KL 002.10. Kaspersky Endpoint Security and Management. Fundamentals
SP Version
Kaspersky Lab
www.kaspersky.com

Unit I. Deployment
Unit II. Protection Management
Unit III. Endpoint Control
Unit IV. Maintenance

Unit I. Deployment

Introduction
    Course Outline
    Unit Outline
Chapter 1. Organizational Issues
    1.1 Problem Definition
    1.2 Procedure
        Potential difficulties
        Procedure
        Testing
Chapter 2. Installing Kaspersky Security Center
    2.1 System Requirements for Administration Server
        Software requirements
        Supported virtual platforms
        Hardware requirements
    2.2 Standard Installation
        Installation files
        Installation progress
        Installing plug-ins
    2.3 Custom Installation
        Components
        Installation path
        An account for the main Administration Server service
        An account for other Administration Server services
        SQL server
        Shared folder
        Connection ports
        Connection address
        Management plug-ins
        Installation results
    2.4 Quick Start Wizard
        Keys and codes
        Update installation statistics
        Notifications
        Vulnerability and patch management
        Policies and tasks
        Proxy server
        Wizard completion
    2.5 Additional Components of Kaspersky Security Center
        Components
        Administration Console
Chapter 3. Installation on Computers
    3.1 System Requirements
        Requirements for installation of Kaspersky Endpoint Security 10 for Windows
        Network Agent installation requirements
    3.2 Typical Installation Using Wizard
        Selecting the product
        Selecting the computers
        Installation method
        Key
        Computer restart
        Uninstallation of incompatible applications
        Computer relocation
        Selecting account
        Installation process monitoring
    3.3 Possible Installation Issues
        Installation specifics
        Possible obstacles
        Preparing the computer with the riprep.exe utility
        Configuring access using the domain policy
    3.4 Uninstallation of Incompatible Applications
        Uninstallation tools
        Uninstallation using Kaspersky Endpoint Security 10 installer
        Uninstallation using Network Agent
    3.5 Other Installation Methods
        Installation methods: overview
        Installation using standalone packages
        More installation-related settings
        Installation using Active Directory
    3.6 Installation Packages
        Network Agent installation parameters
        Kaspersky Endpoint Security installation parameters
        Creating installation packages
    3.7 Deployment Monitoring
        Software version report
        Protection Deployment Report
        General deployment status
        Discovering new computers
Chapter 4. Management of Computer Structure
    4.1 Discovering Computers
        Discovery management
        Windows network polling
        Active Directory polling
        IP subnet polling
    4.2 Creating Group Structure
        Computer groups
        Managing groups
        How to add computers to groups
        Importing groups
    4.3 Computer Relocation Rules
        Where to move to
        When to move
        What to move
        Tags
        Rule application order
        Rule use example

Introduction
Course Outline
This course aims to explain how to plan, deploy and maintain an endpoint protection system based on the flagship
Kaspersky Lab products: Kaspersky Endpoint Security and Kaspersky Security Center. Kaspersky Endpoint
Security is designed to protect computers. Kaspersky Security Center enables the administrator to manage protection
of all corporate computers.
Upon completion of this course you will see that these products can do much more than just protect and manage
protection. Kaspersky Endpoint Security has encryption capabilities and can restrict the users' actions; while
Kaspersky Security Center is able to manage not only Kaspersky Endpoint Security for Windows, but also other
Kaspersky Lab products designed for Mac OS X, Linux, mobile devices, etc. Kaspersky Security Center can also
manage some functions of the operating system and software installed on the managed computers, in particular
discover vulnerabilities and automatically install updates and fixes.
Studying all of those capabilities takes more than a week, and falls outside the scope of this course. Instead, we will
study protection of a small local-area network, which will take us 2 to 3 days.
The course consists of four units.
Unit I is devoted to planning and deploying a protection system. We will study a typical deployment plan and
elaborate on its steps. Deployment includes not only installation, but also initial configuration, i.e. all the actions to
be taken once and for all, after which the maintenance stage starts.
Unit II describes endpoint protection: the tools implemented in Kaspersky Endpoint Security, how to fine-tune them
if necessary, and how you can find out whether they do their job properly.
Unit III introduces the control tools: Device, Web and Application Control. It is devoted to their capabilities, typical
use cases, settings and monitoring tools.
Unit IV comprises all the rest: maintenance specifics and fine-tuning the created protection system. We will study
how to update signatures and product components, renew and replace a license, configure backup copying and
recover after a failure, and adjust the tools available to the user and the administrator.

Unit Outline
Unit I focuses on the deployment process, which starts with planning. Any large-scale project involves not only
clicking buttons but also coordinating the time and effort of all the stakeholders.
Chapter 1 therefore explains how a deployment is organized, including planning, testing and
implementation.
After the organizational issues, we will describe in detail all the steps of a typical deployment plan and product
configuration.
Chapter 2 is devoted to the installation and initial setup of the Administration Server. This is the core component of
Kaspersky Security Center, which is necessary for deploying and managing Kaspersky Endpoint Security on
the computers.
Chapter 3 tells how to use Kaspersky Security Center Administration Server to remotely install Kaspersky Endpoint
Security on the computers. It describes the most popular remote installation method and briefly introduces
the alternatives.
Chapter 4 explains network discovery and organization of computer management groups. Theoretically, computers
should be discovered prior to the remote installation; in practice, however, within a small network, computers are
discovered automatically and this process does not require any special effort. Group creation may either precede or
follow the deployment. Computers can be moved to the proper groups automatically according to the conditions
specified by the administrator; the course explains how to configure this.

Chapter 1. Organizational Issues


1.1 Problem Definition
In a deployment, all network computers must be protected, and the administrator must be able to manage protection
centrally. To achieve this, it is necessary to install Kaspersky Security Center 10 (KSC 10) centrally and Kaspersky
Endpoint Security 10 for Windows (KES 10) on the computers.
In order to provide centralized protection management, and also simplify the deployment process, there must be at
least one Kaspersky Security Center Administration Server installed. Large networks or networks having an unusual
architecture may benefit from more than one Administration Server.
The Kaspersky Administration Console is installed automatically along with the Administration Server. Additional
consoles can be installed on the administrators' computers and connect remotely to the Administration Server.
In practice, however, administrators often connect via Remote Desktop to the console installed locally on the
Administration Server.
In order to protect the network, Kaspersky Endpoint Security is to be installed on every eligible computer.
Kaspersky Endpoint Security alone cannot interact with Kaspersky Security Center, which is why the Network
Agent must be installed on every computer to make centralized management possible.

1.2 Procedure
Potential difficulties
Endpoint protection installation takes time, which is always scarce. In a large network that consists of many
computers, more time is necessary, even if there is an administrator who is solely responsible for endpoint
protection.
In a middle-size network, less time is necessary. Usually such networks lack a dedicated endpoint protection
administrator. IT employees responsible for the deployment also perform other IT infrastructure maintenance tasks.
In small networks, comparatively little time is necessary, but a full-time administrator is not always available.
An ordinary employee who has other work to do may be entrusted with the deployment; or there may be a part-time
administrator who works several hours a week.
Remote installation reduces the labor involved in deployment, but it brings problems of its own.
First, remote installation transfers data over the network, so network load increases.
Second, remote installation very rarely works for 100% of the network computers. A computer may temporarily be
off the organization's network, turned off, or unreachable over the network; remote access may also be restricted by
a security policy or by other protection tools.
Compatibility problems may also arise during the deployment. Protection tools by other manufacturers may hamper
installation or operation of Kaspersky Endpoint Security. These protection tools need to be uninstalled before
the installation of Kaspersky Endpoint Security. This makes the deployment even more time consuming.
Kaspersky Endpoint Security with the default settings may sometimes hamper other programs. This is not the case
with widespread, standard programs; but rare and unusual ones, for example, medical software and other special
systems can be at risk. These interaction issues must be identified during the preparation stage and taken into
consideration when adjusting Kaspersky Endpoint Security settings.
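The reachability problems listed above can be found before the remote installation task is even created. The script below is an added example written for this edition and is not part of the Kaspersky course. It assumes that the list of target computers is kept in a text file with one name per line and that the chosen remote installation method needs ICMP plus TCP 135 (RPC endpoint mapper) and TCP 445 (SMB, admin shares) reachable from the Administration Server; both the file layout and the port list are assumptions to adjust to the method you actually use.

```powershell
# Added example (not part of the Kaspersky course): pre-flight reachability check run from the
# Administration Server before a remote installation task, so that computers that are off,
# off-network or blocked by a firewall are listed up front instead of showing up as task failures.
# Assumptions: the target list is a text file with one computer name per line, and the chosen
# remote installation method needs ICMP plus TCP 135 (RPC endpoint mapper) and TCP 445 (SMB,
# admin shares) open from this host. Adjust $Ports to whatever your method actually uses.
param(
    [string]$HostList = '.\computers.txt',
    [int[]] $Ports    = @(135, 445),
    [string]$Report   = '.\preflight.csv'
)

$results = foreach ($line in Get-Content $HostList) {
    $name = $line.Trim()
    if (-not $name) { continue }

    # 1. Name resolution: stale DNS/AD entries are a common reason a computer is "unreachable".
    $address = $null
    try { $address = [System.Net.Dns]::GetHostAddresses($name) | Select-Object -First 1 } catch { }

    # 2. ICMP: a computer that is turned off or off the corporate network fails here.
    $pingOk = $false
    if ($address) { $pingOk = Test-Connection -ComputerName $name -Count 1 -Quiet -ErrorAction SilentlyContinue }

    # 3. TCP ports: a host firewall or security policy that blocks remote access fails here even when ping works.
    $portState = @{}
    foreach ($p in $Ports) {
        $portState[$p] = $false
        if (-not $pingOk) { continue }
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($name, $p, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne(2000)) {   # 2 s timeout per port
                $client.EndConnect($async)                 # throws if the connection was refused
                $portState[$p] = $client.Connected
            }
        } catch { } finally { $client.Close() }
    }

    # Most specific failure wins: no DNS > offline > filtered.
    $status = 'Ready'
    if ($portState.Values -contains $false) { $status = 'Filtered' }
    if (-not $pingOk)                       { $status = 'Offline' }
    if (-not $address)                      { $status = 'NoDNS' }

    $addrText = if ($address) { $address.ToString() } else { '' }
    [pscustomobject]@{
        Computer = $name
        Address  = $addrText
        Ping     = $pingOk
        Ports    = ($Ports | ForEach-Object { '{0}={1}' -f $_, $portState[$_] }) -join ';'
        Status   = $status
    }
}

$results | Export-Csv -Path $Report -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
```

Run it from the Administration Server with the same network position the installation task will have; the "Filtered" and "NoDNS" rows are the ones to hand to whoever owns the firewall rules or the directory, while "Offline" computers are simply candidates for a later run of the task.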

Procedure
The recommended procedure for deploying Kaspersky Endpoint Security in a network is as follows:
1. Study Kaspersky Endpoint Security capabilities and try to identify compatibility problems through
   preliminary testing.
2. Install the Kaspersky Security Center Administration Server. The Administration Server can serve as
   a remote installation tool and is necessary for managing protection on the computers when the deployment
   is finished.
3. Connect and protect client computers:
   3.1. Distribute and install Network Agents. These will make the computers manageable via Kaspersky
        Security Center; in particular, they enable the administrators to delete protection tools by other
        manufacturers and install Kaspersky Endpoint Security. Network Agents almost never conflict with
        other programs.
   3.2. Uninstall protection tools by other manufacturers. We recommend using the uninstallation tools
        included either in the operating system or in the program to be uninstalled. As a last resort you can
        uninstall third-party software using the corresponding capabilities implemented in Kaspersky
        Security Center and the Kaspersky Endpoint Security installer.
   3.3. Install Kaspersky Endpoint Security. In simpler cases, this step can be performed simultaneously
        with the previous two steps; that is, you can uninstall protection tools by other manufacturers and
        install Network Agent and Kaspersky Endpoint Security with a single task. The decision on whether
        to join or separate these steps is to be made at the preparation stage.
4. Create the group structure. All computers are gathered into one group after the deployment, which may be
   inconvenient, especially in large networks. Principles and methods of dividing computers into groups in
   Kaspersky Security Center are described in Chapter 4 of this Unit.

Testing
Preliminary tests are performed during the preparation stage to help detect problems and either solve them or find
a workaround in advance. The time spent on pre-testing saves the time that would otherwise be spent solving the same
issue network-wide.
Depending on the organization's size and available resources, preliminary tests can be obligatory or optional, and
may be broken down into several stages that take various forms. In most cases, testing includes two key stages:
1. Studying capabilities. Best performed on virtual machines or, for lack of resources, on the administrator's
   computers. During this stage, the administrator learns how to install, manage and maintain the product, and
   can test facets of the deployment plan: order, methods and technicalities.
2. Operation testing. Best performed on several production computers or, again, on the administrator's
   computers. During this stage, the administrator tests the planned deployment methods and monitors
   Kaspersky Endpoint Security operation. The purpose is to find all possible problems before the product is
   deployed company-wide. At the end of this stage, the administrator should have a more detailed
   deployment plan and, if necessary, a list of changes to the default settings of Kaspersky Endpoint
   Security that are to be made prior to the installation.
In small networks, preliminary tests are often neglected, as the testing cost is comparable to the cost of solving
the issues in the network as they arise. In large companies, the opposite is true, and preliminary testing usually must
be performed before new software is deployed or any other changes are introduced in the network.

Chapter 2. Installing Kaspersky Security Center


2.1 System Requirements for Administration Server
Software requirements
The supported operating systems and requirements for them are listed below:
- Microsoft Windows Server 2008 x86/x64 Standard / Enterprise / Datacenter
- Microsoft Windows Server 2008 SP1 x86/x64 Standard / Enterprise / Datacenter
- Microsoft Windows Server 2008 SP2 x86/x64 Foundation
- Microsoft Windows Server 2008 R2 Foundation / Standard / Enterprise / Datacenter
- Microsoft Windows Server 2008 R2 SP1 Foundation / Standard / Enterprise / Datacenter
- Microsoft Windows Server 2012 Foundation / Essentials / Standard / Datacenter
- Microsoft Windows Server 2012 R2 Foundation / Essentials / Standard / Datacenter
- Microsoft Windows Small Business Server 2008 Standard / Premium
- Microsoft Windows Small Business Server 2011 Essentials / Standard / Premium Add-on
- Microsoft Windows 7 x86/x64 Professional / Enterprise / Ultimate
- Microsoft Windows 7 SP1 x86/x64 Professional / Enterprise / Ultimate
- Microsoft Windows 8 x86/x64 Professional / Enterprise
- Microsoft Windows 8.1 x86/x64 Professional / Enterprise
- Microsoft Windows 10 x86/x64 Home / Pro / Enterprise / Education

All of the aforementioned Microsoft Windows Server editions also support Core installation without the graphic
interface.
It is better to use server hosts for the Administration Server. In small networks (up to a couple of hundred
computers), a powerful workstation will do.
In addition to the operating system, the following software is necessary:
- Microsoft .NET Framework 2.0 (included in the distribution)
- Microsoft Data Access Components 2.8
- Windows Data Access Components 6.0
- Windows Installer 4.5 (included in the distribution)

An SQL server is also necessary for the Administration Server. The distribution of Kaspersky Security Center 10
includes Microsoft SQL Server 2008 R2 SP2 Express Edition, a free version of Microsoft SQL Server. It is
installed automatically during the Typical installation of the Administration Server and is sufficient for testing and
for production use in small networks. Detailed information on SQL servers is given later in this chapter.
Note that the computer selected for the Administration Server must not have a pre-installed Network Agent.
The installer detects the Network Agent automatically and reminds the administrator to uninstall it.

Supported virtual platforms


Many companies use virtualization to improve hardware efficiency and for other reasons. Quite often, even
business-critical servers are located on virtual machines instead of physical ones. In some companies, all servers are
virtualized, and only hypervisors remain physical.
There's nothing preventing you from installing the Administration Server on a virtual machine. The following
virtualization platforms are supported:
- VMware vSphere 5.5, 6
- VMware Workstation 9.x, 10.x
- Microsoft Hyper-V Server 2008, 2008 R2, 2012, 2012 R2
- Microsoft VirtualPC 2007 (6.0.156.0)
- Citrix XenServer 6.1, 6.2
- Parallels Desktop 7
- Oracle VM VirtualBox 4.0.4-70112
- KVM integrated with:
  - RHEL 5.4 or later
  - SLES 11 SPx
  - Ubuntu 10.10 LTS

It goes without saying that the operating system, software and hardware requirements must be met.

Hardware requirements
Minimum hardware requirements are as follows:
- 1 GHz or higher processor (1.4 GHz for 64-bit systems)
- 4 GB of RAM
- 10 GB of free hard drive space (if you plan to use the Systems Management functionality, 100 GB of free
  hard drive space will be necessary)
These hardware requirements are truly minimal. A more powerful server will be necessary for any
significant number of clients. Recommendations based on synthetic tests are available in the Deployment Guide.
Practical experience of using the Administration Server in large networks is summarized in course KL 302.10
Kaspersky Endpoint Security and Management: Advanced Skills.
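The software and hardware requirements above can be checked on the candidate host before the installer is started. The following PowerShell script is an added example for this edition, not part of the Kaspersky course or product. The thresholds are the ones given in this chapter; the registry key used to detect .NET Framework 2.0, the msi.dll file version used for Windows Installer, and the Network Agent service name 'klnagent' are assumptions to confirm on your build. MDAC and WDAC are not checked.

```powershell
# Added example (not part of the Kaspersky course): pre-flight check of the host chosen for the
# Administration Server against the software and hardware requirements listed above.
# Thresholds (1 GHz / 1.4 GHz x64, 4 GB RAM, 10 GB or 100 GB free disk, .NET 2.0, Windows
# Installer 4.5, no pre-installed Network Agent) come from the requirements text; the registry
# key, the msi.dll version lookup and the service name 'klnagent' are assumptions to verify.
param(
    [switch]$SystemsManagement   # set when Systems Management will be used: 100 GB instead of 10 GB
)

$os   = Get-CimInstance Win32_OperatingSystem
$cpu  = Get-CimInstance Win32_Processor | Select-Object -First 1
$disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"

$is64    = $os.OSArchitecture -like '64*'
$minMHz  = if ($is64) { 1400 } else { 1000 }
$minDisk = if ($SystemsManagement) { 100 } else { 10 }
$ramGB   = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)   # WMI reports this value in KB
$freeGB  = [math]::Round($disk.FreeSpace / 1GB, 1)

# Assumption: the Network Agent registers a Windows service named 'klnagent'.
$netAgent = Get-Service -Name 'klnagent' -ErrorAction SilentlyContinue

# Assumption: .NET Framework 2.0 records its presence under this NDP registry key.
$net20 = Test-Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727'

# Assumption: the Windows Installer version is the file version of msi.dll in System32.
$msiVer = [version](Get-Item "$env:SystemRoot\System32\msi.dll").VersionInfo.ProductVersion

$checks = @(
    [pscustomobject]@{ Check = 'Server OS';                Value = $os.Caption;        Pass = ($os.ProductType -ne 1) }
    [pscustomobject]@{ Check = "CPU >= $minMHz MHz";       Value = $cpu.MaxClockSpeed; Pass = ($cpu.MaxClockSpeed -ge $minMHz) }
    [pscustomobject]@{ Check = 'RAM >= 4 GB';              Value = $ramGB;             Pass = ($ramGB -ge 4) }
    [pscustomobject]@{ Check = "Free disk >= $minDisk GB"; Value = $freeGB;            Pass = ($freeGB -ge $minDisk) }
    [pscustomobject]@{ Check = '.NET Framework 2.0';       Value = $net20;             Pass = $net20 }
    [pscustomobject]@{ Check = 'Windows Installer >= 4.5'; Value = $msiVer;            Pass = ($msiVer -ge [version]'4.5') }
    [pscustomobject]@{ Check = 'No Network Agent';         Value = [bool]$netAgent;    Pass = (-not $netAgent) }
)

$checks | Format-Table -AutoSize

# A workstation OS is acceptable for small networks, so report it but do not treat it as a failure.
$hard = @($checks | Where-Object { -not $_.Pass -and $_.Check -ne 'Server OS' })
if ($hard.Count -gt 0) {
    Write-Warning "Host fails $($hard.Count) requirement(s); fix them before running the installer."
    exit 1
}
```

The script exits non-zero on any hard failure, so it can be dropped into whatever change checklist precedes the installation; the 'Server OS' row is informational because the chapter explicitly allows a powerful workstation for networks of up to a couple of hundred computers.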

2.2 Standard Installation


Installation files
Installation files for Kaspersky Security Center 10 can be downloaded from Kaspersky Lab web site
(http://www.kaspersky.com/product-updates/security-center) or from the product page on the technical support site
(http://support.kaspersky.com/ksc10#downloads).
Two distributions are available:
- ksc10.3.407ru.exe: the full distribution of Kaspersky Security Center 10, which includes a complete set of its
  own components, installation packages of Network Agent and Kaspersky Endpoint Security 10 for
  Windows, SQL Server 2008 R2 Express, .NET Framework and other software, as well as the management
  plug-ins for all supported products. The size of this distribution is about 1 GB.
- ksc10.3.407lite_ru.exe: the lite version of the distribution, which lacks the installation packages of Kaspersky
  Endpoint Security 10 for Windows, SQL Server 2008 R2 Express, .NET Framework and some other
  software, and includes only the management plug-ins for Kaspersky Security Center 10 components.
  The size of this distribution is about 130 MB. This distribution can be used for upgrading components.
Whichever distribution you download, check the publisher's digital signature on the file before running it on
the future Administration Server.
When the full distribution version is run, the installation shell starts. The installation shell allows selecting
the components to install, for example, the Administration Server or the Administration Console. You can also
extract installation files of all the components into the specified folder. Unpacked installation files are grouped in
several subfolders:
- Server: installation files of the Administration Server
- Console: installation files of the Administration Console to be installed separately from the Administration
Server
- NetAgent_10.3.407: installation files of the Network Agent
- KES_10.2.4.674: installation files of Kaspersky Endpoint Security 10 Service Pack 1 Maintenance
Release 2 for Windows
- Plugins: installation files of the Kaspersky Lab products plug-ins for the Administration Console
- NapShvui: installation files of Kaspersky Security Center SHV, the component that provides interaction
with Microsoft NAP
- MDM4Exchange: installation files of the Mobile Devices Server for Exchange ActiveSync
- MDM4iOS: installation files of the iOS MDM Mobile Device Server
The last two folders concern mobile device management and are described in course KL 010.10.

I-17
Unit I. Deployment

I-18

KASPERSKY LAB
KL 002.10. Kaspersky Endpoint Security and Management. Fundamentals

Installation progress
Installation of the Administration Server can be either custom or typical (when installing on Windows Server in
the Core mode, typical installation is unavailable). During the typical installation, the administrator is prompted to:
- Accept the license agreement for Kaspersky Security Center
- Select installation type (Typical)
- Specify network size
The custom installation enables the administrator to select:
- Components
- Installation folder
- SQL server type and connection parameters
- Location of the Administration Server shared folder
- Ports and connection address of the Administration Server
- Management plug-ins for the products


Four options are represented for the network size:
- Fewer than 100 computers on network
- From 100 to 1,000 computers in the network
- From 1,000 to 5,000 computers in the network
- More than 5,000 computers in the network
The following Administration Server parameters depend on the selected option (fewer than 100, from 100 to
1,000, from 1,000 to 5,000, or more than 5,000 computers in the network):
- Automatically randomize task start
- Display slave Administration Servers
- Display security settings sections

Automatic randomization of the task start relates to the schedules of virus scan, update, vulnerability search, and
other group tasks. If a task starts simultaneously on many computers, the load on the network and Administration
Server drastically increases. To even out the peak, tasks can start on the computers with a random delay.
The administrator can enable randomization and then specify the randomization range manually or select automatic
randomization. On each computer, the delay is selected randomly within the specified or automatically chosen
range.
If automatic randomization is used, the randomization range depends on the number of computers where the task is
to run:
Number of computers    Randomization range
0-200                  0 minutes
200-500                5 minutes
500-1000               10 minutes
1000-2000              15 minutes
2000-5000              20 minutes
5000-10000             30 minutes
10000-20000            1 hour
20000-50000            2 hours
50000+                 3 hours
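The following Python script is an added illustration, not Kaspersky Lab code: it reproduces the automatic randomization range table above, draws a per-computer delay the way the text describes, and shows how the peak number of simultaneous task starts drops. It assumes each row of the table is a half-open interval (so exactly 200 computers fall into the 200-500 row); the manual does not say how boundary values are treated.

```python
"""Task start randomization for Kaspersky Security Center group tasks.

Added example based on the randomization range table in the course text.
"""
import random
from collections import Counter

# Automatic randomization ranges (minutes) by number of target computers.
# Assumption: each row is a half-open interval [lower, upper).
AUTO_RANDOMIZATION_MINUTES = [
    (0, 200, 0),
    (200, 500, 5),
    (500, 1000, 10),
    (1000, 2000, 15),
    (2000, 5000, 20),
    (5000, 10000, 30),
    (10000, 20000, 60),
    (20000, 50000, 120),
]
LARGEST_RANGE_MINUTES = 180  # 50000+ computers


def randomization_range(computers: int) -> int:
    """Automatic randomization range in minutes for a task run on `computers` hosts."""
    if computers < 0:
        raise ValueError("number of computers cannot be negative")
    for lower, upper, minutes in AUTO_RANDOMIZATION_MINUTES:
        if lower <= computers < upper:
            return minutes
    return LARGEST_RANGE_MINUTES


def start_delays(computers: int, range_minutes=None, seed=None):
    """Pick a start delay (whole minutes) for each computer.

    Every host draws its own delay uniformly within the range, as the text
    describes. `range_minutes` overrides the automatic value, which mirrors
    the option of specifying the randomization range manually.
    """
    if range_minutes is None:
        range_minutes = randomization_range(computers)
    rng = random.Random(seed)
    return [rng.randint(0, range_minutes) for _ in range(computers)]


def peak_starts_per_minute(delays) -> int:
    """Largest number of computers that start the task within the same minute."""
    if not delays:
        return 0
    return max(Counter(delays).values())


def compare_peaks(computers: int, seed: int = 0):
    """Peak simultaneous starts without randomization vs. with the automatic range."""
    without = peak_starts_per_minute([0] * computers)
    with_rand = peak_starts_per_minute(start_delays(computers, seed=seed))
    return without, with_rand


if __name__ == "__main__":
    for n in (150, 750, 3000, 60000):
        rng_min = randomization_range(n)
        print(f"{n} computers: range {rng_min} min, peaks (plain, randomized) = {compare_peaks(n)}")
```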

Other parameters affected by the network size, such as visibility of slave Administration Servers and security
settings, are described in course KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills. These
functions are rarely used in small and medium-size networks.
The default settings are the same when the administrator selects either From 1000 to 5000 or More than 5000
computers on network. The only difference is that when the More than 5000 computers on network option is
selected, the installation wizard warns that the use of free versions of MS SQL server is not recommended, and
the administrator should get acquainted with the documentation on deploying the administration system in large
networks. Course KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills covers these issues.
The network size selection only influences a couple of interface settings, which can easily be modified after
the installation. The threshold value that actually makes the difference is 1000 computers. Administration Server
operation parameters do not depend on the selected network size.


Installing plug-ins
During the typical installation, management plug-ins for Kaspersky Security Center 10 components and Kaspersky
Endpoint Security 10 for Windows are installed.
Plug-ins are installed at the very end of the Administration Server installation. After the Kaspersky Endpoint
Security 10 plug-in is installed, the installation is finished. On the last page, the administrator can choose to start
the Administration Console.
If you need plug-ins for other Kaspersky Lab products, you can install them from the installation shell.


2.3 Custom Installation


The custom installation allows you to select:
- Additional components of Kaspersky Security Center
- The accounts for starting the Kaspersky Lab Administration Server services
- SQL server type and connection parameters
- Administration Server connection address and ports
- Plugins for managing Kaspersky Lab programs

Components
Within the framework of Administration Server installation, you can additionally install the following components:
SNMP agent
Mobile devices support
The SNMP agent is necessary for the Administration Server to be able to send notifications over SNMP. This
component needs the SNMP service (a Windows component) to be installed on the computer. If the SNMP service
is absent from the computer, the SNMP agent will not be shown in the list of Administration Server components
during the installation.
The Mobile devices support option adds the components necessary for managing Kaspersky Endpoint Security for
Mobile via Kaspersky Security Center. Detailed information is available in KL 010.10 course.
These are the components of the Kaspersky Security Center that can be selected in the Administration Server
installer. Other components can be installed from the installation shell.

Installation path
Under the list of components, you can change the location of Administration Server program files. If the only reason
for relocation of program files is their volume, consider moving only the shared folder. It can be relocated
independently of the program files, and it takes up much more space than the other program files.
Also remember the %ProgramData%\KasperskySC folder that contains the backup copies of
the Administration Server. These copies consume much space, up to several gigabytes, depending on the settings.


An account for the main Administration Server service


By default, the installer creates a new account named KL-AK-<alphanumeric combination> for starting
the Administration Server service. It is a local account. Although it is not included in the computer administrators
group, it is granted the same permissions.
Also, it is added to the KLAdmins group. Members of this group have full access to all the functions and settings of
the Administration Server. For security reasons, this account cannot log on to the system locally.
If the administrator decides to use another account, he or she must grant it all the necessary permissions.
The Administration Server service account must have administrator permissions on the computer selected for
the installation. If the database is planned to be stored on a Microsoft SQL server installed on a remote computer,
the account must have Read and Write permissions for the Administration Server database on the Microsoft SQL
server.
If the Administration Server account has domain administrator permissions, some operations are simplified, for
example, remote installation. In other cases, permissions are not that important.

An account for other Administration Server services


The KL-AK-* account is used only for starting the Kaspersky Security Center Administration Server service. This
is not the only service created during the Administration Server installation though. The others are:
- Kaspersky Lab activation proxy server
- Kaspersky Lab web server
- Kaspersky Security Network proxy server
- Kaspersky Security Center Network Agent
- Kaspersky Security Center automation object
The Network Agent operates under the Local System account. The automation object operates under the Network
Service account.
The first three services run under another account created during the installation. It is named KlScSvc and is
similar to KL-AK-*: a local account granted permissions equivalent to administrative ones, minus the right
to log on locally.
The installation wizard allows selecting another account instead of KlScSvc.


SQL server
Requirements for SQL server
Administration Server uses a database for which an SQL server is necessary. The following versions of SQL servers
are supported:
- Microsoft SQL Server Express
  - 2005 32-bit
  - 2008 32-bit (included in the distribution)
  - 2008 R2 64-bit
  - 2012 64-bit
  - 2014 64-bit
- Microsoft SQL Server
  - 2005 (all editions) 32-bit / 64-bit
  - 2008 (all editions) 32-bit / 64-bit
  - 2008 R2 (all editions) 64-bit
  - 2008 R2 Service Pack 2 (all editions) 64-bit
  - 2012 (all editions) 64-bit
  - 2014 (all editions) 64-bit
- Microsoft Azure SQL Database
- MySQL
  - MySQL Enterprise Server 5.0.60 SP1, 5.0.70, 5.0.82 SP1, 5.0.90
  - MySQL Community Server 5.0.67, 5.0.77, 5.0.85, 5.0.87 SP1, 5.0.91
Microsoft SQL Server 2008 R2 Express SP2 is included in the distribution kit of Kaspersky Security Center and is
automatically installed during the typical installation. Remember that Express editions have significant limitations
and must not be used for managing a large number of computers. Detailed information about this is provided in the
KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills course.
The supported versions of MySQL server are not the latest ones and not the ones routinely offered at the MySQL
web site. If possible, we recommend using Microsoft SQL server.
SQL server can be installed either on the same computer as the Administration Server or on any other network
computer. The important thing is that the Administration Server has Read and Write privileges for the SQL database.
If the Administration Server and SQL server are installed on the same computer, access issues do not arise.


Microsoft SQL Server


The administrator can select to install a new local instance of Microsoft SQL 2008 R2 Express (similarly to typical
installation), or use a pre-installed remote SQL server. To access Microsoft SQL server over the network:
- Specify the necessary address
- Specify the necessary port
- Specify the necessary SQL server instance
- Specify the name and password of an account having SQL server access
Kaspersky Security Center installer tests connection to Microsoft SQL server before the installation starts. Also,
during the installation the installer connects to the Microsoft SQL server and creates a database for
the Administration Server.
The installer operates under the account of the user who runs it. Generally, installation should be started under
an account allowed to create databases on the Microsoft SQL server. In some organizations, however,
administrators' rights are strictly separated and include only the minimum permissions necessary for their job.
A security administrator may not have the permissions for database creation. Then they can specify the name of
an empty database created on the specified server by the database management system administrator on request. In
this case, the Write permission for the database will be enough for the security administrator.
For the Administration Server to be able to work with a remote Microsoft SQL server, specify its name and address
in the installation wizard. The installer can automatically detect available Microsoft SQL servers. To view them,
click the Browse button. However, the necessary Microsoft SQL server may not be detected automatically. If this is
the case, the administrator enters the server and instance names manually.
Even if the Microsoft SQL server name and address are specified correctly, and a Microsoft SQL server
administrator account is used for access, the installer may fail to establish connection. The possible reasons include:
- Windows firewall: by default, it blocks access to Microsoft SQL server ports. Create rules allowing these
ports
- Simple File Sharing or User Account Control: hampers correct authentication of the administrator; if
simple file sharing is used, all users connected over the network are granted guest privileges
- Microsoft SQL Server Browser service: if it is not started, remote connections to Microsoft SQL server
may fail. In Microsoft SQL Server 2005 / 2008 / 2008 R2 / 2012 / 2014, it is disabled by default
- Microsoft SQL server settings: by default, Microsoft SQL Server 2005 / 2008 / 2008 R2 / 2012 / 2014
allows only local access. Enable remote access over TCP/IP


MySQL Server
Connecting to a MySQL server is simpler. Specify server address and port, and administrator name and password
explicitly. Make sure remote access to MySQL server is allowed and the connection port (usually 3306) is not
blocked by the local firewall.
Since MySQL server itself, not Windows, is responsible for the authentication, the permissions granted to
the account used for installation are not important, nor is simple file sharing enabled on the MySQL server host.
The Check connection button tests the ability to connect to the MySQL server with the specified parameters, and
also checks whether the MySQL server version meets the system requirements.

Shared folder
By default, the installer creates the shared folder of the Administration Server in the folder with program files.
The local name of this folder is Share, and the network name is KLSHARE. The shared folder contains update files
and installation packages, including standalone install packages (if created).
Right after the installation and initial setup, the shared folder takes up about 400 MB. Its size may increase up to
several gigabytes depending on how Kaspersky Security Center is used. That is why it might be worthwhile to place
the shared folder of the Administration Server on a drive other than the system drive.
The location of the shared folder can be changed later via the Administration Console.


Connection ports
Administration Server accepts connections from the Network Agents on two TCP ports: one for encrypted SSL
connections, the other for non-encrypted ones. By default, all connections are encrypted in Kaspersky Security
Center, so only the SSL port is used. The other port might be used only if the administrator disables connection
encryption for troubleshooting purposes.
The default ports are:
- 13000 for SSL connections
- 14000 for non-SSL connections
If you plan to use other ports instead of the default ones (for example, for security reasons or because of network
restrictions), it is better to introduce these changes when installing Kaspersky Security Center. Modifying the ports
after the client computers are connected to the server is possible, but takes much time.
In addition to these two ports, Kaspersky Security Center uses several other ports for various purposes. They cannot
be selected in the installation wizard, but you can modify them later in the Administration Server settings. One of
the additional ports is TCP 13291 that is used for accepting Administration Console connections. Web server and
activation proxy server services use 4 more ports.
To be able to establish SSL connections, the Administration Server generates a new certificate valid for 10 years
during the installation. To save and restore the certificate after failures or after Administration Server reinstallation,
use the backup procedure (see Unit IV Maintenance).

Connection address
The client computers where the Network Agent is installed will connect to the Administration Server using
the address and port specified during the installation.
The Server address can be specified in the form of an IP address (IPv4 only), DNS or NetBIOS name. The choice
depends on the network configuration. Even though an IPv6 address can't be specified, Network Agents can connect
to the Administration Server via IPv6 if the Administration Server address is specified as a NetBIOS or DNS name.
If the Administration Server has a static IP address that will not be changed in the near future, it is the best choice.
In this case, the ability to connect depends only on the routers, not on the name resolution system.
If the IP address is assigned dynamically (or is static but is changed often), you should not use it as the connection
address, as you will need to modify the client connection settings often. In this case, it is better to specify the server
name: either DNS or NetBIOS. If the DNS service reliably functions in the network, use the DNS name as DNS
name resolution is not usually blocked by local firewalls.
NetBIOS name resolution is based on broadcast queries and answers, which may be blocked by local firewalls.
Therefore, the NetBIOS name should only be used for connections if the other methods cannot be used.
After the installation, the Server connection address can be changed in the properties of Network Agent installation
package. The default Server connection address, which will be automatically added to new Network Agent
packages, is specified in the properties of the Advanced | Remote installation | Installation packages node.


Management plug-ins
The distribution kit of Kaspersky Security Center includes the management plug-ins for all current versions of
Kaspersky Lab products. The custom installation enables the administrator to select the plug-ins of the products that
are used or will be used in the network. The plug-ins can also be installed later from the Kaspersky Security Center
installation shell. Plug-in installers are also included in the distributions of the corresponding products.
Every plug-in is installed by its own short installation wizard. Some plug-ins are installed automatically, while
others require the administrator's attention, for example, to accept the license agreement.
If a product has been upgraded to a new version with a new plug-in, the old plug-in can be uninstalled.
The following knowledgebase article explains how to remove unnecessary plug-ins:
http://support.kaspersky.com/faq/?qid=208280749

Installation results
If you select the Custom option when starting the wizard, but agree to the default settings on all wizard pages,
the result will be the same as with the Typical option:
- Kaspersky Security Center is installed; specifically, the Administration Server, Network Agent and
Administration Console
- SQL server: a local instance of Microsoft SQL Server 2008 R2 SP2 Express is installed, which is included
in the distribution kit of Kaspersky Security Center; the instance is named KAV_CS_ADMIN_KIT, and
the database name is KAV
- Program files of Kaspersky Security Center are located in the %ProgramFiles%\Kaspersky
Lab\Kaspersky Security Center folder (on 64-bit systems, program files are installed into
the %ProgramFiles(x86)% folder)
- Data files of Kaspersky Security Center are located in the %ProgramData% folder, mainly in
the %ProgramData%\KasperskyLab\adminkit directory
- Another folder is created, %ProgramData%\KasperskySC\SC_Backup, where backup copies of
the Administration Server are copied by default
- The following services are created:
  - Kaspersky Security Center Administration Server service
  - Kaspersky Security Center Network Agent
  - Kaspersky Security Center automation object
  - Kaspersky Security Network proxy server
  - Kaspersky Lab web server
  - Kaspersky Lab activation proxy server
- KLAdmins and KLOperators security groups are created (their purpose is described in detail in course KL
302.10)
- The following user accounts are created:
  - KL-AK-*: a local account for starting the Kaspersky Security Center Administration Server service;
it is included in the local KLAdmins group and has broad permissions (comparable to administrative)
on the computer
  - KlScSvc: an account for starting Kaspersky Lab Web Server, Kaspersky Security Network proxy
server and Kaspersky Activation Proxy services, has the same properties as the KL-AK-* account
  - KlPxeUser: a service user for the Systems Management functionality (see course KL 009.10 for
details)
- The shared folder of Administration Server: the Share subdirectory of the program files folder (its share
name is KLSHARE)
- Administration Server connection address is selected as the DNS name of the computer
- Administration Server connection ports are chosen as follows:
  - 8060: http port of Kaspersky Lab Web Server
  - 8061: https port of Kaspersky Lab Web Server
  - 13000: for SSL connections of Network Agents
  - 14000: for non-SSL connections of Network Agents and Administration Consoles
  - 13291: for SSL connections of Administration Consoles and Web Consoles
  - 13111: port of Kaspersky Security Network proxy server service
  - 17000: port of Kaspersky Lab Activation Proxy Server
- Management plug-ins:
  - Kaspersky Security Center Administration Server
  - Kaspersky Security Center 10 Network Agent
  - Kaspersky Endpoint Security 10 Service Pack 1 for Windows
  - Kaspersky Endpoint Security 10 Service Pack 1 for Mobile
  - Kaspersky Mobile Device Management 10 Service Pack 1
  - Plug-in for management of mobile iOS devices
  - Plug-in for Exchange ActiveSync
- Installation packages:
  - Kaspersky Endpoint Security 10 for Windows
  - Kaspersky Security Center Network Agent
  - iOS MDM Mobile Device Server
  - Exchange ActiveSync Mobile Device Server
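As an added example (not part of the course materials or Kaspersky Lab code), the following Python script encodes the default port table above and reports which listeners answer on a given Administration Server host. The host name is a placeholder, and the probe function is injectable so the reporting logic can be exercised without a live server.

```python
"""Reachability audit of the default Administration Server ports (KSC 10).

Added example based on the default port list in the course text.
"""
import socket
from typing import Callable, Dict, List, Tuple

# Default ports and their roles, as listed in the course text.
KSC_DEFAULT_PORTS: Dict[int, str] = {
    8060: "http port of Kaspersky Lab Web Server",
    8061: "https port of Kaspersky Lab Web Server",
    13000: "SSL connections of Network Agents",
    14000: "non-SSL connections of Network Agents and Administration Consoles",
    13291: "SSL connections of Administration Consoles and Web Consoles",
    13111: "Kaspersky Security Network proxy server service",
    17000: "Kaspersky Lab Activation Proxy Server",
}
# Connections are encrypted by default; the plain-text agent port is expected
# to be in use only if encryption was disabled for troubleshooting.
PLAINTEXT_AGENT_PORT = 14000
# Without these SSL listeners neither Network Agents nor Consoles can connect.
REQUIRED_SSL_PORTS = (13000, 13291)

Probe = Callable[[str, int], bool]


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port can be established."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_ports(host: str, probe: Probe = tcp_open) -> Dict[int, Tuple[str, bool, str]]:
    """Probe every default port and return {port: (role, is_open, note)}."""
    report = {}
    for port, role in KSC_DEFAULT_PORTS.items():
        is_open = probe(host, port)
        note = ""
        if port in REQUIRED_SSL_PORTS and not is_open:
            note = "required SSL listener not reachable"
        elif port == PLAINTEXT_AGENT_PORT and is_open:
            note = "plain-text port answers; confirm connection encryption is still enabled"
        report[port] = (role, is_open, note)
    return report


def findings(report: Dict[int, Tuple[str, bool, str]]) -> List[Tuple[int, str]]:
    """Return the (port, note) pairs that deserve the administrator's attention."""
    return [(port, note) for port, (_, _, note) in report.items() if note]


if __name__ == "__main__":
    # Placeholder host name; replace with the real Administration Server address.
    result = audit_ports("ksc-server.example.local")
    for port, (role, is_open, note) in sorted(result.items()):
        print(f"{port:>5} {'open ' if is_open else 'closed'} {role}{' -> ' + note if note else ''}")
```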

Note that the Kaspersky Security Center Network Agent service is started under the Local system account after
the installation; while the Kaspersky Security Center automation object service, under the Network Service account.
Most of these settings can be modified either during the custom installation, or in the product settings after
the installation is finished, or both ways. However, some of the settings cannot be edited at all after the product is
installed; some others are very difficult to change. You should consider them very carefully before the installation:
1. The path to data files cannot be modified at all, which complies with Microsoft requirements
2. The path to the program files, as well as the SQL server address, cannot be modified unless you reinstall
Kaspersky Security Center
3. The type of SQL server (Microsoft or MySQL) cannot be modified at all, at least not in any supported way

2.4 Quick Start Wizard


When the Console connects to the Server for the first time, the Quick Start wizard launches. It continues with
the installation creating the default settings. In the Quick Start wizard, the administrator adds the key (license),
specifies whether to use Kaspersky Security Network, configures e-mail notification and report delivery, chooses
vulnerability search and fix modes, and enters proxy server settings; then the wizard creates basic tasks and policies
and downloads updates to the server repository.


Keys and codes


The first step of the Quick Start wizard is activating the products. Most Kaspersky Lab products require activation
and some, particularly Kaspersky Security Center and Kaspersky Endpoint Security, can be activated to different
levels of functionality. That is, depending on the license, some functions may be unavailable.
To activate a product, you need a key or a code. Both can represent the customer's license with all relevant
restrictions. The difference is that a key is a file and its validity and restrictions can be verified locally by the
product. A code is just a string, and the product needs to connect to the Kaspersky Lab Activation service online to
verify its validity and restrictions.
Historically, keys were the earlier method of activation and codes were introduced later. The codes are used more
and more often compared to the keys, but the two methods are not completely independent. Having a code, it is
possible to obtain the corresponding key or keys from the Activation Service by Kaspersky Lab. In fact, if any
corresponding keys are available, the Administration Server will automatically download them and put into
the Advanced | Application management | Kaspersky Lab licenses node.
By virtue of being a more recent implementation, codes are more versatile. Usually the customer receives just one
code regardless of the license. That is, any license can be represented by a single activation code. This, however, is
not the case with keys. Depending on the license, the customer may get two or more key files for activating different
products and components.
In the Quick Start Wizard, you can submit either a key or a code. If what you have is a code, then it's all simple: just
choose the relevant option, enter the code and wait for the verification. The Administration Server must be able to
connect to the Internet at this stage. If you have a key, then most probably you have more than one of them, and you
need to decide which one to feed to the wizard.
It is common practice to specify the key that activates Kaspersky Endpoint Security. You can find out which one it
is by looking into the CompatibilityList.txt file that usually comes along with a key or a code. Other keys can be
added later either in the properties of the Administration Server or in the Advanced | Application management |
Kaspersky Lab licenses node.
For more information on the activation methods, refer to Unit IV. Maintenance.

Update installation statistics


This step appears in the Quick Start wizard only if the administrator either specified a license that covers
the Systems Management functionality (for example, Kaspersky Endpoint Security for Business Advanced) at
the first step, or selected to add key later. If the administrator specified KES for Business Select, this page will not
be displayed.
The wizard prompts the administrator whether to send anonymous statistics to Kaspersky Lab and thus to participate
in improving the functionality that installs updates and patches. These statistics concern only the updates and patches
installed through Kaspersky Security Center.
Whether to send anti-malware statistics to KSN, which helps to improve malware detection functionality and reduce
false positives, is configured later, when creating the Kaspersky Endpoint Security policy.


Notifications
The next step is the e-mail notification and report delivery setup. To have notifications about important events sent
to the administrator's mailbox, specify the e-mail address and SMTP server parameters (address, port and, if
necessary, authorization data). The specified parameters will be used for notifications and reports.
By default, event notifications are not sent. To receive the information about events by e-mail, turn on notifications
in the event properties. The parameters of Kaspersky Security Center events are available in the Administration
Server properties, and the parameters of Kaspersky Endpoint Security events, in the Kaspersky Endpoint Security
policy.
If the notification parameters are left blank, the wizard will not create the Send reports task. If they are filled in,
the wizard will create the task and configure it to send the report about protection status to the administrator on
a weekly basis.
The wizard does not check correctness of the specified settings, but allows the administrator to do it with the Notify
with message button. A test message will be sent to the specified recipient. If the wizard fails to connect to the
SMTP server or fails to authenticate, the corresponding error will be displayed. Then it is up to the administrator to
check the inbox and make sure that the message is actually there.

Vulnerability and patch management


This step appears in the Quick start wizard only if the administrator specified a key or code that activates
the Systems Management functionality of Kaspersky Security Center (or selected to add key later).
The choices define how application fixes and Microsoft updates are installed. Kaspersky Security Center can
automatically detect vulnerable programs and operating system modules on the computers, and automatically install
the necessary updates and fixes. Additionally, Kaspersky Security Center can function as a local source of Microsoft
updates (WSUS Server). This functionality is described in detail in KL 009.10: Systems Management course.


Policies and tasks


After all parameters are specified, the Quick Start wizard creates the policies and tasks necessary for endpoint
protection. The following policies and tasks are created:
- Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 2 for Windows: a policy
created for the Managed computers group, sets the default parameters for Kaspersky Endpoint Security 10
- Kaspersky Security Center Network Agent: a policy created for the Managed computers group, which
sets the Network Agent parameters
- Install update: a task created for the Managed computers group that sets the update parameters for
Kaspersky Endpoint Security 10; by default, uses the Kaspersky Security Center source and the When new
updates are downloaded to the repository schedule. The use of the randomized task start depends on
the network size selected during the installation
- Quick Virus Scan: a task created for the Managed computers group; it sets the settings and schedule for
regular on-demand scan tasks running on the protected computers. By default, scans critical areas every
Friday at 19:00
- Find vulnerabilities and required updates: a task created for the Managed computers group; it sets the
settings and schedule for the regular vulnerability scanning performed on the protected computers (refer to
KL 009.10: Systems Management course for details). By default, starts on Tuesdays at 07:00 PM
- Download updates to the repository: an Administration Server task, sets the settings and schedule for
downloading updates to the Administration Server (further on, they will be distributed to the Managed
computers). By default, uses the Kaspersky Lab update servers as the primary source and is scheduled to
start hourly; the list of updates is set up automatically
- Backup of Administration Server data: an Administration Server task; it sets the settings and schedule
for creating a copy of the Administration Server database and settings, by default saves the copies in
the %ProgramData%\KasperskySC\SC_Backup folder daily at 2 a.m.
- Database Maintenance: an Administration Server task that improves the performance of its database:
cleans up errors, optimizes indexes, updates statistics, shrinks the database, etc. Runs every Saturday at
13:00
The following three tasks are created depending on the parameters specified earlier:
- Deliver reports: an Administration Server task that is created if e-mail notification parameters are
specified. Sets the schedule and the list of reports to be e-mailed; by default, delivers the standard
Protection status report daily at 8:00AM
- Install required updates and fix vulnerabilities: a task for the Managed computers group that
automatically fixes critical vulnerabilities, and also installs the most important Microsoft updates and
the updates selected by the administrator. The task starts daily at 01:00 AM
- Perform Windows Update synchronization: an Administration Server task that downloads information
about Microsoft updates (update packages themselves are not downloaded). Network Agents may use these
data when searching for vulnerabilities on the client computers. The task starts daily at 3:00 AM

KASPERSKY LAB
KL 002.10. Kaspersky Endpoint Security and Management. Fundamentals

Kaspersky Security Network


When creating the Kaspersky Endpoint Security policy, the wizard displays two more windows.
In the first of them, the administrator can agree to use Kaspersky Security Network (KSN). KSN is the name for
the cloud-assisted protection technologies of Kaspersky Lab.
KSN provides extra protection for the computers by receiving the latest information about new threats before this
information is added into the traditional Anti-Virus databases. In return, Kaspersky Lab will receive anonymous
information about the files and URL addresses processed on the client computers. The KSN service is described in
detail in Unit II Protection Management.
If the administrator selects to participate in KSN, the options that enable the use of KSN and KSN proxy are
activated in the policy. If the administrator selects not to participate in KSN, the use of KSN will be disabled in
the Kaspersky Endpoint Security 10 policy; however, the use of KSN proxy will be enabled nevertheless.
The use of KSN proxy in the policy is related to the KSN proxy functionality of the Administration Server. In
the Administration Server, the KSN proxy function is implemented as a service named Kaspersky Security Network
proxy server. By default, the use of KSN proxy is enabled in the Administration Server properties.

Default exclusions
In the other window, the administrator can choose the default exclusions from scanning. There are two options that
help to create recommended exclusions for workstations and servers according to Microsoft and Kaspersky Lab
guidelines. They are enabled by default.
Additionally, there are exclusion templates for remote management software. These templates should be enabled if
the listed software is used in the company. Otherwise, remote management using this software may be partially
disrupted by Kaspersky Endpoint Security.


Proxy server
The last step that prompts the administrator for data contains proxy server settings for the Internet access.
The Administration Server connects to the Internet to download updates and communicate with KSN servers of
Kaspersky Lab. Both features use common proxy server parameters.
The settings are the usual ones: the address, the port, an optional user name and password for authentication, and
an option to bypass the proxy server for local addresses.

Wizard completion
The task that downloads updates to the repository starts immediately after selecting proxy server settings to provide
client computers with the current updates. Also, it downloads the information necessary for vulnerability scanning
and categorization information necessary for the control components. The Quick Start wizard displays the task
progress, but you don't need to wait for it to finish. If you proceed to the following page of the wizard, updating will
still be going on in the background.
The last page of the Quick Start wizard displays the check box that allows starting the remote installation wizard for
deploying Kaspersky Endpoint Security on the network computers. This check box is selected by default, but it is
preferable to adopt a deployment plan and stick to it rather than rush into action.
If necessary, the administrator can start the Quick Start wizard again from the shortcut menu of the Administration
Server. In this case the wizard will create only the tasks and policies that are missing.


2.5 Additional Components of Kaspersky Security Center

Components
The following components are included in the Kaspersky Security Center 10 distribution kit, but can be installed
independently of the Administration Server:
Kaspersky Security Center Administration Console
Kaspersky Security Center Network Agent
Kaspersky Security Center Web Console
Kaspersky Security Center System Health Validator (for Microsoft Network Access Protection)
Exchange ActiveSync Mobile Device Server
iOS MDM Mobile Device Server

Kaspersky System Health Validator is a component that provides interaction of Kaspersky Security Center and
Microsoft Network Access Protection. With this component, the network access protection system Microsoft NAP
defines the access level taking into account the Kaspersky Endpoint Security status. Kaspersky Security Center SHV
is similar to Kaspersky Lab Cisco NAC Posture Validation Server: both of them provide integration with external
network access control systems. Kaspersky Security Center 10 is able to provide network access control by itself
too. For details, refer to course KL 009.10: Systems Management.
The Exchange ActiveSync and iOS MDM Mobile Device Server components are designed for managing mobile
devices: smartphones, tablets, etc. Mobile device management is described in course KL 010.10.
All of the above components can be installed from the installation shell of Kaspersky Security Center, which also
allows installing plugins for the Administration Console.
The Web Console is not included in the Kaspersky Security Center 10 distribution and should be downloaded
separately. The Web Console provides somewhat limited management options via a web browser and is useful in
some deployment scenarios.

Administration Console
Use
The Kaspersky Security Center Administration Console enables you to remotely work with the Kaspersky Security
Center Administration Server: view reports, modify settings, run tasks, etc.
The Administration Server can accept connections from the Consoles on port 13291. The remote console interface is
absolutely the same as that of the local Kaspersky Security Center console.
The Administration Console is not the only method of managing the Administration Server remotely. Many
administrators prefer to connect to the remote desktop of the computer where the Administration Server is installed
and work within the local console.

Remote desktop connection uses port 3389 (this refers to the built-in Windows remote desktop; many alternative
tools with similar capabilities connect using other protocols and ports, for example programs based on the VNC
protocol usually employ port 5900). This remote management alternative tends to generate more traffic than
the remote Administration Console. On the other hand, an Administration Console requires installation and supports
only Windows, while remote desktop access does not involve installation of additional tools and is platform-independent.
An Administration Server is often installed on a virtual machine. In this case, the virtual computer desktop can be
accessed via the console of the corresponding virtual infrastructure.


Installation requirements
The Administration Console can be installed under the same operating systems as Administration Server.
Since the Administration Console is an MMC snap-in, Microsoft Management Console 2.0 or later must be installed
on the computer. This requirement is automatically met on all supported operating systems.
Windows Installer 4.5 is also necessary for the installation.
Internet Explorer 7 or later is necessary for correct representation of the Administration Server interface on
Windows XP/Vista/2003/2008/2008 R2. Internet Explorer 8 or later is required on Windows 7. Internet Explorer 10
or later is required on Windows 8 and 10. On Windows 10, the Microsoft Edge browser is also sufficient. If the
computer doesn't have the appropriate browser version, the interface may be represented incorrectly.
Hardware requirements for the Administration Console are as follows:
Processor: 1 GHz or higher for 32-bit systems; 1.4 GHz or higher for 64-bit systems
512 MB of RAM
1 GB of free hard drive space

Installation
The Console installer can be launched from the Kaspersky Security Center installation shell.
The installation wizard allows modifying only the default location of the program files folder:
%ProgramFiles%\Kaspersky Lab\Kaspersky Security Center Console (%ProgramFiles(x86)% on 64-bit systems).
Also, the installation wizard will prompt you to accept the license agreement and inform you about the start of
the installation of the necessary components and the console.
The console distribution includes the complete set of management plug-ins for all Kaspersky Lab products, but
installs only the plug-ins for managing Kaspersky Security Center components and Kaspersky Endpoint Security 10
Service Pack 1 Maintenance Release 2 for Windows. Custom installation is not available. The missing plug-ins can
be installed later from the installation shell of Kaspersky Security Center or from the folder.



Connection to the Administration Server


When the console starts, the connection parameters window opens. Here you need to specify the Administration
Server address and account of the administrator. In order to adequately manage the server, the account should be
either a local administrator on the computer where the Administration Server is installed, or an account that is
included in the KLAdmins group (which is automatically created when the Administration Server is installed).
The access control system is described in detail in KL 302.10. Kaspersky Endpoint Security and Management:
Advanced Skills course. By default, the console tries to connect on behalf of the current user, but allows the
administrator to specify another username and password.
The Administration Server accepts SSL connections from the Consoles on port 13291 by default. This port can be
modified in the Administration Server properties. If you do that, specify the connection port after the server address
followed by a colon in the connection window.
If SSL is disabled, the console does not permit specifying the user in the connection window and always connects on
behalf of the local user for security reasons. You should not disable SSL unless you want to troubleshoot connection
issues.
The Advanced button allows the administrator to specify additional connection settings:
Use data compression
Use proxy server, if there is a proxy server between the computer where the console is installed and
the Administration Server
One console can be used for connecting to several Administration Servers.
To add an Administration Server to the console, select the Kaspersky Security Center node and click New,
Administration Server on its shortcut menu. After that, you will be prompted for the server address, the connection
parameters, and additional parameters.

Certificate
Encrypted connections are established over SSL. The authentication phase relies on the Administration Server
certificate. A new certificate is generated when the Administration Server is installed and is used for authentication
on every encrypted connection. This certificate is valid for 10 years. By default it has a 1024-bit RSA key; to create
a certificate with a 2048-bit key instead, start the Administration Server installation with the
/vSERVERCERT2048BITS=1 parameter. Since 1024-bit RSA keys no longer meet current key-length recommendations, the
2048-bit option is preferable for new installations.
When the first encrypted connection is established, the Console computer does not have the Server certificate and
authentication is impossible. The easiest way out is downloading the certificate from the Server and using it for
further connections. This is trust on first use: the certificate guarantees only that later connections go to the same
Server from which the certificate was downloaded, not that the first connection reached the genuine Server.
To avoid server substitution when the first connection is established, the administrator can copy the Server
certificate to a portable carrier and specify its path when prompted. The server certificate named klserver.cer is
located in the %ProgramData%\KasperskyLab\adminkit\1093\cert folder. This folder may also contain other
certificates that are necessary for managing mobile devices.

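The out-of-band check behind the portable-carrier advice above, written as an added example for this section (it is not part of the course and not a Kaspersky Lab tool): it takes a copy of klserver.cer carried over from the Server and compares it with the certificate actually presented on the console port before the console is allowed to store anything. It assumes that port 13291 answers with a standard TLS handshake (the course only says SSL), that the host name ksc.example.local is a placeholder, and Windows PowerShell 5.1 with .NET Framework 4.6 or later.

```powershell
# Added example, not part of the course or of Kaspersky Security Center.
# Compares a klserver.cer copied from the Administration Server with the certificate
# presented on the console port, so the first console connection is not trust-on-first-use.
param(
    [string]$Server      = 'ksc.example.local',   # placeholder Administration Server name
    [int]$Port           = 13291,                 # default console port
    [string]$ExportedCer = '.\klserver.cer'       # copy of %ProgramData%\KasperskyLab\adminkit\1093\cert\klserver.cer
)

function Get-CertificateFromPort {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The validation callback accepts anything: we only want to read the certificate out.
        # The fingerprint comparison below is what decides whether it is trusted.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Get-Sha256Fingerprint {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($Certificate.RawData)
    return ($hash | ForEach-Object { $_.ToString('X2') }) -join ':'
}

function Get-RsaKeySize {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if ($rsa) { return $rsa.KeySize } else { return 0 }
}

# .NET resolves relative paths against the process directory, not the PowerShell location.
$expected  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2((Resolve-Path $ExportedCer).Path)
$presented = Get-CertificateFromPort -HostName $Server -Port $Port

'Subject       : {0}'      -f $expected.Subject
'Valid until   : {0:u}'    -f $expected.NotAfter
'RSA key size  : {0} bits' -f (Get-RsaKeySize $expected)
'Exported copy : {0}'      -f (Get-Sha256Fingerprint $expected)
'Presented     : {0}'      -f (Get-Sha256Fingerprint $presented)

if ((Get-Sha256Fingerprint $expected) -ne (Get-Sha256Fingerprint $presented)) {
    Write-Error "The certificate presented on ${Server}:$Port is not the exported one. Do not connect."
    exit 1
}
'OK: the Server presents the expected certificate; it is safe to let the console store it.'
if ((Get-RsaKeySize $expected) -lt 2048) {
    Write-Warning 'The Server certificate key is shorter than 2048 bits (the 1024-bit default was used).'
}
```

The comparison is made on the SHA-256 hash of the DER bytes rather than on the SHA-1 Thumbprint property, and the key-size warning ties back to the /vSERVERCERT2048BITS=1 option: if the script reports 1024 bits on a fresh installation, the Server was installed with the default certificate.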


Chapter 3. Installation on Computers

3.1 System Requirements
Requirements for installation of Kaspersky Endpoint Security 10 for Windows
Kaspersky Endpoint Security supports installation on the following Microsoft Windows operating systems:
Client:
Windows 10 Pro, Enterprise x86 / x64
Windows 8.1 / 8.1 Update Pro, Enterprise x86 / x64
Windows 8 Pro, Enterprise x86 / x64
Windows 7 / 7 SP1 Professional, Enterprise, Ultimate x86 / x64
Windows Vista SP2 x86 / x64
Windows XP Professional SP3 x86
Windows 8.1 tablets (tablets do not support encryption). The following devices have been tested:
Samsung ATIV Smart PC Pro XE700T1C-A03 (Windows 8.1 x86)
Lenovo ThinkPad Tablet 2 (Windows 8.1 x64)
Microsoft Surface Pro 2 128 (Windows 8.1 x64)
Embedded (embedded versions of Windows do not support encryption):
Windows Embedded 8.1 Industry Pro x64
Windows Embedded 8.0 Standard x64
Windows Embedded POSReady 7 x86 / x64
Windows Embedded Standard 7 SP1 x86 / x64
Server:
Windows Server 2012 R2 Foundation, Essentials, Standard (the ReFS file system is supported with limitations; Server Core and Cluster Mode configurations are not supported)
Windows Server 2012 Foundation, Essentials, Standard (same limitations as for 2012 R2)
Windows Server 2008 R2 / 2008 R2 SP1 Foundation, Standard, Enterprise
Windows Server 2008 SP2 Standard, Enterprise x86 / x64
Windows Server 2003 SP2 / 2003 R2 SP2 Standard, Enterprise x86 / x64
Windows Small Business Server 2011 Essentials, Standard x64
Windows Small Business Server 2008 Standard, Premium x64
Windows MultiPoint Server 2011 x64


This list includes most Windows versions from Windows XP SP3 / Windows Server 2003 SP2 to Windows 10 /
Windows Server 2012 R2.
An important thing to remember is that Datacenter editions of Windows Server are not supported. Kaspersky
Security for Windows Server is designed for their protection.
Kaspersky Endpoint Security 10 Service Pack 1 for Windows can be installed on the following virtualization platforms:
VMware ESXi 5.5 Update 1, Update 2
Microsoft Hyper-V 3.0 (Windows Server 2012)
Citrix XenServer 6.2
Citrix XenDesktop 7.5
Citrix Provisioning Server 7.1
On Citrix PVS, Kaspersky Endpoint Security must be installed with the /pCITRIXCOMPATIBILITY=1 command
line switch.


To install Kaspersky Endpoint Security, administrator permissions are necessary, and protection tools by other
manufacturers must be uninstalled from the computers.
General hardware requirements for Kaspersky Endpoint Security 10 Service Pack 1 are as follows:
CPU: 1 GHz
RAM: 1 GB
Available disk space: 2 GB
Internet Explorer 7.0 and Windows Installer 3.0 are also necessary for the installation.

Network Agent installation requirements


The Kaspersky Security Center Network Agent can be installed on all systems supported by Kaspersky Endpoint
Security 10 for Windows.
Hardware requirements for Network Agent installation are as follows:
CPU:
1 GHz or higher for 32-bit systems
1.4 GHz or higher for 64-bit systems
RAM: 512 MB
Hard drive space: 1 GB
RAM requirements are actually recommendations. For Kaspersky Endpoint Security, the absolute bare minimum for the
installation is 384 MB on Windows XP and embedded versions of Windows, and 768 MB on the other versions; the Network
Agent can likewise be installed on a computer with less RAM than listed.


3.2 Typical Installation Using Wizard


There are many methods of starting a remote installation in Kaspersky Security Center. All of them are based on
the same mechanism. The difference is in the location of their starting points in the Console and the number of
available settings. The most popular one, especially among novices, is using the ordinary remote installation wizard.
Its typical use is described below.
The Administration Server detects computers where protection tools are not installed. This information is displayed
on the Monitoring tab of the Administration Server node, in the Deployment area: the indicator is yellow and
a warning is shown. The administrator clicks the Install Kaspersky Anti-Virus link. The Advanced | Remote
installation node opens, where the administrator can start the remote installation wizard.
The deployment wizard prompts the administrator for the installation package to be installed, target computers and
the installation method.

Selecting the product


The product to be installed is selected from the list of available installation packages. The standard installation of the
Kaspersky Security Center includes installation packages for the current versions of the Network Agent, Kaspersky
Endpoint Security for Windows and two components for mobile device management, which are described in
training course KL 010.10. You can manage installation packages, delete or create new ones in the Installation
Packages repository (in the Advanced | Remote Installation node). See further sections for details.
If Kaspersky Endpoint Security is selected in the deployment wizard, it will be installed together with the Network
Agent. The wizard not only installs the selected package, but also connects the computers to the Administration
Server by installing the Network Agent on them. If the computers are already connected, the Network Agent is not
reinstalled (overwritten).
Installation packages of Kaspersky Endpoint Security 10 for Windows and Network Agent can be installed on any
supported operating system. You need not run the wizard separately for server and desktop versions of Windows or
for 32-bit and 64-bit editions. The same wizard can install the products on computers with different operating
systems.
Due to this universality, the installation package of Kaspersky Endpoint Security 10 is relatively large: about 290
MB. There are no supported ways to reduce this size. The Network Agent package is much smaller: about 40 MB.


Selecting the computers


You can select groups or separate computers for installation. Groups are comprised of managed computers. To
install the products on unassigned or even undiscovered computers, click Select computers for installation. Then you
will be able to either select the computers detected by the Administration Server, or specify the computers' addresses
manually.
When a group is selected, the wizard does not show its contents, so the administrator must remember which group
the target computers are in.
When selecting computers, the administrator can select among those discovered, and also add arbitrary names, IP
addresses and IP subnets in the list. The Administration Server will try to perform installation on all specified
computers.
As you will see later, the remote installation wizard creates a remote installation task based on the gathered data. If
a group is selected, a group task is created; if computers, a task for specific computers.

Installation method
The wizard always tries to install products using the Network Agent. If the Network Agent is not yet installed on
the computer, installation using Windows tools is tried. Both these methods are described further in this chapter.
If both Kaspersky Endpoint Security and Network Agent are to be installed on the computer, the wizard first installs
the Network Agent using Windows tools, and then installs Kaspersky Endpoint Security 10 using Network Agent.


Key
Kaspersky Endpoint Security, unlike the Network Agent, needs activation to operate properly. In the installation
wizard, you can explicitly select which code or key should be used to activate the product from the list of codes and
keys added to the Kaspersky Lab licenses storage of the Administration Server. If necessary, you can add another
code or key to the repository without quitting the wizard.
This step can be skipped if the repository contains a code or a key configured to be distributed automatically. It will
be automatically installed on all computers where Kaspersky Endpoint Security needs to be activated. Activation is
described in detail in Unit IV Maintenance.

Computer restart
The wizard offers to select restart parameters; however, in most cases neither the Network Agent nor Kaspersky
Endpoint Security 10 installation requires restarting the computer. The Network Agent installation almost never
requires it. During Kaspersky Endpoint Security installation, the necessity to restart arises if another protection
program has been installed on the computer.
The default choice, Prompt user for action, is fine for workstations. When installing the product on servers, we
recommend selecting Do not restart the computer: on a server, a user is unlikely to be present, so no one will respond
to the prompt.
The restart parameters are described in more detail later in this chapter.

Uninstallation of incompatible applications


An important capability of the Kaspersky Endpoint Security 10 installer is the ability to detect and uninstall
incompatible applications (various protection tools, including Anti-Viruses, firewalls, etc.), which are not
recommended to be used concurrently with Kaspersky Endpoint Security, because this can result in serious
problems for users and computers.
The administrator usually knows which potentially incompatible protection tools are installed in the network and
should coordinate their uninstallation beforehand. The programs are recommended to be uninstalled either by their
built-in uninstallers or by Windows tools. The corresponding capability of the Kaspersky Endpoint Security installer
should be regarded only as a contingency measure.
Detection of incompatible applications cannot be disabled from the interface, since it is intended to prevent conflicts
(there is a command-line parameter that disables it; if necessary, it can be added to the package description file for
remote installations). You can modify uninstallation settings in the remote installation wizard; this is described in
detail later in this chapter.



Computer relocation
As a result of installing the Network Agent and protection tools, computers become manageable. That is why if
computers, not groups, are selected, the wizard will ask whether it is necessary to relocate the computers to
an administration group, and if yes, into which one.
The managed computers must be included in administration groups for tasks and policies to be applied to them. If
a computer has the Network Agent installed, but is not included in an administration group, it will neither send its
events to the Administration Server, nor will it be included in the reports, nor use the centralized settings specified
by the administrator. It is manageable only nominally. De facto it is not.
The selection affects only unassigned computers. If both unassigned and managed computers are on the installation
list, the managed ones will remain in their groups. This step is displayed only if Network Agent is installed together
with Kaspersky Endpoint Security 10.

Selecting account
Initially, the Network Agent is installed by Windows tools and needs an account for accessing the target computers.
The deployment wizard allows you to specify several accounts, in case different administrator passwords are used
on the target computers. The installer tries the accounts in succession. If the first account has insufficient privileges,
the next one is tried, and so on.
Before the specified accounts are tried, the installer attempts to act on behalf of the Administration Server service
account, which you don't actually see on the account list. However, if the administrator used the default settings
when installing the server, the server service account cannot be used for remote installation. As a result of
installation with default settings, the server service starts on behalf of the KL-AK-* account that is created
automatically and receives the rights of a local administrator (not literally, but effectively the same). It has no rights
on remote computers.
So, in most cases you have to explicitly specify accounts for accessing the target computers. In a domain
environment, a domain account that is a local administrator on the target computers is the usual choice. A domain
administrator account works too, but gives the installation task far more privilege than it needs, so a dedicated
account is preferable. In large companies, there is usually a special account for remote installations, or the IT
personnel accounts have the necessary rights.

Installation process monitoring


The installation wizard uses the settings specified by the administrator to create and immediately start the product
installation task on the selected computers. After that, it automatically opens the task page in the Administration
Console.
The task page displays the task progress on the selected computers. An installation can be ready for execution,
running, wait for reboot, complete successfully or return an error. The number of computers in every status is
displayed on the pie chart and in the table.


To view the task log, click the View results link under the statistics on the task page. The upper part of the results
window contains the list of all target computers and the current task status for every one of them; and the lower part
shows the task log for the selected computer.
The task log contains the history of each task status change on the computer. The status can be the same, while its
description may vary. For example, an installation task log usually contains several records of the Running status,
where the first one informs of starting file copying to the remote computer, the second one of starting the installer,
and the third one of the installation completion.
The typical installation history of a computer shows that first the Network Agent is installed, and then Kaspersky
Endpoint Security. To install the agent, its files are copied into the admin$ shared folder on the computer, and then
the Administration Server waits for the connection with the installed Agent to start the installation of Kaspersky
Endpoint Security.

3.3 Possible Installation Issues


A remote installation consists of two main stages:
Copying the files onto the computer
Starting the remote installation
Most problems arise at the first stage, and usually these are access problems. Typical problems depend on
the method of copying, or, in other words, on the selected installation method.

Installation specifics
Installation using Windows tools
This term implies the following sequence of actions:
The Administration Server copies installation files over the network into the admin$\Temp shared folder
on the remote computer (i.e. \\COMPUTER\Admin$\Temp)
The Administration Server sends the command to start the copied setup.exe file with the necessary
parameters over RPC (Remote Procedure Call protocol)
TCP ports 139 and 445 are used for copying, and TCP port 135 for starting. The operations are performed either
on behalf of the Administration Server service account, or on behalf of the accounts specified by the administrator in
the installation wizard.


Installation using Network Agent
In this scenario, the Network Agent does everything:
Downloads the installation files from the Server and saves them into the Windows temporary folder
Starts the setup.exe file with parameters on behalf of the local system account (see the note on terminal servers at
the end of this section)
To download the files, the agent connects to the Administration Server over TCP port 13000 (by default).

Possible obstacles
An installation using Network Agent is usually trouble-free. If the Agent can connect to the Administration Server,
it can usually download the files and install the product.
An installation failure using Windows tools is typically related to access problems. Windows does not allow just
anyone to remotely copy files and start programs on a computer. There are several obstacles here.
Windows Firewall blocks access to shared files and printers by default on the computer. In the task details,
the access error is explained by the failure to connect to the computer over the network. In some cases,
the Administration Server cannot resolve the computer name into its IP address; this information is also logged in
the installation task details.
User Account Control in Windows Vista / 7 / 8 / 10 does not let a local administrator account elevate over the
network: the account receives a filtered standard-user token, there is no one to confirm the elevation remotely, and
consequently the files are not copied. The task returns an error of insufficient rights for accessing the folder.
The Simple File Sharing setting in Windows XP has the same effect. In this mode, all users connected over
the network receive guest rights. The result is insufficient rights for copying the files.
Sometimes the insufficient access rights error arises because the administrator either did not specify a user account
having administrator permissions on the computer in the remote installation wizard or mistyped the password.
There are also two rather unusual obstacles that need attention:
The Server service is not installed or is not started. Without this service, shared files and folders cannot be
accessed
An account with an empty password is used for the installation. The Windows security policy Accounts: Limit local
account use of blank passwords to console logon only, enabled by default, denies network access to user accounts
with empty passwords, even administrators
In both cases, the task returns the same error of insufficient rights to access the shared folder.
You can see that various obstacles result in the same installation task problems. Usually, they cannot be solved
remotely since most of them are related to the local computer settings. An installation error often means that
the remote installation using Windows tools is impossible on the computer. Another method should be tried.
Obviously, this does not apply to those situations when the computer is temporarily turned off, or when
the administrator mistyped the user name and password.
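The checks a practitioner would run before blaming one of these obstacles, as an added example written for this section (it is not a Kaspersky Lab tool and not part of the course): run on the computer that hosts the Administration Server, it exercises the path that installation using Windows tools takes, that is name resolution, TCP 135/139/445 and a write to admin$\Temp, and it also probes the Server ports 13000 and 13291 that the Agent and the console need later. The name ksc.example.local and the probe file name are placeholders, and the Server port checks are made from this computer, not from the target.

```powershell
# Added example, not part of the course or of Kaspersky Security Center: pre-flight checks for
# "installation using Windows tools" against one target computer.
param(
    [Parameter(Mandatory)][string]$Target,      # computer the remote installation should reach
    [string]$AdminServer = 'ksc.example.local'  # placeholder Administration Server name
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = [ordered]@{}

# 1. Name resolution: the Server must turn the computer name into an address first.
try {
    $ip = [System.Net.Dns]::GetHostAddresses($Target) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
    $results['DNS'] = if ($ip) { $ip.IPAddressToString } else { 'no IPv4 address' }
} catch {
    $results['DNS'] = "failed: $($_.Exception.Message)"
}

# 2. Ports used by installation using Windows tools: 139/445 for copying, 135 for the RPC start.
#    A closed 445 usually means Windows Firewall or a stopped Server service on the target.
foreach ($p in 135, 139, 445) { $results["TCP $p"] = Test-TcpPort -HostName $Target -Port $p }

# 3. Can the current account write to admin$\Temp? That is where setup.exe is copied to.
#    Failures here are the UAC / Simple File Sharing / empty-password family of errors.
$probe = "\\$Target\admin$\Temp\ksc-probe-$([guid]::NewGuid()).tmp"
try {
    Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
    Remove-Item -Path $probe -Force
    $results['admin$\Temp write'] = $true
} catch {
    $results['admin$\Temp write'] = "failed: $($_.Exception.Message)"
}

# 4. Server-side ports the target will need later: 13000 for Network Agent, 13291 for the console.
#    Checked from this computer; a host-based firewall on the target could still block them.
foreach ($p in 13000, 13291) { $results["Server TCP $p"] = Test-TcpPort -HostName $AdminServer -Port $p }

$results.GetEnumerator() | ForEach-Object { '{0,-20} {1}' -f $_.Key, $_.Value }
```

Run it under the account you intend to enter in the remote installation wizard (for example from a shell started with runas), because the admin$ write test uses the current credentials. A name that resolves and ports that open but a failed write narrows the problem to the local security settings described above; a closed port 445 points at the firewall or the Server service instead.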

Note on terminal servers: the Network Agent approach does not work for remote installation on a server with the
Remote Desktop Services (Terminal Services) role. On these servers, the local system account has no administrative
permissions. We recommend that you manually install Kaspersky Security for Windows Server on terminal servers.


Preparing the computer with the riprep.exe utility


If remote installation is impossible on a computer, a local installation is the next logical choice.
As an alternative to the local installation, the computers can be prepared for remote installation. For this purpose,
Kaspersky Security Center includes the riprep.exe utility (RIPrep = Remote Installation Preparation).
The utility is started locally and can solve most access problems:
• Disables Simple File Sharing
• Starts the Server service
• Opens the necessary ports in Windows Firewall
• Creates an account having the necessary rights for remote installation
• Disables User Account Control

riprep.exe relieves the administrator of investigating why the Administration Server cannot access the admin$
folder. The utility removes most potential obstacles.
Sometimes, system administrators e-mail the utility to the users for them to prepare the computers for remote
installation. This will only work if the users have local administrator rights.
If the users do not have local administrator permissions, the system administrators must already have a mechanism
in place for deploying programs on the computers.

Configuring access using the domain policy


The above described problems usually arise on those computers that are not members of the domain.
The administrator has more control of the domain computers and can prepare them for the remote installation using
the domain policies.
User Account Control, Simple File Sharing and Firewalls can be set up via group policies.
To disable simple file sharing within a policy, open Computer Configuration, Policies, Windows Settings,
Security Settings, find Network access: Sharing and security model for local accounts and select Classic - local users
authenticate as themselves. Simple file sharing will be disabled on the domain computers.


User Account Control settings are also located there, at the end of the list. If necessary, you can disable UAC.
Windows XP Firewall parameters are located in Computer Configuration, Administrative Templates, Network,
Network Connections. In the Windows Firewall parameters, allow the file and printer sharing exception in
the domain profile.
Windows Vista / 7 / 8 / 10 Firewall parameters are located in: Computer Configuration, Policies, Windows
Settings, Security Settings, Windows Firewall with Advanced Security. Here, creating the necessary exception is
more difficult. You can open the necessary ports, or export the necessary rules from the local Firewall settings and
import them into the policy, but usually it is easier to disable the firewall for the domain profile.
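The following script is an added example, not part of the KL 002.10 course or of Kaspersky Security Center. It is a read-only check of the obstacles described above (Server service, admin$ share, sharing model, blank-password policy, UAC, firewall exception), i.e. it reports the state of the settings that riprep.exe or the domain policy would change, without changing anything. It assumes an elevated PowerShell 5 session on the target computer running Windows 8 / Server 2012 or later (for the NetSecurity and SmbShare cmdlets); the function and check names are the example's own.

```powershell
# Added example (not part of the course or of Kaspersky Security Center):
# read-only readiness check for remote installation through admin$.
# Assumes an elevated PowerShell 5 session on Windows 8 / Server 2012 or later.

function New-Check {
    param([string]$Name, [bool]$Ok, [string]$Detail)
    [pscustomobject]@{ Check = $Name; OK = $Ok; Detail = $Detail }
}

function Get-RegDword {
    # Returns the registry value, or $null if the key or value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-RemoteInstallReadiness {
    $lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $checks = @()

    # 1. Server service (LanmanServer): without it admin$ and every other share is unreachable.
    $svc   = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    $svcOk = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    $checks += New-Check 'Server service running' $svcOk `
        $(if ($svc) { "Status=$($svc.Status)" } else { 'service not installed' })

    # 2. admin$ share: the Administration Server copies the installer through it.
    $share = Get-SmbShare -Name 'ADMIN$' -ErrorAction SilentlyContinue
    $checks += New-Check 'admin$ share present' ($null -ne $share) `
        $(if ($share) { $share.Path } else { 'not found' })

    # 3. Sharing and security model: ForceGuest=1 is "Guest only" (Simple File Sharing),
    #    so every network logon, an administrator's included, gets guest rights.
    $forceGuest = Get-RegDword $lsa 'ForceGuest'
    $checks += New-Check 'Classic sharing model (not Guest only)' ($forceGuest -ne 1) "ForceGuest=$forceGuest"

    # 4. LimitBlankPasswordUse=1 (the default) denies network logon to accounts with empty
    #    passwords. Nothing to change here: use an installation account that has a password.
    $blank = Get-RegDword $lsa 'LimitBlankPasswordUse'
    $checks += New-Check 'Blank passwords denied over the network (use an account with a password)' `
        ($blank -ne 0) "LimitBlankPasswordUse=$blank"

    # 5. User Account Control. EnableLUA=0 means UAC is off (what riprep.exe does).
    #    LocalAccountTokenFilterPolicy=1 is the narrower alternative: it lifts the UAC remote
    #    restriction for local administrator accounts while leaving UAC itself enabled.
    $lua    = Get-RegDword $policy 'EnableLUA'
    $filter = Get-RegDword $policy 'LocalAccountTokenFilterPolicy'
    $uacOk  = ($lua -eq 0) -or ($filter -eq 1)
    $checks += New-Check 'UAC will not block remote admin$ access' $uacOk `
        "EnableLUA=$lua LocalAccountTokenFilterPolicy=$filter"

    # 6. Windows Firewall: the File and Printer Sharing exception must be enabled inbound;
    #    the active network profile is reported so the domain/private distinction is visible.
    $netProfile = Get-NetConnectionProfile -ErrorAction SilentlyContinue | Select-Object -First 1
    $active = if ($netProfile) { $netProfile.NetworkCategory } else { 'Unknown' }
    $rules  = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
              Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
    $checks += New-Check 'File and Printer Sharing firewall exception enabled' (@($rules).Count -gt 0) `
        "$(@($rules).Count) inbound rule(s) enabled; active profile: $active"

    return $checks
}

Test-RemoteInstallReadiness | Format-Table -AutoSize
```

A row with OK = False names the setting the remote installation task will fail on; the Detail column shows the raw value so the fix can be made by riprep.exe, by hand, or in the domain policy described above.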


3.4 Uninstallation of Incompatible Applications


Uninstallation tools
Kaspersky Endpoint Security is not compatible with other protection tools. Before the installation, the conflicting
programs must be uninstalled. If for some reason the incompatible applications cannot be uninstalled using regular
tools, the administrator may use Kaspersky Security Center functionality for this purpose:
• The Uninstall incompatible applications automatically option in the installation wizard of Kaspersky
Endpoint Security, or
• An Uninstall application remotely task

Uninstallation using Kaspersky Endpoint Security 10 installer

The installer of Kaspersky Endpoint Security 10 for Windows always detects incompatible applications.
The installer can uninstall most of the incompatible applications it can find.
If uninstallation of incompatible applications is disabled and a conflicting application is found during Kaspersky
Endpoint Security 10 installation, the installer returns an error. The error description explains that the product cannot
be installed if incompatible applications are installed on the computer. The administrator needs to uninstall
the conflicting programs and re-start the installation.
Security software by other manufacturers is not incompatible with the Network Agent and does not hamper its
installation.
You can configure uninstallation of incompatible applications in the remote installation wizard. There is a step with
the list of programs whose uninstallation is supported, where you can select the Uninstall incompatible
applications automatically check box.
If uninstallation is enabled, as soon as Kaspersky Endpoint Security 10 installer detects an incompatible program, it
automatically deletes it and proceeds with Kaspersky Endpoint Security 10 installation. After the installation is
finished, the installer will prompt for restarting the computer.
Incompatible application uninstallation parameters are actually a part of Kaspersky Endpoint Security 10 installation
package properties, which are described later in this chapter.


Uninstallation using Network Agent


Detecting incompatible applications
An alternative approach to uninstallation of incompatible applications is as follows:
1. Install Network Agent without Kaspersky Endpoint Security 10 for Windows
2. Generate a report on incompatible applications
3. Create a selection of computers with incompatible applications
4. Create and run an incompatible application uninstallation task for the selection
5. Install Kaspersky Endpoint Security

The Network Agent can detect incompatible applications and inform the Administration Server about them. This
information is available in the computer properties: System Info, Applications registry. The Network Agent
reports all installed programs, not just the incompatible ones, but in the computer properties window you can select
to view incompatible applications only.
To view information about incompatible applications on all managed computers, open the corresponding report on
the Reports tab of the Administration Server node.


Creating a computer selection


To uninstall incompatible applications, you need to create an uninstallation task and run it on the computers where
these programs are installed.
The easiest way to do it is to use computer selections. They are located in the corresponding node at the root level of
the console tree. There are quite a few default computer selections, but none of them shows computers with
incompatible applications. To draw up a list of these computers, it will be necessary to create a new computer
selection. In the properties of this new computer selection, modify its conditions: in the Applications registry
section, specify the name of the incompatible application. The computer selection results will contain only
the computers where this program is detected.
To include computers with different incompatible applications in one selection, specify several search conditions in
the selection properties.

Incompatible application uninstallation task


The following step is to create an uninstallation task for this selection. Start a generic task creation wizard in the
Tasks node, follow the wizard and when prompted for the target computers, choose the selection object. Every time
the task runs it will check the contents of the selection and update the target computers list accordingly.


To uninstall incompatible applications, select the Kaspersky Security Center Administration Server | Advanced |
Uninstall application remotely task type in the task creation wizard.
This task is used in various scenarios concerning uninstallation of programs and service packs. Here, we are
interested in the Uninstall incompatible application option.
After this step, specify the name of the incompatible application to be uninstalled. You can select several programs
or even all of them. This increases the task run time though, because such a task executes, step by step, the uninstall
scripts for all the selected programs.
The uninstallation task also has computer restart parameters. The restart is often necessary to finish
the uninstallation. By default, the user is prompted to restart the computer. If they choose to postpone the restart,
the prompt reappears every 5 minutes, and in half an hour the restart is forced.
The administrator can modify these intervals and the message text. If the administrator selects a forced restart,
the user's data may be lost. Another alternative is to wait for a regular restart, which may happen, for example,
the next morning; however, the task will remain uncompleted for a while.


The administrator should also select the target computers. The available options include:

• Picking computers from the Managed computers group and the Unassigned devices node
• Typing the names or addresses of the computers
• Specifying a computer group name
• Pointing to a selection of computers

The last option is convenient for computers that can be defined by conditions relatively easily, e.g., computers
where incompatible applications are detected.
The task creation wizard also prompts for the account. In our scenario, the account is not necessary, because
Network Agent is already installed on the computers and will run the uninstallation task under the local system
account. The account does need to be specified if the task is run either on computers without a Network Agent, or on
computers where the Network Agent has no administrator permissions.
At the last steps of the wizard, select the schedule, task name, and whether to start the task immediately. Once
the incompatible programs are uninstalled, Kaspersky Endpoint Security can be deployed by running the remote
installation wizard or an automatic installation task, which are described later in this chapter.


3.5 Other Installation Methods


Installation methods: overview
Remote installation using Windows tools does not work in some cases. This means that the initial deployment of
Kaspersky Endpoint Security by the standard remote installation wizard of Kaspersky Security Center might fail.
At the same time, Kaspersky Endpoint Security is typically not the only program to be deployed within a network.
The administrators regularly install and update programs on the computers, and they must have the corresponding
tools and methods. Those vary widely: from local installation on the computers performed by IT employees, to
the use of IT infrastructure management systems like Microsoft SCCM, or installation using Active Directory tools
or login scripts.
Support of Kaspersky Security Center is not especially important if these alternative methods are used, but comes in
handy if available. For example, for manual installation, Kaspersky Security Center allows integrating all
installation files and parameters into one installation file. Also, installation using Active Directory tools can be
selected right in the installation wizard.

Installation using standalone packages


A standalone package in Kaspersky Security Center is a file that includes the installation files and installation
parameters of the product (for example, Kaspersky Endpoint Security). A standalone package can include Network
Agent installation files and the Administration Server connection parameters.
This package is designed for local installation by the IT employees, administrators or users who have sufficient
rights. It saves time and reduces the number of errors.
An extremely simple installation procedure is an advantage of standalone packages. No parameters need to be
specified during the installation, as they are already included in the package. This helps to save time and prevent
errors, for example, when specifying the Server connection address.
Also, since the standalone package is a single file, it is easier to handle than the standard distribution. This
eliminates the risk of missing some files, and reduces the overall time necessary.


Creating a standalone package


The Administration Server signs standalone packages with its certificate by default. This certificate is self-signed,
and Windows will display a warning when the package is run. The administrator can select to sign packages with
another certificate. Specify the necessary certificate in the properties of the Advanced | Remote installation
| Installation packages node, in the Signing stand-alone packages section.
Standalone or 1-click packages are created from regular installation packages available in the Advanced, Remote
installation, Installation packages node of the Administration Server. A special wizard is used that prompts for
the installation parameters.
When the Kaspersky Endpoint Security standalone installation package is created, the wizard will prompt to include
the Network Agent, so that the target computer could immediately connect to the Administration Server.
Regardless of the selected product, computers should be moved into the managed category right after
the installation. Leaving protected computers in the unassigned category usually does not make much sense. This
step appears in the wizard if the Network Agent is installed together with the main package.
If it is necessary to modify the default settings of Kaspersky Endpoint Security or select the specific components to
be installed, it needs to be done within the properties of the regular installation package, before starting
the standalone installation package wizard. The parameters of the installation packages are described later in this
chapter.
After all the parameters are specified, the wizard generates the setup.exe installation file and places it in the PkgInst
subdirectory of the shared folder on the Administration Server.


The wizard suggests that the administrator takes one of the following actions:
• Open the folder containing the package: for example, to copy it to a flash drive
• E-mail users an invitation to run the package: Administration Server starts the default e-mail client and
automatically fills in the message subject and body providing a link to the package located in the shared
folder; the only thing the administrator has to do is to specify the recipient addresses
• Place a link to the package on a web resource: a text window opens, which contains HTML code of
the link to the package that can be added to a web page
Later, the list of created standalone packages can be opened from the Installation packages node within the
Advanced, Remote installation container. You can delete unnecessary packages or send another e-mail message to
the users.
The HTML link offered by the package wizard contains the path to the shared folder on the Administration Server.
If non-domain users who are not registered on the Administration Server try to click it, they will not be able to
access the resource.
The link to the network folder should be replaced with an http link to the package that can be copied from its
properties. There is a built-in web server on the Administration Server where any user can download the package.
Each standalone package gets a unique http link based on the package id. The administrator can find the link in
the package properties in the list of all standalone packages.
If standalone package creation wizard is started for a package repeatedly, the administrator can either re-create
the standalone package or create another one.

Installation from a standalone package


When the users receive the message inviting them to install the product, they should click the link to download
the standalone package, run it and wait for the installation to finish. If Kaspersky Endpoint Security is installed over
the previous version or a protection tool by another manufacturer, the computer may need to be restarted. In either
case, the user will be prompted for this.
To start the standalone package in a silent mode, you can use the /s command-line switch.


More installation-related settings


Previously we described using a wizard for remote deployment, and we mentioned that completing the remote
deployment wizard produces a task that actually does all the work. Such a task has more settings than the remote
deployment wizard, and we are going to discuss these settings now.

Schedule
Kaspersky Security Center allows configuring almost any sensible schedule for an installation task:

• Manually: without schedule
• Immediately: right after creation
• Once: on the specified day, at the specified time
• Every N hours: including every hour
• Daily: every N days, at the specified time
• Weekly: on the specified weekday, at the specified time
• Monthly: on the specified day, at the specified time
• On completing another task

As a rule, single launch is used for installation; usually, Manually. The Immediately option can also be used (as in
the deployment wizard), or Once, for example, to run installation on servers at night.
Occasionally, the administrator might want to restart a deployment task, for example, to force deployment to
the computers where the task failed the first time around. This will not cause the reinstallation on the computers
where the task succeeded. If Kaspersky Security Center detects that the packages are already installed on
the computer, the task immediately completes for this computer.
If some of the computers selected for the installation are shut down, but they support the Wake-on-LAN function,
the Administration Server can send the turn-on signal to these computers before running the task. To use this
technology, enable the corresponding option in the installation task's schedule parameters.
You can stop a task after some time. A task might hang in the Running status if the computer is powered off
unexpectedly. With the automatic stop option enabled, the task will be stopped and can be started again later, to
repeat the installation attempt.

Storing the results


The information that the administrator can see in the task results window is transferred to the Administration Server
and stored in the events database. Initially, it is the installer that transfers the events, but once the Network Agent is
installed, it handles the information transfer.
Remote installation events are stored in the Administration Server database for 7 days. This lifetime can be modified
in the task properties, along with the other storage settings.
The results can be stored in the Administration Server database and in the Windows event log. By default, all task
events are stored. You can select to store only the execution events: in this case, the Applied and Ready for
execution statuses will not be logged. Alternatively, you can select to store only the task results.
You can also enable notifications of task completion here. They will be sent using the general notification
parameters specified on the Administration Server.


File transfer over the network


If an installation starts on a thousand computers simultaneously, and they all try to download the installation
package from the Administration Server at the same time, the network is likely to be overloaded to the extent that
some computers will not be able to connect to the Server and install the product. Other network applications used in
the organization may also encounter problems as a result of mass data transfer over the network.
This doesn't happen, however, because there is a limit on the number of simultaneously downloaded installation
packages in the task properties. By default, it is set to 5, but you can adjust it if necessary. At any moment
the package will be downloaded by not more than 5 computers. Other computers will be waiting for their turn.
When the package is completely downloaded to one of the computers, the next computer will be permitted to start
downloading.
Sometimes installation is aborted because of temporary obstacles, and its immediate restart results in success. So as
not to make the administrator start the task again manually, the task makes several installation attempts before
informing of an error. By default, 3 attempts are made. If installation is aborted 3 times, a persistent problem likely
exists.

Program reinstallation
By default, reinstallation is disabled. The task gets the information about the installed programs from
the Administration Server database. If the database reports that the Kaspersky Endpoint Security version installed on
the computer is the same as the one to be installed by the task, the installation will finish with the Program already
installed verdict. Vice versa, if the server has the data that Kaspersky Endpoint Security is not installed on
the computer, the installer will install Kaspersky Endpoint Security even if the same version is actually installed on
the computer.
In some cases, the administrator may want to reinstall an already installed program. For example, the Network
Agent can be reinstalled with the purpose of editing its connection settings. To perform reinstallation, disable the Do
not install application if it is already installed parameter.
Installation of a newer product version than what is already installed on the computer is not considered to be reinstallation and is always allowed. Installation of an older version is treated as a re-installation and is regulated by
the same option.

Installation using Active Directory


The principle is as follows. The installation package in Microsoft Installer (.msi) file format is placed into a shared
folder for which the domain computers have Read permissions. In Active Directory, the package is assigned to
a group policy that is applied to the domain computers. When a client computer starts and logs in the domain,
the policy is applied and the installation package is automatically installed, even before the user logs on to
the system.
This installation method can be comparatively easy when implemented manually. Nevertheless, Kaspersky Security
Center makes it even more convenient. Just select the Assign Network Agent installation in the Active Directory
group policies check box in the task. The method is applicable for the Network Agent only, because after the Agent
is installed, other programs are supposed to be installed using the Agent.


If this option is selected, the Administration Server creates a new group in Active Directory named
Kaspersky_AK{GUID} and includes within it the accounts of the computers to which the task applies.
Also, the Administration Server creates a new group policy object of the domain level that is named
Kaspersky_AK{a different GUID} in Active Directory and assigns within it the installation of the Network Agent
MSI package located in the shared folder on the server.
The permission to apply the policy is granted only to the created group which contains the accounts of the target
computers. So, the domain level policy will be applied to the selected domain computers, not all domain computers.
After this, the standard installation is performed. The policy eventually applies to the computers. At the next restart,
computers download the Network Agent MSI package from the shared folder on the Administration Server and
install it. The installation parameters, which include server address and ports, are taken from the answer file located
in the same folder as the MSI package. Thus computers automatically connect to the Administration Server.
If the task is configured to install not only the agent, but also another program, for example, Kaspersky Endpoint
Security, the installation will resume after the agent connects to the server.
The security group and group policy object created by the task persist in the Active Directory until the task is
removed from the Kaspersky Security Center or the Assign Network Agent installation in the Active Directory
group policies option is cleared in the task properties.
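The following script is an added example, not part of the course or of Kaspersky Security Center. It audits the Active Directory objects that the option described above creates (the Kaspersky_AK{GUID} computer group and the domain-level Kaspersky_AK{GUID} GPO): for each GPO it checks that it is linked at the domain root, that the Apply Group Policy permission is held by a Kaspersky_AK group and not by a broad principal such as Authenticated Users, and how many computers the group currently contains. It assumes the RSAT ActiveDirectory and GroupPolicy modules and read access to AD and GPOs; the function name and the list of "too broad" trustees are the example's own choices.

```powershell
# Added example (not part of the course or of Kaspersky Security Center):
# audit of the group and GPO that the AD-based Network Agent installation creates.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules are installed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-KscAdDeploymentAudit {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $domainDn   = (Get-ADDomain -Identity $Domain).DistinguishedName
    # GPOs linked at the domain root; the task links its GPO there and limits it by security filtering.
    $rootLinks  = (Get-GPInheritance -Target $domainDn -Domain $Domain).GpoLinks
    $groupNames = @((Get-ADGroup -Filter 'Name -like "Kaspersky_AK*"' -Server $Domain).Name)
    # Trustees that would push the Agent to far more than the task's target computers.
    $tooBroad   = @('Authenticated Users', 'Domain Computers', 'Everyone')

    $gpos = Get-GPO -All -Domain $Domain | Where-Object { $_.DisplayName -like 'Kaspersky_AK*' }
    foreach ($gpo in $gpos) {
        # Security filtering: every trustee holding "Apply Group Policy" on this GPO.
        $appliers = @(Get-GPPermission -Guid $gpo.Id -All -Domain $Domain |
                      Where-Object { $_.Permission -eq 'GpoApply' } |
                      ForEach-Object { $_.Trustee.Name })
        $kscGroups = @($appliers | Where-Object { $_ -in $groupNames })
        $broad     = @($appliers | Where-Object { $_ -in $tooBroad })

        # Computers the task placed into the matching Kaspersky_AK group(s).
        $members = 0
        foreach ($g in $kscGroups) {
            $members += @(Get-ADGroupMember -Identity $g -Server $Domain |
                          Where-Object { $_.objectClass -eq 'computer' }).Count
        }

        [pscustomobject]@{
            Gpo             = $gpo.DisplayName
            LinkedAtDomain  = ($rootLinks.DisplayName -contains $gpo.DisplayName)
            AppliedTo       = ($appliers -join ', ')
            TargetComputers = $members
            # Expected: a Kaspersky_AK group applies the GPO and no broad trustee does.
            FilteringOk     = ($kscGroups.Count -gt 0 -and $broad.Count -eq 0)
        }
    }
}

Get-KscAdDeploymentAudit | Format-Table -AutoSize
```

A GPO with FilteringOk = False would install the Agent on computers outside the task's scope, and a Kaspersky_AK GPO that remains after its task was deleted from Kaspersky Security Center is a leftover worth removing, since the objects persist until the task is removed or the option is cleared.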


3.6 Installation Packages


Installation packages in Kaspersky Security Center represent the products ready to be installed. A package includes
installation files along with the installation parameters and some product setup parameters. Installation package
parameters in a sense replace the local installation wizard and local setup wizard. Every product has its own settings.
As you know, installation packages are used in the remote installation wizards and tasks, and for creating standalone
installation packages.
Kaspersky Security Center includes all packages necessary for deploying the protection system:
• Network Agent
• Kaspersky Endpoint Security for Windows
Available packages are stored in the Advanced, Remote installation, Installation packages repository. This node
shows the following information on each package: name and version of the product, and the unique name of the
package.
Packages can be created, modified and removed. If a package is used in a current installation task, it cannot be
removed until the associated task is deleted.
You can create and use various installation packages in Kaspersky Security Center. You can use them to install
operating systems, programs, updates and critical fixes, and also to start various scripts and utilities on
the computers. This is described in more detail in KL 009.10: Systems Management course. Within the framework
of this chapter, we describe only the installation packages created for Kaspersky Lab programs.

Network Agent installation parameters


The General section of the package properties shows the program version and file size, and also the path to
the package file in the shared folder of the Administration Server. If necessary, an IT employee can download
the installation files over the network and install the Network Agent locally.


The Settings section allows changing the installation folder and also setting the uninstallation password. If
the Network Agent installation folder is not specified explicitly, the standard path is used:
%ProgramFiles%\Kaspersky Lab\NetworkAgent
Agent uninstallation can be protected with a password that can be specified in the package properties. Even users
with administrator permissions will not be able to uninstall the agent using regular tools unless they know
the password. However, users with administrator permissions can make the agent inoperative if they really want to.
The same password protection function is also available in the Network Agent policy.
The Connection section of the Network Agent installation package properties contains the Administration Server
connection parameters. The Network Agent installation wizard prompts for these settings during the local interactive
installation.
The main connection parameters are the Administration Server address and ports. Initially they take the values
specified during the Administration Server installation. If the client computers and Administration Server belong to
different subnets connected via a proxy server, the proxy server parameters can also be specified in the installation
package properties. These standard parameters include the proxy server address and port, and also the user name and
password for authorization. Remember that these parameters will be used by Network Agents when connecting to
the Server, not vice versa.
When it is the Server that initiates a connection to a client computer, for example, to enforce a policy, it uses a UDP
port. So that the Windows Firewall would not block requests on this port, the Network Agent can automatically
create the necessary exception. To modify this behavior, clear the Open Network Agent ports in Microsoft
Windows Firewall check box. By default, Network Agent accepts connections on UDP port 15000. This value can
be changed both in the package properties and later in the Network Agent policy.
Just like the Kaspersky Administration Console, Network Agents may establish encrypted (SSL) or non-encrypted
connections to the Server. By default SSL is enabled. Network Agents automatically download and use
the Administration Server certificate. The certificate can be specified manually in networks with strict security
requirements to exclude the possibility of Administration Server substitution.
None of the Network Agent parameters are specified in the deployment wizard. The Network Agent is installed and
connected to the Server using the standard settings from the package.
The advanced parameters of the Network Agent installation package are useful in networks with complicated
infrastructure. These are described in KL 009.10. Systems Management and KL 302.10. Kaspersky Endpoint
Security and Management: Advanced Skills courses.
The Tags section is described later in this unit.


Kaspersky Endpoint Security installation parameters


General
The general properties of Kaspersky Endpoint Security package are similar to those of the Network Agent package.
The only difference is the Update databases button.
For Kaspersky Endpoint Security to be able to work right after the installation, its installation package includes
antivirus databases. They become obsolete over time. This is not actually a problem, because right after Kaspersky
Endpoint Security is installed, the update task starts and downloads the new databases.
Sometimes, it is necessary that the product is installed with up-to-date databases. For example, an IT employee may
take a standalone package to a small branch office with poor Internet access. In this case, the size of the package that
the engineer carries on the removable drive is not that important. Decreasing the traffic of the update task is more
important, since it may constitute tens of megabytes if the package contains outdated databases.
In this case, databases can be updated in the package prior to the installation. The date of the last update is also
shown in the general package properties, in the Databases updated field.
The Update databases button copies a complete set of databases from the Server storage to Kaspersky Endpoint
Security package. Initially, the databases are supplied within the bases.cab archive in the installation package. After
an update using the Update databases button, the archive is replaced with a folder named bases. The folder's
volume is comparable to the size of the archive, since the database files are encrypted and cannot be compressed.
Kaspersky Security Center updates databases in the packages automatically when updates are downloaded to
the repository. But this is performed only once for each package. If databases have ever been updated automatically
in a package, they will not be updated automatically any more. Actually, automatic update is performed for
the Kaspersky Endpoint Security package that is added to the storage during the installation (it is updated shortly
after the installation), and for any other newly created Kaspersky Endpoint Security package soon after it is created.

Parameters
Other parameters of Kaspersky Endpoint Security package duplicate the interactive installation parameters.
The main parameters are the list of components and the program files folder.
The set of components depends on the Installation type parameter. The administrator can select one of two preset
installation types:
Basic installation: all components whose names include the word Anti-Virus, plus Firewall, Network Attack
Blocker, System Watcher and Application Privilege Control
Standard installation: all components except encryption
If you need some other configuration, choose the Custom installation type and select the components to be
installed. The Encryption and BadUSB Attack Prevention components can only be installed through Custom
installation.
By default, the Standard installation is selected, which includes all components except for Encryption and BadUSB
Attack Prevention. The administrator may switch between the preset installation types, or choose Custom
installation and select individual components on the list. Remember that some of the components only work on
workstations, while a package can be installed on any supported operating system. On server systems, only
the following components can be installed:

File Anti-Virus
Firewall
Network Attack Blocker
BadUSB Attack Prevention


Although Application Privilege Control settings also show up in Kaspersky Endpoint Security on servers,
the component is not actually installed. Kaspersky Endpoint Security won't control application privileges on servers;
for example, it won't block Untrusted applications there. The reason why Application Privilege Control settings are
visible on servers is that some of these settings are also used by the Firewall component. Application Privilege
Control and Firewall are described in more detail in Units II and III of this course.
In addition to the components, local tasks are installed. They cannot be selected in the package properties and are
installed on all operating systems:
Updates
Update rollback
Virus Scan tasks:
    Full scan
    Critical areas scan
    Custom scan
    Background scan
    Scan removable drives on connection
Integrity check
Vulnerability scan


By default, the Kaspersky Endpoint Security components are installed to:
%ProgramFiles%\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1
If necessary, the administrator can modify this path.
The encryption module is also included in the installation package. Even though it is installed together with
Kaspersky Endpoint Security, technically, it is a separate application and you can specify another installation path
for the encryption module. The encryption module is not installed if none of the encryption components is selected.
Encryption is described in detail in KL 008.10 course.
Those administrators who often use the command line interface can select to automatically add the installation
folder to the %PATH% environment variable. Then they will be able to carry out product management commands
via avp.com, without specifying the complete path.
The package has two additional parameters that provide compatibility settings. One of them, Do not protect
the installation process, disables self-defense during the installation. It is enabled by default, i.e. self-defense does
not run during the installation. When self-defense is disabled, installation files may be modified by malicious
programs or malevolent users. This parameter should be used when installing on a potentially infected computer.
The other parameter disables installation of the NDIS5 driver that is used for intercepting network connections in
Windows XP/2003. If the Do not install the NDIS5 driver option is enabled, the alternative network drivers klin.sys
and klick.sys are installed on these operating systems; they perform the same function of intercepting network
packets. The option is used if the NDIS5 driver causes compatibility problems. On Windows Vista/2008/7/2008
R2/8/2012/2012 R2/10 this option plays no role: an NDIS-type driver is installed on them anyway, but NDIS6 instead
of NDIS5.
One more parameter is the Configuration file. This file defines the configuration settings used by Kaspersky
Endpoint Security after the installation. To create it, install the product on a computer, configure it as needed, and
save its configuration using the application settings management feature in the local interface.
The configuration file substitutes the setup wizard of Kaspersky Endpoint Security. If the configuration file is not
specified, the product will work using the default settings. However, as soon as the Network Agent connects to
the Server, the Kaspersky Endpoint Security policy will be enforced which will override the protection settings. So,
the configuration file is necessary if the policy does not affect some of the product settings, or for unmanaged
computers.


Key
Kaspersky Endpoint Security does not work without an activation. If an interactive installation takes place, the code
or key can be specified in the setup wizard. Remote installation implies several ways for activating the installed
product. One of them is to specify the key file in the installation package properties.
This is a reliable, although not always the most convenient way for key distribution. License management is
described in detail in Unit IV Maintenance.

Uninstallation of incompatible applications


The purpose of uninstalling incompatible applications and the corresponding Kaspersky Security Center tools was
described earlier.
Uninstallation of incompatible applications is disabled by default. It means that if an incompatible application is
found, the installation will be aborted with an error.

Creating installation packages


Installation packages included in Kaspersky Security Center are usually enough for protecting most networks.
Additional packages can be necessary in the following cases:
A new version of Kaspersky Endpoint Security has been released. For version updating, just like for
the initial installation, an installation package is necessary. The administrator can either create the package
manually or download the new version of Kaspersky Security Center that includes new package version
and reinstall Administration Server over the old one (all settings will be saved).
It is necessary to remotely install a Kaspersky Lab product that is not included in the distribution of
Kaspersky Security Center, for example, Kaspersky Security for Windows Server. Such a package needs to
be created manually.
Different parameters are needed in several network parts. For example, according to the deployment plan,
some computers do not need Web Anti-Virus and Mail Anti-Virus components. To be able to deploy
the system simultaneously on both categories of computers, create an additional installation package with
those non-standard settings.
An installation package is created from installation files by a wizard started from the Advanced, Remote
Installation, Installation packages repository. The wizard will ask for the package type, installation files location,
and some installation parameters depending on the application. It may also ask to accept the license agreement of
the application.
Creating a package requires the management plugin for the same application to be installed in the Kaspersky
Security Center console. The plugin installation file is usually found among the installation files of the application
and sometimes the wizard detects the plugin installer and installs it automatically. If this is not the case, you will
need to install the plugin before creating the package.


The wizard starts with a choice of the package type. There are three (or four, depending on the Kaspersky Security
Center interface settings), options:
A package for a Kaspersky Lab application. This package type requires a special package description file,
which is included in the distribution of most Kaspersky Lab applications. A description file can be created
manually, but this is an advanced topic outside the scope of this course.
A package for an executable file. This package type allows running the specified file (not necessarily
an installer, it could be a script or a utility) on remote computers.
A package for a 3rd-party application based on Kaspersky Lab application database. This allows installing
3rd-party applications without the need to look for and manually download their installation files.
The feature is described in course KL 009.10 Systems Management.
The fourth option which may not be visible depending on the settings is a package for operating system deployment
based on a disk image. It is also explained in course KL 009.10 Systems Management.
Now, we are interested in the first option. After you select it, the wizard prompts for the package name and path to
the folder that contains the installation files and the package description file.


Installation files may be unpacked (this is how they are usually supplied on CD), or packed into a self-extracting
archive (in this form they are available for downloading from Kaspersky Lab web site). The package creation wizard
supports both formats. If a self-extracting archive is specified, the wizard will automatically unpack it into
a temporary folder and extract all necessary files.
Installation packages for Kaspersky Lab products are created based on description files having a .kpd or .kud
extension. The files are identical, except for the character encoding: .kpd files use ANSI encoding, while .kud files
are in Unicode. The files contain the product version, the name of the installer, installation parameters, error
descriptions and additional options depending on the application.
A .kpd/.kud file alone is not enough to create a package. It is just a description, not an archive. The description files
are located within the distribution package, and must not be separated from it. To create an installation package
correctly, select the .kpd/.kud file located within the corresponding distribution package. It is a common mistake to
copy just the description file into a separate folder and try to create a package from it. This will not work.
A way to avoid this mistake is to point the wizard to the self-extracting installer of the application downloaded from
the Kaspersky Lab website. This option is not apparent in the wizard, though. When prompted for the description
file, change the file type from .kpd/.kud to Self-extracting archive and then point to the downloaded installer.
The package creation wizard will automatically unpack the specified file to a temporary folder and extract
the description file from it.
After the package description file is selected, the wizard will show the application name and version for you to
check that it is exactly the application you want. At the next step, the wizard may ask to accept the license
agreement.
Then, depending on the application, the wizard may ask for some installation parameters. In the case of Kaspersky
Endpoint Security, the wizard prompts for the installation type: Basic or Standard. This can be modified later in
the package properties, especially if you need a custom selection of components.


To create an installation package for a Kaspersky Lab program, the administrator does not need to search for and
download the installation files. Kaspersky Security Center monitors current versions of Kaspersky Security Center,
Kaspersky Endpoint Security and Kaspersky Security for Windows Server and allows the administrator to create
installation packages right from the distributions available on Kaspersky Lab servers.
In the Installation packages node, there is the Additional actions button, and the View current version of
Kaspersky Lab applications link beneath. It opens the list of available distributions for various versions and
localizations [11]. The administrator just selects the necessary distribution and clicks the Download applications and
create installation packages button, and the Administration Server automatically completes the job.
Kaspersky Security Center also notifies the administrator about new versions of distributions. When they are issued,
the corresponding message appears on the Monitoring tab of the Administration Server node, in the Deployment
area.

3.7 Deployment Monitoring


Task results and the information available on the Managed computers group do not always provide comprehensive
information on the protection deployment in the network. Deployment by a single task on all computers, as well as
managing all computers within one group, is characteristic of small networks only.
For a complete picture, reports are the natural information source. Reports relevant to the deployment stage are:
Incompatible applications report (was described earlier)
Kaspersky Lab software version report
Protection deployment report
Selections are also very useful at the deployment stage:
New computers found
Kaspersky Anti-Virus is not installed
Unassigned computers with Network Agent

[11] English, French, German and Russian localizations of Kaspersky Security Center, Kaspersky Endpoint Security for Windows and
Kaspersky Security for Windows Server are displayed.


Software version report


Reports are available on the corresponding tab of the Administration Server node.
The software version report shows the number of Kaspersky Lab programs installed on managed computers. In
particular, the number of installed Network Agents, Administration Servers and Kaspersky Endpoint Security
instances.
Various versions (builds) of the products are represented separately, which is convenient when upgrading
the products. The report shows how many computers use the current versions of the programs, and how many run
older versions.
The graphic part of the report illustrates the statistics table, which lists all versions of managed products and
the number of installations for each of them.
The Details table gives information on every computer: which products are installed, which versions, etc.

Protection Deployment Report


This report shows three categories:
Computers with Network Agent and protection tools
Computers with Network Agent, but without protection tools
Computers without Network Agent
Computers with protection tools, but without the Network Agent are included in the last category. If the Network
Agent is not installed, the Administration Server has no way to detect the protection tools. This category also
includes the computers where the Network Agent is installed, but is not connected to the Administration Server.
The chart and the Summary table show the number of computers in every category. The Details table, just like in
the software version report, shows the version of Network Agent and Kaspersky Endpoint Security on every
computer.
This report is especially useful if the administrator first moves all of the computers into the Managed computers
group, and then starts the deployment tasks. In this case, the report explicitly displays how many of the managed
computers are not connected to the server, and how many of those connected are not yet protected with Kaspersky
Endpoint Security.
If the administrator uses the remote installation wizard for the deployment and always selects the computers from
unassigned computers area, this report is less useful as it does not cover unassigned computers.

General deployment status


The information about protection deployment is also available on the Monitoring tab of the Administration Server
node. The Deployment area contains the number of managed computers where Kaspersky Endpoint Security is not
installed. If it is non-zero, a link to the selection that includes all these computers is also displayed.
If there are any computers with Network Agent in the Unassigned devices node, this will be reflected in
the Computer management area with another link to the corresponding selection of computers.

Discovering new computers


The administrator can configure notifications about new computers found in the network. The corresponding event
is in the properties of the Administration Server, and you can enable e-mail notification in the event properties.
How computers get found in the network is described in the next chapter.


Chapter 4. Management of Computer Structure


4.1 Discovering Computers
In the deployment wizard or when creating a deployment task, the administrator can select computers from a list.
The Administration Server makes up this list by polling the network. Polls are performed periodically in several
different ways.
Windows network polling
Active Directory polling
IP subnet polling

Discovery management
Polling results are shown in the Advanced | Network poll node separately for each discovery method:
Domains: computers detected during Windows network polling; workgroups and domains are represented
as folders containing computers
Active Directory: domains and organizational units are represented as folders containing computers
IP subnets: IP subnets are represented as folders
The discovered computers are also displayed in the Unassigned devices node.
One computer can be shown in more than one detection area. If a computer is detected in the HQ domain and its
address is 192.168.0.1, it will be displayed in both the Domains node and in the IP subnets node in
the corresponding folders.
To modify the poll settings for every method, go to the Advanced | Network poll node and then click the respective
Edit polling settings link. You can also start any type of polling manually on this page.


Windows network polling


Quick poll
The Administration Server collects the list of Windows network computers just like the operating system itself.
When a user opens the computer's network places, the list of neighborhood computers grouped by domains and
workgroups is shown. The Administration Server can acquire the same list.
This polling method is called quick Windows network polling. It places hardly any extra load on the network.
The Computer Browser service is responsible for making up and representing the list of computers. In every
network segment there is the main computer that stores the general list and provides it when requested. To receive
the list, Administration Server only needs to send a request.
Quick poll is performed every 15 minutes. The results are names of domains, workgroups and their computers.

Full poll
During the full Windows network polling, the Administration Server goes through the list received as a result of
the quick poll, and then tries to connect to every computer using the NetBIOS protocol. The purpose of this poll is
to identify the computers' IP addresses and operating systems.
As the number of requests is proportionate to the number of computers, the network activity is much higher than
with quick poll. That is why full poll is performed hourly by default.


Windows network polling parameters


The main parameters of each type of polling are the polling schedule and the check box enabling the polling. If
the check box is cleared, this polling method will not be used. After all of the computers are detected and no
changes in the network are expected, the network polling can be disabled.
Additionally, for Windows network polling the administrator can specify the life span for the information on
the detected computers. By default, this period is 7 days. If in 7 days a computer can no longer be detected by
Windows network polling, the information about this computer is deleted from the server database.
This interval can be specified independently for every domain or workgroup. Also, you can specify a common life
span and use it for the whole Windows network.
Additionally, you can disable polling of a domain or a workgroup in its properties.
Polling schedule is defined as a start time and an interval. The interval can be as small as several minutes or as large
as several days or weeks. It is possible to run missed polls. If polling is performed often, this is not necessary; but
will be useful if polling is performed once a week or a month.

Active Directory polling


This method shares many features with quick Windows network polling. The Administration Server sends a request
to the domain controller and receives the Active Directory computer structure.
Active Directory polling is performed hourly.


Active Directory polling parameters


Polling parameters for Active Directory are similar to those for Windows network polling. There is an option to turn
off this polling method entirely and the schedule to use when the method is turned on. There is no explicit lifetime
parameter for the polling results. The implicit lifetime is equal to the polling interval. The data received at the next
polling completely replaces the old data.
In the Advanced polling parameters, the administrator can select the polling scope:
The Active Directory domain to which the Administration Server belongs (the default choice)
The domain forest to which the Administration Server belongs
The specified list of Active Directory domains
To add a domain to the scanning scope, specify the address of the domain controller, and the name and password of
the account for accessing it.
You can selectively disable polling for some organizational units in their properties.

IP subnet polling
IP subnet polling is more complicated than it may seem to be. The Administration Server tries to perform reverse
name resolution for every address from the specified range into a DNS name using standard DNS requests. If this
operation succeeds, the server sends an ICMP ECHO REQUEST (the same as the ping command) to the received
name. If the computer responds, the information about it is added in the Server database.
The reverse name resolution is necessary to exclude network devices other than computers, such as network printers,
routers and other devices that can have an IP address but are not endpoints that require protection.
This polling method relies upon a correctly configured local DNS service. It must have a reverse lookup zone. If this
zone is not configured, IP subnet polling will bring no results. At the same time, such a zone is not necessary for
many network services, and is often neglected in small networks. In the networks where Active Directory is used,
such a zone is maintained automatically. But in these networks IP subnet polling does not provide more information
than Active Directory polling. Due to all those complications, IP subnet polling is disabled by default.
Initially, the Administration Server gets IP ranges for polling from the network settings of the computer where it is
installed. If, for example, the computer address is 192.168.0.1 and the subnet mask is 255.255.255.0,
the Administration Server automatically includes the 192.168.0.0/24 subnet to the scan list and polls all addresses
from 192.168.0.1 to 192.168.0.254.


IP subnet polling parameters


IP subnet polling parameters include the list of polled IP subnets, the enabling check box and the schedule. When
this polling method is enabled, the default period is 420 minutes (7 hours). The life span of the polling results is 24
hours by default. If an IP address is not confirmed by polling within 24 hours, it is removed from the results. Such a short
life span accounts for dynamic IP addresses (assigned over the DHCP protocol), which can change frequently.
When modifying the settings, make sure that the information life time exceeds the polling interval.
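The polling procedure from the previous section and the life span rule above, modelled as an added example (not Kaspersky Lab code). The subnet is derived from the Server's interface address and mask as the text describes, each address is reverse-resolved before it is pinged, and stale results expire; the resolver and ping function are injected so the demo runs offline on constructed names and addresses (ptr_via_dns shows the real lookup call).

```python
"""Added example, not Kaspersky Lab code: a model of the IP subnet polling
procedure (reverse DNS first, ICMP echo only for addresses that resolve)
plus the result life span from the polling parameters. The resolver and the
ping function are injected, so the demo runs offline on constructed data."""
import ipaddress
import socket
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Defaults quoted by the course: 420-minute polling period, 24-hour life span.
DEFAULT_POLL_INTERVAL = timedelta(minutes=420)
DEFAULT_LIFE_SPAN = timedelta(hours=24)


def subnet_from_interface(address: str, mask: str) -> ipaddress.IPv4Network:
    """Derive the polled subnet from the Server's own interface settings,
    e.g. 192.168.0.1 / 255.255.255.0 -> 192.168.0.0/24."""
    return ipaddress.IPv4Interface(f"{address}/{mask}").network


def host_addresses(net: ipaddress.IPv4Network) -> List[str]:
    """Addresses actually polled: .1 to .254 for a /24 (the network and
    broadcast addresses are skipped)."""
    return [str(host) for host in net.hosts()]


def ptr_via_dns(ip: str) -> Optional[str]:
    """Real reverse lookup (needs a reverse zone on the local DNS); returns
    None when no PTR record exists. Not used by the offline demo."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def poll_subnet(net, resolve_ptr, ping, now) -> Dict[str, dict]:
    """One polling pass: an address is recorded only if it has a PTR record
    AND the resolved name answers an echo request."""
    found = {}
    for ip in host_addresses(net):
        name = resolve_ptr(ip)
        if name is None:
            continue  # printers, routers etc. without PTR records are skipped
        if ping(name):
            found[ip] = {"name": name, "last_seen": now}
    return found


def merge_results(db, new, now, life_span=DEFAULT_LIFE_SPAN) -> Dict[str, dict]:
    """Update stored results and drop entries not confirmed within life_span
    (DHCP leases change, so stale addresses must expire)."""
    merged = dict(db)
    merged.update(new)
    return {ip: rec for ip, rec in merged.items()
            if now - rec["last_seen"] <= life_span}


def settings_are_consistent(interval, life_span) -> bool:
    """The course's rule: the life span must exceed the polling interval,
    otherwise results expire before the next poll can confirm them."""
    return life_span > interval


# Constructed sample network (hypothetical names and addresses).
PTR_RECORDS = {
    "192.168.0.1": "kscserver.hq.local",
    "192.168.0.10": "ws10.hq.local",
    "192.168.0.11": "ws11.hq.local",   # has a PTR record but is switched off
}
ONLINE_HOSTS = {"kscserver.hq.local", "ws10.hq.local"}
# A router at 192.168.0.50 would answer ping but has no PTR record, so it is
# never pinged and never recorded.


def run_demo(now: Optional[datetime] = None) -> Dict[str, dict]:
    now = now or datetime(2016, 3, 1, 9, 0)
    net = subnet_from_interface("192.168.0.1", "255.255.255.0")
    # A record from an earlier poll, two days old: it must expire.
    previous = {"192.168.0.30": {"name": "ws30.hq.local",
                                 "last_seen": now - timedelta(days=2)}}
    new = poll_subnet(net, PTR_RECORDS.get, lambda n: n in ONLINE_HOSTS, now)
    return merge_results(previous, new, now)


if __name__ == "__main__":
    for ip, rec in sorted(run_demo().items()):
        print(ip, rec["name"])
```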

Configuring subnets
In order to poll subnets to which Administration Server does not belong, you need to add them to the list manually.
You can specify a subnet using either its address and mask, or the first and last IP address of the IP range. Also,
the name of the subnet should be specified.
One subnet can comprise several IP ranges. Additional ranges are configured in the subnet properties. Whereas
named subnets are not allowed to overlap, unnamed ranges inside a subnet have no such restrictions.
You can enable and disable scanning independently for every subnet.


Polling statistics
When the network is polled, the Advanced | Network poll page displays the progress. Detailed information is
available in the Administration Server statistics. There you can find the time of the last poll performed by each
method, polling progress percentage and the name of the polled domain for Windows network polling.

4.2 Creating Group Structure


Computer groups
After the initial installation, there is only one group on the Administration Server: Managed computers. With
a single group, the same protection policy is applied to all computers, which is not always desirable.
Even in small networks, it may be necessary to use different protection settings for servers and workstations. In
large networks, where different groups of users use various types of software, the capability to create policies with
different exclusions for different users is extremely useful. The computers must be placed into different groups to be
able to apply different policies [12].
From a practical point of view it is convenient when computers in Kaspersky Security Center are organized into
the same groups as in Active Directory, or into groups corresponding to IP subnets used in the organization. In this
case the fact that a computer belongs to a group makes the administrator aware of its physical location.
There are other examples of group use. Often, especially in large networks, the administrators create groups to
organize the deployment process. Computers without the Agent and protection tools are placed into the Deploy
Agent group, where the Network Agent automatic installation task is created. The computers with installed Agent
are moved into the Uninstall Incompatible Apps group, where the task for uninstalling incompatible applications is
configured. The computers without incompatible applications are moved into the Deploy KES group, where the task
of automatic installation of Kaspersky Endpoint Security is created. Finally, the completely protected computers are
moved into the permanent management structure.

[12] Kaspersky Security Center 10 Service Pack 1 provides the capability to apply different policies (to be more precise, different configuration
profiles) to different computers within the same group. For more details, refer to course KL 302.10.


Managing groups
Creation of groups in the Administration Console is as simple as folder creation in Windows Explorer. First, groups
are created within the Managed computers node. Then you can create new groups either in the same node or inside
the created groups.
In the Administration Console interface, you can use any of the following methods to create a new group:
Select the Managed computers node or an existing group and click the New group button on
the Computers tab of the group management page
On the shortcut menu of the necessary node, click New, Group
Enter the name of the group in the displayed dialog window: it will then appear as a subfolder in the structure of
managed computers. Each group page contains tabs for managing the hosts included into the group, group tasks and
group policies.
If a group is no longer necessary, you can delete it on the condition that there are no computers in either the group or
subgroups.
Groups can also be moved within the hierarchy of managed computers. For example, if the structure of groups
reflects physical computer locations and the HR department moves from Building 1 to Building 2, the HR subgroup
can be easily relocated together with its computers from the Building 1 group to the Building 2 group. The task can
be accomplished using traditional Cut and Paste or Drag and Drop methods.

How to add computers to groups


In the Administration Console, you can use any of the following methods to move computers:
Drag and Drop: select a computer among the managed or unassigned hosts and drag it with the mouse to
the necessary group. You can move several computers at once
Cut and Paste: the procedure is almost the same, but you cut the selected computers (using the shortcut
menu or CTRL+X keyboard shortcut) and then paste them into the necessary group (once again using
the shortcut menu or CTRL+V keyboard shortcut)
Select one or several computers in the Unassigned devices node or a selection of computers (the method
does not work within the groups), open the shortcut menu, select the Move to Group command and specify
the necessary group
Select the destination group and launch the Add client computers wizard using the Add computers link on
the Computers tab of the group management page. In the wizard, you can either select the computers from
the polling results or specify their names or addresses manually


Regardless of the method, you can add only the computers that have been discovered by the Administration Server
after polling the network. Even in the Add client computers wizard, if you specify a name or an address of
a computer that is missing from the Administration Server polling results, the wizard will inform about the inability
to add the unidentified computer.
If a computer exists in the network but cannot be discovered (for example, its firewall allows only outbound
connections), install Network Agent there. As soon as the Network Agent connects to the Server, the computer will
be added to the database.

Importing groups
If the network is large enough and the planned structure of managed computers requires a large number of groups,
creating a hierarchy using the methods described above can be very labor-intensive. In some cases you can use
the automation tools available in Kaspersky Security Center to reduce the amount of work.
If administrators want to arrange the managed computers in the exact same order as their network, to combine them
into the same workgroups or domains and subdivisions, they can use the structure import functionality.
You can import the structure of your Windows network, Active Directory or a structure defined in a text file. In
the first two cases you may import either the entire structure (groups including computers) or just groups. When
importing the topology from a text file, only groups can be created.
Computer import affects unassigned hosts only. If some computers from a workgroup or an Active Directory unit
that is being imported are already present in a group of managed computers, the wizard will not relocate them.
To run the wizard, right-click the Managed computers group and select the All tasks, Create group structure
command on the shortcut menu. In the wizard, specify the structure to be imported and the destination group. For
a structure to be imported from the Windows network or Active Directory, you may disable importing the
computers.
Windows network topology and a structure defined in a text file are always imported completely. When importing
an Active Directory structure, you can select the domain or unit to be imported. The other domains and units will be
ignored.

A structure to be imported from a text file must be prepared manually. Every group or subgroup must be specified on
a separate line of the text file. Subgroups are specified using their full paths, with backslashes as path delimiters,
for example:
Office1\Subdivision1\Department1
Office1\Subdivision1\Department2
Office2
Office3\Subdivision1
If a subgroup path contains groups that do not exist yet, they are created.
Groups created during the import procedure are completely identical to the groups created manually. You can
rename, move, delete them, etc.
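A parser for the group-structure text file just described, added here as an example (it is not Kaspersky's code): it turns the backslash-separated paths into a nested group hierarchy, creating the intermediate groups that were not listed, and the sample file is constructed for the example.

```python
"""Parser for the group-structure text file used by the structure import wizard.

Added example, not Kaspersky Security Center code. Each non-empty line is one
group path; path elements are separated by backslashes. Parents that were
never listed on their own line are created, and listing a group twice is harmless.
"""
from __future__ import annotations


def parse_group_structure(text: str) -> dict:
    """Return a nested dict {group_name: {subgroup_name: {...}}}."""
    root: dict = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines carry no group
        node = root
        for part in line.split("\\"):
            name = part.strip()
            if not name:
                raise ValueError(f"line {lineno}: empty group name in {raw!r}")
            node = node.setdefault(name, {})  # creates missing parents on the way down
    return root


def group_paths(tree: dict, prefix: str = "") -> list[str]:
    """Flatten the tree back into full paths, parents before their children."""
    paths: list[str] = []
    for name, children in tree.items():
        path = f"{prefix}\\{name}" if prefix else name
        paths.append(path)
        paths.extend(group_paths(children, path))
    return paths


# Constructed sample file, same shape as the four-line example above.
SAMPLE_FILE = r"""
Office1\Subdivision1\Department1
Office1\Subdivision1\Department2
Office2
Office3\Subdivision1
"""

if __name__ == "__main__":
    for p in group_paths(parse_group_structure(SAMPLE_FILE)):
        print(p)
```

Note that Office1, Office1\Subdivision1 and Office3 are created although no line names them directly.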
The structure creation wizard is designed for the initial creation of the managed computers structure. It is not
intended for regular synchronization between the Kaspersky Security Center structure and, for example, Active Directory.
If you need synchronization, configure computer relocation rules.

4.3 Computer Relocation Rules
If groups in Kaspersky Security Center correspond to IP subnets or Active Directory units, the administrator can
easily automate the distribution of computers into the groups. Computer relocation rules serve this purpose.
A relocation rule consists of the following basic settings:
What to move: a set of conditions the computers must meet to be relocated
Where to move: the name of the group in the structure of managed computers where the hosts matching
the rule conditions will be relocated
When to move: the conditions that will trigger automatic relocation
To open the list of relocation rules, click Properties on the shortcut menu of either the Unassigned devices or
Advanced | Network Poll node. Alternatively, you can follow the Configure rules of computer allocation to
administration groups link in the bottom of the Advanced | Network Poll page.
In some cases, Kaspersky Security Center automatically creates computer relocation rules. For example, when
the administrator selects to move unassigned computers into a group in the remote installation wizard or when
creating a standalone package, the Administration Server creates a relocation rule for this operation. These rules can
be viewed on the list and can be disabled, but not deleted or edited. The server deletes them automatically when
the corresponding task or standalone package is deleted.

I-133
Unit I. Deployment

I-134

KASPERSKY LAB
KL 002.10. Kaspersky Endpoint Security and Management. Fundamentals

Where to move
When creating a rule, specify its name. Use one that explains the rule purpose, since only the names are shown on
the rule list. You will also need to select the destination group: where to move the computers.

When to move
After this, decide when to apply the rule to the computers. Three options are available:
Run once for each computer: as soon as the rule is created, it is applied to all computers in the server
database, and afterwards only to new computers when they are discovered
Run once for each computer, then at every Network Agent reinstallation on computer: similar to
the previous option, but if the Network Agent is reinstalled on a computer, the rule is reapplied to that
host
Rule works permanently: the rule is permanent; if a computer matching its conditions is manually moved
to another group, the Administration Server will immediately return it to the location specified in the rule.
If the computer attributes change, a permanent rule will react accordingly, while a one-time rule will
not
The rules created by the Administration Server for installation tasks and standalone packages are Run once for each
computer, then at every Network Agent reinstallation on computer.
Permanent rules are somewhat more convenient, but create a persistent computational load on the Administration
Server.

What to move
The other rule settings specify the conditions a computer must meet for the rule to be applied. The first condition is
located in the General section and is named Move only computers not added to administration groups.
With this option selected, a rule, even a permanent one, will not prevent the administrator from manually moving
computers between groups. It affects only unassigned computers. To apply such a rule to a computer within a group,
just delete the computer from the group. When deleted from the managed computers structure, the computer
becomes unassigned and the rule applies to it.
If this check box is cleared, the rule applies to all computers in the server database and the corresponding computers
are moved into the specified group no matter what happens. This does not prevent the administrator from deleting
these computers from the Administration Server database, though.
Other conditions are located in additional sections in the rule properties.

Network
Many of the relocation conditions are related to the network attributes of the computers:

NetBIOS name
Name of the domain or workgroup
DNS name
DNS domain
IP address
Server connection IP address (if a computer is behind a NAT gateway, the connection address is
the gateway address)


To be able to apply a rule to several computers, IP addresses can be specified as ranges, and names can be specified
as masks with * and ? wildcards. If these options are not enough, you can always create several rules with
different conditions that will move computers to the same group.
If the rule is to be applied to unassigned computers, the conditions can be specified in the terms of unassigned
computer representation in Kaspersky Security Center:
IP subnets specified in the Advanced | Network poll node
Subgroups in the Domains structure of the Advanced | Network poll node: these are the names of
the domains and workgroups detected by the Administration Server when polling the network


Active Directory
There are similar conditions for the computers within the Active Directory structure:
Active Directory unit name
Active Directory group name
Relocation rules allow configuring synchronization with Active Directory. For this purpose, enable additional
options under the Apply rule to Active Directory organization unit condition:
Including child organization units: if the selected unit has child units, computers within them will be
moved into the destination group
Move computers from child organizational units to corresponding subgroups: if the selected unit has
child units, and the destination group has the corresponding subgroups, computers from the child units will
be moved into the corresponding subgroups
Create missing subgroups: if the selected unit has child units, and the destination group has no
corresponding subgroups, the Administration Server will create these subgroups and move the computers of
the child unit there
Delete subgroups that are not present in Active Directory: the opposite of the previous option. When
an organizational unit is deleted in Active Directory, this option will remove the respective group from
Kaspersky Security Center.
If all four options are enabled, an updatable copy of the Active Directory structure will be created in the destination
group. If a unit is created or deleted in Active Directory, or computers are moved from one unit to another,
Kaspersky Security Center will automatically repeat these changes in its group structure.

Software
Conditions for computers may include operating system version, architecture and currently installed Service Pack.
Several operating systems can be specified within a rule. If the administrator wants to automatically move all servers
into the Servers group, a single rule is enough to take care of all servers of all versions used in the network,
for example Windows Server 2008 R2 and Windows Server 2012.
Also, there is the Network Agent is running condition. This condition can separate the computers already connected
to the Administration Server from those that need to be connected.


Tags
Relocation rules support a limited number of conditions, which might be insufficient for performing some tasks. For
example, the administrator might need to move computers having a particular hardware configuration (e.g., with
SSD drives) to a special group. Or it might be necessary to prohibit some computers from being relocated by rules.
This cannot be configured with standard conditions, but tags can be of help here.
Tags are manually assigned to computers by the administrator. Any word or phrase can be used as a tag. After
the administrator assigns a tag to a computer, the tag is automatically added to the global tag list. Tags from
the global list can be used in the relocation rules and assigned to other computers.
A condition specified for a tag in a relocation rule can be including or excluding, depending on whether the Apply
to computers without specified tags check box is selected under the list of tags. It is cleared by default, which
means that the rule will be applied to the computers having the specified tag assigned.
If you need the rule to be applied to all computers except those having the selected tags, select the check box. For
example, you can assign a tag such as Don't move! to some computers and then configure relocation rules to be
applied only to the computers without this tag.
If several tags are selected in the rule, the condition can apply either to the computers that have all of these tags or to
the computers that have at least one of them. This depends on the Apply if at least one specified tag matches check
box, which is not selected by default.
To assign a tag to a computer, open its properties and switch to the Tags section. Here you can either select tags
from the global list (i.e. tags that have already been assigned to other computers), or write a word or phrase for
a new tag under the list and click the Add button. This word or phrase will be assigned as a tag to the current
computer and will also be added to the global list.
You can do the same for several computers at once. Just select them and then choose the Properties option on
the shortcut menu. The collective Properties window will open, which has only the Tags section.
You can add tags to computers when installing the Network Agent. To do this, select or create the necessary tags in
the Network Agent installation package properties. It is a typical example of why you may need to have several
packages for the same application (e.g. Network Agent): this way, it is easier to assign different tags to different
computers.
Tags can be renamed and deleted. If a tag is renamed, it will be updated on all computers to which it is assigned. If
a tag is deleted, it will be unassigned from all computers and removed from the global list. If you need to just take
a tag off a machine, open the computer's properties and clear the corresponding check box.
Starting with version 10 Service Pack 2, you can create tagging rules in Kaspersky Security Center. The list of
tagging rules is located in the properties of the Administration Server node.
The Administration Server will assign tags to computers automatically according to the specified conditions.
The tagging conditions are similar to those of computer relocation rules. You can automatically assign a tag to
computers within the specified subnet or computers running Windows 10. You can also automatically assign a tag to
computers where the specified application is installed.
Tagging is described in more detail in course KL 302.10 Kaspersky Endpoint Security and Management. Advanced
Skills.


Rule application order
The created rules are organized into a list where their order makes a difference. Permanent rules have a higher
priority than the others. Among rules of the same type, the higher the rule in the list, the higher its priority. In other
words, if a computer meets the conditions of several rules, only the top one is applied.
Rule order can be changed by arrows on the right. Also, a rule can be applied manually using the Force button at
the bottom of the window. This allows re-applying a non-permanent rule. For the permanent rules, the button does
nothing, since permanent rules are constantly forced anyway.
The Rule execution wizard will prompt for the group where the rule is to be applied, and move the computers that
meet the rule conditions from the selected group to the group specified in the rule. There is an option that allows
skipping the computers to which this rule has already been applied and only force the rule on new computers.

Rule use example
In many organizations, employees use portable computers as workstations. They take them home and on business
trips. Outside the corporate perimeter, they connect to the local network via VPN. As a rule, different ranges of
addresses are allocated to computers inside the corporate perimeter and hosts connected through VPN. This fact can
be used to configure the corresponding relocation rules.
If a host address is within the range of internal IP addresses, it may be added to a group with softer security
restrictions because the computer is additionally guarded by the protection tools installed on the gateways and mail
servers. If, on the contrary, an address belongs to a range assigned for the VPN, such a computer will automatically
be transferred to a group with stricter security settings.
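The rule semantics described in the What to move, Tags and Rule application order passages, applied to the VPN scenario above, as an added Python model; this is not Kaspersky Security Center code. The rule and computer names, the IP ranges and the Don't move! tag scenario are constructed, and how an excluding tag condition treats several selected tags is an assumption.

```python
"""Model of relocation-rule evaluation as described in this chapter (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class Computer:
    name: str
    ip: str                       # address the Server currently knows for the host
    tags: set[str] = field(default_factory=set)
    group: Optional[str] = None   # None means the computer is unassigned


@dataclass
class RelocationRule:
    name: str
    destination: str              # "where to move"
    permanent: bool = False       # "Rule works permanently" vs. run-once rules
    unassigned_only: bool = True  # "Move only computers not added to administration groups"
    name_mask: Optional[str] = None   # name mask with * and ? wildcards
    ip_range: Optional[str] = None    # "10.0.0.0/16" or "172.16.0.1-172.16.0.254"
    tags: set[str] = field(default_factory=set)
    without_tags: bool = False    # "Apply to computers without specified tags"
    any_tag: bool = False         # "Apply if at least one specified tag matches"

    def _ip_matches(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if "-" in self.ip_range:  # explicit first-last range
            lo, hi = (ipaddress.ip_address(p.strip()) for p in self.ip_range.split("-"))
            return lo <= addr <= hi
        return addr in ipaddress.ip_network(self.ip_range, strict=False)

    def _tags_match(self, computer_tags: set[str]) -> bool:
        # All selected tags must be present unless "at least one" is chosen.
        # Assumption: the excluding form simply negates the same all-or-any test.
        hit = bool(self.tags & computer_tags) if self.any_tag else self.tags <= computer_tags
        return (not hit) if self.without_tags else hit

    def matches(self, c: Computer) -> bool:
        if self.unassigned_only and c.group is not None:
            return False
        if self.name_mask and not fnmatchcase(c.name.upper(), self.name_mask.upper()):
            return False
        if self.ip_range and not self._ip_matches(c.ip):
            return False
        if self.tags and not self._tags_match(c.tags):
            return False
        return True


def ordered(rules: list[RelocationRule]) -> list[RelocationRule]:
    """Permanent rules outrank the others; within a kind the list order decides (stable sort)."""
    return sorted(rules, key=lambda r: 0 if r.permanent else 1)


def apply_rules(rules: list[RelocationRule], computers: list[Computer]) -> dict[str, Optional[str]]:
    """Apply only the highest-priority matching rule to each computer; return name -> group."""
    for c in computers:
        for rule in ordered(rules):
            if rule.matches(c):
                c.group = rule.destination
                break
    return {c.name: c.group for c in computers}


def build_sample() -> tuple[list[RelocationRule], list[Computer]]:
    """Constructed scenario: internal range -> Office, VPN range -> VPN, servers by name."""
    rules = [
        RelocationRule("Servers by name", "Servers", name_mask="SRV-*"),
        RelocationRule("Inside the perimeter", "Office", permanent=True,
                       unassigned_only=False, ip_range="10.0.0.0/16",
                       tags={"Don't move!"}, without_tags=True),
        RelocationRule("Connected via VPN", "VPN", permanent=True,
                       unassigned_only=False, ip_range="172.16.0.1-172.16.0.254",
                       tags={"Don't move!"}, without_tags=True),
    ]
    computers = [
        Computer("SRV-01", "10.0.1.5"),                        # permanent rule beats "Servers by name"
        Computer("SRV-02", "192.168.1.1"),                     # no permanent rule fits, so "Servers"
        Computer("LT-ALICE", "172.16.0.7"),                    # connected through the VPN
        Computer("LT-BOB", "10.0.2.3", tags={"Don't move!"}),  # excluded by the tag condition
        Computer("WS-CAROL", "10.0.3.9", group="Lab"),         # pulled out of Lab by a permanent rule
    ]
    return rules, computers


if __name__ == "__main__":
    rules, computers = build_sample()
    for name, group in apply_rules(rules, computers).items():
        print(f"{name:10} -> {group}")
```

Re-running apply_rules after a laptop's address changes shows the permanent rule reacting to the new attribute, while a computer that already sits in a group is untouched by a rule with the unassigned-only check box set.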


II-1
Unit II. Protection Management

Unit II. Protection Management
Chapter 1. Basics of Kaspersky Endpoint Security 10 .................................................. 4
1.1 Protection and Management Tools ......................................................................................................................... 4
Components............................................................................................................................................................ 4
Protection components ........................................................................................................................................... 6
Policies ................................................................................................................................................................... 6
Tasks .................................................................................................................................................................... 12
1.2 General Protection Parameters .............................................................................................................................. 14
Automated start and self-defense of the protection .............................................................................................. 14
Categories of detectable threats ........................................................................................................................... 16
Kaspersky Security Network ................................................................................................................................ 18
Chapter 2. File System Protection ............................................................................... 22
2.1 File Anti-Virus ...................................................................................................................................................... 22
Scanning technologies.......................................................................................................................................... 22
Scanning parameters ............................................................................................................................................ 24
Actions.................................................................................................................................................................. 28
Configuring exclusions......................................................................................................................................... 30
2.2 Virus Scan Tasks .................................................................................................................................................. 32
Scanning: parameters and specifics ..................................................................................................................... 34
Common parameters of scan tasks ....................................................................................................................... 40
Centralized use of virus scan tasks ...................................................................................................................... 40
Standard group task ............................................................................................................................................. 41
2.3 Advanced Disinfection Technology ...................................................................................................................... 42
Chapter 3. Network Protection .................................................................................... 44
3.1 Network Traffic Interception ................................................................................................................................ 46
3.2 Mail Anti-Virus..................................................................................................................................................... 46
Actions.................................................................................................................................................................. 48
Security level ........................................................................................................................................................ 48
Configuring Exclusions ........................................................................................................................................ 52
3.3 Web Anti-Virus..................................................................................................................................................... 52
Actions.................................................................................................................................................................. 54
Security level ........................................................................................................................................................ 54
Configuring exclusions......................................................................................................................................... 56


3.4 IM Anti-Virus ....................................................................................................................................... 58
Settings ................................................................................................................................................. 58
3.5 Network Attack Blocker ....................................................................................................................................... 58
Settings ................................................................................................................................................................. 60
3.6 Firewall ................................................................................................................................................................. 60
Settings ................................................................................................................................................................. 60
Standard filtering rules ........................................................................................................................................ 70
Chapter 4. System Monitoring ...................................................................................... 72
4.1 System Watcher .................................................................................................................................................... 72
Purpose and Principles ........................................................................................................................................ 72
Settings ................................................................................................................................................................. 73
Exclusions ............................................................................................................................................................ 74
4.2 BadUSB Attack Prevention................................................................................................................................... 76
What is a BadUSB attack? ................................................................................................................................... 76
How to enable protection against BadUSB attacks? ............................................................................................ 76
What is the user to do? ......................................................................................................................................... 76
Chapter 5. Threat Diagnostics ...................................................................................... 78
5.1 Event Generation and Transfer ............................................................................................................................. 78
Local detection events .......................................................................................................................................... 78
Events in the Administration Console .................................................................................................................. 78
5.2 Centralized Processing of Detection Events ......................................................................................................... 80
Reports ................................................................................................................................................................. 80
Anti-Virus statistics .............................................................................................................................................. 82
Virus outbreak ...................................................................................................................................................... 84
5.3 Threat Processing Statuses .................................................................................................................................... 86
Statuses connected with threat processing ........................................................................................................... 86
Global statuses and selections ............................................................................................................................. 86
5.4 Repositories........................................................................................................................................................... 88
Local repositories ................................................................................................................................................. 88
Centralized repositories ....................................................................................................................................... 90
Chapter 6. Protection Status Diagnostics .................................................................... 94
6.1 Computer Statuses and General Statuses .............................................................................................................. 94
Possible statuses ................................................................................................................................................... 94
Virus scan status................................................................................................................................................... 94
Real-time protection status ................................................................................................................................... 94
Kaspersky Anti-Virus is not running .................................................................................................................... 96
6.2 Statistics and Protection Status Report .................................................................................................................. 98

II3
Unit II. Protection Management

II4

KASPERSKY LAB
KL 002.10. Kaspersky Endpoint Security and Management. Fundamentals

Chapter 1. Basics of Kaspersky Endpoint Security 10
1.1 Protection and Management Tools
Components
Kaspersky Endpoint Security consists of components, each of which is responsible for protection against a particular
type of threat. Considering the components' purpose, they can be organized into three groups:
Anti-Virus protection
Endpoint control
Encryption
This is how the components are grouped in Kaspersky Endpoint Security 10 policy. The Anti-Virus protection
includes Firewall and Network Attack Blocker; and control components limit both user actions and program
activities. The complete list of components is in the table below.
There are three installation types and respective license bundles in Kaspersky Endpoint Security 10:
Basic: corresponds to the KESB Core license
Standard: corresponds to the KESB Select license
Custom: corresponds to the KESB Advanced license


The third method of components classification considers the operating system class. Some components can be
installed on any supported Windows version, while others cannot be installed on embedded or server operating
systems. This is due to the fact that server systems are less vulnerable to some threats (for example, web threats) in
a corporate environment, and at the same time have stricter requirements for software compatibility.
The table below represents the system components, their grouping in the policy, the corresponding functionality
levels and supported operating system types.
Group                          Component                          Installation type
Anti-Virus protection          File Anti-Virus                    Basic
                               Virus Scan                         Basic
                               Mail Anti-Virus                    Basic
                               Web Anti-Virus                     Basic
                               IM Anti-Virus                      Basic
                               Firewall                           Basic
                               Network Attack Blocker             Basic
                               System Watcher                     Basic
                               BadUSB Attack Prevention           Custom
Control components             Vulnerability Monitor              Basic
                               Vulnerability Scan                 Basic
                               Application Privilege Control      Basic
                               Application Startup Control        Standard
                               Device Control                     Standard
                               Web Control                        Standard
Data protection (Encryption)   Disk encryption                    Custom
                               Encryption of files and folders    Custom

It should also be noted that installation types (license bundles) and functionality levels nearly coincide. The Basic
installation includes all components of the Anti-Virus protection minus BadUSB Attack Prevention, but plus
Application Privilege Control. The Standard installation includes all of the Anti-Virus protection and Control
components, again without BadUSB Attack Prevention. The Custom installation additionally includes Encryption
and BadUSB Attack Prevention.

Although the Application Privilege Control section is displayed in the settings of Kaspersky Endpoint Security for
Windows under all operating systems, this component does not work on servers. It will not block programs or restrict their
activities. In the settings, this section is displayed only because some of these options influence the Firewall component
configuration.


Protection components
This Unit is devoted to the Anti-Virus protection components. These components can be broken down into three
groups:
File System Protection
    File Anti-Virus
    Virus Scan (tasks)
Network protection and traffic scanning
    Mail Anti-Virus
    Web Anti-Virus
    IM Anti-Virus
    Network Attack Blocker
    Firewall
Proactive Defense
    System Watcher
    BadUSB Attack Prevention
They are directly responsible for antivirus protection, that is, they prevent computer infection and minimize
probable harm.
Control components are described in Unit III, and Encryption is explained in course KL 008.10.

Policies
Policies are the main remote management tool for Kaspersky Endpoint Security. The policies help to specify
parameters for the product in general, for its interface and protection components.
A policy helps to set up parameters and control their use on the computers. After the administrator locks a setting
in the policy, the user cannot change this setting using the local interface of Kaspersky Endpoint Security.
The Network Agent transfers policy parameters to the client computers within the framework of a special procedure
called synchronization. By default, the Administration Server tries to synchronize with the clients right after
the changes are made to the policy by sending a signal to UDP port 15000 of the computers. Clients in their turn
connect to the server every 15 minutes to check for changes in policies and tasks. So if the Server fails to
synchronize with a client right after the changes are made, the synchronization will take place during the planned
connection initiated by the client.

Active and inactive policies
A policy is created for a group of computers (management group). It can be either active or inactive.
Active policy is sent to client computers during the synchronization. So, after the synchronization is completed,
the active policy will exist locally and its settings will be used regardless of whether the computer remains
connected to the Administration Server. A product cannot apply more than one policy at the same time; that is why
there can be only one active policy for each product in a group.
There can be any number of inactive policies. Inactive policy settings do not affect network computer parameters
but do allow the administrator to prepare and save settings for various emergencies, such as a virus outbreak, in
advance. Several different inactive policies can be prepared for different virus outbreak situations. For example,
a policy blocking access to USB drives can be prepared for malware attacks that spread via removable drives.
An inactive policy can easily be made active. In this case, the policy which has been active, automatically becomes
inactive. So, with some preparatory work, the administrator can promptly react to emergencies by quickly changing
some security parameters.


Even in case of an unforeseen situation, it can be easier and faster to create a new policy with special settings than to
modify the current active policy. Then, after the problem has been resolved, just activate the old policy instead of
trying to remember which settings have been modified and rolling back the changes to return to the regular settings.


KASPERSKY LAB
KL 002.10. Kaspersky Endpoint Security and Management. Fundamentals

Policy inheritance
By default, a policy applies to all computers within the group and its subgroups. For example, the policy for
Kaspersky Endpoint Security created by the Quick Start wizard in the Managed computers group initially applies
to all managed computers.
If active policies for Kaspersky Endpoint Security exist in both parent and child groups, the child group policy is
used. However, the settings which are locked in the parent policy will be enforced on the subgroup policy. So,
the policy of the child group inherits all locked settings of the parent group, and at the subgroup level you can
specify only additional restrictions.
This behavior may not always be desired. The optimal balance between the protection and usability may vary
considerably on different computers. If you want the policy of a child group to override the values of the locked
settings of the parent group's policy, disable the Inherit settings from parent policy check box within its settings.
After this, the settings of the child group policy can be changed as if the parent group policy did not exist.
If a subgroup does not have an active policy of its own, the active policy of the parent group will be applied, as we
mentioned earlier. This is called policy inheritance (as distinct from inheritance of policy settings, which was
described earlier).
Inherited policies are displayed by default. To conceal them, click the Hide link next to the Inherited policies text
above the list of policies. This option controls representation of inherited policies within the current group. To make
inherited policies visible again, click the Show link.
Compared to a policy created in the group, an inherited policy is visually different: its icon is dimmed, Inherited
from Group name is written in the Inherited column, and in the properties, there is a warning that you can
modify this policy only in its native group. To jump to the group from which the policy is inherited, click Show
policy in group where it was created on the shortcut menu of the policy.

Policy profiles
In Kaspersky Security Center 10 Service Pack 1, a new approach to policies was additionally implemented. The
previously described approach presumes that if some computers need special settings, they need to be joined into
a dedicated group. Starting with Kaspersky Security Center 10 Service Pack 1, there is also an alternative approach.
To apply special settings to a set of computers, you can create a profile in a policy and specify these special
parameters there, along with the profile applying conditions. If a computer meets those conditions, the profile will
be applied to it.


Profiles are supported in the policies of Kaspersky Endpoint Security 10 SP1 for Windows and Kaspersky Endpoint
Security 10 SP1 for Mobile.
The Policy profiles section in the policy allows configuring profiles. By default, there are no profiles in a policy.
Profiles are described in detail in course KL 302.10. Advanced Skills. In the Fundamentals course, the following
recommendations are appropriate:
Do not use policy profiles and child group policies concurrently. This structure will be too complicated. We
recommend either using one policy with profiles configured in the Managed computers group, or
setting up policies in the child groups without any profiles.
However, if profiles are configured in a parent policy and a child policy is created within it, the child policy
will by default inherit all the locked parameters of the parent policy, including profiles (entirely). Thus
profiles configured in a parent group will be applied to all subgroups except those where inheritance is
disabled in the policies.
Tag-based conditions are most useful for activating the profiles. If you need to apply special settings to
some computers, assign a common tag to them and configure a profile for computers having this tag.
The special settings are to be specified in the profile.
A profile is enforced over the policy rather than instead of it. By default, all parameters are unlocked in
a profile and are not applied. In a profile, you need to configure only those settings that differ from
the policy settings. When you specify those special parameters, close the respective locks.
As a result, a profile is applied as follows: if the lock related to a parameter or a group of parameters is
open, the policy settings are enforced. If the lock is closed, the profile parameters are used.
Avoid situations when several profiles are applied to a computer. The resulting settings are hard to control,
especially if two or more overlapping profiles assign different values to the same parameter. In case of
a conflict, the higher a profile is located on the list of profiles, the higher its priority.
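The inheritance, lock and profile-priority rules above can be checked against a small model. The following is an added example written for this page, not Kaspersky's own code: it resolves the settings a computer receives from a parent policy, an optional child-group policy and the policy profiles matching the computer's tags. The setting names, tag names and policy names are constructed for illustration, and the ordering of inherited profiles ahead of the child's own profiles is an assumption.

```python
# Added example (not Kaspersky's code): a model of how the settings a client
# receives are resolved from a parent policy, a child-group policy and policy
# profiles, following the inheritance, lock and priority rules described above.
# Setting names, tag names and policy names are constructed for illustration.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Profile:
    """A policy profile: applies its locked settings to computers carrying required_tag."""
    name: str
    required_tag: str
    values: dict
    locked: set = field(default_factory=set)


@dataclass
class Policy:
    """A policy: setting values, the set of settings whose lock is closed, the
    'Inherit settings from parent policy' flag and an ordered profile list
    (the first profile on the list has the highest priority)."""
    name: str
    values: dict
    locked: set = field(default_factory=set)
    inherit_from_parent: bool = True
    profiles: list = field(default_factory=list)


def effective_settings(parent: Policy, child: Optional[Policy], tags: set) -> dict:
    """Settings a computer with the given tags receives.

    child is None when the subgroup has no active policy of its own (policy
    inheritance): the parent policy is applied as is."""
    if child is None:
        base = dict(parent.values)
        profiles = list(parent.profiles)
    else:
        base = dict(child.values)
        profiles = list(child.profiles)
        if child.inherit_from_parent:
            # Locked parent settings are enforced on the child policy ...
            for name in parent.locked:
                base[name] = parent.values[name]
            # ... and the parent's profiles are inherited entirely. Assumption:
            # inherited profiles are ordered ahead of the child's own profiles.
            profiles = list(parent.profiles) + profiles
    applied = [p for p in profiles if p.required_tag in tags]
    # Apply the lowest-priority profile first so that, on a conflict, the
    # profile highest on the list ends up with the final value.
    for profile in reversed(applied):
        for name in profile.locked:
            base[name] = profile.values[name]
    return base


def demo() -> dict:
    """Constructed scenario returning the resolved settings for several cases."""
    outbreak = Profile("USB lockdown", "outbreak",
                       {"usb_access": "block"}, locked={"usb_access"})
    managed = Policy("Managed computers",
                     {"self_defense": True, "usb_access": "allow", "heuristics": "light"},
                     locked={"self_defense"}, profiles=[outbreak])
    laptops = Policy("Laptops",
                     {"self_defense": False, "usb_access": "allow", "heuristics": "medium"})
    detached = Policy("Lab", dict(laptops.values), inherit_from_parent=False)
    # Two overlapping profiles: the one higher on the list wins the conflict.
    kiosk_deep = Profile("Kiosk deep", "kiosk", {"heuristics": "deep"}, locked={"heuristics"})
    kiosk_light = Profile("Kiosk light", "kiosk", {"heuristics": "light"}, locked={"heuristics"})
    kiosks = Policy("Kiosks", dict(managed.values), profiles=[kiosk_deep, kiosk_light])
    return {
        "inherited_policy": effective_settings(managed, None, set()),
        "child_inherits": effective_settings(managed, laptops, {"outbreak"}),
        "child_detached": effective_settings(managed, detached, {"outbreak"}),
        "profile_conflict": effective_settings(managed, kiosks, {"kiosk"}),
    }


if __name__ == "__main__":
    for case, settings in demo().items():
        print(case, settings)
```

The "child_detached" case shows why clearing Inherit settings from parent policy deserves attention: the parent's locked Self-Defense value and its outbreak profile both stop applying to that group.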

Global list of policies


After a while, especially in a large company with a lot of computers, the computer structure and the number of
policies can grow quite large and difficult to comprehend at a glance. It's easy to imagine policies being made for
smaller subgroups to address some performance or compatibility issues. In a large company, these policies can be
introduced by different employees and nobody will have a good idea of how many different policies there are and
what purposes they serve.
This can affect smaller companies too. Employees come and go and a new administrator has to make sense of what
his or her predecessor has left in terms of different groups and settings. Traversing the group structure manually
looking for policy objects is tiresome and error-prone.
The global list of policies comes to save the day. It is located in the Policies node and includes all the policies,
active and inactive, that exist in the structure of managed computers.
You can see for which group a policy was created. You can also click the corresponding link to jump there, for
example, to find out which computers belong to this group and understand whether the specified settings fit them.
You can modify policy settings, create or delete a policy right there on the list.


Tasks
Policies affect all protection components except for Virus Scan and Vulnerability Scan. Scanning is performed by
tasks that can be started either by command or as scheduled.
Tasks can run on multiple computers at once and they can differ in how the list of target computers is defined:
Tasks for specific computers apply to a selection of computers that can belong to different groups. These
tasks are displayed only in the Tasks node. In such a task, the list of target computers can be specified
either explicitly, or implicitly as a name of a computer selection. In the latter case, at each start, the task
will check which computers belong to the selection, and then run.
Group tasks, just like policies, apply to all computers of their respective groups and subgroups.
The number of scan tasks of the same type within a group is unlimited. There may be several scan tasks
running simultaneously on a computer (which is not recommended though).
Sometimes scanning parameters of a group task do not fit all of the computers in the group. The administrator can
then specify the subgroups where the task must not be run in the Exclusions from task scope in the task properties.
The administrator can also use this section to exclude computers with either server operating systems or workstation
operating systems if this makes sense for a task.
Just like policies, task settings (of group tasks and tasks for specific computers equally) are transferred to client
computers during the synchronization. After the settings are transferred, the task will run on schedule regardless of
whether the computer remains connected to the Administration Server.


Similar to a global list of policies, there is also a global list of all tasks. It is located in the Tasks node and exhibits
the same behavior as the list of policies. The list includes all tasks created on the Administration Server:
Administration Server tasks, group tasks, and tasks for specific computers. The tasks can be viewed, created,
modified and deleted here. For group tasks, the target group is displayed, and the Show task in group where it was
created shortcut menu command takes you directly to that group.

1.2 General Protection Parameters


By general parameters, we mean the settings that affect Kaspersky Endpoint Security as a whole, as well as
the settings shared by several or all protection components. These parameters are specified in the policy of
Kaspersky Endpoint Security.

Automated start and self-defense of the protection


The Launch Kaspersky Endpoint Security 10 for Windows at computer startup setting is one of the main
protection parameters. It controls the automatic start of the product after each restart, and therefore it should be
enabled and locked.
There is a self-defense technology implemented within Kaspersky Endpoint Security, which prevents unauthorized
product disabling and other attempts to hamper its operation. The self-defense is regulated by two options, which
can be found under Advanced Settings, Application Settings:
The Enable Self-Defense parameter is responsible for protecting the Kaspersky Endpoint Security
processes in the computer system memory, its files on the hard drive and its registry keys
The Disable external management of the system service option blocks the attempts to stop the Kaspersky
Endpoint Security service unless made via the product interface
If self-defense is disabled, the computer protection level decreases; that is why both parameters are enabled and
locked by default. It makes sense to disable self-defense only if compatibility problems arise (for example, with
remote management utilities, though there are better ways for handling those) or for troubleshooting.


Categories of detectable threats


This is a common parameter for the components that use Anti-Virus databases to detect malware (File Anti-Virus,
Virus Scan, Mail Anti-Virus, Web Anti-Virus, IM Anti-Virus).
Kaspersky Endpoint Security can detect not only malware, but also so-called potentially unwanted programs.
They include, for instance, modules displaying advertising messages in shareware programs. It often happens that
a shareware program has already been uninstalled, yet the advertising module remains in the system and annoys
the user with obtrusive advertising messages.
To improve the balance between the protection and efficiency on the managed computers, detection of some
program categories can be disabled.
The categories of detectable threats are divided into three groups. The Malware group includes three categories:
Viruses and worms
Trojans
Malicious tools
Programs falling in the first two categories are always detected. Even the Administrator cannot disable detection of
viruses, worms or Trojan programs. Malicious tools include so-called virus constructors, programs that automate
the creation of new viruses. Such programs are not viruses themselves and are not widespread, but must be detected
and deleted nevertheless.
The second group includes the following categories:
Adware
Auto-dialers
Other
As a rule, adware does not impose any direct threat to the computer; however, it can interfere with the user's work.
Automatic dialers are used to connect to remote computer networks via a phone network using a modem. This
technology is nearly obsolete today. This category also includes pornware. Unlike malware, these programs inform
the user about the actions taken.
The Other category includes remote administration utilities, for example, remote desktop utilities, such as RAdmin,
UltraVNC, DameWare and others. These legitimate tools can be installed on a computer using a Trojan program and
then used by intruders in order to obtain unauthorized access to the computer. In order to protect against it, you can
enable the feature that ensures detection of these utilities.
On the other hand, large networks often use remote desktop tools to control computers and solve problems remotely.
If you do not wish these tools to conflict with Kaspersky Endpoint Security, you can create exclusions for these
tools. Detection of the programs in this category is disabled by default, since such conflicts are highly probable.
The Compressed files group includes two more categories:
Packed files that may cause harm
Multi-packed files
Malware programs often use file compression tools in order to confuse antivirus programs. Using compression with
various settings, intruders can easily create arrays of seemingly different, but, in essence, identical copies of
a malware program. It is not uncommon for a malware program to undergo several compression stages. Many
legitimate programs use compression, too; but as a rule, they employ well-known commercial or freeware
compression utilities that do not have a function of parametric compression. Therefore, programs compressed with
non-standard packagers, especially those that are packed many times, raise understandable suspicions. Kaspersky
Endpoint Security regards these objects as suspicious rather than malicious.
The decision regarding which program categories Kaspersky Endpoint Security should skip or detect, of course,
should not be made by the user. Therefore, no matter which settings are specified in this area, they must be locked.


Kaspersky Security Network


Kaspersky Security Network (KSN) is a cloud-assisted technology that helps increase the accuracy of verdicts for all
protection components.
In a nutshell, the technology analyses the information received from the users of Kaspersky Lab products and from
Kaspersky Lab partners, makes up a list of programs and web resources, and defines their reliability level based on
geographical distribution patterns, frequency of use and, importantly, expert analysis. Later on, this information is
used by various Kaspersky Endpoint Security components for their verdicts. This technology has been used in
Kaspersky Lab products for some time now and has proved its value.
A part of the KSN database is cached locally, on the computer with Kaspersky Endpoint Security. If information
about an executable file or a web resource is missing from the local cache, a request is sent to the KSN servers of
Kaspersky Lab. When a file is checked, the request contains its MD5 checksum, for a URL address it is
an encrypted mask of the address. The answer from the KSN is saved in the local cache of Kaspersky Endpoint
Security. Every record has an expiration date; after that, if the corresponding file or link is accessed again, a new
request is sent to the KSN.
The computer may be disconnected from the network when a request is sent to the KSN servers. After the timeout
period elapses, the component that sent the request will treat the program or the web resource as uncategorized.
The use of the information received from KSN is described in detail in the sections devoted to protection
components.
The administrator initially decides whether to use KSN in the Quick Start wizard. Later, the KSN use settings can be
changed in the properties of the Kaspersky Endpoint Security policy. The administrator can enable or disable the use
of KSN altogether, or specifically for file classification or URL classification. Additionally, the administrator can
enable the use of KSN proxy, a feature of Kaspersky Security Center that is described in the next section.


KSN proxy
To reduce the traffic volume induced by KSN requests from protected computers, the Administration Server can act
as KSN proxy.
As KSN proxy, the Administration Server becomes an intermediate between the managed computers and
the Kaspersky Lab KSN servers. The information requested by a managed computer is saved in the Administration
Server cache and when other computers need this record, it is taken from the server cache without accessing
the external servers. Unlike client computers, where the KSN cache is stored on the hard drive, the Administration
Server keeps its KSN cache in RAM, so it is lost when the server is restarted.
If KSN use is enabled in the policy, the administrator can either completely prohibit the managed computers from
directly connecting to the Kaspersky Lab KSN servers, or allow using external servers when the Administration
Server is inaccessible.
When using KSN via the Administration Server proxy, client computers connect to the Administration Server over
TCP on port 13111². You can change the port number in the Administration Server properties. Network Agents
deliver this port number to the computers along with the policy settings. The Network Agent does not take part in
the KSN requests themselves: Kaspersky Endpoint Security connects to the KSN proxy directly.
KSN proxy settings are located in the properties window of the Administration Server node. There, in the KSN
proxy server section, the administrator can opt out of using KSN proxy and decide which KSN to use: global or
private.
In this section, the administrator can also enable sending the statistics of update and patch installations to Kaspersky
Lab (the I agree to participate in Kaspersky Security Network checkbox). This data helps to improve
the vulnerability and patch management subsystem, a part of the Systems Management functionality, which is
described in course KL 009.10.
If the Use Administration Server as proxy server check box is cleared, KSN proxy will be disabled and managed
computers would either be unable to use KSN or resort to using KSN directly without a proxy. Global or private
KSN determines the destination of KSN requests redirected by the KSN proxy. With global KSN, the requests are
redirected to Kaspersky Lab KSN servers. If private KSN is used, requests will be sent to the KSN infrastructure
deployed at the customer's site. This option is described in more detail in course KL 302.10. Kaspersky Endpoint
Security and Management. Advanced Skills.
The Network Agents inform the client computers which KSN to use. Even if KSN proxy is inaccessible for some
reason, Kaspersky Endpoint Security will keep using the same KSN, global or private, depending on
the Administration Server settings. Unmanaged computers cannot use private KSN.
Deployment and configuration of a private KSN infrastructure requires inviting Kaspersky Lab experts.
The customers administrator must not and cannot do it alone.

² UDP port 15111 was used by the old version of the Kaspersky Security Network module and is incompatible with the KSN module implemented in Kaspersky
Endpoint Security 10.


KSN proxy server statistics


The KSN proxy server statistics section is located under the KSN proxy server settings in the Administration
Server properties. This section shows:
Cache records: the number of KSN cache records on the Administration Server
Packages processed in cache: the number of requests from protected computers that were served from
the cache
Received packages: the total number of requests received from protected computers
There is also the Check KSN connection button here. It helps the administrator to make sure that
the Administration Server receives answers from KSN.


Chapter 2. File System Protection


The file system protection level largely defines the overall computer security. In most cases, malware saves its code
within the computer file system. That is why a proper file system protection defends the computer from most
viruses.
In Kaspersky Endpoint Security, File Anti-Virus and Virus Scan components are responsible for file system
protection.

2.1 File Anti-Virus


File Anti-Virus intercepts all file operations (such as reading, copying, executing) using the klif.sys driver and scans
the files being accessed. If the file is infected, the operation is blocked, and the file is either disinfected or deleted by
default.
Even if Mail Anti-Virus and Web Anti-Virus are disabled, the user will not be able to start an infected file received
by e-mail or downloaded from the Internet, because a file cannot be started either from an attachment or from a web
page without being saved to the hard drive; and when the file is saved on the disk, it will be detected and blocked by
the File Anti-Virus.
So, File Anti-Virus is of primary importance for the file system protection, which makes it the most important
protection component in general.

Scanning technologies
File Anti-Virus uses the following scanning technologies:
Signature analysis is a malware detection method that uses signatures. A signature is a part of executable
code, a checksum, or some other binary string, which helps to detect whether the file is infected by
the corresponding malware. Checking the file consecutively against the signatures of known malware yields
the verdict on whether the file is infected. This scanning method is very reliable, but only detects malware whose
signatures have already been added to the anti-malware databases.
Heuristic analysis. This scanning method applies only to executable files. Kaspersky Endpoint Security
starts the scanned file in a virtual environment isolated from the operating system, a so-called sandbox,
and monitors the file's behavior. This method takes more time than signature analysis, but helps to detect
some new viruses.
Check against KSN lists. This method also applies to executable files only. A checksum is calculated for
every scanned file, which is compared with the records in the local KSN database. Further, the following
alternatives exist:


If neither signature nor heuristic analysis has detected an infection, the decision is made based on
the information available in the local KSN cache on the client computer. If the local cache lacks
information about this file, access to the file is allowed, and a background request is simultaneously
sent to the KSN cloud. If the answer is received that the file is dangerous, File Anti-Virus scans it
again. If KSN returns information that the file is harmless or if KSN servers cannot be reached, file
scanning is finished
If either signature or heuristic analysis has detected that the file is infected, File Anti-Virus sends
the request to KSN. If the local database lacks information about the file, File Anti-Virus will wait for
the answer from the KSN cloud. If KSN considers the file to be clean, it is treated as non-infected
despite the verdicts of signature and heuristic analysis. If the verdict is reaffirmed or information
cannot be received from KSN (connection with KSN servers cannot be established), the file is
processed as an infected one
As you can see from the scanning algorithm, the check against the KSN database complements the signature
analysis and helps to decrease the probability of false positives.
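The two branches of that algorithm, including the cases where the local cache has no record and where the KSN servers cannot be reached, are easiest to see as a decision function. The following is an added example written for this page, not Kaspersky's own code; the file hashes, the reputations and the cloud lookup are constructed for illustration.

```python
# Added example (not Kaspersky's code): a model of the File Anti-Virus decision
# described above, combining the local signature/heuristic verdict with the
# local KSN cache and a (possibly unreachable) KSN cloud. Hashes, reputations
# and the cloud lookup are constructed for illustration.
from typing import Callable, Optional, Tuple

Reputation = Optional[str]                  # "clean", "dangerous" or None (no information)
CloudLookup = Callable[[str], Reputation]   # returns None when KSN cannot be reached


class KsnCache:
    """Local KSN cache of Kaspersky Endpoint Security (record expiry omitted)."""

    def __init__(self) -> None:
        self.entries: dict = {}

    def lookup(self, md5: str) -> Reputation:
        return self.entries.get(md5)

    def store(self, md5: str, reputation: Reputation) -> None:
        if reputation is not None:
            self.entries[md5] = reputation


def file_antivirus_decision(md5: str, local_detection: bool,
                            cache: KsnCache, cloud: CloudLookup) -> Tuple[str, str]:
    """Return (action when the file is accessed, action once KSN has answered).

    local_detection is True when signature or heuristic analysis flagged the file."""
    cached = cache.lookup(md5)
    if not local_detection:
        if cached == "dangerous":
            return ("block", "block")
        if cached == "clean":
            return ("allow", "allow")
        # No local information: access is allowed immediately and a background
        # request goes to the cloud; a "dangerous" answer triggers a rescan.
        answer = cloud(md5)
        cache.store(md5, answer)
        return ("allow", "block" if answer == "dangerous" else "allow")

    # Signature or heuristic analysis detected an infection. Without a cache
    # entry File Anti-Virus waits for the cloud before acting on the file.
    if cached is None:
        cached = cloud(md5)
        cache.store(md5, cached)
    if cached == "clean":
        # KSN overrides the local verdict: this is how false positives are suppressed.
        return ("allow", "allow")
    # Verdict reaffirmed, or KSN unreachable (None): processed as infected.
    return ("block", "block")


def demo() -> dict:
    """Run the decision over constructed files against a constructed cloud."""
    cloud_db = {"aaa": "clean", "bbb": "dangerous", "ccc": "clean"}

    def online(md5: str) -> Reputation:
        return cloud_db.get(md5)

    def offline(md5: str) -> Reputation:
        return None                     # request timed out, KSN unreachable

    cache = KsnCache()
    results = {
        "clean_unknown_file": file_antivirus_decision("zzz", False, cache, online),
        "new_malware_no_local_hit": file_antivirus_decision("bbb", False, cache, online),
        "false_positive_cleared_by_ksn": file_antivirus_decision("aaa", True, cache, online),
        "local_hit_ksn_unreachable": file_antivirus_decision("ccc", True, cache, offline),
    }
    # "bbb" is now cached as dangerous, so the next access is blocked outright.
    results["cached_dangerous"] = file_antivirus_decision("bbb", False, cache, offline)
    return results


if __name__ == "__main__":
    for case, actions in demo().items():
        print(case, actions)
```

Note the asymmetry the page describes: an unknown file with no local hit is allowed while the cloud is consulted, whereas a local hit with KSN unreachable is processed as infected. Only a positive "clean" answer from KSN overrides a local detection.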


Scanning parameters
Scanning parameters and other File Anti-Virus settings that define the protection scope are gathered in the Security
level group of parameters. In the policy, these parameters have a common lock, that is, they are locked or unlocked
together. Considering the importance of File Anti-Virus, the users should not be allowed to change the scanning
parameters and the lock should be closed in the Security level area.

Protection scope
By default, Protection scope of the File Anti-Virus includes:
All removable drives
All hard drives
All network drives
In other words, all drives from which malware can be run. A protection area allows adding individual drives and
folders instead of drive groups. However, disabling any standard scan scope considerably decreases the protection
level. That is why this group of settings should be modified very cautiously. For example, if Cisco NAC, Microsoft
NAP or another tool guarantees that all network nodes are protected with Anti-Viruses, then All network drives can
be removed from the protection scope. In this case, if a file from a network drive is accessed, it will be scanned by
the Anti-Virus installed on the local computer where the drive is located.

Types of files to be scanned


The File types setting can take one of the following three values:
All files
Files scanned by format, i.e. files that can contain executable malware code³; in this case the file format
is determined by analysing the file header rather than by the file extension
Files scanned by extension, i.e. files with extensions characteristic of infectable formats
The optimum value for File Anti-Virus is the middle one. Scanning all files requires considerably more
resources without a dramatic improvement of protection. Scanning based on file extensions risks skipping a renamed
malware object: a malicious file with a non-typical extension may be opened or even run without being scanned.

Heuristic analysis
Heuristic analysis parameters are configured in the Scan methods group. The heuristics levels, Light, Medium or
Deep, define how long the object is observed in the virtual environment. In the context of File Anti-Virus
operation this means an increased delay when a program is run. Therefore, completely disabling heuristic analysis
within the File Anti-Virus component is acceptable.

³ These include not only executable files but also, for example, Microsoft Office documents that may contain infected macros and some graphic formats that
may contain active executable elements.


Scan optimization
The Scan only new and changed files option ultimately decreases the number of scans performed by File Anti-Virus.
If an object was scanned and has not been modified ever since, it will not be scanned again. Kaspersky
Endpoint Security receives information about the changes using iSwift and iChecker technologies, whose settings
are located in the Additional tab.

Scan of compound files


It is not recommended to scan compound files using File Anti-Virus. Unpacking of these files consumes a lot of
resources and they do not impose any direct threat. Even if an archive contains a virus, you cannot run any infected
file without unpacking it. During unpacking it will be detected and blocked as a regular file. It is sufficient to scan
compound files with on-demand scan tasks⁴.

iSwift and iChecker


iSwift and iChecker scanning technologies are responsible for collecting data about the changes made to files.
The iSwift technology extracts the data about changes from the NTFS file system. The iChecker technology is used
for executable files located on the drives with non-NTFS file systems, for example, FAT32. For this purpose,
iChecker calculates and saves the checksums of the scanned executable files. If the checksum remains the same
during the next check, it means that the file has not been changed. Both technologies save information about the file
scan date and the version of the databases used for the scanning.
If the Scan only new and changed files checkbox is selected, the iSwift Technology and iChecker Technology
check boxes are of no importance. Even if you clear them, these technologies will still be used because without them
Kaspersky Endpoint Security will not be able to determine which files have already been scanned and which of them
have not been changed since the last scanning.
If the Scan only new and changed files setting is disabled, the iSwift Technology and iChecker Technology
settings are relevant. In this case, a certain quarantine⁵ period or a trust period is associated with each file. During
a quarantine period the file is scanned even if it has not been modified (unless the current databases were already
used for it), while during a trust period the file is not scanned.
The quarantine period is assigned to all files which have not been scanned yet or which have changed since the last
scanning. During the quarantine period, the file will not be scanned if it was already scanned with the same database
version. For this purpose, the iSwift and the iChecker technologies register the version of the antivirus databases
used for the scanning. In all other cases, standard scanning is performed.
Once the quarantine period is over, the trusted period is assigned to the file. During the trusted period, the file is not
scanned if it has not changed. Once the trusted period is over, the file is scanned once again when the necessity
arises, and if it is not infected, a new trusted period is assigned, longer than the previous one. In case of any change,
the file gets a quarantine period and everything begins from scratch.
When the Scan only new and changed files setting is enabled, the trusted period is not restricted in time.
The trusted period expires only if the file is changed.
Disabling the iSwift and iChecker technologies makes no sense in File Anti-Virus. This will either have no effect (if
the Scan only new and changed files feature is enabled) or will lead to more scans and a general decrease of
computer performance.
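The quarantine and trust period bookkeeping above is a small state machine per file, and it behaves differently depending on the Scan only new and changed files setting. The following is an added example written for this page, not Kaspersky's own code: the period lengths, the doubling of each successive trust period and the time units are assumptions made for the illustration, since the real values are not given here; the file path and access sequence are constructed.

```python
# Added example (not Kaspersky's code): a model of the quarantine/trust period
# bookkeeping that iSwift and iChecker perform for File Anti-Virus, as described
# above. Period lengths, the doubling of the trust period and the time units are
# assumptions made for this illustration; the real values are not given here.
from dataclasses import dataclass

QUARANTINE_PERIOD = 2       # assumed length of a quarantine period
INITIAL_TRUST_PERIOD = 4    # assumed length of the first trust period


@dataclass
class FileRecord:
    checksum: str               # iChecker-style checksum (iSwift would use NTFS change data)
    db_version: int = -1        # version of the databases used for the last scan
    phase: str = "quarantine"   # "quarantine" or "trust"
    phase_end: int = 0
    trust_len: int = INITIAL_TRUST_PERIOD


class ScanTracker:
    def __init__(self, scan_only_new_and_changed: bool) -> None:
        self.only_changed = scan_only_new_and_changed
        self.records: dict = {}

    def needs_scan(self, path: str, checksum: str, now: int, db_version: int) -> bool:
        rec = self.records.get(path)
        if rec is None or rec.checksum != checksum:
            # New or changed file: a fresh quarantine period, everything starts from scratch.
            self.records[path] = FileRecord(checksum, phase_end=now + QUARANTINE_PERIOD)
            return True
        if self.only_changed:
            return False        # unchanged file: the trust period never expires
        if rec.phase == "quarantine":
            if now >= rec.phase_end:
                # Quarantine over: the file gets its trust period and is not scanned.
                rec.phase, rec.phase_end = "trust", now + rec.trust_len
                return False
            # In quarantine: scan unless already scanned with these very databases.
            return rec.db_version != db_version
        # Trust period: no scan while it lasts, one scan once it has expired.
        return now >= rec.phase_end

    def record_scan(self, path: str, now: int, db_version: int, infected: bool) -> None:
        rec = self.records[path]
        rec.db_version = db_version
        if rec.phase == "trust" and not infected:
            # Clean after an expired trust period: a new, longer trust period.
            rec.trust_len *= 2
            rec.phase_end = now + rec.trust_len


def run_timeline(only_changed: bool) -> list:
    """Constructed sequence of accesses: (time, checksum, database version).

    Returns, for each access, whether File Anti-Virus scanned the file."""
    path = "C:\\app\\tool.exe"
    events = [(0, "h1", 1), (1, "h1", 1), (1, "h1", 2), (2, "h1", 2), (5, "h1", 3),
              (6, "h1", 3), (13, "h1", 4), (14, "h1", 4), (15, "h2", 4)]
    tracker = ScanTracker(only_changed)
    scanned = []
    for now, checksum, db in events:
        scan = tracker.needs_scan(path, checksum, now, db)
        if scan:
            tracker.record_scan(path, now, db, infected=False)
        scanned.append(scan)
    return scanned


if __name__ == "__main__":
    print("Scan only new and changed files off:", run_timeline(False))
    print("Scan only new and changed files on: ", run_timeline(True))
```

With the option off, the unchanged file is rescanned once when the databases change during quarantine and once each time a trust period expires; with the option on, only the first access and the access after the content changed (the "h2" checksum) trigger a scan.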

⁴ These scan tasks are described later in this chapter.


⁵ This quarantine term is not related to the Quarantine repository.


Scan mode
The Scan mode determines the file operations that trigger scanning. It is simpler to describe them in the reverse
order of their appearance:
On execution: only executable files are scanned and only when they are started. Copying an infected
executable file will remain unnoticed. Switching File Anti-Virus into this mode decreases the security level
considerably
On access: files are scanned when they are opened for reading or execution. The user may download
malicious code from a website but will not be able to do anything with this file
On access and modification: files are scanned when any operation is performed on them. This is
the safest mode, yet the most resource-consuming
Smart mode: the order of operations performed with the file is analyzed. If a file is opened for writing,
the scan will be performed after it is closed and all changes to it are made. Intermediate changes made to
the file are not analyzed. If a file is opened for reading, it will be scanned once on opening, but will not be
rescanned on intermediate read operations until the file is closed
Essentially, Smart mode ensures the same protection as On access and modification, but consumes less resources.
Therefore it is recommended for most computers. On access or On execution modes can be used on the computers
where efficiency is more important than security, understanding that the probability of infection or virus spreading
increases.
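The difference between the modes is clearest over one concrete sequence of file operations. The following is an added example written for this page, not Kaspersky's own code: it replays a constructed sequence (a file downloaded, written, read back and executed) and reports at which operations each mode scans the file. The operation names are constructed, and treating every operation as a scan point in On access and modification mode follows the page's description literally.

```python
# Added example (not Kaspersky's code): which file operations trigger a scan in
# each File Anti-Virus scan mode, run over a constructed sequence of operations
# (a file downloaded, written, read back and executed). Operation names are
# constructed for illustration.

MODES = ("On execution", "On access", "On access and modification", "Smart mode")


def scan_points(mode: str, ops: list) -> list:
    """Return the indices of the operations at which File Anti-Virus scans the file.

    ops is a list of (file, operation) pairs; operations are open_read, read,
    open_write, write, close and execute."""
    if mode not in MODES:
        raise ValueError(mode)
    dirty = set()       # files opened for writing and not yet closed (Smart mode)
    points = []
    for index, (path, op) in enumerate(ops):
        if mode == "On execution":
            hit = op == "execute"
        elif mode == "On access":
            hit = op in ("open_read", "execute")
        elif mode == "On access and modification":
            hit = True                        # every operation triggers a scan
        else:  # Smart mode
            if op in ("open_read", "execute"):
                hit = True                    # scanned once on opening, not on each read
            elif op in ("open_write", "write"):
                dirty.add(path)               # intermediate changes are not analysed
                hit = False
            elif op == "close":
                hit = path in dirty           # scanned after all changes are made
                dirty.discard(path)
            else:
                hit = False
        if hit:
            points.append(index)
    return points


# Constructed sequence: a browser saves a download, a user opens it, then runs it.
DOWNLOAD_AND_RUN = [
    ("payload.exe", "open_write"), ("payload.exe", "write"), ("payload.exe", "write"),
    ("payload.exe", "close"), ("payload.exe", "open_read"), ("payload.exe", "read"),
    ("payload.exe", "close"), ("payload.exe", "execute"),
]


def compare_modes(ops: list = DOWNLOAD_AND_RUN) -> dict:
    """Scan points per mode for the same sequence of operations."""
    return {mode: scan_points(mode, ops) for mode in MODES}


if __name__ == "__main__":
    for mode, points in compare_modes().items():
        print(f"{mode:28s} scans at operations {points}")
```

On execution leaves the downloaded file unexamined until it is run, so a copy of it on a share or a USB drive is never noticed; Smart mode catches it once when the download is closed, once when it is opened, and again at execution, without scanning each individual write or read.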

Pausing File Anti-Virus


File Anti-Virus can be paused while a resource-consuming operation is performed using the settings in the Pause
task area:
By schedule: the schedule (daily only) is set by specifying the time when File Anti-Virus is to be
paused and when it is to resume its normal operation. The time is specified in hours and minutes
At application startup: File Anti-Virus will pause when the specified program loads in memory and
will resume its operation when this program is unloaded from memory


Standard security levels


The security levels can be managed using the three-position switch: Low, Recommended and High. Depending on
the switch position, the File Anti-Virus settings adopt the following values:

Setting                 Low                           Recommended                      High
File types              Files scanned by extension    Files scanned by format          All files
Protection scope        All removable drives          All removable drives             All removable drives
                        All hard drives               All hard drives                  All hard drives
                        All network drives            All network drives               All network drives
Heuristic analysis      Light scan                    Light scan                       Medium scan
Scan of compound files  Scan only new and changed     Scan embedded OLE objects        Scan new archives
                        files                         Do not unpack large compound     Scan new installation packages
                                                      files. Maximum file size: 8 MB   Scan all embedded OLE objects
Scan mode               Smart                         Smart                            Smart
Scan technologies       iSwift technology             iSwift technology                iSwift technology
                        iChecker technology           iChecker technology              iChecker technology
Pause task

If any setting is modified, the security level is changed to Custom. In order to return to the Recommended level,
click the By default button.

Actions
Malware detected by File Anti-Virus should not be left unprocessed. That is why the settings that regulate File
Anti-Virus actions should be locked. The optimal choice is to disinfect and, if disinfection is impossible, delete infected
files⁶. Most malicious files cannot be disinfected, because they contain nothing but malicious code.
Before a file is disinfected or deleted, its copy is placed into the Backup repository or Quarantine, depending on
the verdict. That way, if it contains important information or is deleted because of a false positive, the file can be
recovered.
If the Roll back malware actions during disinfection option is enabled within the properties of the System
Watcher component, Kaspersky Endpoint Security not only deletes malicious files, but also rolls back their actions⁷.

⁶ The Select action automatically option is equivalent to the Disinfect. Delete if disinfection fails option.
⁷ The rollback procedure is described in Chapter 4 of this Unit.


Configuring exclusions
Scan exclusions
Sometimes File Anti-Virus erroneously returns the infected verdict. Such cases are rare, and usually concern
tailor-made software. This problem is reduced by creating exclusion rules for objects.
Exclusions are configured in the General protection settings and are used by all protection components. A scan
exclusion consists of three attributes:
- File or folder: the name of the file or folder to which the exclusion applies. The name of the object may
  include environment variables (%systemroot%, %userprofile% and others) and also the * and ? wildcard
  characters
- Object name: the name of the threat to be ignored (usually corresponds to a malware name), which can
  also be specified using wildcard characters
- Protection components: the list of protection components to which the rule applies
The third attribute is mandatory, and so is at least one of the first two. You can create a scan
exclusion for a file or folder without specifying the threat type; then the selected components will ignore any threats
in the specified file or folder. Conversely, you can create a scan exclusion for a threat type, for example, for
the UltraVNC remote administration tool, so that the selected protection components would not respond to this
threat regardless of where it is detected.
All three attributes can also be specified simultaneously. For example, the exclusion list contains a set of rules for
widespread remote administration tools: UltraVNC, RAdmin, etc. In these rules, both the threat type and the object
(typical location of the executable file) are specified. According to such an exclusion, Kaspersky Endpoint Security
would allow running a remote administration tool from the Program Files folder, but if the user runs the tool from
another folder, Kaspersky Endpoint Security would consider it a threat.
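A model of these exclusion rules, added here as an illustration and not taken from the course or the product: it checks the three attributes the text describes, including the UltraVNC case where a rule with both a path and a threat name fires only when both match. The environment variable values, paths and threat names (such as not-a-virus:RemoteAdmin.Win32.UltraVNC*) are assumptions.

```python
"""Scan-exclusion matching with the three attributes described above.

Added example, not Kaspersky code. A rule needs the component list plus at
least one of File or folder / Object name; a rule with both attributes fires
only when both match. Environment variable values, paths and threat names
below are assumptions made for the illustration.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

ALL_COMPONENTS = frozenset(
    {"File Anti-Virus", "Mail Anti-Virus", "Web Anti-Virus", "IM Anti-Virus"})


@dataclass(frozen=True)
class ScanExclusion:
    components: FrozenSet[str]           # mandatory: components the rule applies to
    path_mask: Optional[str] = None      # File or folder: %VAR%, * and ? allowed
    object_name: Optional[str] = None    # threat name mask, * and ? allowed

    def __post_init__(self):
        if not self.components:
            raise ValueError("at least one protection component is required")
        if self.path_mask is None and self.object_name is None:
            raise ValueError("either File or folder or Object name must be set")


def expand_variables(mask: str, env: dict) -> str:
    """Replace %name% references (case-insensitive, as on Windows)."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), mask)


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def path_matches(path: str, mask: str, env: dict) -> bool:
    """True if `path` is the masked file itself or lies inside the masked folder."""
    p = _norm(path)
    m = _norm(expand_variables(mask, env))
    if fnmatch.fnmatchcase(p, m):
        return True
    # A folder exclusion covers everything below it.
    return fnmatch.fnmatchcase(p, m.rstrip("\\") + "\\*")


def find_exclusion(path, threat, component, rules, env):
    """Return the first rule that makes `component` ignore `threat` in `path`, or None."""
    for rule in rules:
        if component not in rule.components:
            continue
        if rule.path_mask is not None and not path_matches(path, rule.path_mask, env):
            continue
        if rule.object_name is not None and not fnmatch.fnmatchcase(
                threat.lower(), rule.object_name.lower()):
            continue
        return rule
    return None


# Constructed environment and rules (values assumed for the illustration).
ENV = {"systemroot": r"C:\Windows", "programfiles": r"C:\Program Files"}

RULES = [
    # Both attributes: UltraVNC is tolerated only in its usual location.
    ScanExclusion(ALL_COMPONENTS, r"%ProgramFiles%\UltraVNC\*",
                  "not-a-virus:RemoteAdmin.Win32.UltraVNC*"),
    # Threat only: RAdmin is ignored wherever it is found.
    ScanExclusion(ALL_COMPONENTS, object_name="not-a-virus:RemoteAdmin.Win32.RAdmin*"),
    # Folder only, one component: File Anti-Virus ignores a build directory.
    ScanExclusion(frozenset({"File Anti-Virus"}), r"D:\Build"),
]


def is_excluded(path, threat, component="File Anti-Virus", rules=RULES, env=ENV):
    return find_exclusion(path, threat, component, rules, env) is not None
```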

Trusted applications
Security level settings can be adjusted so as to achieve the optimal performance-reliability balance for an average
computer. But if the computer runs resource-consuming programs, their operation can be slowed down by the File
Anti-Virus. This is especially true for the programs that perform numerous file operations, for example, backup
copying or defragmentation. To avoid slowdowns, a number of measures can be taken.
The first thing to do is to configure an exclusion so that File Anti-Virus ignores file operations performed by
the program. When adding exclusions under Trusted applications, within the Scan exclusions for Application
window, specify the path to the executable file of the program and select the Do not scan opened files action.
The path may contain environment variables and the * and ? wildcards.
If the program has many processes, and the data files are located in one directory, it might be worthwhile to exclude
this directory from the File Anti-Virus scan scope: Under Scan exclusions, add the rule, specify the necessary
directory in the File or folder parameter, do not specify any Object name, and select File Anti-Virus in the list of
components to apply the rule.


If the desired effect is not achieved by setting up exclusions, as a last resort, configure pausing File Anti-Virus while
the program runs (in the Security Level settings, on the Additional tab).
Exclusion settings should be locked. Users are often unable to properly configure their exclusions and may abuse
such a capability and considerably weaken the protection of the computer.
When a policy is applied, all local exclusions are disabled and replaced with centralized ones. In order to create
a useful set of exclusions, the administrator should find out which exclusions are required to minimize the impact on
the users, and set them up in the policy. The best way to do this is to create exclusions in the local Kaspersky
Endpoint Security interface and then import them into the policy.

2.2 Virus Scan Tasks


Virus scan tasks check objects using the same methods as File Anti-Virus: signature and heuristic analysis and KSN.
The difference is that File Anti-Virus checks files on-the-fly when they are accessed while virus scan tasks inspect
the files by schedule or on demand.
File Anti-Virus works alongside the user. The more actively the user's applications work, the more files are scanned by
File Anti-Virus and the more resources it consumes. Therefore, it is recommended to optimize the File Anti-Virus
settings to ensure protection against immediate threats only. If an archive is being copied, there is no
immediate infection risk and it may be skipped.
Virus scan tasks can be started during off hours, when more resources are available and a more thorough scan can be
performed. That is why the scan task will wait for the answer from KSN before returning the final verdict,
regardless of the signature and heuristic analysis results. Also, the task may check the objects that are excluded from
the scan scope of File Anti-Virus: archives, installation packages, files in non-infectable formats, etc.
One more peculiarity of File Anti-Virus is that it scans files on disk before they are launched but does not check
the processes that are already present in memory. So, if a new virus manages to load its code into memory
before the product downloads updates with the corresponding signatures, File Anti-Virus will be unable to do
anything until the next virus launch.
A virus scan task can be configured to check the processes in memory and be scheduled to run after each
successful database update.


Scanning: parameters and specifics


Scan scope
Scan scope is a list of paths to folders and files that are to be scanned by the task. System variables are allowed (for
example, %systemroot%), as well as * and ? wildcards in the file or folder names. For the folders, you can select
whether to scan all the contents, including subfolders, or just the folder itself without subfolders. If subfolders are
not selected to be scanned, the object icon is marked with the little red "minus" sign.
In addition to files and directories, the following scan objects can be specified:
- My email: Outlook data files (.pst and .ost)
- System Memory: executable files of all running processes are scanned
- Startup Objects: executable files of the programs started at system startup. Additionally, if this object
  is selected in the task properties, rootkit scanning will also be performed (rootkits are hidden objects of
  the file system)
- Disc boot sectors: boot sectors of hard and removable drives
- System Backup Storage: System Volume Information folders
- All removable drives: the removable drives connected to the computer at the moment
- All hard drives: computer hard drives
- All network drives: all network drives connected to the computer
- Computer: all the above objects, except for My email and All network drives

Security level
Security level parameters in virus scan tasks are almost identical to the security level parameters specified for File
Anti-Virus. The differences are a couple of additional parameters in the Scan of compound files section and
the Skip files that are scanned for longer than N sec option. This timeout is necessary to avoid the task freezing
when it scans archives that are deliberately corrupted by criminals for this purpose.
Virus scan tasks are also used to check archives. This is important because File Anti-Virus usually does not scan
archives. A virus scan task can check the same types of compound objects as File Anti-Virus, and two more:
- Archives
- Installation packages
- Embedded OLE objects
- Email formats
- Password-protected archives: when scanning these, Kaspersky Endpoint Security will prompt the active
  user for the password to unpack the archive. Since scheduled scans usually run in off hours when there is
  no user, this option should be reserved for manual scans performed locally
Processing of compound objects is regulated by another option that becomes available after clicking the Additional
button: Do not unpack large compound files.
The other security level parameters are identical to those of File Anti-Virus.


You can also change the scan settings using the Security level slider. In that case the following settings will be
used:

Setting                                              Low                       Recommended     High
File types                                           Files scanned by format   All files       All files
Scan only new and changed files
Skip files that are scanned for longer than 180 sec
Scan archives                                        New                       All             All
Scan installation packages                           New                       All             All
Scan embedded OLE objects                            New                       All             All
Parse email formats
Scan password-protected archives
Do not unpack large compound files
Heuristic analysis                                   Light scan                Medium scan     Deep scan
iChecker technology
iSwift technology

Actions
A virus scan task can take almost the same actions as File Anti-Virus. There are still two main neutralization
options: Disinfect and Delete. We recommend using the default values.
Additionally, Virus Scan tasks include a setting that is missing from the File Anti-Virus parameters: Run Advanced
Disinfection immediately. This option is described in detail at the end of this chapter. This setting has been created
because the advanced disinfection procedure requires restarting the computer. By default, the user is prompted and
may reject it. The Run Advanced Disinfection immediately option enables the administrator to force the start of
the advanced disinfection procedure. The user will be informed of the upcoming restart and will be able to save
the data, but will not be able to cancel the procedure.

Account
By default, scan tasks are started on the client computers under the Local System account. If the scan scope includes
network drives or other objects with restricted access, the task will not be able to scan them. To solve this problem,
an account that has the necessary rights must be specified within the task properties.


Schedule
Virus scan tasks may use any regular schedule: every N minutes, every N hours, every N days, weekly, monthly.
They can also be started once: either automatically at the specified time, or manually.
In addition, special schedule types are available:
- After application update: the task will start after new threat signatures are downloaded and applied. This
  is convenient for scanning memory and other locations where active threats may appear
- At application start: the task will start immediately after the launch of Kaspersky Endpoint Security (or
  in a few minutes). This is another opportunity for scanning the most vulnerable computer areas
- On completing another task: a universal schedule that allows arranging tasks into a chain. From
  the practical viewpoint, the best approach would be to link virus scan to update completion, but there is
  already a special schedule option for that purpose
- On virus outbreak: when the Virus outbreak event⁸ is registered on the Administration Server
There is also an option that allows running missed tasks. If a computer is turned off at the scheduled time, the task
will start as soon as the computer is switched on. If the computer is not accessible at the time of a manual task start,
it will run once the computer reconnects to the Server. Please note, there are negative aspects to running missed
tasks. If a scan task was scheduled during the weekend but was missed, it will start on Monday morning, which can
cause slowdowns for the user working with that machine.
If scan tasks are run simultaneously on many computers, numerous events are sent to the Administration Server. To
help distribute load, the task start is staggered by default: the task starts with a delay rather than exactly at the
specified time; a random delay is selected for each computer.
By default, the Administration Server automatically selects the maximal delay. To change this, clear the Define task
launch delay automatically check box and select the Randomize the task start with interval (min) check box. If
a large enough interval is specified, tasks will start at different times, and the number of simultaneous connections
on the server will be reduced.
If both check boxes are cleared, the task will start on all computers exactly at the specified time.
The Advanced window contains a few other useful settings:
- Activate computer before the task is started by the Wake On LAN function (min): the option allows
  you to schedule the scan start for night time or weekends without needing to worry whether the computer is
  on. However, to use this feature, you need to enable its support in the BIOS settings of the target computers
- Turn off computer after task is complete: the option may supplement the previous one. If a scan is
  scheduled for the night or a weekend, the computer can be turned off after its completion
- Stop if the task is taking longer than (min): the option allows guaranteed task completion before
  the working day begins, so that the running scan does not interfere with the user activity

⁸ This is described in detail in Chapter 5 of this Unit.


Run mode also influences the task schedule:
- Suspend scheduled scanning when the screensaver is off and the computer is unlocked (in
  the Properties section): the option means that virus scan will only be performed if the computer is unused
  (if it is locked or its screensaver is active); otherwise the task will switch to the Paused mode


Common parameters of scan tasks


Some settings influence all scan tasks. They are specified in the Kaspersky Endpoint Security 10 policy, in
the Advanced settings, Application settings section:
- Do not start scheduled tasks while running on battery power: this setting is designed for notebooks
  and is enabled by default. If the laptop is not plugged in, the scan task will not start, to help extend
  the battery life
- Concede resources to other applications: the task will increase the delay before it proceeds to the next
  file when the CPU load is high

Centralized use of virus scan tasks


Virus scan tasks can be assigned to groups or selections of computers.
Regular virus scans must be performed on all computers. Group tasks best serve this purpose. In particular, it is
recommended to run a scan task that checks the most infectable areas once a week. If time and resources permit, you
can run a full computer scan task instead. A task scanning the memory and other areas that may contain active
viruses (equal to the local Critical Areas Scan task) after each database update will also be helpful.
If you need to create a task for an individual computer, it is better to create it as a task for specific computers. This is
more convenient than creating and monitoring a local task. It is also more efficient than creating a separate subgroup
for this computer alone.
Tasks for computer selections can also be used to solve current problems. For example, the administrator may need
to urgently scan the computers where multiple viruses are detected or those that have not been scanned for a long
time.


Standard group task


The standard virus scan task is created by the Quick Start wizard in the Managed computers group with
the following settings:

Parameter        Value
Schedule         Every Friday at 7:00 PM
Objects          System memory
                 Startup objects
                 Boot sectors
                 %systemroot%\
                 %systemroot%\system\
                 %systemroot%\system32\
                 %systemroot%\system32\drivers\
                 %systemroot%\syswow64\
                 %systemroot%\syswow64\drivers\
Security level   Recommended
Action           Select action automatically (i.e. Disinfect; Delete if disinfection fails)


2.3 Advanced Disinfection Technology


If the detected malware is already running, it can hamper disinfecting: block access to the infected files or hide
them. There is a special feature for such cases: Advanced Disinfection Technology. It is enabled by a separate
parameter in the Kaspersky Endpoint Security policy.
Advanced Disinfection Technology is engaged when File Anti-Virus or a scan task detects a malware program and
at least one of the following conditions is met:
- The infected file is found on the desktop
- The infected file has been started before, according to the file system data
- Automatic start of the infected file is configured in the registry
The conditions are not hard-coded and have the potential to be changed as a result of a regular update. This would
be a rare change, though.
If at least one of the above conditions is met, advanced disinfection starts:
1. On the client computer, the user is prompted to start the advanced disinfection procedure and is warned that
   the computer will need to be restarted during the disinfection
2. If the user agrees, the system is switched into a special restricted operation mode: start of new programs is
   blocked and registry changing is prohibited
3. The product attempts to disinfect the file. If it fails, but the file can potentially be treated, its copy is created
   in the same location and is disinfected
4. Memory scanning starts, to find running copies of the malware and stop them
5. The records that enable auto-start of the infected file are deleted from the registry and configuration files
6. The computer is restarted. If the file(s) have not been disinfected at step 3, when the system begins to boot,
   the infected file is either replaced with its disinfected copy, or deleted (if disinfection is impossible)

The main drawback of advanced disinfection is the necessity to restart the computer, which cannot be done
without the consent of the user. That is why Advanced Disinfection Technology is disabled by default. When it is
enabled and needs to be applied, the user is warned of the forthcoming procedure and restart.
As we mentioned earlier, the Run Advanced Disinfection immediately option, which is located under the action
settings in virus scan tasks, is closely related to the advanced disinfection procedure. This option is not used until
the advanced disinfection technology is enabled in the Kaspersky Endpoint Security policy. When the advanced
disinfection technology is enabled, this option in the task allows starting the advanced disinfection procedure
automatically, without the user's confirmation. That is, the described algorithm will start from step 2.


Chapter 3. Network Protection


A network is one of the main ways of spreading a virus. That is why network protection and network traffic
scanning are so important for computer security. The Mail Anti-Virus, Web Anti-Virus, IM Anti-Virus, Firewall,
and Network Attack Blocker components are responsible for network protection in Kaspersky Endpoint Security.
All together, these components perform the following tasks:
- Block and delete malware programs at early penetration stages, before they are saved in the computer file
  system
- Block access to phishing and malware-spreading web sites, delete links to such web sites from e-mail and
  instant messages
- Block network attacks, including the attacks that run infected code without saving it in the file system
- Prevent epidemics and data leakage, if the computer got infected


3.1 Network Traffic Interception


Kaspersky Endpoint Security intercepts network traffic using an NDIS filter. Under Windows XP and
Windows Server 2003 operating systems, klick.sys and klin.sys drivers can be used instead of NDIS filter: in
the properties of Kaspersky Endpoint Security installation package, select the Do not install the NDIS5 driver
check box⁹.
Regardless of the driver used for intercepting traffic, Kaspersky Endpoint Security works the same. Inbound
network packets are processed by Kaspersky Endpoint Security before being transferred to programs and services,
and outbound packets are intercepted and processed before being sent into the network.
First, the traffic is processed by the Firewall and Network Attack Blocker components. The Firewall blocks packets
according to the rules configured for packets and applications. Network Attack Blocker analyzes packet sequences
and blocks network attacks. The analysis considers the packets blocked by the Firewall, which means that
the Firewall and Network Attack Blocker work in parallel.
Then, the Web Anti-Virus, Mail Anti-Virus and IM Anti-Virus components scan the data at the protocol level.
Protocol interception order is configured for all components combined, in the Monitored ports area of the General
Protection Settings section of the policy.
The traffic allowed by the Firewall and Network Attack Blocker is analyzed by Kaspersky Endpoint Security for
correspondence to the supported protocols. Mail traffic, web traffic and instant messaging traffic is redirected to
the corresponding components for scanning; other packets are sent to their target programs and applications.
If necessary, to reduce the load, there is a way not to analyze all traffic, but only the packets received through
the specified ports or sent to the specified programs. Standard ports and programs are specified in the list of
Monitored ports. If non-standard ports or programs are used, add them to the list.

3.2 Mail Anti-Virus


Mail Anti-Virus protects from e-mail threats. Messages are intercepted at the protocol level (POP3, SMTP,
IMAP and NNTP), and by embedding into Microsoft Office Outlook¹⁰ (MAPI).
Mail Anti-Virus can detect and block malware programs using virus signatures, heuristic analysis and Kaspersky
Security Network. Additionally, Mail Anti-Virus can block or rename e-mail attachments matching specified masks.
The Mail Anti-Virus check box enables and disables the Mail Anti-Virus component. The other options, just like in
File Anti-Virus, define security parameters and actions.

⁹ This parameter is described in detail in Unit I.
¹⁰ The product can also be embedded into The Bat! mail client, which is not widely used.


Actions
Mail Anti-Virus can take the standard actions: Disinfect and Delete against detected dangerous objects. Before
the disinfection or deletion, a copy of the object is placed in the Backup or Quarantine repository. The files deleted
by the attachment filter are also placed into the Backup repository.
If an action is performed with an e-mail message, its subject is modified. The action taken is described in
the message subject.

Security level
Protection scope
Security settings, among other options, determine the Protection scope. Mail Anti-Virus can cover either
- Incoming and outgoing messages, or
- Incoming messages only
To ensure minimum computer protection, you can scan incoming messages only. The scan of outgoing messages
can prevent inadvertent sending of an infected file contained in an archive and save the embarrassment.
Additionally, scanning of outgoing messages can be used for blocking transfers of attachments of certain types, for
example, music or videos.

Connectivity
The Connectivity group of settings more precisely defines the protection scope:
- POP3/SMTP/NNTP/IMAP traffic: enables scanning of mail and news messages transferred over
  the specified protocols
- Additional: Microsoft Office Outlook plug-in: enