node.

E

The password for Network Agent uninstallation is to be set in the Settings section. By default, it is not specified.
Enable the Use uninstall password option, click the Modify button to enter the password and don’t forget to lock
PI

this group of settings. It’s not locked by default and setting the password while leaving the option ‘unlocked’ has
zero effect on the local Network Agent settings.
CO

Once the policy is applied, the password prompt is added to the Network Agent uninstallation wizard. An attempt to
uninstall the Network Agent using the command line without the password will also fail.
BE
TO
T
NO
II–84 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
7.3 Which other protection settings are available

UT
IB
S TR
DI
RE
OR

Kaspersky Endpoint Security policy has more settings than we have described in this chapter.

Actions
D

For most of the protection components, you can select what to do with malicious files and other threats.
E

By default, all components try to disinfect malicious files, and if disinfection fails or is impossible, delete them. The
PI

administrator can select to delete all malicious files immediately, or only block them rather than delete. Blocking
instead of deleting makes sense only if you are testing something. On the protected computers, use the action that
deletes malicious files. We recommend that you leave the default action.
CO

Prior to disinfecting or deleting a file, Kaspersky Endpoint Security copies it to the Backup. It is a special folder on
the computer, where to Kaspersky Endpoint Security stores encrypted copies of malware. If Kaspersky Endpoint
Security deletes a file mistakenly, the administrator will be able to restore it from the Backup after configuring an
exclusion.
BE

Other settings
TO

The settings that we have not mentioned usually should not be changed. They are described in the help system of
Kaspersky Endpoint Security.
T
NO
 II–85
Unit II. Protection Management

ED
The following table briefly describes some of the settings:

General Settings | Exclusions | Objects for detection | Settings

UT
Viruses and worms (cannot be Do not change these settings.
disabled) All these objects at least hamper the user, and may cause significant harm if worst
Trojans (cannot be disabled) comes to worst.
Malicious tools (enabled) If the administrators use testing utilities that the antivirus considers to be malicious,

IB
Adware (enabled) configure exclusions for them instead of disabling detection of the whole category of
Auto-dialers (enabled) objects.
Other (disabled) The Other category includes remote management utilities, such as RAdmin,
Packed files that may cause harm

TR
UltraVNC, DameWare, etc. Criminals may use these legitimate tools for unauthorized
(enabled) access to computers. However, administrators and users may need them for their
Multi-packed files (enabled) work. Configure as necessary.

<Component name> | Action on threat detection

S
Disinfect Do not modify the action settings. Let the components delete all malicious objects.

DI
Delete if disinfection fails If false positives occur, configure exclusions. Restore erroneously deleted files from
the Backup repository after configuring an exclusion.

Local tasks | Removable drives scan

Action when a removable drive is
connected: (by default) Do not scan
Maximum removable drive size: (by
RE
Change the action to Quick Scan or Detailed scan.
Although File Threat Protection scans everything the user starts or copies from a
removable drive, it is not recommended to leave passive malicious files on removable
default) 4096 MB drives. The user may, for example, take this drive to a customer and accidentally
OR

infect a computer.
To save employees’ time and prevent Kaspersky Endpoint Security from scanning
large drives, limit the maximum size of the drive to be scanned, for example, to 32
MB.

Local tasks | Task management | Allow use of local tasks

D

(By default) Is disabled Do not enable. Local tasks are difficult to manage with the Administration Server and
they confuse the administrator.
E

If you need to enable the users to start updates or stop virus scanning, you had better
select the check box Allow group tasks to be displayed in this list.
PI

General Settings | Application Settings | Performance | Postpone scheduled tasks while running on battery
power
CO

(By default) Is enabled Lots of contemporary laptops boast 10-plus hours battery life. It may be dangerous to
postpone virus scanning, let alone updates, until the user plugs the notebook in.
Disable this option for such computers.
At the same time, old laptops may have short battery life; this parameter was designed
for them. Place old and modern notebooks into different groups and specify proper
BE

settings for them via dedicated policies.

General Settings | Application Settings | Performance | Concede resources to other applications

(By default) Is enabled Do not disable.
TO

General Settings | Reports and Storage | Reports

Store reports no longer than: (by For most companies, event history of 30 days is enough.
default) 30 days If you need to store events longer, increase the storage time and maximum file size.
Maximum file size: (by default) 1024 Think about sending events to a SIEM system (see course KL 009).
MB
T

General Settings | Reports and Storage | Backup

NO

Store objects no longer than: (by If you suspect a file to be malicious, but Kaspersky Endpoint Security does not react
default) 30 days to it, receive its reputation from KSN in real time or send the file to technical support
Maximum storage size: (by default) is via the companyaccount.kaspersky.com portal.
not specified
II–86 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
General Settings | Reports and Storage | Data transfer to Administration Server
About files in Backup Enable the first two lists: they inform about threats and false positives.

UT
About unprocessed files Send the lists of devices and encryption errors only if you use Device Control and
About installed devices Encryption.
About started applications We recommend that you send the list of started applications only from individual
About file encryption errors computers, do not enable it for the whole network.

IB
General Settings | Interface | Notifications | Settings | <Event>
Save in local log Store all events in the local log.
Save in Windows Event Log In Windows log, store at least functional failure events to be able to view them if

TR
Notify on screen Kaspersky Endpoint Security does not work.
Notify by email Notify on screen only about control events. The less messages by Kaspersky Endpoint
Security the user sees, the better.
Do not configure email notifications here. To receive email notifications, enable them

S
in the section Event notification (the second section in the policy).

General Settings | Interface | Interaction with user

DI
Display program interface: is enabled Turn off Display application interface if users complain that Kaspersky Endpoint
by default Security hampers them

RE
Simplified program interface: Is If the corporate policy prohibits completely hiding software interface from the users,
disabled by default enable Simplified application interface: The users will see the Kaspersky Endpoint
Security icon in the notification area, but will not be able to open its window or
understand which components and tasks are running

General Settings | Interface | Warnings

OR

Unprocessed files Disable on the network computers. It is the administrator who needs to be informed
Computer restart required about issues rather than the user, and they are to be displayed in the Administration
Problems with signature databases Console rather than in the local interface.
Problems with protection level Enable in an out-of-office policy to permit the users take care of protection on
Problems with license notebooks.
D

Updates available
E

Computer protection: Summary

PI
CO
BE
TO
T
NO

All protection components in Kaspersky Endpoint Security either detect and block threats, or reduce the attack
surface, meaning, prevent the user and applications from taking actions that are potentially dangerous to the
computer.
 II–87
Unit II. Protection Management

ED
Therefore, do not disable the protection components. Instead, create exclusions for those programs that are slowed
down by the antivirus.

Configure regular virus scanning. First, it detects passive threats. Second, it updates the cache of scanned files, after

UT
which File Threat Protection and other components work faster.

All components do well with the default settings. Usually, these settings can hardly be improved, and should not be
changed. However, to better counter ransomware, you can configure Host Intrusion Prevention to guard your

IB
documents.

The default settings can be improved for notebooks, which are taken outside the corporate network. Create an out-

TR
of-office policy for them.

Finally, protect not only computers from malware, but also Kaspersky Endpoint Security from the user. Configure
password protection for Kaspersky Endpoint Security and Network Agent.

S
DI
RE
OR
E D
PI
CO
BE
TO
T
NO
II–88 KASPERSKY LAB™
KL 002.11 Kaspersky Endpoint Security and Management. Fundamentals

ED
UT
IB
S TR
DI
RE
OR
DE
PI
CO
BE
TO
T
NO
 III-1
Unit III. Security Controls

ED
UT
IB
Unit III. Security Controls

TR
Chapter 1. Overview ....................................................................................................... 3

S
1.1 Purpose of the control components ......................................................................................................................... 3

DI
1.2 Licenses and installation types ................................................................................................................................ 4
1.3 Installing the control components ........................................................................................................................... 5

RE
Chapter 2. Application Control ....................................................................................... 7
2.1 How Application Control works ............................................................................................................................. 7
Operation principles .............................................................................................................................................. 7
How to configure Application Control ................................................................................................................... 8
OR

2.2 How to configure application categories ................................................................................................................ 9

A category that is created and updated manually ................................................................................................ 10
Category based on a reference computer ............................................................................................................ 18
Automatically filled folder-based category .......................................................................................................... 20
D

What you can do with programs and categories after the initial configuration................................................... 21
2.3 How to create control rules ................................................................................................................................... 27
E

Two control modes ............................................................................................................................................... 27

PI

Application Control rules ..................................................................................................................................... 28

2.4 How it will work ................................................................................................................................................... 30
CO

How to find out what a particular user is prohibited from .................................................................................. 30

Local notifications and complaints ...................................................................................................................... 30
User requests selection ........................................................................................................................................ 31
Events ................................................................................................................................................................... 32
Report on blocked runs ........................................................................................................................................ 33
BE

2.5 Default deny mode ................................................................................................................................................ 34

Chapter 3. Device Control ............................................................................................ 36

3.1 What can be blocked and how .............................................................................................................................. 38
TO

Additional options ................................................................................................................................................ 39

USB flash drive access log ................................................................................................................................... 41
How to specify trusted Wi-Fi networks ................................................................................................................ 41
What Anti-Bridging does ...................................................................................................................................... 42
T

3.2 How to specify a trusted device ............................................................................................................................ 43

3.3 How to configure interaction with users ............................................................................................................... 46
NO

3.4 How to configure temporary access ...................................................................................................................... 47

How can the user send a request to get access to a blocked device? ................................................................... 48
How to create activation code.............................................................................................................................. 48
How to activate temporary access ....................................................................................................................... 49
3.5 Monitoring Device Control ................................................................................................................................... 50
III-2 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

Chapter 4. Web Control ................................................................................................ 52

ED
4.1 Blocking criteria ................................................................................................................................................... 53
4.2 Configuring exclusions and trusted servers .......................................................................................................... 56
4.3 Diagnostics and testing ......................................................................................................................................... 57

UT
4.4 Configuring interaction with users ........................................................................................................................ 57
4.5 Web Control statistics ........................................................................................................................................... 60
4.6 Web control report ................................................................................................................................................ 61

IB
S TR
DI
RE
OR
E D
PI
CO
BE
TO
T
NO
 III-3
Unit III. Security Controls

ED
Chapter 1. Overview

UT
IB
1.1 Purpose of the control components

S TR
DI
RE
OR
E D
PI

In addition to anti-malware protection, Kaspersky Endpoint Security 11 contains control components that restrict
actions harmful to the computers or the company in general.
CO

— Application Control monitors users’ attempts to start programs and regulates software start through the
rules configured by the administrator. You can also control DLL and drivers.

— Device Control brings the use of various devices to conformity with the company policy. The Anti-
Bridging component prohibits unauthorized network connections.
BE

— Web Control limits access to websites depending on their content; you can also block addresses by masks.
TO
T
NO
III-4 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

1.2 Licenses and installation types

ED
UT
IB
S TR
DI
RE
There are five functional areas in Kaspersky Security Center 10:
OR

— Protection from threats

— Control components
— Encryption
— Systems management
D

— Mobile device management

E

The control components require KESB Select license and are automatically installed if the Standard installation
type is selected.
PI
CO
BE
TO
T
NO
 III-5
Unit III. Security Controls

1.3 Installing the control components

ED
UT
IB
S TR
DI
RE
To install the control components on the computers, Standard installation or Custom installation type must be
OR

selected in the properties of the Kaspersky Endpoint Security 11 installation package that will be used for
deployment.
E D
PI
CO
BE
TO

If only Basic components are installed on the computers, the administrator can upgrade the installation type to
Standard.
T

Using the Change application components task of Kaspersky Endpoint Security 11. This task is designed
especially for uninstalling or adding Kaspersky Endpoint Security components without reinstalling the product.
NO

The task creates little traffic, as it reuses the .msi package of Kaspersky Endpoint Security, which was saved on
the client computer during the initial installation.

In the task properties, you can select either the installation type or the components that you need to be installed, just
like in an installation package. However, you cannot select individual components while creating the task in
the wizard. To specify the necessary components, complete the task creation wizard and then open the task
properties: the choice of components is not limited there.
III-6 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
UT
IB
S TR
DI
RE
OR
ED
PI
CO
BE
TO
T
NO
 III-7
Unit III. Security Controls

ED
Chapter 2. Application Control

UT
IB
Application Control helps to implement the corporate security policy, in particular, restrict software start on
the endpoints. At the same time, Application Control reduces the computer infection risk by decreasing the attack
surface.

TR
2.1 How Application Control works

S
DI
Operation principles
RE
OR
E D
PI
CO
BE

Application Control allows the administrator to restrict the program start on the client computers. Software start
permissions are specified in special rules.

When a program starts, Application Control checks:

TO

— The category the program belongs to (the categories are configured by the administrator)
— The account under which the program was started
— Whether the Kaspersky Endpoint Security policy contains any rules that regulate the start of this program
category for this account
T

Application Control can operate in either of the two modes:

NO

— Black list: everything is allowed by default. Only the programs that belong to categories that the
administrator prohibited in the Kaspersky Endpoint Security policy are blocked. Meaning, if there is no
matching block rule, the program will be permitted to start

— White list: everything is blocked by default. Only the programs that belong to categories that the
administrator allowed in the Kaspersky Endpoint Security policy are permitted to start. If there is no
matching allow rule, the program will be blocked
III-8 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

The white list mode is used in the default deny approach. It is described in the respective section of this

ED
chapter, and much more detail is available in a dedicated training course KL 032 Default Deny.

How to configure Application Control

UT
IB
S TR
DI
RE
OR

In two stages:

1. Create application categories

D

1.1. Make up the list of categories. For example, Web browsers, Games, Third-party messengers, Allowed
programs, etc.
E

1.2. Add all programs that we want to control to these categories. How to do it is described in the next
PI

section.

Categories are configured for the whole Administration Server at once: In the container Advanced /
CO

Application management / Application categories

2. Make up the list of rules: In the Kaspersky Endpoint Security policy, you can specify what Kaspersky
Endpoint Security is to do with the applications that belong to each application category: allow, block, or
just notify Kaspersky Security Center about each start.
BE

Note: categories are specified for the whole server, while different rules may be configured for different computer
groups. For example, Skype can be prohibited for everybody except individual users; additionally, marketers can be
allowed to use it, but every time when they start it, the administrator will receive the respective notification.
TO
T
NO
 III-9
Unit III. Security Controls

2.2 How to configure application categories

ED
UT
IB
S TR
DI
RE
An application category is a list of conditions and exclusions that allows identifying a program or a group of
OR

programs. The list is displayed in the Advanced, Application management, Application categories container and
is empty by default. New categories are created using a special wizard. There are three types of categories:

— Filled manually—their conditions are added and changed only manually. For example, all programs that
have “zombies” in their names, or all programs signed with the specified certificate;
D

— Filled automatically from a folder—the administrator selects a directory, which is scanned for the
E

following files: EXE, COM, DLL, SYS, BAT, PS1, CMD, JS, VBS, REG, MSI, MSC, CPL, HTML, HTM,
DRV, OCX, SCR. The Administration Server will also check the contents of this directory on schedule,
PI

calculate checksums of executable files (SHA256 and/or MD5), and update the list of the category criteria.
A network folder whereto all prohibited or allowed programs are copied may come in handy;
CO

— Filled automatically from the selected devices—the administrator selects one or several managed
computers, and the Administration Server automatically includes executable files found on the computers
into the category. Meaning, you can specify a reference computer.
BE
TO
T
NO
III-10 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
UT
IB
S TR
DI
Categories are created on the Kaspersky Security Center Administration Server and are transferred to client

RE
computers similarly to policies and tasks. The chart visualizes the process of distributing categories to devices.
Advanced / Application management / Application categories.

You can send the complete list and contents of categories every time, or only the changes. This is configured in
the Administration Server properties, in the Application categories section.
OR

This transfer option appeared in Kaspersky Security Center 10 SP2 MR1 and Kaspersky Endpoint Security 10 SP2;
in earlier versions, the full set of categories is always transferred, even if changes are few and minor. That is why
everything is transferred by default; otherwise, if there are older clients in the network, they will not be able to
receive changes only, and will receive nothing.
D

A category that is created and updated manually

E
PI

For a manually filled category, conditions for the programs are specified in the list; each condition can contain
several parameters. If a program matches at least one condition, it is included in the category. Conditions can be set
CO

by various methods, but all of them can be boiled down to the following general types:
BE
TO
T
NO

— Checksum—the checksum returned by SHA-256 function that allows unambiguous identification of

the file (the checksums of different files are different)
 III-11
Unit III. Security Controls

ED
Note: in Kaspersky Endpoint Security version 10 SP1 MR3 and earlier, MD5 checksum was used for file
identification in Application Control instead of SHA-256. Starting with Kaspersky Endpoint Security 10
SP2, only SHA-256 is used.
If there are various KES versions in the network, select the corresponding check box in the category

UT
properties, for example, collect not only SHA-256, but also MD5. Then the same category will be usable
for policies configured for different KES versions.
On the other hand, if application categories become too large as a result, you can create different categories
for different versions of KES.

IB
— Certificate—this function is available since Kaspersky Endpoint Security 10 SP2. You can specify a folder

TR
on a client device that contains executable files signed by certificates. Certificates of executable files will
be added to the category conditions. You can also add certificates from a certificate store.

— Metadata—file name, its version, name of the program and manufacturer. The version does not have to be

S
specified exactly. You can select all files older or younger than the specified version. Various file
characteristics constitute a single condition, rather than several individual conditions. When specifying

DI
metadata, you can allow only files signed with a valid certificate, or those for which KSN returns the
Trusted verdict

— Application folder—all programs from the specified directory will be added to the category

RE
— Drive type—a special parameter that allows the administrator to create a separate category for the files
started from a removable drive

— KL category—Kaspersky Lab experts group white lists into categories according to programs’ purpose.
OR

The category catalog helps to categorize an application or an individual file. In most cases, KES defines the
category locally using the update databases, which include the classification algorithm, or requests the
verdict from Kaspersky Security Network.
D

From applications registry

E
PI
CO
BE
TO
T

The Applications registry node contains programs installed on computers and displayed in their Programs and
NO

Features. Network Agents gather names and attributes of these programs and transfer them to the Administration
Server. The gathered information about the installed programs does not contain data about the program executable
files, but it is the data about executables that is necessary to create a condition. That is why the Administration
Server compares data about installed programs and data about executable files detected on the computers, and after
that creates a condition based on the hash sum of the program executables.
III-12 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

To add a program from the Applications registry container to a category, click the button Add / From file

ED
properties; in the window that opens, click the arrow next to the button Get data, and select From applications
registry.

It might happen that a program is considered to be installed by mistake, or a program is installed but started

UT
extremely rarely and the data about its executable file is missing on the Administration Server.

In this case, a condition for this program may fail to be created. On the other hand, if a program has several
executable files, the applications registry simplifies rule creation. The Administration Server automatically adds

IB
conditions for all executable files associated with the program.

If a program is installed but its executable files haven’t been reported to the Administration Server yet,

TR
the administrator may consider running an Inventory task to speed up the process.

We will describe inventory tasks in detail later.

S
From the executable files list

DI
RE
OR
E D
PI
CO

The administrator can create a condition based on individual files. The files can be selected using several methods:

 From the executable files list—the list of executable files that have ever been started on the client
computers or detected by an Inventory task. This list of files is displayed in the Advanced | Application
BE

management | Executable files container

 From file properties—you can add certificate data or a checksum or metadata of a local or network file to
the condition list
TO
T
NO
 III-13
Unit III. Security Controls

ED
UT
IB
S TR
DI
When selecting a file on the drive, the administrator can specify a simple SHA-256 (MD5) condition for it, or
a more flexible condition based on the attributes.
RE
A hash sum unambiguously identifies a file. This condition should be used when exact coincidence is important. For
example, hash sums are used in automatically filled categories described earlier, because it is important to allow
starting the exact file versions installed on the reference computer or included in an approved distribution. Any
OR

changes made to the file by malware or malevolent users will result in changing the hash sum and blocking the file
start.

Hash sums are also convenient if you need to prohibit renamed files from starting. Renaming does not influence
the hash sum and the blocking rule will still work.
D

At the same time, you may need to include several application versions in a category. In this case you should create
E

a condition based on file attributes, such as name, manufacturer name, and version number. The version number
may not only coincide with the specified value, but also be more or less than the specified value, or start from it,
PI

etc.; so you will be able to block old program versions or recent releases that have not been approved yet.

Metadata-based conditions implicitly rely on digital signatures. When Kaspersky Endpoint Security checks file
CO

metadata to determine if the condition applies, it ignores files without digital signatures (certificates). Unsigned files
will never match a metadata-based condition. This applies to many open-source and freeware tools. You may create
a condition based on the file name and then be surprised that a file with a matching name is not treated as expected.
Most probably, this means that the file has no digital signature.
In general, you should use metadata-based conditions for commercial software that is likely to be digitally signed by
BE

the vendor’s certificate. To control open-source and freeware programs, use other condition types.
TO
T
NO
III-14 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

How to add all files from a folder to a category at once

ED
UT
IB
S TR
DI
RE
You can select not only a file, but also a whole folder. If a file or several files are located within an MSI package,
you can specify this MSI package. The wizard will scan the specified folder or package for executable files and
create a condition for each of them. The condition can be created based on the hash sum or on the attributes.
OR

These capabilities are similar to creating an automatic category based on folder; but in an automatically filled
category, the Administration Server monitors the changes within the folder and updates the condition
correspondingly. An automatically filled category cannot have conditions other than those retrieved from the files
located in the folder.
D

Use metadata or checksum of files in an MSI

E
PI
CO
BE
TO
T
NO

If a folder or an MSI package is specified when creating a condition manually, the selected folder or package will be
scanned once when creating the category, and later will not be rescanned. The administrator can add any other
condition to such a category.
 III-15
Unit III. Security Controls

Use KL categories

ED
UT
IB
S TR
DI
RE
The described conditions enable the administrator to allow or prohibit known programs—programs whose hash
sum, or attributes, or location on the drive, etc. are known or can be found out.
OR

In practice, it is often necessary to prohibit unknown programs, for example, all games, or all browsers except for
one, etc. This task is not easy to solve using the described tools.

The solution is to use KL categories. These categories define program class or type: email programs, web browsers,
development tools, electronic payment systems, etc. ‘KL category’ means that the programs are categorized by
D

Kaspersky Lab experts.

E

The program categorization information is a part of the downloadable databases. That is why the Download
updates to the repository task must run at least once before you can create conditions based on KL categories.
PI

Programs started on each computer are independently scanned for correspondence to the conditions, and if different
database versions are used on different computers, application control rules can work to different effects. Also, if
CO

the use of KSN is enabled on a computer, it will try to receive the latest data about KL categories in real time.

Kaspersky Lab experts, certainly, cannot process and categorize all executable files that exist in the world. All
uncategorized files are automatically associated with the Other Software KL category.
BE
TO
T
NO
III-16 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

Specify the path to the files explicitly

ED
UT
IB
S TR
DI
RE
So far, all conditions checked the hash sum or attributes of the files. These conditions were independent of the file
location. Copying or moving the executable file would not influence the file start regulations based on
these conditions.
OR

The following two types of conditions consider only the file location:

— Application folder—defines the local path to the file. The administrator can, for example, prohibit starting
executable files from the desktop or from the whole user’s home directory.
D

Alternatively, the administrator can permit starting executable files from the system folders: C:\Windows,
E

C:\Program Files and prohibit from all other computer locations.

PI

The condition is recursive, meaning, it works for the files in subfolders of the specified folder.

— Device type—can have only one value: Removable device. Essentially, its purpose is to enable
CO

the administrator to prohibit starting programs from removable drives.

Specify certificates
BE
TO
T
NO
 III-17
Unit III. Security Controls

A more reliable method than using file path, but less reliable than SHA-256, is selecting files by certificates. You

ED
can select from among the certificates on the Administration Server.

UT
IB
S TR
DI
How to specify exclusions from a category
RE
OR
E D
PI
CO
BE

If you need to prohibit all programs that match the specified conditions except for one, add an exclusion to
the category. Exclusions can use the same types of conditions. The programs that meet at least one exclusion
TO

condition will be excluded from the category.

T
NO
III-18 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

Category based on a reference computer

ED
UT
IB
S TR
DI
RE
In addition to the repository of allowed program distributions, there may be a reference computer in the organization
where all the programs used in the company are installed. Such a reference computer is usually necessary for
OR

creating images to be deployed on new computers. As a result of such a deployment, the operating system and all
programs necessary for work are installed on the computer, and the whole process takes much less time than
installing everything from distributions. The administrator periodically upgrades programs on the reference
computer and updates the image accordingly.
E D
PI
CO
BE
TO

With this approach, it is logical to automatically make all programs installed on the reference computer allowed. For
this purpose, you need to scan the computer, add all programs to a category, and then create an allow rule for it in
T

the policy. This is what a category automatically filled with files from selected computers is designed for.
NO
 III-19
Unit III. Security Controls

ED
UT
IB
S TR
DI
Sometimes it is necessary to split the files found on the reference computer into a few categories. For example,

RE
separate Windows files from Program files. In this case, you can configure a filter based on the folder where a file is
located. The category will include only the files that are located in the specified folder of the reference computer.

Unlike folder-based categories, where the changes are monitored by the Administration Server itself, with
a computer-based category, the Administration Server relies on the detection of executable files by Kaspersky
OR

Endpoint Security. That means that a reference computer must be equipped with Kaspersky Endpoint Security for
file detection and with Kaspersky Network Agent for sending the data to the Administration Server. There will be
more details on how this works later in this chapter.

The administrator can specify the scanning interval, the same way as within a category filled from a folder.
D

The detected files will be added to the category and will later be identifiable by SHA-256 (for the latest versions of
E

KES) or MD5 sums (for Kaspersky Endpoint Security 10 SP1 MR3 and earlier)—depending on the KES version
installed on the reference computer.
PI

Note: unlike for a folder-based category, here you must select either SHA-256 or MD5 (depending on the KES
version installed on the reference computer). Which means that if Kaspersky Endpoint Security of different versions
CO

is installed in the network, you need to use two reference computers for a category
BE
TO
T
NO
III-20 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

Automatically filled folder-based category

ED
UT
IB
S TR
DI
RE
The contents of an automatically filled category are updated when the source folder contents change (executable
files are deleted or added). Also, you can make a category update to schedule.
OR

If the specified folder contains archives or installation packages (for example, .msi), the Administration Server will
automatically unpack them (into a temporary folder) and include in the category data about the executable files
within the archive or package. So, if you place program distribution into the folder, the category will include not
only the installation file, but also program files.
D

This method of creating a category is useful if the company has a repository of program distributions to be installed
on the corporate computers. Start of these programs must be allowed. The administrator may occasionally add
E

programs to the list or replace them with newer versions.

PI

To avoid manual updating of the category rules for the allowed distributions, place them into a folder and make
the Administration Server automatically monitor the changes and add parameters of the detected files to
the dedicated category. Afterwards, the administrator will only have to create one allowing rule for this category in
CO

the policy to allow start of all the used programs.

BE
TO
T
NO
 III-21
Unit III. Security Controls

You can also select to Include dynamic-link libraries (DLL) in this category. If this check box is selected,

ED
Kaspersky Security Center will calculate checksums of .dll files and add them to the category along with executable
files.

It makes sense to care about .dll files because Windows allows starting processes from them through

UT
the rundll32.exe utility. Generally, some of the processes started from library files may be allowed, while others
blocked.

In this regard .dll files are similar to script files (.js or .vbs), which are not executable, but are started via

IB
the cscript.exe (or wscript.exe) utility, and can also be allowed or blocked.

To include scripts into a category, select the check box Include script data in this category.

TR
Similar to other category types, you can use hash sums. If various KES versions are installed in the network, 10 SP2
and older, you can select both check boxes. Then the category will be larger, but will work for all KES versions.

S
What you can do with programs and categories after the

DI
initial configuration

How to find out which KL category a file belongs to RE

OR
E D
PI
CO
BE

If the administrator wants to know which KL category includes a specific executable file, they can find this
information both locally on the computer and in the Administration console. The local verdicts (which may vary
slightly on different computers because of different database versions) are available in the Application Activity
Monitor window.
TO

Information in the Administration Console can be used for troubleshooting as well as for planning the rules. The list
of executable files is located in the Advanced | Application management | Executable files node. The
administrator can view the attributes and KL category of each file.
T

Since there can be a lot of files on the list (reported from all the computers in the network), search and filtering
options may help finding the necessary one. The administrator can search for a file using a part of its name, or apply
NO

a filter and search by the values of various file attributes.

You can use the list of executable files not only to view KL categories, file attributes and various statistics, such as
when the file was first detected on the computers, but also to add or exclude the file to or from an administrator-
defined category. There is a button that adds the file to administrator-defined categories. You can add the file to
an existing category or create a new one. And when modifying an existing category, you can either add the file to
III-22 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

the inclusion conditions or to the exclusions. In all cases, the resulting condition will be based on the file’s SHA-256

ED
or MD5 sum or certificate data.

How to add a program to an existing category

UT
IB
S TR
DI
RE
OR

If the administrator notices something new when looking through the list of executable files detected on computers
connected to Kaspersky Security Center, and decides to add the program to a category, he or she does not need to
memorize its name and go to the container with program categories. You can simply right-click it and select Add to
category.
D

You can add programs to categories and exclusions this way.

E

The program will be added by hash sum or certificate with which its executable file is signed.
PI
CO
BE
TO
T
NO

How to find out which category a file belongs to

There are two handy lists in Kaspersky Security Center Administration Console: applications registry and
executable files. When you need to do something with a specific program, it is logical to use the Applications
registry. However, a program may have several executable files.
 III-23
Unit III. Security Controls

KES can be configured to work with individual executable files as well as with programs at the same time.

ED
Via the applications registry

UT
IB
S TR
DI
RE
Select the necessary program in the Applications registry, open its properties, and go to the list of executable files
OR

that correspond to this program. Application categories are filled with executable files.

Via the list of all executable files

E D
PI
CO
BE
TO

The list of executable files that we can see on the Kaspersky Security Center Administration Server consists of all
executable files detected by Kaspersky Security Center and Kaspersky Endpoint Security on all computers
T

connected to this Administration Server. Meaning, this list can be very long.
NO

However, when you know what you are looking for, it is very handy. You can sort it by names, or use filters.
III-24 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
UT
IB
S TR
DI
Which other useful information is available about a file

RE
OR
E D
PI
CO
BE

On which computers and when it was detected for the first time (but not how), when it undertook network activity
for the first time, whether it is signed with a certificate.

How to make sure that all files have been collected

TO

Right after the installation, the Executable files container will be empty on the Administration Server. Gradually,
when new clients are connected, new data will be sent to the Administration Server.
T
NO
 III-25
Unit III. Security Controls

Where to enable sending information about found executable files

ED
UT
IB
S TR
DI
RE
Information about found executable files is not sent by default. You can enable it in the Kaspersky Endpoint
Security policy: General Settings / Reports and Storage / Data transfer to Administration Server, click the
button Settings, select About started applications. This check box enables sending information about running
OR

applications, as well as results of the Inventory task.

Note: we recommend that you do not enable sending information about installed applications for all client
computers; exclude, for example, weak computers or non-persistent virtual machines.
D

How to view all executable files found on a computer

E
PI
CO
BE
TO
T

There is a list of executable files in the properties of each managed computer. This list is supplemented by:
NO

1. The Inventory task, which scans the client computers’ folders specified in it properties
2. Application Control which, when enabled, collects information about all executable files started on the
client computers.
Network Agent also gathers information about software, but only about installed applications, for which it scans the
registry.
III-26 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

Inventory task

ED
UT
IB
S TR
DI
RE
It is not created by default. Executable files are reported to the Kaspersky Security Center by Kaspersky Endpoint
Security via the Network Agent. When a file is launched, Kaspersky Endpoint Security collects its data and sends
them to the Administration Server. However, some files may start very rarely. It may take a very long time until all
OR

executable files are intercepted and reported to the Administration Server. A faster way to detect files is by using an
Inventory task.
E D
PI
CO
BE
TO

This is a Kaspersky Endpoint Security task, which can be created for a group or computer selection. With standard
settings, the task searches for executable files in the following directories:

— %SystemRoot%
T

— %ProgramFiles%
— %ProgramFiles(x86)%
NO

The list of folders is configurable. The information about discovered files is sent to the Administration Server and is
available in the Advanced | Application management | Executable files container.

Unlike the monitoring components, this task can detect executable files within archives and installation packages.
Click the Additional button and select the Scan archives and Scan distributions check boxes.
 III-27
Unit III. Security Controls

When executable files are being searched for, their checksums are calculated, which may slow down the computers.

ED
To reduce resource consumption, you can use the option to Scan only new and changed files. The information
about changes is obtained using the iSwift technology and requires almost no calculations.

Alternatively, you can schedule the task to run during nonworking time, or use the option that suspends scheduled

UT
scanning when the computer is being used and resumes it when screensaver is on and the computer is locked.

Note: There are settings in the Kaspersky Endpoint Security policy that control which types of data are sent and
which are not. It is critically important that informing the Administration Server about executable files is disabled by

IB
default. For this reason, even a successful execution of an Inventory task will not fill the list of executable files
unless you enable sending information About started applications in the Kaspersky Endpoint Security policy.

TR
2.3 How to create control rules

S
DI
Two control modes
RE
OR
E D
PI
CO
BE
TO
T
NO
III-28 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

Note that Application Control is disabled by default in Kaspersky Endpoint Security starting with version 10

ED
Service Pack 1. That is one of the reasons why sending the information about executable files is disabled by default.
The first thing the administrator needs to do before configuring rules is to enable the component and select the
mode: White list or Black list (for detailed information about these modes, see section 2.1 “How Application
Control works”.)

UT
By default, right after you enable Application Control, the Notify mode will be used. It is recommended to test the
rules first. Instead of real denies, only events will be sent to the Administration Server: Application startup
prohibited in test mode or Application startup allowed in test mode. You can generate a report based on these

IB
events, analyze it, adjust the rules if necessary, and then switch them to the block mode. Later, to test new rules
without interrupting whose already applied, the administrator can add a rule with the Test status. After you make
sure that the new rules do not interrupt useful applications, switch them On.

TR
Each rule (regardless of the selected mode, white or black list) can use one of the following three statuses:

— On means that the Application Control component uses the rule.

S
— Off means that the Application Control component does not use the rule.
— Test means that Kaspersky Endpoint Security will always permit starting the programs to which this rule

DI
applies, but will send information about starting these programs to the Administration Server.

The check box Control DLL and drivers enables you to restrict start of DLL libraries and drivers, but increases the

RE
load on the computer, and is recommended to be used only if it is really indispensable. For example, with rigid
Default Deny.

Application Control rules

OR

There can be as many rules as you wish; prohibition always has a higher priority. The black and white lists have
different sets of rules. For example, if you first selected the Black list, added a rule, and then switched to White list,
your rule will not be there.
E D
PI
CO
BE
TO

Each rule has the following parameters:

T

— Category—an application category created on the Administration Server beforehand. A policy may contain
NO

only one rule for each category

— Users and/or groups that are granted permission—the list of local or domain users and groups who are
allowed to start the programs belonging to the selected category. If more than one entity needs to be
specified, separate them with a semicolon (;)
 III-29
Unit III. Security Controls

— There is a related option Deny for other users. When enabled, it automatically denies permission to all

ED
unlisted users. All versions of Kaspersky Endpoint Security earlier than 10 Service Pack 1 acted as if this
option were always enabled. In Kaspersky Endpoint Security 11, this option is configurable and disabled by
default. Unlisted users are granted or denied permission based on the rest of the rules

UT
— Users and/or groups that are denied permission—this parameter explicitly defines the list of users and
groups who are prohibited from starting the programs

— Trusted updaters—consider all programs of this category to be trusted updaters1

IB
Denial has a higher priority than permission. For example, if a rule is configured to allow program start to all users
and prohibit for the Tom user, this user will not be able to start the program according to this rule.

TR
The list of rules is initially empty for the black list mode; for the white list, it contains two system rules that cannot
be deleted:

S
— Trusted updaters—if this rule is enabled, the applications installed by trusted updaters will not be blocked
even if there are no allowing rules for them. It is a special KL category2 that includes programs that

DI
download and install module updates, for example, Adobe Updater, Chrome Component Updater, etc.
The rule is enabled by default, meaning, Trusted updaters are allowed.

— Golden Image—contains the executable files necessary for the operating system, as well as executable

RE
files supplied with the system—various standard utilities and applications, To prevent Kaspersky Endpoint
Security from accidentally blocking files important for the operating system.

The list lacks the up and down buttons, because the order of rules does not matter. When a program starts on
OR

a computer, Kaspersky Endpoint Security analyses all enabled rules together. Different rules regulate start of
different application categories; but some programs may belong to several categories at once. If there is at least one
rule according to which program start must be prohibited, it will be prohibited regardless of what the other rules say.

If a program does not belong to any category, in the black list mode, it will be allowed, and in the white list mode,
blocked.
E D
PI
CO
BE
TO
T
NO

1
This option is described in detail later in this chapter.
2
This KL category cannot be selected when configuring program category conditions.
III-30 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

2.4 How it will work

ED
UT
How to find out what a particular user is prohibited from

IB
S TR
DI
RE
OR

There is the Static analysis button next to the list of startup control rules in the Kaspersky Endpoint Security policy.
It opens the window where you can select a user or a group; in the right pane, the list of prohibited categories and
D

blocked files will be displayed.

E

Local notifications and complaints

PI
CO
BE
TO
T
NO

When a program start is blocked on the client computer, Kaspersky Endpoint Security shows a pop-up notification
so that the user is not confused about the reason for the application behavior.
 III-31
Unit III. Security Controls

If the user needs this program for work, the pop-up notification permits sending the administrator a request to allow

ED
program start. The user should click the Request access link in the notification window and then click the Send
button.

The text of the pop-up notification, as well as the request to allow a program start, can be modified in the Kaspersky

UT
Endpoint Security policy. You can use variables there, which provide information about a specific event, for
example, the name of the blocked program, the computer where the event was registered, etc.

User requests selection

IB
S TR
DI
RE
OR
D

The standard User requests event selection contains the Application startup blockage message to administrator
E

events registered over the last 7 days. The Application startup blockage message to administrator event is
registered when a user sends a request to allow program start, and contains the request text along with
PI

the information about the computer, username and the program in question: Complete information necessary for the
administrator to make a decision.
CO
BE
TO
T
NO

It may happen that a user would need a program urgently. That is why, if the administrator rarely opens the User
requests selection, it might be worthwhile to configure email notification for the Application startup blockage
message to administrator event. This will enable the administrator to process the requests as soon as possible.
III-32 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

It is possible to use the request events to modify application categories. An event contains complete important

ED
information about the blocked file, including its SHA-256 (MD5 for older versions of KES). The administrator can
use the Add file to category link to immediately add the blocked file to an existing or a new category either as
an inclusion condition or as an exclusion.

UT
Events

IB
S TR
DI
RE
OR

Application Control generates five types of events:

D

— Application startup prohibited

— Application startup blockage message to administrator
—
E

Application startup allowed

— Application startup prohibited in test mode
PI

— Application startup allowed in test mode

By default, all the events except for Application startup allowed are transferred to the Administration Server.
CO

If the test mode is used for rules, it might be worthwhile to create a selection for the Application startup
prohibited in test mode or Application startup allowed in test mode events.
BE
TO
T
NO
 III-33
Unit III. Security Controls

Report on blocked runs

ED
UT
IB
S TR
DI
RE
Based on the Application startup prohibited event, Kaspersky Security Center generates a Report on blocked runs,
which shows the distribution of the number of blocked starts on the client computers by applications. Click the
program name in the Summary table to open another report in the browser, which contains information about all
OR

computers where start of this program was blocked.

Starting with Kaspersky Security Center version 10 SP2 MR1, you can generate a report on program starts blocked
in the test mode. It will contain only events about blocked starts, regardless of the selected mode: black list or white
list.
E D
PI
CO
BE
TO
T
NO
III-34 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

2.5 Default deny mode

ED
UT
IB
S TR
DI
RE
Default deny is a scenario when Application Control prohibits devices from running any programs except those
OR

specified in allowing rules configured in the white list of Application Control.

The main difficulty when working in the white list mode (when the start of uncategorized programs is prohibited by
default) is operating system malfunction, because the system files that are not explicitly allowed will be blocked
along with other programs. That is why there is an allow rule for operating system files in the white list by default.
D

For example, there can be a policy for using programs on the computers that are used as point-of-sale (POS)
E

terminals. Only special programs must be allowed to start on them, and all unknown programs must be prohibited.
PI
CO
BE
TO
T
NO
 III-35
Unit III. Security Controls

Various configurations of allowing rules are possible; it will be necessary to create one or several categories for

ED
system executable files and configure allowing rules for them using one of the following methods:

 Use a «reference» computer with the operating system and allowed programs installed for creating
an automatically filled category

UT
 Use a directory with distributions of allowed programs for creating an automatically filled category

IB
S TR
DI
RE
OR

For those programs for which allowing rules are configured not to be blocked after upgrades, use the Trusted
updaters standard rule. This rule exists by default in the list and cannot be deleted; but it is disabled by default.
When enabled, the programs downloaded and installed by the applications included in the Trusted updaters
D

category will not be blocked even if the corresponding allowing rules are not configured.
E

The administrator can also manually assign the Trusted updaters flag to a category in the properties of an allowing
rule.
PI

For more details about configuring Kaspersky Endpoint Security to default deny, refer to course KL 032.
CO
BE
TO
T
NO
III-36 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Chapter 3. Device Control

UT
IB
S TR
DI
RE
OR

The main purpose of the Device Control is clear from its name. It enables the administrator to monitor various
devices in the corporate network and, if necessary, prohibit using some of them.
E D
PI
CO
BE
TO
T
NO
 III-37
Unit III. Security Controls

ED
UT
IB
S TR
DI
The most popular use case for this component is blocking USB flash drives. A user may bring an infected file from
home; accidentally or deliberately, a user can take away files that are of commercial value for the company on

RE
a USB drive or other removable media. Users could also connect a workstation to the internet via a smartphone.
Restrictions help prevent such problems.
OR
E D
PI
CO
BE

The Device Control component in Kaspersky Endpoint Security allows the administrator to enforce the corporate
security standards by specifying who can use which devices on the computers and when. The rules may be applied
to removable drives, printers, CD/DVD, non-corporate network connections, Wi-Fi, Bluetooth, etc.
TO
T
NO
III-38 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

3.1 What can be blocked and how

ED
UT
IB
S TR
DI
RE
Almost all peripheral devices can be blocked, either by type (removable drives, CD/DVD, Wi-Fi, portable devices
OR

(MTP), etc.), or by bus: for example, you can entirely disable all USB devices or unauthorized network connections.
E D
PI
CO
BE

Some devices can be allowed, but with limitations: you can explicitly specify the prohibition schedule, restrict only
TO

writing operations, or make exclusions for some users but not others. You can do that for:

— Hard drives
— Removable drives
— Floppy disks
T

— CD/DVD drives
NO

All other device types you can only disable completely:

— Printers
— Modems
— Tape devices
— Multifunctional devices
— Smart card readers
 III-39
Unit III. Security Controls

— Windows CE USB ActiveSync devices

ED
— Wi-Fi
— Cameras and scanners
— Smart card readers
— Portable devices (MTP)

UT
— Bluetooth

Mobile phones, tablets, players and other portable devices may be treated either as portable devices (MTP) or as
removable drives, if connected as external data carriers.

IB
The list omits image-processing devices (in particular, scanners). These can also be prohibited, but only by blocking
their connection buses.

TR
Kaspersky Endpoint Security allows blocking connected devices by interface type (bus):

— USB

S
— FireWire
— Infra Red

DI
— Serial Port
— Parallel Port
— PCMCIA

RE
OR
E D
PI
CO

The administrator can totally block, for example, all USB devices.
BE

Note: Keyboard and mouse cannot be blocked, they are not subject to Device Control rules. To protect against
attacks when an infected USB flash drive pretends to be a keyboard, install and use a special component, BadUSB
Attack Prevention.
TO

Rules for devices have a higher priority. If the USB bus is prohibited, but removable drives are allowed, a USB flash
drive will work correctly.

By default, all devices work in the “Depends on bus” mode, and all buses are allowed.
T

Additional options
NO

Kaspersky Endpoint Security allows blocking only those types of devices that are included in the list. This list
cannot be edited to add new devices.
III-40 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

You can partially restrict the use of removable drives, CD/DVD, hard drives, and floppy disks by specifying:

ED
 What can be done. You can select to prohibit only reading or writing

 The list of accounts that are allowed to use the device type. You can select accounts from the domain to

UT
which the computer where the Administration Console is started belongs, or among local users if there is
no domain. The rule will work on any computer where the policy is enforced. The Everyone universal
account is always available.

IB
 Operation types and access schedule. You can manage Read and Write permissions separately.
The schedule is specified by hours and days of the week. For example, you can allow Read operations for
removable drives each working day from 8-00 to 21-00 to Everyone, and Write operations only to

TR
the Administrators and only during business hours

S
DI
RE
OR
E D

If several rules fit a user, the most restrictive of them will be applied. If a device is “allowed”, it means “always
PI

allow everyone to perform any operation.”

You can combine the rules. For example, prohibit USB devices and removable drives, but make an exclusion for
CO

the administrators: allow them using USB flash drives during business hours.

The changed policy comes into operation as soon as it is enforced. If, for example, removable data carriers are
blocked while the user has plugged in a USB flash drive and has copied something there, it will become unavailable
as soon as the policy is enforced and the next operation will be blocked.
BE
TO
T
NO
 III-41
Unit III. Security Controls

USB flash drive access log

ED
UT
IB
S TR
DI
RE
If USB flash drives are allowed at the company in principle, but the company does not welcome using them, you can
configure logging access to USB flash drives. Then for each of the selected operations the corresponding event will
be sent to the Administration Server, File operation performed. It will specify who (which account) copied or
OR

deleted a file.

Unlike other events, this event will not be stored locally.

By default, logging access to USB flash drives is disabled. To enable it, click the Logging button. It is available
D

only for removable drives. You can select which operations to log, writing and/or deleting, and file formats:
E

 Text files
 Video files
PI

 Audio files
 Graphic files
 Executable files
CO

 Office files
 Database files
 Archives
BE

How to specify trusted Wi-Fi networks

Device Control permits to control Wi-Fi networks via a switch that has three positions:
TO

1. Allow
2. Block
3. Block with exceptions this parameter contains additional settings, which permit to draw up a list of trusted
WiFi networks based on network name, authentication type, and encryption type. A network is considered
trusted only if all the specified parameters are matched. If network name is not specified, it may vary.
T
NO
III-42 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
UT
IB
S TR
DI
Connecting corporate notebooks to public Wi-Fi networks is not always desired. You can use Device control to

RE
disable Wi-Fi. However, for notebooks, which the users may take home, it is not the most optimal solution. It will
be more logical to use the option Block with exceptions, and specify trusted networks: for example, corporate and
home.

What Anti-Bridging does

OR
E D
PI
CO
BE
TO

Device control includes the Anti-Bridging component, which enables the administrator to prohibit users from
establishing two network connections simultaneously to prevent unauthorized bridges to the internal network that
bypass perimeter protection.
T

For example, a user’s computer is connected to the corporate network. The user has connected a Wi-Fi adapter to
the computer and configured it to act as a wireless access point. This access point may be used not only by those for
NO

whom it was created, but also criminals who can use exploits for the adapter, bruteforce username and password, or
employ other methods to bypass protection. As a result, the user’s computer will be compromised and criminals will
have a stepping stone for further development of the attack vector. In this case, Anti-Bridging is a part of protection
that stops criminals from gaining access to the internal network, because as soon as the user turns on the Wi-Fi
adapter, Anti-Bridging will automatically disrupt all network connections, including access to the local network,
and only the Wi-Fi network will be active.
 III-43
Unit III. Security Controls

A similar threat to corporate network security may arise if a user’s notebook is connected to the organization’s

ED
network using a wired connection. The user may create a hotspot on the smartphone to bypass the organization’s
protection tools and connect the notebook to it over Wi-Fi. After that, accidentally or intentionally open a webpage
that contains an exploit pack, which will compromise the notebook, and criminals will receive the capability to
attack the organization’s internal network from the internet.

UT
In both cases, there are two networks—local and Wi-Fi—on the user’s computer, which is connected to the
organization’s network. To eliminate simultaneous operation of two networks and give preference, for example, to a
wired connection, the administrator is to turn On all controls in Anti-Bridging settings and give maximum priority

IB
to the network adapter. In this case, the user will not be able to turn on Wi-Fi network on a computer unless disables
the wired network.

TR
The Anti-Bridging component is disabled by default; to enable it, in the Device Control window, click the
corresponding button and in the window that opens select the respective check box. After Anti-Bridging is enabled,
Kaspersky Endpoint Security will block already established connections according to the connection rules.
The higher the rule on the list, the higher its priority. Anti-Bridging can block all connections except the one that

S
has maximum priority. For this purpose, in the Anti-Bridging window, turn On all controls and define priorities for
all devices:

DI
— Network adapter
— Wi-Fi
— Modem

RE
Note: If several wired connections are configured, only one of them will be allowed (arbitrary). If the Wi-Fi adapter
is not connected to a network, it will not be blocked until the user tries to connect.
OR

3.2 How to specify a trusted device

E D
PI
CO
BE
TO
T

If there are removable drives in the company that must be allowed always and everywhere, it might be worthwhile
to make them trusted. Trusted devices are specified in the Kaspersky Endpoint Security policy, in the Device
NO

Control | Trusted devices section.

III-44 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
UT
IB
S TR
DI
Devices can be made trusted by their ID, a mask of ID or by model. When you click the Add button above the list of

RE
trusted devices, it expands into a list of three options:

— Devices by ID
— Devices by model
— Devices by ID mask
OR

The first two options allow you to select the device that you want to make trusted and its ID or model will be added
to the list. ‘Select’ means that the Administration Server should have the device in its database. If the
Administration Server is unaware of this particular device you can’t make it trusted.
E D
PI
CO
BE
TO

The Devices by ID mask option allows you to type the device ID or a part of it. This doesn’t rely on
the Administration Server knowledge of the device, only on the administrator’s knowledge of the device ID. Device
T

ID can be found in the Windows Device Manager in the device properties on the Details tab. Look for the value of
the Device Instance Path property. It looks somewhat like
NO

USBSTOR\DISK&VEN_&PROD_USB_FLASH_DRIVE&REV_1.01\574B17001160&0

When adding a mask, you can replace a part of the ID with ‘*’ or ‘?’ to make it applicable to multiple devices, e.g.,
‘NEC*CDR??’. This helps when a company has a lot of devices with similar IDs that should be trusted. Adding
a device by model can also help in this case, if all devices are from the same vendor and of the same type.
 III-45
Unit III. Security Controls

There is also a Comment field when adding a trusted device, which the administrator can fill in to describe why this

ED
trusted device (or a group) is added.

To add a device by model or by ID without typing it, connect the device to a managed computer with Kaspersky
Endpoint Security installed. The Device Control component must be installed too. Then you need to wait for some

UT
time till the information about the device makes it to the Administration Server.

To simplify the search for the necessary device, you can choose the device type and also specify the name of
the computer where it is or was connected. Then click the Refresh button to display the filtered results.

IB
S TR
DI
RE
OR

You can also import /export the list of trusted devices in XML format. This capability may come in handy, for
D

example, when you need to edit the name of a trusted device displayed in Kaspersky Security Center interface, add
many similar devices, save a backup copy of the list of trusted devices, or move the list to another server.
E

Before adding the device, you can also restrict the list of users that will have access to it. You may want to have
PI

trusted devices, but you may not necessarily want everybody to have access to them. Perhaps only administrators
should be able to use them.
CO
BE
TO
T
NO
III-46 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

3.3 How to configure interaction with users

ED
UT
IB
S TR
DI
RE
When the user attempts to connect a prohibited device, a pop-up notification is displayed.
OR

If notifications are disabled, the user might think that there is a hardware problem, contact the technical support, or
even worse, try to “fix” it without assistance. The administrator can modify the notification text, for example, add
the contact information of the person responsible for device access.
D

To open the notification template, click the Templates button in the Device Control section of Kaspersky Endpoint
Security policy. You can use variables in the notification text, for example, the name of the device or the blocked
E

operation.
PI

If pop-up notification about blocking is enabled, it contains the Request access link, which can be neither disabled
nor hidden.
CO
BE
TO
T
NO

If the user sends a request, it will be sent to the server as an event having the Warning severity level. Similar to
the other control components, requests are displayed in a special selection named User requests. The administrator
 III-47
Unit III. Security Controls

does not have to react to a request; but if they want to, they can, for example, configure the corresponding email

ED
notifications in the KES policy.

UT
IB
S TR
DI
RE
3.4 How to configure temporary access
OR
E D
PI
CO
BE
TO

Kaspersky Endpoint Security enables users to request temporary access to blocked devices. The procedure is as
follows:
T

1. The user finds out that the necessary device is blocked

NO

2. Generates a request access file for it in the Kaspersky Endpoint Security local interface

3. Emails the request access file to the administrator

4. The administrator examines the request, and in the case of an affirmative answer, creates and sends the user
a special access key
III-48 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

5. The user activates the received key. After this, the selected device (and only that device) becomes

ED
accessible for the time span specified by the administrator. The user cannot pause temporary access to use
it later; and the administrator cannot remotely revoke temporary access

It goes without saying that many users may believe that their devices are blocked by mistake, and will ask

UT
the administrator for temporary access. To avoid numerous requests, you can disable this capability: in
the Kaspersky Endpoint Security policy, on the Device Control tab, clear the Allow request for temporary access
check box.

IB
How can the user send a request to get access to a
blocked device?

S TR
DI
RE
OR
E D
PI

In the local interface of Kaspersky Endpoint Security, click the button Settings, and go to section Security Controls
/ Device Control. Click the button Request access. The window that opens by default lists the currently connected
devices, including blocked ones (to display all devices ever connected to the computer, apply the filter For the
CO

entire runtime). Select the device to which you want to receive temporary access, and click the button Generate
request access file. Specify how long you will need to access the device (by default, 24 hours), click the button
Save, and send the .akey file to the administrator.

Note: If the administrator prohibits requesting temporary access, the button Request access appears dimmed.
BE

How to create activation code

TO

Temporary access is granted to a specific user for the specified device on the specified computer. That is why
the key is generated using the client computer’s shortcut menu, neither in the policy nor in the group properties.
T
NO
 III-49
Unit III. Security Controls

ED
UT
IB
S TR
DI
A client computer can be conveniently found in the Administration Console by the Search utility. Then

RE
the administrator should open its shortcut menu and select the Grant access to devices and data in offline mode
command. In the window that opens, switch to the Device Control tab and click the Browse button to select
the .akey file received from the user.

The Administration Server checks the file integrity and whether it belongs to the selected computer, and then
OR

displays the request. If necessary, the administrator can change the access duration and activation window. Both
periods cannot be less than an hour or more than 999 hours. The default value for both is 24 hours.

Then the administrator is to save the generated key into an .acode file and send it to the user.
D

So, the key is generated for the exact device and the computer where the user generated the request access file. Any
other devices will still be blocked; also, the device for which the access was granted will be blocked on other
E

computers.
PI

The key is also bound to the username. Another user will not be able to access the same device on the same
computer using this access key. If temporary access is activated by the user who requested it and another user logs
on to the computer during the allowed period, they will not be able to use the device.
CO

How to activate temporary access

BE
TO
T
NO
III-50 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

In the same window where the request key was generated, the user clicks the Activate access key button, and

ED
specifies the received .acode file. The device can be used immediately. Neither restart, nor synchronization with
the Administration Server is necessary.

The key must be activated before the specified activation window expires, and the access duration countdown starts

UT
at the moment of activation. The device may be connected at any time (or even several times) during this period, or
not connected at all. The access countdown cannot be paused.

When temporary access is activated, a notification is sent to the Administration Server, but it is not included either

IB
in the selection of user requests, or in the report on Device Control events.

TR
3.5 Monitoring Device Control

S
DI
RE
OR
E D
PI
CO

Every time a user attempts to connect a blocked device, an event is sent to the Administration Server. It contains
the time, name of the computer where the attempt was registered, bus or type of the device, its ID, operation and
the account that initiated it.

The event is named Operation with the device prohibited, it is Critical and is displayed in the selection of Critical
BE

events. If necessary, the administrator can make a separate selection for blocked device access attempts.

The Operation with the device allowed event having the Info severity will be sent if a non-prohibited device is
connected. The number of such events shows the use frequency of USB flash drives, local printers, scanners,
removable drives, etc.
TO

All events, including complaints, are stored on the server for 30 days by default.
T
NO
 III-51
Unit III. Security Controls

ED
UT
IB
S TR
DI
The Report on Device Control events provides the general view of the device control work. It displays a chart with

RE
the distribution of its responses by user names. By default, the report includes all actions—device connecting,
disconnecting and blocking. To generate a report about device blocking only, leave only the Device connection
blocked check box selected in the Settings section of the report properties.

If necessary, the administrator can configure receiving daily email statistics about who and when tried to connect,
OR

for example, USB flash drives. Deliver reports task serves this purpose, which is described in Unit IV
Maintenance.
E D
PI
CO
BE
TO
T
NO
III-52 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Chapter 4. Web Control

UT
IB
S TR
DI
RE
OR

The task of web control is to filter Internet access according to the internal policy of the organization. Usually it is
used to block social networks, music, video, non-corporate web mail, etc. during business hours. If a user tries to
D

open such a site, either a notification that the access is blocked or a warning about an unwelcome site can be
displayed, depending on the settings in the policy.
E
PI
CO
BE
TO
T
NO

Web Control operates similarly to firewalls. The administrator creates a set of blocking and allowing rules. The rule
properties include the user accounts, schedule, connection and content-specific conditions, and the action. The rules
are applied in the order specified by the administrator, and a page is processed according to the first applicable rule.
The Default rule that allows everything to everyone takes the last place on the list and acts as a ‘catch all’ rule.

Only HTTP and HTTPS traffic is scanned.

 III-53
Unit III. Security Controls

ED
UT
IB
S TR
DI
RE
OR
E D
PI
CO

4.1 Blocking criteria

BE

First, access can be denied or allowed by site address. The administrator can explicitly specify the URLs to be
blocked, or use the * wildcard to block sites by address masks—for example, *.fm or *shop*.
TO

Kaspersky Endpoint Security can also analyze webpage content (over HTTP) and classify pages to the following
categories:

— Online stores, banks, payment systems

T

— Shops and auctions

— Banks
NO

— Payment systems
— Internet communication
— Web-based email
— Social networks
— Chats and forums
— Blogs
— Dating sites
III-54 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

— Religions, religious associations

ED
— Job search
— Weapons, explosives, pyrotechnics
— News media
— Software, audio, video

UT
— Torrents
— File sharing
— Audio and video
— Anonymizers

IB
— Banners
— Profanity, obscenity
— Violence

TR
— Computer games
— Adult content
— Alcohol, tobacco, narcotics
— Gambling, lotteries, sweepstakes

S
The content can also be categorized by data types:

DI
— Video
— Sound
— Office files
— Executable files
— Archives
— Graphic files RE
OR
E D
PI
CO
BE

As far as secure connections (HTTPS) are concerned, Kaspersky Endpoint Security has no access to the traffic
contents. Therefore, HTTPs traffic is filtered only by addresses, for example, if social networks are blocked,
https://facebook.com will also be blocked, as this address is included in the signature databases as pertaining to
TO

social networks.

The administrator can restrict access to any category or data type, but cannot edit or add the lists of categories and
data types.
T

Filtering by category and data type can be combined within a rule: for example, you can block office files and
archives received by web mail.
NO

Sites are categorized using the database of known addresses (pc*.dat files in the updates folder), and heuristic
analysis of page content (for non-secure connections only). URL reputation can also be requested from Kaspersky
Security Network.
 III-55
Unit III. Security Controls

Data types are hard-coded in Kaspersky Endpoint Security and include the following file types:

ED
Category Category contents
Executable Win32 PE—exe, dll, ocx, scr, drv, vdx, and other extensions of Win32 PE files

UT
files Microsoft Installer Archive—msi
Video Adobe Flash Video—flv, f4v
Audio/Video Interleave—avi
MPEG4 ISO format—3gp, 3g2, 3gp2, 3p2

IB
MPEG4—divx, mp4, m4a
Matroska—mkv
Apple Quicktime—mov, qt

TR
Microsoft Container—asf, wma, wmv
RealMedia CB/VB—rm, rmvb
MPEG2 (DVD) format—vob
VCD (MPEG 1)—dat, mpg

S
Bink Video—bik
Sound MPEG-1 Layer 3—mp3

DI
Lossless Audio—flac, ape
OGG Vorbis Audio—ogg
Advanced Audio Coding—aac
Windows Media Audio—wma
AC3 multichannel audio—ac3
Microsoft Wave—wav
RE
Matroska Audio—mka
RealAudio—rm, ra, ravb
OR

MIDI—mid, midi
CD digital Audio—cdr, cda
Office files Open XML documents—docx, xlsx, pptx, dotx, potx, and others
Office 2007 macro enabled docs—docm, xlsm, pptm, dotm
MS Office documents—doc, xls, ppt, dot, pot
D

Adobe Acrobat—pdf
E

Archives ZIP archive—zip, g-zip

7-zip archive—7z, 7-z
PI

RAR archive—rar
ISO-9660 CD Disk—iso
Windows Cabinet—cab
CO

Java (ZIP) archive—jar

BZIP2 archive—bzip2, bz
Graphic files JPEG/JFIF—jpg, jpe, jpeg, jff
GIF—gif
Portable Graphics—png
BE

Windows Bitmap (DIB)—bmp

Targa Image File Format—tif, tiff
Windows Meta-File—emf, wmf
Post-Script Format—eps
Adobe Photoshop—psd
TO

Corel Draw—cdr

Let’s mention some specifics of Kaspersky Endpoint Security types and categories:

 The type is defined by the file format. Therefore, this does not work for secure connections; but it is
T

possible to use the address filter to block files by extensions. For example, to block .key files, specify
the *.key mask
NO

 Data types inside archives are not checked—if executable files are prohibited while archives are not,
archived executable files will be allowed

 PDF documents are included in the Office files category. Therefore, if this category is blocked, some sites
that use pdf may display incorrectly
III-56 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

 In old versions of Kaspersky Anti-Virus (6.0.x), Anti-Banner was implemented as a separate component. In

ED
Kaspersky Endpoint Security, you can block banners with the corresponding content category in Web
Control

 Flash videos in SWF format can be blocked only by extension mask—usually it is *.swf

UT
The rules may be applied depending on the account and access time.

IB
4.2 Configuring exclusions and trusted servers

S TR
DI
RE
OR
E D
PI

Sometimes a site can be blocked by mistake. For example, a corporate portal can be recognized as a social network,
or online trainings can be blocked because of video files. In this case, it is easier to create an allow rule instead of
creating a separate group with a special policy. You can configure an allow rule giving access to some categories or
CO

data types located on the specified servers.

To have such a rule applied before the blocking rules, place it higher on the list.

In extreme cases, the organization policy can prohibit the Internet during business hours and allow only
BE

the corporate site. An exclusion can be made only for the IT department. In this case, the administrator creates
the general rule: during business hours, deny everything to everybody. Then adds two allowing rules above it:
the first allowing any content to the accounts of IT department employees, and the second allowing everybody to
access the corporate site.
TO

By default, in addition to the universal rule allowing everything to everybody, there is another rule in web control,
Scripts and Stylesheets, which explicitly allows files with .css, .js, and .vbs extensions. Usually these files contain
style sheets, java scripts and visual basic scripts saved as separate files. This rule is necessary because sometimes
such files are located on separate servers and their URLs differ from the main site address. If a site is allowed while
its scripts and style sheets are blocked, it will be displayed incorrectly. To avoid this, keep the rule allowing .css, .js,
T

and .vbs higher than the prohibiting rules.

NO
 III-57
Unit III. Security Controls

4.3 Diagnostics and testing

ED
UT
IB
S TR
DI
RE
When there are many rules, it is sometimes difficult to monitor which of them were applied and why. For this
OR

purpose, Kaspersky Endpoint Security has an offline diagnostics tool for Web Control.

To use it, first enforce the policy on a workstation, and then open the local Kaspersky Endpoint Security interface on
that workstation. Then switch to the Settings tab, select Web Control, and click the Diagnostics button. It opens
the window where you can specify the conditions of a presumed request:
D

— Select categories
E

— Select data types

— Specify day and time
PI

— Select accounts
— Type site address (the * wildcard is allowed)
CO

and get the web control verdict with the list of rules applicable to these conditions.

For example, the administrator can check whether access to a personal home mail server of an employee is blocked
by the rule that blocks web mail. On the other hand, if users complain that they cannot access an allowed site, you
can find out which rule works incorrectly.
BE

4.4 Configuring interaction with users

TO

If web control blocks a part of page contents, the user may overlook it. If the page is completely forbidden,
a replacement page with the Web Control message will be displayed: either a warning that access is undesired, or
T

a message about blocking.

NO
III-58 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
UT
IB
S TR
DI
If the site is just undesirable (a Warning rule has been triggered), the user can proceed to the page by clicking one of

RE
the links in the warning message: The link to the specific page that was requested, or the link that enables access to
all pages on the website, or all pages on the website and its sub sites (e.g. access *.amazon.com/* as opposed to
www.amazon.com/*)
OR
E D
PI
CO
BE

If the site is blocked, there are no links to proceed, access is completely denied.

Notifications are displayed only for non-secure connections. If the HTTPS protocol is used to open a website,
TO

the user will see only the browser message about inability to display the page in both cases.

There is also a Request access link in all types of messages to disagree with the policy and request a policy change
to be able to access the blocked website freely. Requests are sent to the Administration Server as events and fall into
the User requests selection.
T

You can edit both warning and blocking notifications, as well as the request template: in the Kaspersky Endpoint
NO

Security policy, switch to the Web Console section and click the Templates button.
 III-59
Unit III. Security Controls

ED
UT
IB
TRS
DI
RE
OR
E D
PI
CO
BE
TO
T
NO
III-60 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

4.5 Web Control statistics

ED
UT
IB
S TR
DI
RE
When Web Control blocks access or warns that the access is unwanted, it simultaneously sends the corresponding
OR

event to the Administration Server: Access blocked with Critical severity, or Warning about unwanted content with
Warning severity, respectively.

In both cases, an event contains the access time, site URL, applied rule, computer name, user account and Web
Control verdict. If the rule was created for a category or data type, they are also specified.
D

Note: Web Control independently processes each object of which the site consists. That is why, for example, when
E

graphic files are prohibited, blockage of each little image generates a separate event. Therefore, an attempt to access
a forbidden site can result in sending hundreds of events, which does not necessarily signify that the user browses
PI

the Internet day and night. That is why these events are not transferred to the Administration Server by default.

If a user ignores the warning about undesired access and opens the site, the Access to unwanted content successfully
CO

attempted after warning event having the Warning severity is sent to the server.
BE
TO
T
NO
 III-61
Unit III. Security Controls

4.6 Web control report

ED
UT
For regular control and general information, a report can be used. It provides aggregate statistics on the number of
warnings and blockages for each rule. Allowing rules are not included.

IB
S TR
DI
RE
OR
E D
PI
CO
BE
TO
T
NO
III-62 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
UT
IB
S TR
DI
RE
OR
DE
PI
CO
BE
TO
T
NO
 IV-1
Unit IV. Maintenance

ED
UT
Unit IV. Maintenance

IB
TR
Chapter 1. How to maintain protection ......................................................................... 3

S
DI
Chapter 2. What to do daily ............................................................................................ 6
2.1 How to create a custom dashboard ......................................................................................................................... 7

RE
How to answer all questions at a glance................................................................................................................ 7
How to create a custom dashboard ........................................................................................................................ 8
How understand that important protection components are disabled in the policy ............................................. 10
2.2 How to email reports............................................................................................................................................. 11
OR

Which reports to email ......................................................................................................................................... 12

How to create a custom report ............................................................................................................................. 13
2.3 How to email notifications .................................................................................................................................... 15
Where to enable notifications............................................................................................................................... 15
D

Where to modify the addressee and the mail server ............................................................................................. 16

About which events you need to know .................................................................................................................. 17
E

Chapter 3. What to do if something has happened ...................................................... 19

PI

3.1 What to do with malware ...................................................................................................................................... 19

Where to learn about threats................................................................................................................................ 20
CO

How to find computers with threats ..................................................................................................................... 21

How to understand what has happened to the threats ......................................................................................... 22
How to find computers with non-disinfected threats ............................................................................................ 23
How to scan critical areas ................................................................................................................................... 24
How to isolate a computer and eliminate an active infection .............................................................................. 25
BE

How to reset virus counter ................................................................................................................................... 26

3.2 What to do if Kaspersky Endpoint Security does not work .................................................................................. 27
Where to find out that Kaspersky Endpoint Security does not work .................................................................... 28
How to understand whether a computer is under a policy ................................................................................... 29
TO

How to start protection remotely ......................................................................................................................... 30

3.3 What to do if databases are outdated .................................................................................................................... 31
Where to find out that databases are out of date ................................................................................................. 32
How to find out whether a computer has an update task ..................................................................................... 33
T

How to find out whether the Server has an update task ....................................................................................... 36
Where to specify proxy server parameters ........................................................................................................... 37
NO

How to disable automatic assignment of Update Agents ..................................................................................... 38

How to check whether KSN is used ...................................................................................................................... 38
IV–2 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
3.4 How to check the client-server connection ........................................................................................................... 40
How to distinguish powered off computers .......................................................................................................... 40
What to do if a computer has not connected for a long time ................................................................................ 40

UT
How to make a computer connect to the Server ................................................................................................... 42
How to reconnect a computer to the Server ......................................................................................................... 43
3.5 How to contact technical support .......................................................................................................................... 44

IB
When and how to contact technical support ......................................................................................................... 44
How to remotely collect Windows and GetSystemInfo logs ................................................................................. 45
How to remotely collect trace logs ....................................................................................................................... 46

TR
How to collect logs locally ................................................................................................................................... 46
How to send a request to technical support ......................................................................................................... 48

Chapter 4. What to do from time to time ...................................................................... 49

S
4.1 How to install program updates ............................................................................................................................ 49

DI
Program update types .......................................................................................................................................... 49
Where to find out that an update has been issued ................................................................................................ 50
How to install only approved updates .................................................................................................................. 51

RE
How to find out that a new version has been released ......................................................................................... 53
4.2 How to renew a license ......................................................................................................................................... 55
When to renew a license ....................................................................................................................................... 55
How to find out that the license expires ............................................................................................................... 56
OR

How to find out that the number of activations is exceeded ................................................................................. 57

How to switch over to a new license .................................................................................................................... 58
How to replace the active license ......................................................................................................................... 60
4.3 How to configure backup ...................................................................................................................................... 61
Why back up? ....................................................................................................................................................... 61
D

How to configure backup ..................................................................................................................................... 62

How to restore from a backup .............................................................................................................................. 63
E

How and why maintain the database .................................................................................................................... 64

PI

4.4 Maintenance: Summary ........................................................................................................................................ 65

CO
BE
TO
T
NO
 IV-3
Unit IV. Maintenance

ED
UT
Chapter 1. How to maintain protection

IB
S TR
DI
RE
OR
D

After you have installed Kaspersky Endpoint Security and Network Agent on the computers, created the necessary
policies and tasks, and configured them as necessary, you need to monitor the system to make sure protection works,
E

and react to incidents.

PI

To keep protection working, you have to perform routine maintenance; some things have to be done often, and some
infrequently. Most of the actions are obvious, but we will tell about them nevertheless, just in case.
CO

What to do daily

Check the most important things.

BE

What to check Why so often

There are no You install protection to repel threats. Kaspersky Endpoint Security blocks most of them
unprocessed threats on automatically. But if protection cannot handle the threat, you should be informed about
TO

the computers this as soon as possible and neutralize it manually. The longer a threat is active, the more
damage it can do.
This is obvious enough.

Protection is installed If protection does not work, you do not know whether there is malware on the computer.
and works on the And the longer protection does not work, the more chances that malware infects the
T

computers computer.
NO
IV–4 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
What to do weekly

Solve issues that affect protection. If time permits, do it daily; otherwise, solve secondary issues weekly.

UT
What to check Why so often

The computers Almost all protection components use signatures to detect malware. If signatures are old,

IB
have the latest Kaspersky Endpoint Security will not be able to detect new viruses. The older the signatures,
signature databases the greater the risk. If signatures are two days old, it is bad, but not critical. And if they are
two months old, it is almost as dangerous as if protection was not running at all

TR
Protection uses Kaspersky Security Network informs about known malicious files and helps to detect them
Kaspersky Security even if signatures are obsolete. Moreover, Kaspersky Security Network informs about new
Network malicious files earlier than signatures are issued for them. Without Kaspersky Security

S
Network, protection works not so well. But still works and protects against most of the
threats.

DI
What to do monthly

Perform preventive maintenance on the Administration Server. RE

What to check Why so often
OR

Make sure that you can You spent quite a lot of time to install protection. If you lose the Administration Server
recover the Server from because of a hardware failure, you will have to spend almost as much time to install and
a backup copy configure protection once again. Backup copying can prevent this. The crucial point
about backup copying is that making a copy is not enough. You must verify that you
D

will be able to restore the configuration. Spend half an hour per month for maintenance
to make sure that you do not find yourself in a critical situation with a misconfigured
E

backup from which you cannot restore data.

Optimize the If the database is not optimized, eventually it grows in size and becomes fragmented.
PI

Administration Server You will have to spend more time generating reports or displaying a computer selection,
database especially in a large network or if the resources are scarce on the Administration Server
(to be more precise, database server, but it is often the same computer).
CO

What to do quarterly
BE

Install updates and patches.

What to check Why so often

If there are any Kaspersky Security Center patches and Kaspersky Endpoint Security maintenance releases
TO

updates or patches for are issued approximately once every quarter or two. They correct errors, improve
Kaspersky Lab performance and sometimes add new functions that are important for protection. You do
products not need to put much effort into installing patches, but do not forget to test them
beforehand.
T
NO
 IV-5
Unit IV. Maintenance

ED
What to do yearly

Renew the license and install new versions.

UT
What to check Why so often

The license has not Commercial licenses are typically issued for 1 year. Without a license, protection keeps

IB
expired and the node working, but the update task stops downloading signatures and Kaspersky Endpoint
limitation has not been Security stops using KSN. Eventually, protection will be affected.
exceeded

TR
Whether there are any New versions or service packs are issued once every year or two. They correct errors,
new versions of improve performance, and also change settings and products’ operation logic. New
Kaspersky Lab technologies, components, interception methods, etc. appear in new versions or service

S
products packs. If an old version is not updated for too long, it will not be able to fight the latest
threats even with up-to-date signatures and KSN. A few years after release, a version’s

DI
support ends.

RE
OR
E D
PI
CO
BE
TO
T
NO
IV–6 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
UT
Chapter 2. What to do daily

IB
S TR
DI
RE
OR
D

During a daily inspection:

E

1. Find out which threats Kaspersky Endpoint Security has detected since your last inspection. If you perform
inspection daily, you can focus on detections in the last 24 hours.
PI

2. Check whether Kaspersky Endpoint Security has neutralized all threats. If there are unprocessed threats,
remediate them immediately
CO

3. Check whether protection works on all computers. If protection is not running or is not installed, run or
install it. Find out why it has happened.

To save time, configure the console to be able to quickly learn what you need about threats and protection.
BE
TO
T
NO
 IV-7
Unit IV. Maintenance

ED
2.1 How to create a custom dashboard

UT
How to answer all questions at a glance

IB
S TR
DI
RE
OR

Kaspersky Security Center console provides a lot of information:

D

— Reports
E

— Events
— Computer statuses
PI

— Computer properties
— Statistics of installed applications in computer properties
— Repositories
CO

— Task logs

However, these sources are either insufficiently clear as, for example, lists of events, or cannot be reviewed all
together as reports.

To get a general idea of the overall protection status, open the Monitoring page of the Administration Console.
BE

Indicators are colored icons and short descriptions which provide general information: How many computers are
protected, when the updates were last downloaded, how many clients have the Critical status. However, the
Monitoring tab cannot be configured to include or exclude some data. Besides, information is entirely represented
in text messages, which are not as visual as charts.
TO

The best information source is the Statistics tab of the Administration Server. The administrator selects which
charts to show, which chart types to use and how to organize them.

To save time, make your own statistics page and add there panes that inform about:
T

— Malware
— Network attacks
NO

— Computer statuses
— Computer protection statuses
— And other important data of your choice, for example, signature versions

Pane types are hardcoded, but abundant and can answer most of your questions. For those questions which have no
ready-made panes, you can often use the pane History of set of events matching criteria. You can select an event
type there, and the pane will show how many events of this type were logged in the network over the last 24 hours.
IV–8 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
For example, there is no pane informing about phishing attacks. To be able to see phishing attacks, add events’
history pane and select the event Previously opened phishing link detected.

UT
How to create a custom dashboard

IB
S TR
DI
RE
OR
E D
PI
CO
BE
TO
T
NO
 IV-9
Unit IV. Maintenance

ED
UT
IB
S TR
DI
RE
By default, Statistics includes 6 pages devoted to various network status aspects: Protection status, Deployment,
Update, Statistics of threats, General information, Updates for applications. Each page represents 3 to 4 information
panes. All this can be customized. The administrators can re-arrange the panes on a page at their wish. Or add more
panes or more statistics pages, or remove some.
OR

Usually, a pane contains a chart with a legend or a table. By default, they represent events from all managed
computers over the last 24 hours. The administrator can narrow the scope or change the period in the Properties
window, which opens with the button. A statistics page consists of several panes.

The statistics is configurable at three levels. The administrator can add, delete and move statistics pages, add, delete
D

and move panes on a page, and can also modify settings and representation of the panes.
E

Overall, there are more than 50 types of panes grouped into six categories for the administrator to choose from.
PI

To rearrange the pages, click the Customize view button to the right of the page tabs. The administrators can add as
many pages as they wish and name them as they wish. They can also delete the default pages, or re-order them.
The tabs are always lined up in a single row.
CO

To modify page contents, click the button to the right of the page name in its tab. This button is displayed only
for the active page. In the page properties, you can draw up the list of the panes to be displayed and their layout on
the page: one column, two columns (the default choice), 3 columns, etc.
BE

In the pane settings, depending on its type, you can modify the time interval for the displayed data and select
the computers whose data will be shown. There are only two options for the computers: either all computers, or
computers from a specified selection. You cannot specify a group of computers or draw up an arbitrary list of
computers, as in reports.
TO

As far as the pane layout settings are concerned, you can modify the height for the panes to better fit in the console
window. You can also modify chart type, axle orientation, chart appearance (gradient, transparency). Depending on
the pane type, the following chart types can be available: Pie chart, Column chart (the columns can be displayed
either vertically or horizontally), Table, and Graph.
T

The information panes’ capability to display the history of parameter changes over the specified period can be useful.
For example, you can view how many viruses were detected during each hour of the last day. These data may help
NO

to select the threshold for the Virus outbreak event. Reports lack this capability.
IV–10 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
How understand that important protection components
are disabled in the policy

UT
IB
S TR
DI
RE
OR

Starting with Kaspersky Endpoint Security version 11, there is a protection level indicator in the policy interface,
which helps the administrator to evaluate the level of threat prevention, and provides a hint which components
should be enabled to improve it.

For example, if administrator enables all Essential Threat Protection and Advanced Threat Protection components in
D

the policy, but (by mistake or intentionally) disables a critically important component Behavior Detection, which
pinpoints threats by analyzing software activities (in particular, it can detect complex threats such as ransomware).
E

Once the Behavior Detection component is disabled, Protection level indicator will immediately turn red and
show the status Low protection level. The following information will appear to the right of the Protection level
PI

indicator: Critical protection components are disabled, and a link Learn more. If you click it, the Recommended
protection components window will open, which allows you to enable the recommended components to maximize
threat counteraction. If the administrator ignores the caution and clicks OK or Apply in the policy window,
CO

Kaspersky Security Center will display an information window and suggest that you fix the settings.

Protection level indicator can have one of the following values:

— High protection level. The indicator turns green if the following components are enabled:
BE

— Critical
 File Threat Protection;
 Behavior Detection;
 Exploit Prevention;
TO

 Remediation Engine.

— Important
 Kaspersky Security Network;
 Web Threat Protection;
T

 Mail Threat Protection;

 Host Intrusion Prevention
NO

— Medium protection level. The indicator turns yellow, if an important component is disabled.

— Low protection level. The indicator turns red if:

— One or several critical components are disabled;

— Two or more important components are disabled.
 IV-11
Unit IV. Maintenance

ED
2.2 How to email reports

UT
IB
S TR
DI
RE
OR

To consult Statistics, you need to open the Administration Console first. Some of the administrators open the
Console only when they need to find out or configure something, and prefer to be informed about issues by email.
This way they use a single tool, mailbox, to learn about issues of various subsystems instead of opening a dozen of
various consoles.
D

Kaspersky Security Center can email notifications and reports. Reports that show what is happening in the network
better fit daily inspections. Notifications inform about specific threats that need immediate attention.
E

To receive reports by email, use the corresponding task:

PI

1. Select the Reports tab of the Administration Server node and click the button Configure report delivery
CO

2. If a task of this type has already been created, the Administration Console will select it in the Tasks node.
In this case, click the link Configure task in the right pane and select the Report type section

3. If there is no task of this type yet, the Console will start the report delivery task creation wizard
BE

4. Select the types of reports that you want to receive. The task shows all report templates available on the
Reports tab of the Administration Server node. However, those are not all of the report types that
Kaspersky Security Center can create. If some reports are missing, create them beforehand on the Reports
tab of the Administration Server node.
TO

5. Select the format (html, xls, or pdf) in the task parameters.

6. Switch to the Schedule section and select when to receive reports. By default, the task emails reports daily
at 8 in the morning.
T

To select where to send reports, in the task properties, select the section Action to be applied to report and click
the link Email notification settings. Specify the recipient’s address and message subject. Check the sender’s address
NO

and mail server parameters in the Administration Server properties.

Note: The Quick Start wizard automatically creates a deliver reports task for the Protection status report if
the administrator fills in the email notification parameters. Later, you can edit this task or create more of them.
IV–12 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Which reports to email

UT
IB
S TR
DI
RE
For daily inspections, you will need reports that show threats and protection status:
OR

— Threats:

— Viruses (over the last day)

— Network attacks (over the last day)
—
D

Phishing attempts (over the last day)

— Host Intrusion Prevention rule triggered (over the last day)
E

— Protection
PI

— Protection status
— Anti-virus database usage
— Errors (over the last day)
CO

All pre-configured reports available on the Reports tab of the Administration Server node either do not have any
period, or show events over the last 30 days by default. 30-day reports are not very useful for daily inspections. It is
difficult to understand what has changed since yesterday.
BE

You need to create one-day reports manually. Delete all the reports you are not going to use. For example, reports
about encryption errors if you do not have an encryption license.
TO
T
NO
 IV-13
Unit IV. Maintenance

ED
How to create a custom report

UT
How to create a report over the necessary period of time

IB
S TR
DI
RE
OR

Formally, the Reports page contains report templates, which describe report type and parameters, rather than
reports themselves. The Administration Server generates reports from templates when emailing them, or when the
administrator clicks the link Show report.
D

To create a report (report template):

E

1. On the Reports page, click the button Create a report template

PI

2. Name the report comprehensibly, for example Threats report over the last day
CO

3. Select the report type. There are 50 report types in Kaspersky Security Center

4. Select the reporting period. For the daily reports, specify one day

5. Select a scope for the report. A report can cover a group, individual computers (a list), or a computer
BE

selection. Most of the reports should cover the whole network; select report for a group and the Managed
devices group

Template settings also include the list of information fields to constitute the report tables. Some fields contain
insignificant information and can be deleted not to overload the report. For example, the Virtual server field makes
little sense in a report if virtual Administration Servers are not used in the network1.
TO
T
NO

1
The ‘Virtual Administration Server’ or ‘Virtual server’ terms that may be encountered in the reports should not be confused
with Administration Servers running inside a virtual machine. These two usages of the word “virtual” have almost nothing in common. If your
Administration Server runs in a virtual machine, it is still an ordinary Administration Server, not a virtual server. Virtual servers in the reports and other parts
of the Console are something else entirely. Virtual Administration Servers are described in course 302.
IV–14 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
How to create a report about events

UT
IB
S TR
DI
RE
The administrator can use information field settings in a report template to create complex filters for the events to be
included in the report. Allowed values can be specified in the field properties. For example, for the Detected object
OR

field, you can specify the malware name. As a result, you will get a report based on the events related to
the specified malware only. Similarly, the administrator can view protection status or virus activity on the computers
with the specified version of the protection software, even if these computers belong to different groups.

For example, there is no report type to display all phishing attempts. Instead, you can use an Event report:
D

1. Create a new report template of the Event report type

E

2. Open the template properties and switch to the Detail fields section
PI

3. Select the Description field and click Modify

CO

4. Select the check box Filter field values and in the Value field, type *Threat of data loss*

This is a part of description of events informing about blocked phishing attacks. This way, you will receive a report
that shows the number of such events.
BE

In addition to filtering by field value, you can change sort order: ascending, descending, or unsorted.

Starting with version 10 Service Pack 1, you can do it in the generated report too, by clicking the column titles in the
tables. Click again to reverse the sort order.
TO
T
NO
 IV-15
Unit IV. Maintenance

ED
2.3 How to email notifications

UT
Where to enable notifications

IB
S TR
DI
RE
OR

Event storing parameters are specified in the policies of Kaspersky Endpoint Security and Network Agent, and also
D

in the Administration Server properties, in the Event configuration section. The events are grouped by four severity
levels: Critical event, Functional failure, Warning, and Info. The severity level is a permanent attribute of an event,
E

it cannot be modified. Each program has its own events with their default settings.
PI

An event has three storage settings:

— On the Administration Server—meaning, in the server database

CO

This storing method is enabled for most critical and error events, as well as for many warning and some
info events. The default lifetime of Kaspersky Endpoint Security and Network Agent events is 30 days for
all events (naturally, except for the events whose storage is disabled).

The Administration Server events’ default lifetime depends on their severity levels. For Information events,
BE

it is 30 days; for Warning, 90; and for Critical and Error, 180.

If you have Kaspersky Endpoint Security for Business Advanced or Kaspersky Total Security for Business
license, you can export events of the Administration Server and other Kaspersky applications installed on
TO

the managed devices to a SIEM system. For this purpose, select the check box Export to SIEM via Syslog
(standard RFC 5424).

— In the OS event log on device—makes sense only for the Network Agent events. Kaspersky Endpoint
Security already has this capability in the settings of local event processing.
T

— In the OS event log on Administration Server—similarly to local Kaspersky Endpoint Security events. If
the Administration Server becomes inaccessible, the administrator will be able to find information in
NO

the Windows log.

When the specified lifetime is over, events are automatically deleted from the Administration Server database (but
not from Windows logs, which have their own settings). Increasing the lifetime will also increase the number of
events stored in the database, and this will affect the time required to process operations on events. On the other
hand, when the administrator decreases event lifetime, the maximum reporting period also decreases.
IV–16 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
To be informed about important events, configure notifications. This is configured in the properties of every
particular event type that you want to be notified about. Kaspersky Security Center 10 supports four notification
channels:

UT
— Email
— SMS
— Running an executable file or script
— SNMP

IB
Notifications help to draw the administrator’s attention to the most important events.

TR
By default, notifications are not sent. To start receiving notifications, open the event properties and select
notification methods.

Where to modify the addressee and the mail server

S
DI
RE
OR
E D
PI
CO

By default, all events are delivered with the same parameters, which are specified in the Administration Server
properties. To send different notifications to different addresses or with different messages, click the Settings link in
the event properties and clear the check box Use Administration Server settings. After that, change the recipients’
addresses, text template and other notification parameters.
BE

At first, email notification delivery parameters are specified in the Quick Start wizard. Later, they can be modified
on the Events tab of the Administration Server node. Expand the list next to the link Configure notifications and
event export and select Configure notifications. These parameters are also available in the Administration Server
properties, in the section Notification delivery settings.
TO

Email notification delivery parameters include:

— Recipients’ addresses—email addresses separated by semicolons

— SMTP server address—name or IP address
—
T

SMTP server ports

— Text of the notification message
NO

These parameters are sufficient if the selected SMTP server does not require authorization. The recipient address is
also used for the sender address, and the subject of the sent notifications is made of the event severity level and its
type, for example, Critical event: Threats have been detected
 IV-17
Unit IV. Maintenance

ED
To view additional email notification settings, click the Settings link. Then you will be able to modify:

— Message subject
— Authorization username and password

UT
— Sender address

When configuring the notification subject and text, you can use macros, which will be replaced by
the corresponding event attributes in the notifications:

IB
— %SEVERITY%—event severity level
— %COMPUTER%—the sender computer

TR
— %DOMAIN%—Windows domain
— %EVENT%—event
— %DESCR%—event description
— %RISE_TIME%—event time

S
— %KLCSAK_EVENT_TASK_DISPLAY_NAME%—task name
— %KL_PRODUCT%—program

DI
— %KL_VERSION%—version number
— %HOST_IP%—IP address
— %HOST_CONN_IP%—connection IP address

RE
The macros can be added using the special buttons located next to the fields where notification text and subject are
edited.

About which events you need to know

OR
E D
PI
CO
BE
TO

It is up to the administrator to decide about which events to receive notifications. However, prime candidates are
events about active threats and potentially successful attacks:

Event What does it mean?

T

Active threat detected. The malicious file is not running on the computer, but Kaspersky Endpoint Security
NO

Advanced Disinfection cannot terminate it. The user or the administrator must confirm starting the Advanced
should be started Disinfection procedure

Malicious object detected A malicious object was detected using a request sent to KSN rather than signatures.
(KSN) This means that it is a new threat, and the administrator should carefully monitor what
is happening in the network. Maybe even switch to a policy with stricter protection
settings
IV–18 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Previously opened Information that the link is dangerous has appeared only after a user opened it (data
dangerous link detected about previous actions is stored in the KSN cache and Remediation Engine’s logs).
The user could have downloaded and started new malware

UT
Process terminated Malware was running on a computer. Although Kaspersky Endpoint Security
terminated it, it could have done harm

Network attack detected If the attacking computer is located within the network, it may mean that it is infected

IB
with unknown malware, or that protection does not work there

Host Intrusion Prevention If you configured Host Intrusion Prevention to protect documents against

TR
rule triggered ransomware, these events inform when unknown programs try to edit or delete the
user’s documents

All these events pertain to Kaspersky Endpoint Security. Configure the respective notification settings in the

S
Kaspersky Endpoint Security policy, in the Event configuration section. The last event is an Info event. The others
are Critical events.

DI
Some events (including important) may occur too frequently to send a notification for each of them. For example,
the Threats have been detected event during a virus outbreak may invoke tens and hundreds of notifications.

RE
To make each notification draw your attention, limit the number of notifications. For this purpose, in the
Administration Server properties, open the Notification delivery settings section and click the link Configure
numeric notification limit.
OR

Set the limit as the maximum number of notifications over a time span. As soon as the limit is reached, notifications
are suppressed until the specified period is over. If new events are received afterwards, the limit is counted anew.
The same limit is used for all notification types, but applies individually to each event type. E.g., if notifications for
the Threats have been detected event hit the limit, notifications for other event types will not be affected.
E D
PI
CO
BE
TO
T
NO
 IV-19
Unit IV. Maintenance

ED
Chapter 3. What to do if something has

UT
happened

IB
TR
3.1 What to do with malware

S
DI
RE
OR
E D
PI
CO

If no new events about threats have appeared on the computers over the last day, you need not do anything. But
what to do if there are some events?

First of all, find out what has happened to the detected threats. If Kaspersky Endpoint Security deleted, disinfected
or blocked a threat, you need not do anything. Just reset the virus counter on the computer to be able to see when
BE

new threats appear.

If malware is not treated or removed, act according to a plan. Prepare the plan beforehand.

A typical plan may include the following steps:

TO

— Run the critical areas scan task to understand whether the computer is infected

— If a computer is infected or you suspect that it may be infected with unknown malware:

—
T

Isolate the computer from other computers in the network

— Disable the policy using the password
—
NO

Raise the heuristics level and enable Advanced Disinfection technology

— Check integrity of Kaspersky Endpoint Security by a local task
— Perform full scan on the computer

If this does not help, restore the computer from an image. If all computers are installed from images at the company,
and the users’ data are stored in the network rather than on the computers, restoring from an image may be the first
step of your plan to save time.
IV–20 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
If you find suspicious files during an investigation, send them to Kaspersky Lab for analysis via the portal
companyaccount.kaspersky.com. Also, invite internal or external experts if you suspect a targeted attack against
your organization.

UT
Where to learn about threats

IB
S TR
DI
RE
OR

You can find out that viruses have been found from events, reports, statistics and computers’ statuses. Next to
statistics, statuses draw your attention first of all.
D

Threat detection and their processing results define the computer status in the Administration Console: OK,
E

Warning or Critical. This allows the administrator to easily notice problematic computers when looking through
the groups. The OK status corresponds to a green icon, the Warning icon is yellow, and Critical is red.
PI

The Many viruses detected status tells that viruses were found on the computers. This status is related to the virus
counter parameter. Every time malware is detected on the computer, the counter increases its value by 1.
CO

The counter value is transferred to the Administration Server during the synchronization. The status is activated if
the virus counter value exceeds the specified threshold. By default, the Many viruses detected status is disabled.

To enable the status to show the computers where malware was found, open the properties of the Managed devices
node. Switch to the Device status section and select the check box next to status Many viruses detected. To make
BE

computers receive the Warning status and be displayed yellow, select the respective check box in the list Set status
to Warning if. To make computers receive the Critical status and be displayed red, select the respective check box
in the list Set status to Critical if. To paint computers yellow when there are a few viruses on them, and red when
the number of viruses exceeds, say, 5, configure different thresholds for the status Many viruses detected (via the
status’s shortcut menu).
TO
T
NO
 IV-21
Unit IV. Maintenance

ED
How to find computers with threats

UT
IB
S TR
DI
RE
If at least one of the managed computers receives either There are unprocessed objects, or Many viruses detected
OR

status, the global Protection status also changes on the Monitoring tab of the Administration Server node.
The cause of the status change is displayed in the same area.

If there are computers with different statuses in the network, the Protection settings area will show all critical
statuses. If there are computers with the Critical status, this area will describe all causes that are giving this status to
the computers. The causes that are giving the Warning status to other computers at the same time will be hidden. For
D

example, the critical status Protection is off can override the status There are unprocessed objects, which has the
Warning level, on the Monitoring page.
E

A message like Many viruses detected on ХХ devices is a link. If you click it, the Console will open the selection of
PI

computers where many viruses have been detected. All statuses behave this way on the Monitoring page.

A selection is a dynamic set of computers selected by an attribute. There are standard selections on the
CO

Administration Server, which show computers with various statuses. For example, There are unprocessed objects
and Many viruses detected

You can take group actions on the computers joined into a selection, for example, start update and search tasks, reset
virus counters, move into a group, etc. So, selections are very useful when dealing with the computers having
BE

a problem status.
TO
T
NO
IV–22 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
How to understand what has happened to the threats

UT
IB
S TR
DI
RE
The Threats report shows statistics of processing the malware detected on the managed computers: how many
OR

objects were treated, how many blocked (by Web Threat Protection), how many deleted and how many still remain
unprocessed. It also shows the number of dangerous objects whose processing results are unknown. These statistics
are available for each type of malware.

The Threats report can show which malware KES detected using KSN, and which threats were detected using
D

traditional tools (antimalware databases and heuristics). To be able to see this information, add the By KSN verdict
column to the Details table. You can also add the Detection technology that pinpointed the malicious code and
SHA-256. For this purpose, in the properties of Threats report, open section Detail fields, click the button Add,
E

and select the necessary data in the list Report field name.
PI

If you find it difficult to sort out the report about all network computers, consult reports of individual computers. For
this purpose:
CO

— Select a computer where malware was detected

— Expand the description of the status Many viruses detected and click the link View virus activity level
report
BE

If you do not use the Many viruses detected status, you can open a computer’s report from its properties, in the
Protection section. Use the link View threats report

Report on most heavily infected devices and Report on users of infected devices also may come in handy. If some
TO

computers have been infected considerably more than others, it might be worthwhile to find the reason and take
appropriate measures.

Network attacks are not included in the Viruses report. To see the big picture of all attacks, consult the Network
attack report. It shows which attack types were detected, and more importantly, the IP addresses of the attacking
computers. Knowing the address, the administrator can investigate the incidents and better solve the problem.
T

The Network attack report is not created by default. To view it, create a new template on the Reports tab of the
NO

Administration Server node.

In addition to reports, check computer events to understand how Kaspersky Endpoint Security copes with threats.
Events show what was happening simultaneously with threat detection, whether there were other threats or errors in
components’ operation. To understand where a threat ended, always check the last event about it. It is normal for
Kaspersky Endpoint Security to first inform that it cannot disinfect a file, and in a second, report that the file was
deleted successfully.
 IV-23
Unit IV. Maintenance

ED
How to find computers with non-disinfected threats

UT
IB
S TR
DI
RE
You do not have to study reports and events to be able to understand whether any computers are infected.
OR

Usually, if Kaspersky Endpoint Security cannot neutralize a malicious file, it informs the server about this using the
status There are unprocessed objects. This status is enabled by default, gives computers the Warning status, and is
displayed on the Monitoring page.
D

This status is assigned to computers where malware programs were detected and were not cured.

The Unprocessed files category can be comprised of widely different objects. It can be a virus in memory, which
E

actively counters the attempts to delete it. Or it can be an infected object on a network drive where Kaspersky
Endpoint Security has no Write permission to disinfect or delete the file.
PI

When a user accesses a malicious file in a shared folder on a file server, the protection solution installed on the
server may block access and delete the file. Meanwhile, the protection software installed on the user’s computer
CO

detects the threat at the same time, but cannot delete the file from the folder and informs that there is an unprocessed
threat, although in reality it has been processed on the server. This is a reason for paying attention anyway, since
malicious files must not appear in shared folders, and you need to find out how it got there.

To reset computer status, neutralize the detected objects. If an object cannot be neutralized, as in the described
BE

situation with malware in a shared folder, delete the record about the unprocessed object from the list of
unprocessed objects:

1. In the Administration Console, open the node Advanced, Repositories, Unprocessed files
TO

2. Find the file that has actually been removed from the shared folder, and carry out the Delete command on it
T
NO
IV–24 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
How to scan critical areas

UT
IB
S TR
DI
RE
If many viruses or a previously opened malicious link have been detected on a computer, or a malicious process has
OR

been terminated, it may mean that the computer can still be infected. To scan a computer for known threats, run
critical areas scan there.

There are a few ways to achieve this. The one which is always available is as follows:
D

1. Open the computer properties

2. Switch to the Tasks section
3. Find the task Critical Areas Scan and run it
E
PI

Critical Areas Scan is a local task, which is available in each installation of Kaspersky Endpoint Security. Local
means that it is displayed only in the computer properties, but is not shown in groups or in the Tasks node. This
makes it less useful. To start it on several computers, you have to open their properties one by one.
CO

You can also use the group task Quick Virus Scan, which the Quick Start wizard creates. However, it will scan all
computers, and why slow down the computers where there are no threats?

To quickly scan critical areas on those computers where threats have been detected, make a virus scan task for
specific computers. For this purpose, copy the group task Quick Virus Scan to the Tasks node and rename it. To
BE

scan a computer, select on its shortcut menu All tasks, Run a task, and in the window that opens, select the virus
scan task for specific computers.

You can start only tasks for specific computers from the shortcut menu, group tasks are not available there
TO

To run a task on several computers, select them with the mouse and use the same command from the shortcut menu:
All tasks, Run a task.

To start a task on all computers within a selection, open the target selection, click the button Perform action and
select the command Perform task.
T
NO
 IV-25
Unit IV. Maintenance

ED
How to isolate a computer and eliminate an active
infection

UT
IB
S TR
DI
RE
OR
E D
PI
CO
BE

Usually, even if malware is running, Kaspersky Endpoint Security can terminate it. Host Intrusion Prevention,
TO

Behavior Detection, and Exploit Prevention components are responsible for this. File Threat Protection does not
scan programs in the memory.

If a computer is infected and Kaspersky Endpoint Security cannot stop malware, use the Advanced Disinfection
technology.
T

This technology is disabled by default, because it blocks start of all programs and restarts the computer, which
would hamper the users. The user can agree to perform the Advanced Disinfection procedure and take the risk of
NO

losing data, or refuse to start the procedure and leave the computer infected. Anyway, it should be the administrator
who makes the decision rather than the user.
IV–26 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
If you suspect that a computer is infected, you had better reinstall it from the image. If it is unacceptable or
impossible, try to disinfect the computer:

— Disconnect the computer from the corporate network

UT
— Disable the policy using the command Disable policy in the shortcut menu of KES icon

To use this command, enable password protection in the Kaspersky Endpoint Security policy

IB
— Open Kaspersky Endpoint Security window and click Settings
— Go to General Settings, Application Settings and select the check box Enable Advanced Disinfection
technology

TR
— Run a Virus scan task: Return to the main window of Kaspersky Endpoint Security and click the Tasks
area
— If Kaspersky Endpoint Security finds a threat and prompts you to perform a special disinfection procedure,
agree

S
With Advanced Disinfection technology enabled, Kaspersky Endpoint Security does not permit new

DI
programs to start, scans memory, takes more aggressive methods when terminating processes, tries to
delete malicious files at restart

RE
— Restart the computer, connect it to the Internet and update the signatures
— Scan the whole computer once again

How to reset virus counter

OR
E D
PI
CO
BE
TO

After all threats have been neutralized, reset the virus counters on the computer.

The virus counter can only increase without interference from outside, and the only method of changing this status is
to manually reset the counter. To do it, on the shortcut menu of the computer, click All tasks, Reset Virus Counter.
T

This command can also be applied to a few computers: select them with the mouse and click Reset virus counter in
the right pane of the Console window.
NO

If you are sure that there are no threats on any computers, use the command Reset virus counter in the shortcut
menu of the Managed devices node.
 IV-27
Unit IV. Maintenance

ED
3.2 What to do if Kaspersky Endpoint Security does
not work

UT
IB
S TR
DI
RE
OR

If protection does not work, it may be caused by various reasons. Before contacting technical support, please make
sure that:
D

The Network Agent is The user could have uninstalled Network Agent; then the Console would show the last
E

installed on the data which the Agent had sent to the Server. Reinstall the Agent and protect it from the
computer user: Set an uninstallation password
PI

Kaspersky Endpoint The user may have uninstalled Kaspersky Endpoint Security. Reinstall it and protect
Security is installed on from the user: Set a password
CO

the computer

A policy is applied to A computer may belong to a group without a policy, or a Kaspersky Endpoint Security
the computer version for which there is no policy on the server can be installed on the computer.
Create policies in all groups and for all used versions of Kaspersky Endpoint Security
BE

Policy settings are If the locks are open, the user can modify parameter values and potentially can disable
locked components or even start of Kaspersky Endpoint Security. Close the locks for all
important parameters in the policy

Password protection is If password protection is not enabled, the user can exit Kaspersky Endpoint Security
TO

enabled even without administrative permissions

After you’ve checked for trivial causes, look at the errors. If Kaspersky Endpoint Security will not run because of
failures, collect diagnostic logs and contact the technical support of Kaspersky Lab.
T
NO
IV–28 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Where to find out that Kaspersky Endpoint Security does
not work

UT
IB
S TR
DI
RE
OR

The following computer statuses may mean that protection does not work:

No security application installed It is enabled by default for the Warning and Critical
statuses
D

Real-time protection level is different from the level It is disabled by default. You can set one of the following
E

set by the administrator values: Stopped, Paused, Running

Protection is off It is enabled by default for the Critical status

PI

The security application is not running It is enabled by default for the Critical status
CO

The status Real-time protection level is different from the level set by the administrator, although disabled by default,
is more useful than the status Protection is off. The status Protection is off does not show why it is off: because of a
failure or because the user has disabled it. The status Real-time protection level is different from the level set by
the administrator shows this difference.
BE

We suggest that you enable the condition Real-time protection level is different from the level set by
the administrator for the Critical status and select the Running value for it.

There are standard computer selections for the statuses Protection is off and No security application installed. The
administrator can create custom selections for other statuses.
TO

The status Security application is not running is always accompanied by the status Protection is off, but not the other
way around. If Kaspersky Endpoint Security works, but all protection components are disabled, the computer’s
status will be Protection is off without the status Security application is not running.
T

Protection is considered to be running in Kaspersky Endpoint Security if at least one of the protection components
works. Even if it is only Mail Threat Protection
NO

To understand that components have not started on the computer because of a failure, consult the Errors report or an
event selection. To check all errors:

— Open the Events tab of the Administration Server node

— Click the selection name to the right of the Selection events text and select Functional failures
 IV-29
Unit IV. Maintenance

ED
To understand which components are running on a computer, open the Tasks section in the computer properties.
Components are listed among other tasks and the list shows which ones are running and which are not.

UT
How to understand whether a computer is under a policy

IB
S TR
DI
RE
OR

Protection or some components may be not running if a policy is not applied to the computer. Then the user can
open Kaspersky Endpoint Security settings and disable its components.
D

By default, the Quick Start wizard creates the Kaspersky Endpoint Security policy in the Managed devices group,
meaning, for all computers. However, the administrator may regroup computers later, create new policies in groups,
E

and delete the original policy or make it inactive. As a result, there may be a group where the administrator have not
created or have not activated a policy by mistake.
PI

Different versions of Kaspersky Endpoint Security require different policy versions. Usually, a single policy applies
to all installations of Kaspersky Endpoint Security that have the same Service Pack version. Different Service Packs
CO

require different policies. It may turn out that some computers do not have a policy after an upgrade.

To check whether a computer has a policy, start with the computer selection Protection is off:

1. Open computer properties and switch to the Applications section

BE

2. Memorize the complete name of Kaspersky Endpoint Security, including the Service Pack version

3. Close computer properties and go to its group: use the command Go to device on its shortcut menu
TO

4. In the group, select the Policies tab

5. Set the Inherited policies option to Show, to be able to see policies of the parental groups

6. Make sure that there is a policy for the necessary version of Kaspersky Endpoint Security on the list
T

7. If no, create it. Think which group to place it into.

NO

8. If the policy exists already, select it and click the Details link in the right pane. Make sure that the policy is
applied to the computer

9. Open the policy and make sure that locks are closed, especially on the parameters that enable the protection
components
IV–30 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
How to start protection remotely

UT
How to start protection on a single computer

IB
S TR
DI
RE
OR

The Security application is not running status is one of the most critical protection statuses. To solve this problem,
carry out the command for the Network Agent to start Kaspersky Endpoint Security on the Applications tab of
the computer properties.
D

If individual components are not running, you can start them on the Tasks tab.
E

How to start protection on a few computers

PI
CO
BE
TO
T
NO

Another method of starting Kaspersky Endpoint Security—the Start or stop application task. This task is an
advanced task of Kaspersky Security Center that can be created for groups or specific computers.

A group task is convenient if the Virus outbreak event is registered—it can start protection on all network
computers, in case the protection is stopped somewhere.
 IV-31
Unit IV. Maintenance

ED
A task for specific computers can better serve the purpose of rectifying the Protection is off status. A task for
specific computers can be started from a computer’s shortcut menu or using the button Perform action in a computer
selection.

UT
To create a task that starts Kaspersky Endpoint Security:

1. Run the task creation wizard in the Tasks container

IB
2. Under Kaspersky Security Center Administration Server 10 | Advanced, select the Start or stop
application task type

TR
3. Select the Kaspersky Endpoint Security versions that need to be started

4. Select the Start application command

S
5. Select a scope for the task: specify the computer selection Protection is off

DI
3.3 What to do if databases are outdated
RE
OR
E D
PI
CO
BE

If protection does not work, it is very bad. However, if it works with old signatures, it is not any better. Pay attention
to computers that have old signatures, update them and find out why the signatures have not been updated.
TO

First, solve trivial issues. Check the following:

The computers have an update task This task is created by default. However, when groups and tasks become
numerous, it may turn out that some computers do not have an update task for
the necessary version of Kaspersky Endpoint Security
T

Task schedule If the administrator created update tasks manually, he or she may failed to set
NO

a schedule for them by mistake

Task source Within the network, the Kaspersky Security Center source must be specified

The Administration Server has a It is created by default, but may have been deleted by mistake
“Download updates to the
repository” task
IV–32 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Schedule and source of It is created by default, but may have been deleted accidentally, or its
the “Download updates to schedule may be misconfigured
the repository” task

UT
The Administration Server can Probably, the internet is accessible only through a proxy server, but its
access the selected source address and authentication data (username and password) are not specified or
need to be updated

IB
After that, check for update task errors. If errors result from Kaspersky Endpoint Security failures, collect logs and
contact the technical support.

TR
Specifically consider whether you need Update Agents. They are not of much help in a small network, and
complicate diagnostics. The Administration Server automatically assigns Update Agents by default. You can disable
this.

S
Where to find out that databases are out of date

DI
RE
OR
E D
PI
CO

The Monitoring page provides the most important information about the databases in use. If everything is fine,
the Update area displays the time when the latest updates were downloaded to the server repository. If there is a
problem, the indicator will turn yellow or red and a problem description will appear, which also acts as a link to
BE

remediation (run a task) or troubleshooting (check a computer selection) tools.

The Databases in the repository not updated for a long time link opens the properties of the Download updates to
the repository task. The Databases are out of date: N devices link opens the selection of hosts that have
the Databases are outdated status.
TO

The permanent link Go to Kaspersky Lab software updates and patches in the Update area of the Monitoring page
opens the node Advanced \ Repositories \ Kaspersky Lab software updates and patches. which contains links to
the settings of the default update tasks and the database version report.
T

More detailed information about the databases in use and computers with problems is available on the statistics
screen and also within the appropriate reports. The Database usage report shows the number of computers where
NO

databases are 1-day old, 3-day old, 7, and more.

These data are also available on the Statistics tab of the Administration Server node. The charts concerning updates
are displayed on the Update page. Unlike reports, statistic charts are updated in real time.

If the databases became obsolete on the computer not because it was off, but because of update task errors,
the administrator would need to view update task events to find out the reason. The events sent to the Administration
 IV-33
Unit IV. Maintenance

ED
Server are often insufficient for thorough analysis of the situation. The local update report of Kaspersky Endpoint
Security usually contains more events.

UT
IB
S TR
DI
RE
Computer statuses inform about old signature databases.
OR

Computers with old databases receive a Warning or Critical status depending on how old their databases are.
The status criteria are configured in the group properties. By default, the Warning status is given to the computers
whose databases are 7 or more days old, and Critical is assigned after 14 days.
D

You can identify that the computer status changed from OK due to outdated databases by the status description in
the Protection section of computer properties, or in the panel displaying computer characteristics in the lower-right
part of the Administration Console. To view detailed information about the signatures and, specifically, the last
E

update date, open the properties of the Kaspersky Endpoint Security program in the Applications section of
computer properties.
PI

How to find out whether a computer has an update task

CO
BE
TO
T
NO

Updates from the Administration Server repository are distributed to the client computers by group update tasks.
IV–34 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
To ensure coverage of all managed computers, an update task must be a group task created within the Managed
computers node. The Quick Start wizard creates this type of task: Install update. If computers are combined into
groups and the optimal updating procedure is different for various groups, you can create a customized update task
for each group.

UT
If both parent and child groups have tasks of the same type, the computers of the child group will run both tasks.
This will most likely result in errors, since if an update task is already running, another one cannot start. To avoid
that, either delete the task in the parent group or disable its scheduled start or exclude the subgroups that have their

IB
own tasks from the parent group task scope.

Note: If earlier or other Kaspersky Endpoint Security versions (for example, Kaspersky Endpoint Security for Mac

TR
or Kaspersky Security for Windows Servers) are used in your network, they need separate update tasks.

If there are many groups in the console, and different versions of Kaspersky Endpoint Security are installed on the
computers, it is hard to immediately understand whether all computers have update tasks. If signatures are outdated

S
on a computer, to understand whether it has an update task:

DI
1. Open computer properties and switch to the Applications section

2. Memorize the complete name of Kaspersky Endpoint Security, including the Service Pack version

3. RE
Open the computer’s group (click the command Go to device on the computer’s shortcut menu)

4. Open the Tasks tab and set the Inherited tasks option to Show
OR

5. Look for a task that has the Update type and Kaspersky Endpoint Security version coincides with that
displayed in the computer properties

If there is no such a task, create it in this group or in a parental group. Try to create as few tasks as possible. One
update task per each version of Kaspersky Endpoint Security created in the root group Managed devices is often
D

sufficient.
E
PI
CO
BE
TO
T

Schedule
NO

Each product update task has a specific schedule and settings, including:

— The list of update sources

— The list of updates
— The settings used to copy updates to a specified folder
— The list of subgroups on whose computers the task will not run
 IV-35
Unit IV. Maintenance

ED
The standard schedule for the Kaspersky Endpoint Security update tasks is When new updates are downloaded to
the repository. Unlike a periodical schedule when Kaspersky Endpoint Security defines the start time and starts
the task regardless of whether the Administration Server can be reached or not, the When new updates are
downloaded to the repository schedule means that the task is always started by the Administration Server

UT
command.

The Administration Server sends a ‘wake up’ call to UDP port 15000 of all affected client computers that there are
new settings for them. The port is listened to by the Network Agents, and upon receiving the call the Agents connect

IB
to the Administration Server and download whatever new settings are available. Upon connection to the Server,
the Agent receives the command to start the task and transfers it to Kaspersky Endpoint Security, which carries it
out. If the ‘wake up’ call doesn’t reach some computers, they will receive the command during a planned

TR
synchronization performed every 15 minutes by default (the period is defined in the Network Agent policy).

The schedule When new updates are downloaded to the repository guarantees that the client computers will
receive updates as soon as possible and without calling the server every now and then. Alternatively, a simple

S
periodical schedule can be used (for example, once an hour).

DI
To prevent serious peak loads on the update source and the network at the moment of task start, randomization of
the task launch within a certain interval is used. E.g., if the 5-minute interval is selected, the computer will begin
the next scheduled update after a random delay ranging from 0 to 5 minutes.

RE
By default, the Administration Server automatically defines the randomization interval depending on the number of
computers the task pertains to. The administrator can also specify it manually.

If signatures are outdated on the computers, check the update task schedule. If the schedule is set to Manually,
OR

weekly or monthly, change it to When new updates are downloaded to the repository or Once every N hours

Source
D

To specify the list of sources, open the Properties section of the task properties and click the Settings button.
Updates can be retrieved from the following sources:
E

— Kaspersky Security Center—the recommended source for all managed computers. Moreover, the most
PI

natural source for the When new updates are downloaded to the repository schedule

— Kaspersky Lab update servers—the recommended source for the computers outside the corporate
CO

perimeter or a backup source if the specified Administration Server is not accessible. However,
the administrators often prefer the computers to wait for the Administration Server connection rather than
create extra Internet traffic

— Local or network update folder—another option for backup update sources. An HTTP or FTP address
BE

may be specified instead of a network folder. For example, if there are several Administration Servers in
the network (this case is described in course KL 302 Kaspersky Endpoint Security and Management:
Advanced Skills), HTTP addresses of update folders located on other servers can be used as backup sources

Updates are retrieved from the Administration Server by the Network Agents. With the update servers of Kaspersky
TO

Lab or other FTP or HTTP locations, updates are downloaded by Kaspersky Endpoint Security without the Agent.

If signatures are outdated on the computers, check the update task source. Select the Kaspersky Security Center
source. If you want to use a folder or FTP server, make sure that updates are accessible at this address, and the
computers can access the files
T

In the update task properties you can configure copying updates into a separate folder. This mode can be used for
NO

creating an update source in small networks or subnets without their own Administration Server. In larger networks,
update agents are used to create intermediate update sources. The Administration Server assigns Update agents
automatically (for more details, refer to course KL 302 Kaspersky Endpoint Security and Management: Advanced
Skills.)
IV–36 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
How to find out whether the Server has an update task

UT
IB
S TR
DI
RE
The task that updates the Administration Server repository is named Download updates to the repository.
OR

The Quick Start wizard automatically creates this task. It can be found in the Administration Console in the Tasks
node.

If databases are outdated on the computers, check whether the Administration Server has an update task. Open the
Tasks node and look for the Download updates to the repository task
D

You can have only one task of this type. If it is present already, the task creation wizard doesn’t allow creating
E

another one. However, it is possible to delete the automatically created Download updates to the repository task
and create a new one for troubleshooting.
PI

The settings of that task include the schedule, the update sources, connection parameters, the list of updates to be
downloaded and a few additional options.
CO

Since there can only be one such task, it is recommended to schedule it to run regularly at small intervals ranging
from 15-20 minutes to several hours. The default value is 1 hour.

The following update sources are possible:

BE

— Kaspersky Lab update servers—a list of FTP and HTTP servers officially maintained by Kaspersky Lab.
These servers are located in various countries worldwide to ensure high reliability of the update procedure.
If the task cannot connect to a server, it will try contacting the next one in the list. The list of servers is
downloaded together with the other updates
TO

— Master Administration Server—this option is used if there are several Administration Servers and they
are connected in a hierarchy (described in detail in course KL 302 Kaspersky Endpoint Security and
Management. Advanced Skills)

— Local or network folder—an update source created by administrators. You may specify not only a
T

network folder, but also an FTP or HTTP address

NO

The task can have several different sources organized in a list. If the first source turns out to be inaccessible 2,
the task will attempt to download updates from the next.

2
The Kaspersky Lab update servers source is considered to be inaccessible if none of known servers are available.
 IV-37
Unit IV. Maintenance

ED
Where to specify proxy server parameters

UT
Where to specify proxy server parameters for the Administration Server

IB
S TR
DI
RE
OR

You may need to specify the proxy server parameters for the Administration Server update source. All sources
would share the same proxy server. If some sources are accessed without it, enable the Do not use proxy server
option in their properties.
D

The proxy server is not specified by default. The Quick Start wizard prompts for the proxy server parameters. To
specify a proxy server later:
E

1. In the Administration Server properties, open Advanced/ Configuring Internet access

PI

2. Specify the proxy server address, port and authentication parameters: the user name and password

These settings will be used for downloading updates and for KSN requests.
CO

Where to specify proxy server parameters for the computers

BE
TO
T
NO
IV–38 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
If an FTP or HTTP server address is selected in a computers’ update task and it is accessible via a proxy server,
specify the proxy server parameters in the Kaspersky Endpoint Security policy. Open General Settings /
Application Settings, and in the Proxy Server area, click the Settings button.

UT
By default, an automatically detected proxy server is used. This means that Kaspersky Endpoint Security will take
the proxy server settings specified in the Internet options in Windows Control Panel. The administrator can
explicitly specify the address, port and account for authentication.

IB
How to disable automatic assignment of Update Agents

TR
Update Agents are additional update sources in a network. Any computer where the Network Agent is installed can
act as an Update Agent. The Administration Server automatically selects the computers to which it assigns the
Update Agent role. The administrator can disable automatic allocation and assign Update Agents manually.

S
Automatically selected Update Agents multicast update files and you cannot disable multicasting. Network

DI
administrators often do not like uncontrollable traffic in the network. Also, in a small network of a few hundred
machines, the Administration Server can cope with updates alone, without Update Agents.

To disable automatic assignment of Update Agents:

1.
2.
RE
Open the Update Agents section in the Administration Server properties
Select Manually assign update agents
OR

With this option selected, the administrator can manually specify the computers to be assigned Update Agents.

For more details about Update Agents, please refer to course KL 302. Advanced Skills.

How to check whether KSN is used

E D

Kaspersky Security Network learns about new malicious files quicker than update tasks. If computers have no
PI

access to KSN, they are more likely to get infected.

How to find out that computers have no access to KSN

CO
BE
TO
T
NO
 IV-39
Unit IV. Maintenance

ED
If Kaspersky Endpoint Security has no access to KSN, it informs the Administration Server about this via the status
KSN servers unavailable. This status does not get on the Monitoring page. To quickly find all computers that have
no access to KSN, create a custom computer selection.

UT
By default, Kaspersky Endpoint Security accesses KSN via the Administration Server service named Kaspersky
Security Network proxy server. The service accepts connections on TCP port 13111. If computers cannot access
KSN, make sure that:

IB
— The service Proxy server Kaspersky Security Network is running on the Administration Server
— Port 13111 is not closed by a firewall
— The service can access KSN servers in the Internet:

TR
— Open the Administration Server properties
— Go to KSN proxy server, KSN proxy server statistics
— Click the button Check KSN connection

S
How to find out that KSN is turned off on the computers

DI
RE
OR
E D
PI
CO

It may turn out that KSN servers are accessible, but the use of KSN is disabled in the policy.

To find out about this and also which computers are experiencing the issue, run the task Checking connection with
KSN:
BE

1. Open the Tasks node and click the button Create a task
2. Select the task type Checking connection with KSN under Kaspersky Endpoint Security 10 SP2
3. Select the Managed devices group to make it run on all computers
TO

On the computers where KSN is turned off in the policy, the task will return the error “Participation in KSN is
disabled”. The task will also show the computers where KSN is used but inaccessible.
T
NO
IV–40 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
3.4 How to check the client-server connection

UT
How to distinguish powered off computers

IB
S TR
DI
RE
OR

In a large network, computers are almost never turned on simultaneously. Some are off at any moment in time.
D

They differ by the icon in the console: powered off computers have an icon with network connection crossed out in
E

red at the bottom (workstations) or on the right (servers). Also, check the columns Agent running and Connecting to
Server. If the Agent is not running, and the last connection was established long ago, do not pay attention to the
PI

computer protection status, it can be inaccurate.

What to do if a computer has not connected for a long

CO

time
BE
TO
T
NO
 IV-41
Unit IV. Maintenance

ED
UT
IB
S TR
DI
RE
If a computer remains powered off for a long time, Administration Server assigns one of the following two statuses
to it:

Not connected for a By default, computers receive this status in 14 days. You can change this in the status
OR

long time settings, in the properties of the Managed devices node

This status means that the Network Agent has not connected to the Server all this time, and
the Server was not able to connect to the computer during the full network poll either

Device connection This status means that the Network Agent has not connected to the Server, but the Server
lost connected to the computer during the full network poll
E D

If the computer has the status Not connected for a long time, find out what is the matter with it. If the computer does
not exist anymore, delete it from the group and then once again from the Unassigned devices node. If its owner is on
PI

vacation, do nothing.

If employees may not connect to the network for a long time (months), increase the period after which the
CO

Administration Server automatically deletes computers from groups (60 days by default). Open the properties of the
Managed devices node, select Devices and change the value of the parameter Delete the device from the group if
it has been inactive for longer than (days). Or disable this parameter at all, if employees may work out of office
for an indefinitely long time.

To enable computers to connect to the Administration Server, to receive settings and inform about threats when
BE

outside the office, configure access to the Administration Server ports from the Internet. How to do it is described in
course KL 302 Kaspersky Endpoint Security and Management: Advanced Skills
TO
T
NO
IV–42 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
How to make a computer connect to the Server

UT
IB
S TR
DI
RE
If the computer’s status is “Device connection lost”, make sure that:
OR

— Network Agent is installed

— Network Agent is running

If the user has uninstalled the Network Agent, configure password protection in the Network Agent policy.
D

If the Agent is installed and running, check its settings. Use the utility klnagchk.exe from the Network Agent’s
folder %ProgramFiles(x86)%\Kaspersky Lab\NetworkAgent:
E

— Run the command line interface (cmd.exe) as an administrator

PI

— Go to the Network Agent’s folder

— Start the klnagchk.exe utility
CO

When run without parameters, the utility outputs the Network Agent settings, tries to connect to the Administration
Server with these settings, publishes the result, and finally outputs the connection statistics.

During the test connection, the Agent neither checks whether new settings are available on the server nor sends its
data to the server.
BE

To make the Agent synchronize with the Server, carry out the command klnagchck.exe –sendhb

This command must be executed locally on the client computer.

TO

The Administration Console also has commands for checking connection to a computer:

Check device Verifies the computer status Visible in the network against the Administration Server database.
accessibility Does not try to connect to the computer, and therefore adds nothing to what the computer icon
T

shows
NO

All tasks, Force Sends a signal to UDP port 15000 of the computer. If the Agent answers in a few seconds,
synchronization closes the synchronization window. Otherwise, informs that the Agent does not answer and
queues synchronization
 IV-43
Unit IV. Maintenance

ED
How to reconnect a computer to the Server

UT
IB
S TR
DI
RE
If the Network Agent has incorrect Server connection parameters, modify them using the utility klmover.exe that is
OR

located in the same folder of Network Agent:

— Run the command line interface (cmd.exe) as an administrator

— Go to the Network Agent’s folder
— Run the utility klmover.exe with the parameter –address and Server address:
D

klmover.exe –address 10.28.0.20

E

If the Server’s port is non-standard, add the parameter –ps and the port number.
PI

To fix incorrect connection parameters remotely, reinstall the Network Agent. Before that, check the settings of the
Network Agent package. If an Agent has incorrect parameters, they may also be incorrect in the package.
CO
BE
TO
T
NO
IV–44 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
3.5 How to contact technical support

UT
When and how to contact technical support

IB
S TR
DI
RE
OR

If Kaspersky Endpoint Security does not work or works differently from what the administrator has configured, and
D

simple measures cannot help, contact the tech support.

E

To receive an answer quicker, collect all logs and attach them to your request:
PI

— Kaspersky Endpoint Security logs

— Trace logs of Kaspersky Endpoint Security around the moment when the issue arises
— Windows logs
CO

— GetSystemInfo log—information about the computer

To contact the technical support:

1. Create a request at https://companyaccount.kaspersky.com

BE

2. Select the product and functional area

3. Describe the steps that result in the issue
4. Attach the logs

You can collect logs either on the computer or via the Kaspersky Security Center Console.
TO
T
NO
 IV-45
Unit IV. Maintenance

ED
How to remotely collect Windows and GetSystemInfo logs

UT
IB
S TR
DI
RE
To collect logs remotely, connect to the computer using the remote diagnostics utility:
OR

1. Select the computer in the Administration Console

2. On the shortcut menu, click Custom tools, Remote diagnostics

D

The utility can also be started from the Kaspersky Security Center folder in the Start menu. Then you will
need to specify the computer name and the Administration Server address in the window. The console fills
E

in these boxes automatically

PI

3. Click the Sign In button

4. To receive information about the computer, click the link Load system information in the upper-left corner
CO

of the window

5. To receive Windows logs, select the log and click the link Download event log… in the upper-left corner of
the window
BE

Download Kaspersky Event Log and any other logs that contain events concerning the issue

The diagnostics utility saves the files in a folder on the desktop. Open it using the link Download folder in the
lower-left corner of the window.
TO
T
NO
IV–46 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
How to remotely collect trace logs

UT
IB
S TR
DI
RE
To collect trace logs using the diagnostics utility:
OR

1. Select Kaspersky Endpoint Security in the tree

2. Click the link Enable tracing on the left, do not change the trace level, and click OK
3. Reproduce the steps that demonstrate the issue
4. Click the link Disable tracing in the diagnostics utility
D

5. Expand the folder Trace files under Kaspersky Endpoint Security

6. Select files one by one and download them using the link Download file on the left
E

If the problem does not pertain to Kaspersky Endpoint Security or not only to it, collect trace logs of Network Agent,
Administration Server, Updater component in a similar manner.
PI

When you close the diagnostics utility, it will ask whether to delete the download folder. Do not delete the folder
until you send the logs to the technical support.
CO

How to collect logs locally

BE
TO
T
NO
 IV-47
Unit IV. Maintenance

ED
UT
IB
S TR
DI
RE
Sometimes, an issue can be easier reproduced locally on the computer. In this case, collect the logs locally, too.

To collect information about the system, download the GetSystemInfo utility from the getsysteminfo.com website.
Run it and save the log in a folder. The utility also collects information about the system and Windows logs, and you
will not have to add them manually.
OR

To collect the trace logs:

1. In the Kaspersky Endpoint Security window, click the button Support

D

2. In the Support window, click the link System tracing

E

3. On the drop-down list, select is enabled; in the list that will appear, select level Normal (500), and click
OK
PI

(You can select traces with rotation. In this case, you will be able to limit the maximum number of trace
files and the maximum size of a trace file. If the number of trace files reaches the limit, the oldest file will
CO

be deleted to free space for a new one.)

4. Reproduce the issue

5. Disable tracing: select is disabled

BE

6. Collect the trace logs from the folder %ProgramData%\Kaspersky Lab\

The file name includes the creation date and time, select the latest logs
TO

How to locally enable trace logs for Kaspersky Security Center components is explained in the article
http://support.kaspersky.com/9323
T
NO
IV–48 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
How to send a request to technical support

UT
IB
S TR
DI
RE
When you have all logs at hand, contact the technical support:
OR

1. Log on to the website companyaccount.kaspersky.com

If you have no account, sign up: specify your email and license for Kaspersky Lab products (the activation code or
key file)
D

2. Click the button New request and select Make a request for Tech Support
E

3. Select the protection scope, product, version, operating system, request type and subtype
PI

4. Type the request subject: define the problem briefly

CO

5. Describe the issue: the steps that result in it, which result you expect, and which get instead

6. Attach the archive with all logs

BE
TO
T
NO
 IV-49
Unit IV. Maintenance

ED
Chapter 4. What to do from time to time

UT
IB
4.1 How to install program updates

TR
Program update types

S
DI
RE
OR
E D
PI
CO

Except for signature updates, which are issued continually, there are program updates, which are released much
rarer:

New versions Are released once every few years, introduce new capabilities, components, settings, etc.
BE

Are installed by Kaspersky Endpoint Security installation task and the installation wizard of
Kaspersky Security Center

Service Packs Are released approximately yearly, sometimes rarer. Upgrade components and drivers, may add
new settings and capabilities, but the changed are not as significant as in a new version
TO

Are installed by Kaspersky Endpoint Security installation task and the installation wizard of
Kaspersky Security Center

Maintenance For Kaspersky Endpoint Security, MRs are released once every quarter or two, fix errors, may
Releases slightly change settings, are installed by the update task
For Kaspersky Security Center, a Maintenance Release is almost the same as a Service Pack:
T

they are released in a year after a new version or Service Pack, and are installed by the
installation wizard of Kaspersky Security Center
NO

Patches Are not released for Kaspersky Endpoint Security. For Kaspersky Security Center, patches are
released quarterly, fix errors, slightly alter operation, are installed automatically on Network
Agents

Private fixes Are released by request, correct specific issues for individual customers. Usually, for customers
with a Maintenance Service Agreement
IV–50 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
Where to find out that an update has been issued

UT
IB
S TR
DI
RE
You can learn that a minor update (Maintenance Release for Kaspersky Endpoint Security or patch for Kaspersky
OR

Security Center) has been released on the Monitoring page. Monitor messages in the Update area.

Minor updates are installed automatically, but only after the administrator approves them. When updates are
released, the status “New updates for Kaspersky Lab software modules registered” appears. Usually, to install an
update, you need to accept the license agreement. “Kaspersky Lab software updates not approved” status informs
D

about this.

Both statuses lead to the node Advanced, Application management, Software updates. This node shows all
E

available updates, not only for Kaspersky Lab programs, but also for operating systems and third-party software.
PI

To be able to install updates by other manufacturers, you need a Systems Management license, for example, KESB
Advanced. This is described in course KL 009 Systems Management.
CO

To view only updates by Kaspersky Lab:

1. Click Filter…
BE

2. In the Source field, select AO Kaspersky Lab and wait for a while
TO
T
NO
 IV-51
Unit IV. Maintenance

ED
How to install only approved updates

UT
How to install only approved updates of KES

IB
S TR
DI
RE
OR

Kaspersky Endpoint Security can do without application updates. If there are no critical issues that impede work,
you can use Kaspersky Endpoint Security until a new version or Service Pack is released.
D

Still, module updates can be useful. They can improve computer performance, increase protection efficiency and
add new functionality to the product. Often benefits outweigh the risks. And the risks can be mitigated by testing
the updates and installing only approved ones. As far as module updates are concerned, the administrator has the
E

following option in the update task of Kaspersky Endpoint Security:

PI

— Download updates of application modules—enabled by default. Can be disabled in the groups where
computers are extremely sensitive to changes, e.g., groups with important servers
CO

— Install critical and approved updates—installs the updates marked as approved by the administrator
and the updates marked as critical by Kaspersky Lab without the administrator’s approval. Installing
unapproved updates may be risky because unforeseen issues might arise

— Install only approved updates (the default choice)

BE

To approve an update:

1. Select the update in the node Advanced \ Application management \ Software updates
2. Click the Approve button above the list of updates
TO

3. If the update has a license agreement, the respective window will open. Accept the agreement

If you approve a wrong update by mistake, open its properties and change the value of the Update approval field to
Undefined or Declined.
T

Prior to approving an update, install it on test computers and make sure that it is not causing any issues.
NO

After a program update is installed, a restart may be required.

IV–52 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
How to install only approved updates of Network Agent

UT
IB
S TR
DI
RE
Approved updates of Network Agent are installed automatically without tasks. After the administrator approves an
update, Agents will start downloading it during planned synchronizations and install locally.
OR

By default, the Administration Server installs all Network Agent updates rather than only approved ones. To install
only approved updates:

1. Open the policy of Network Agent in the Policies node

D

2. Switch to the section Manage patches and updates

E

3. Clear the check box Automatically install applicable updates and patches for Kaspersky Security
PI

Center 10 components with Undefined status

To test Network Agent updates, create a group for test computers and enable installing unapproved updates in the
CO

policy of this group

The administrator can always select not to install some update, even if automatic update is configured in the policy.
For this purpose, open the update properties and for the parameter Update approval, select Declined.
BE

To prevent distributing Network Agent updates of older version (up to version 10 SP1 inclusive), disable the
respective parameter in the task Download updates to the repository:

1. In the Tasks node, open the properties of the task Download updates to the repository
TO

2. Switch to the Settings section and in the Other settings area, click the link Configure…

3. Clear the check box Update Network Agent modules (for Network Agent versions earlier than 10
Service Pack 2)
T

Since only one task of this type exists, module updates of Network Agents up to version 10 SP1 inclusive will or
will not be installed in the whole network. You cannot enable installation of these updates in some groups and
NO

disable in others.
 IV-53
Unit IV. Maintenance

ED
How to find out that a new version has been released

UT
Where to look for new versions

IB
S TR
DI
RE
OR

The Update area of the Monitoring page also informs about new product versions and Service Packs. Monitor the
messages:

— Updates are available for Kaspersky Security Center 10 components

D

— Updates are available for Kaspersky Lab applications

— Latest versions of Kaspersky Lab applications
E

All of them lead to the Current application versions window.

PI

To open this window in another way, click the link View current version of Kaspersky Lab applications.
CO

Alternatively, open the node Advanced, Remote installation, Installation packages in the console; click the
button Additional actions and select View current version of Kaspersky Lab applications.

The window shows the list of available product versions by Kaspersky Lab, which are manageable via Kaspersky
Security Center. You can download them from Kaspersky Lab servers through this window.
BE

Program versions include:

— Distributions that can be downloaded to the Administration Server using the button Download and create
installation package
TO

— Distributions that cannot be transformed into a package, but can just be downloaded

— Management plug-ins, which can be downloaded and installed in the console

T
NO
IV–54 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
How to find the necessary product, version and language

The list includes numerous programs, a few versions of each program and several localizations of each version, and

UT
it’s easy to get lost.

To find what you need, for example, the latest version of Kaspersky Endpoint Security in English, configure a filter:

IB
1. Components:

TR
Controls Distributions and patches of Kaspersky Security Center and Network Agent
components for various platforms

Workstations Kaspersky Endpoint Security for various platforms (Windows, Mac)

S
File Servers and Distributions and plug-ins of Antivirus Kaspersky for Windows File Servers,
Storages Kaspersky Anti-Virus for Windows Servers and

DI
Kaspersky Security for Windows Server

Virtualization Distributions and plug-ins of Kaspersky Security for Virtualization Light Agent

Mobile

Embedded Systems
RE
Distributions and plug-ins of Kaspersky Security for Mobile (Android)

Kaspersky Embedded Systems Security distributions and plug-ins

(ATM and POS)
OR

2. Update type: Full distribution package, plug-in or patch

3. Which software updated to show—select any of the following combinations:

— Only the latest software versions

D

— Only updates for software versions in use—meaning, those that are installed on the network computers
— Only updates for software with plug-ins installed in Administration Console (in the one where the
E

window is currently open, the results may differ in different consoles)

PI

4. Language

— All languages
CO

— Administration Console language or basic set (English, German, French)

— Administration Console language and another language selected on the list

To receive updates only for the Console language, select the third option and then select the console
language once again on the drop-down list
BE
TO
T
NO
 IV-55
Unit IV. Maintenance

ED
4.2 How to renew a license

UT
When to renew a license

IB
S TR
DI
RE
OR

Initially, a license is purchased together with the product to entitle its use. Later, another license can be purchased to
D

overcome one of the following license limitations:

E

— Prolong—the most typical situation, when the company is satisfied with the product and it is necessary to
renew the license to keep using it
PI

— Increase the number of computers—if the company grows and the number of computers is about to exceed
the license limit
CO

— Extend functionality—if the necessity to use additional product functions has appeared in the company, for
example, Encryption or automatic installation of Windows updates

Also, a license may be blacklisted if it is exposed to the Internet. Kaspersky Lab blocks these licenses, and they stop
working. Products receive black lists of licenses together with signature updates.
BE

Without a license, Kaspersky Endpoint Security works with limitations:

Before the first license is installed File Threat Protection and Firewall work, an update task runs once
TO

If a commercial license has expired All components keep working, but update tasks will not start and KSN
servers are inaccessible. Protection level gradually decreases.

If a trial license has expired or a Only File Threat Protection and Firewall will keep working.
commercial license has been blacklisted Protection will be resumed after you activate the product with a valid
T

commercial license.
NO
IV–56 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
How to find out that the license expires

UT
IB
S TR
DI
RE
If the license is about to expire or has expired on a computer, the administrator should pay attention.
OR

The license expiration date is displayed in the license properties in the node Administration Server, Kaspersky
Lab Licenses.

The computer statuses configured in the administration group properties may also attract the administrator’s
D

attention. Two status conditions relate to licenses:

— License term expired—sets the computer status to Critical. By default, the condition is triggered in 0
E

days, meaning, right after the license expires. It can be configured to trigger several days after the license
expiration so that the license could update automatically and not waste the administrator’s time
PI

— License term expires soon—sets the computer status to Warning. By default, is displayed 7 days before
CO

the expiration, but this parameter is adjustable

When the license that activates the Administration Server is about to expire, a pop-up message is displayed to
the administrator every time the Administration Console starts. Upcoming expiration is also indicated in the
Deployment area of the Monitoring tab of the Administration Server node.
BE
TO
T
NO
 IV-57
Unit IV. Maintenance

ED
How to find out that the number of activations is
exceeded

UT
IB
S TR
DI
RE
OR

Most of the information about the keys that the administrator would ever need is available in the Administration
Server | Kaspersky Lab Licenses node. including node restriction and use percentage.

The Administration Server shows how many of the managed computers are using the license. It does not receive
D

data from Kaspersky Lab activation servers, which may have different statistics if the license is also used on
computers without the Network Agent
E

Administration Server events inform about exceeding the node limitation:

PI

— License restriction has been exceeded—there are two events with this name, critical and warning.
The critical event is generated when the number of installations constitutes 110% of the license limit.
CO

The warning informs of reaching the limit (100%)

— Over 90% of this key is used up—an information message

The Administration Server does not impose any technical limitations if the license limit reaches either 100% or
110%. If keys are used for activation, the administrator can distribute them with a key installation task to any
BE

number of computers. From the viewpoint of the license agreement, a license entitles you to use software on the
number of devices specified in the license certificate. However, if the Automatically deploy key to managed
computers check box is selected in the key properties, the Administration Server will not only distribute it to
computers, but also remove the key from excessive computers if the license limit is surpassed.
TO

If activation codes are used, Kaspersky Lab activation servers may impose technical limitations. Each instance of
Kaspersky Endpoint Security which needs to be activated, the Activation Servers issue a ticket for using the product.
If the number of simultaneously issued tickets greatly exceeds the license limit (1.5 to 2 times), the activation server
will stop issuing tickets.
T
NO
IV–58 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
How to switch over to a new license

UT
How to renew a license on the computers

IB
S TR
DI
RE
OR

When a license is soon to expire, the company can purchase a new license. The problem is how to switch from one
license to another without a time gap and without reducing the effective license period of any of the licenses. You
would rather not replace the old license when there still several days left of the licensing period. However, you want
D

to activate the new license before the old one expires.

To prevent losing the validity period of neither old nor new license, use one of the following approaches:
E
PI

1. Distribute a new key to the computers using a key installation task beforehand. In the task settings, specify
that it is an additional (backup) key
CO

Additional keys and codes can be added in almost all products by Kaspersky Lab. Once the active key
expires, the product is automatically activated with the additional key or code.

2. Add the new license to the Administration Server and enable in it properties the check box Automatically
deployed key
BE

When the previous key expires on the computers, they will receive the new automatically distributed key
from the Administration Server.

Automatically deployed keys are sent to all computers. If a computer does not have an active license,
the automatically distributed key will be activated on it. If an active license is already available, the automatically
TO

distributed key will be deployed as an additional one. If a computer has both an active and an additional license,
the automatically distributed key will not be installed.

The key or code to be distributed can be added in the Quick Start wizard. To add keys later, in the Administration
Server \ Kaspersky Lab Licenses node, click the Add activation code or key button.
T

Registered keys and codes can be imported from the storage as key files or text files with the code. These can be
NO

used for local activation, if necessary, or for backup purposes.

 IV-59
Unit IV. Maintenance

ED
How to renew an Administration Server license

UT
IB
S TR
DI
RE
Only the extended functions of Kaspersky Security Center Administration Server 10 available in KESB Select and
KESB Advanced licenses require activation.
OR

The operations described in this course do not require activating the Administration Server.

To replace the active key or add another one to the Administration Server, open the Keys section in the Server
properties. You can specify the active and additional license in this section. You can also replace or delete licenses
D

as necessary.
E

You can select a license for the Administration Server from among those added to the Kaspersky Lab Licenses
node.
PI

To add a key to the Administration Server, select a key specifically designed for Kaspersky Security Center. Check
what is written in key table at the very end of the Application name field. There is usually a descriptor there:
CO

Security Center or Kaspersky Endpoint Security that indicates the key purpose.

If you are adding a code, you need not check the name, the same code activates all products covered by the license:
Kaspersky Endpoint Security and Kaspersky Security Center.
BE
TO
T
NO
IV–60 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
How to replace the active license

UT
IB
S TR
DI
RE
Sometimes it is necessary to install a specific key on a specific computer or a group of computers. Automatic
OR

distribution would not serve this purpose. Instead, you can create an Add key task.

This task can be created using the typical task creation wizard in a group or in the Tasks node. You can also click
the Deploy key to managed devices button in the Administration Server | Kaspersky Lab Licenses node—in this
case, the wizard displays fewer steps.
D

If two products require different Console plugins to be managed, they would require different Add key tasks as well.
For example, Kaspersky Endpoint Security 10 Service Pack 2 and Kaspersky Endpoint Security 10 Service Pack 1
E

have independent plugins. Therefore, a task to add key to Kaspersky Endpoint Security 10 SP2 wouldn’t run on
Kaspersky Endpoint Security 10 SP1 and vice versa.
PI

In the task creation wizard or later in the task properties, you can select a license either from the list of registered
keys and codes (in the Administration Server | Kaspersky Lab Licenses node) or from a file. There is an option in
CO

the task that allows installing the selected key or code as an additional key. This option is enabled by default,
because the main license is supposed to be installed through the automatic installation feature (an option in the key
or code properties).
BE
TO
T
NO
 IV-61
Unit IV. Maintenance

ED
4.3 How to configure backup

UT
Why back up?

IB
S TR
DI
RE
OR

Creating backup copies is a good practice that can save you a lot of trouble. The administrator will be able to restore
D

the entire management system from a backup copy within about an hour. To ensure a quick recovery, it is important
to store backups in a reliable location.
E

A backup copy of the Kaspersky Security Center data includes all visible and invisible configuration settings. This
PI

includes the event database (which contains more than just the events), administration group structure, tasks and
policies, report templates, installation packages 3, selections of computers and events, the Administration Server
certificate, and more. Updates are not included, because they quickly become outdated, and there is no reason to
CO

keep an old copy.

Since the Encryption functionality has appeared in Kaspersky Endpoint Security, backups have become even more
important. The Administration Server configuration now includes the encryption key store that contains master keys
for all computers where encryption is used. These keys are necessary for recovering access to encrypted data in case
of failures. If the master keys stored on the Administration Server are lost, encrypted data may also be lost
BE

irretrievably. Encryption and the risks involved are described in course KL 008 Encryption.

However, even if we leave encryption out of consideration, losing Administration Server data can result in many
hours or days or even weeks spent on system recovery. In a large network, even creating a structure of groups can be
difficult and may consume much time and effort. If the server is reinstalled, its certificate changes, which means that
TO

Network Agents, even if they use the correct address, will not be able to establish a connection to the new
Administration Server. Generally, to recover connection to the computers, all Network Agents will have to be
reinstalled.

A backup copy relieves the administrators from these issues, because a copy includes the server certificate, all
T

the settings, and the encryption key store.

NO

Backup copies can be used as an alternative method of upgrading the Kaspersky Security Center version. A standard
upgrade procedure implies installing a new version over the old one. In this case, the installer detects a previous
version and upgrades its components, saving old settings if possible. Using the backup mechanism, you can create

3
Including standalone, but excluding operating system image packages (These packages are described in detail in course KL
009 Systems Management.)
IV–62 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
a backup copy of your old system, uninstall it, then install the new version of the Administration Server, and restore
its configuration from the backup. You can use this method when it is necessary to upgrade not only the software
components of the Administration Server, but also its hardware configuration.

UT
In a similar manner, you can use backups to move the Administration Server to a different computer. First create
a backup copy, and then install the Administration Server on another system. Restore the Administration Server
settings from the backup copy. In this case, it is important to ensure that the same type of SQL server (Microsoft
SQL or MySQL) is used by both new and old instances of the Administration Server.

IB
If you move the Administration Server to another system and want to change the Server’s name, you must make this
change before the migration. For details, refer to course KL 302 Kaspersky Endpoint Security and Management.

TR
Advanced Skills.

The most important thing about backup copying is to regularly make sure that you can restore the system from a
backup copy

S
Spend half an hour once a month or at least quarter to restore Administration Server data on a test computer. This

DI
way, you will make sure that the backup copies are not corrupted and sharpen your skills. In case of a real failure,
you will be able to restore systems quickly and easily.

How to configure backup RE

OR
E D
PI
CO
BE

To create backup copies, Kaspersky Security Center has a special task called Backup of Administration Server data.
Only one instance of this task can exist on the Administration Server, and the default one is created by the Quick
Start wizard. If necessary, you can delete and recreate it as a troubleshooting measure.
TO

The actual job of creating backup copies is performed by klbackup.exe, a utility for backup and recovery of the
Administration Server. The task launches the utility with the specified options, which then creates a backup copy.

Starting with Kaspersky Security Center version 10 SP3, when creating a backup copy, the klbackup.exe utility
T

does not stop any services; it copies the Server settings and data, then instructs the SQL server to back up the
database.
NO

Only one parameter is required for the backup task: the location of backup copies. This folder will contain
subfolders for each backup copy. The names of the subfolders consist of the date and time of creation. The default
location of backup copies is the SC_Backup folder in the Administration Server data directory
(%ProgramData%\KasperskySC\SC_Backup).
 IV-63
Unit IV. Maintenance

ED
It is risky to store backup copies on the disk where the Administration Server is installed, because in the event of a
hardware failure, both the current system and its backup copy will suffer. We strongly recommend that you store
backup copies in another location. The administrator can either specify a network location or use an additional
process to move backup copies to a safer place for storage.

UT
It is important to realize that backup copies of the Administration Server data are created under the Administration
Server account, whereas backups of the database are created under the database server account. If you specify a
network path as the target location for backup copies, both the Administration Server and SQL server must have

IB
access to this folder. Also, the specified drive must have enough free space.

Since a backup copy can be up to several gigabytes in size (depending on the network and the amount of stored

TR
data), it makes sense to limit the number of stored backup copies. By default, the maximum number of backup
copies is three.

The Administration Server certificate is stored in an encrypted form for security reasons. This security measure

S
prevents intruders from using the certificate to gain control over the client systems. To enable certificate encryption,
you need to provide a password. By default, the password is empty.

DI
The backup data copying task is scheduled by default to start daily at 2 a.m.; therefore, only three backup copies of
the last three days are stored.

How to restore from a backup

RE
OR
E D
PI
CO
BE

There is no task in Kaspersky Security Center that would restore data from a backup copy. This is done by design,
because an accidental launch of such a task would result in the loss of newly added settings and data.
TO

In order to restore the Administration Server data, the klbackup.exe utility is used again, which can be run from
the Start menu. When started without command line options, this utility works as a wizard that prompts you to
choose the restore option and enter the path to the backup copy and the password for decrypting the Administration
Server certificate. You need to specify the full path to the subfolder that contains the backup copy. For example, if
T

you specified the c:\backups path for the backup task, to restore the system, you need to enter something similar to
c:\backups\klbackup2017-12-27#02-00-02
NO

The backup copying utility can not only restore the data from backup copies, but it can also create backup copies. To
do so, at the Choose Action step, select Backup of Administration Server data.

Also, you can enable the mode for only backing up or restoring the Administration Server certificate. This mode can
be used, for example, when you only need to restore connection between the Network Agents and the Server, but
want to create the structure and settings from scratch. This limited backup is not available in the backup task.
IV–64 KASPERSKY LAB™
KL 002.11. Kaspersky Endpoint Security and Management. Fundamentals

ED
The klbackup.exe utility can be launched from the command line with the following parameters:

— –path—backup copy destination folder, or the source folder during a recovery

UT
— –restore—the option that instructs the utility to restore data; without it, the utility will create a backup copy

— –use_ts—the option that creates a subfolder with a name consisting of the time and date of creation;
without it, the utility will create a backup copy right in the folder specified by the path option

IB
— –password—the option that specifies the password for encrypting the Administration Server certificate

TR
How and why maintain the database

S
DI
RE
OR
E D
PI

With time, the Administration Server database may slow down. In particular, the reports may be generated slowly,
and lists of events or computers may be displayed only after a noticeable pause.
CO

To speed up the console’s work with the events stored in the database, the database is to be optimized. Before
Kaspersky Security Center 10 SP2, it could have been done only using the database server tools. Kaspersky Security
Center 10 SP2 features a special task named Database maintenance, which can optimize a Microsoft SQL database
of the Administration Server. The task does not support MySQL databases. If you use MySQL, optimize
BE

the database using the database server tools.

To speed up the Administration Server database, the Database maintenance task performs the following:

— Looks for errors in the database and fixes them

TO

— Rebuilds indexes
— Updates the database statistics
— Optionally shrinks the database

The task has few parameters. In addition to the schedule, there is only the Shrink database option, which decreases
T

the database size. The database is recommended to be optimized once a week.

NO

If the Administration Server works slowly because its resources are scarce, the Maintenance database task will not
help

There can be only one Maintenance database task. It is created by the Quick Start wizard. By default, the task
starts every Saturday, at 1 a.m.
 IV-65
Unit IV. Maintenance

ED
4.4 Maintenance: Summary

UT
IB
S TR
DI
RE
OR

To keep protection working on the computers, monitor important events:

— Configure notifications about possibly infected computers

— Configure reports to be emailed
— Organize daily inspections of the protection status: Prepare an all-in-one statistics page
D

Investigate grave incidents, such as an infection, immediately. Solve less important issues once a week. Do not
E

allow them to pile up; otherwise, it will soon be difficult to notice something important among them.
PI

If you cannot solve an issue, contact the technical support. To receive a precise answer earlier, collect logs and
attach them to your request.
CO

Install updates and new versions. They correct errors and improve performance and protection.

Back up the Administration Server data. Regularly make sure that you can restore data from a backup.

Do not forget to renew the license. Configure statuses and notifications to be informed of its expiration beforehand.
BE
TO
T
NO

v1.0.1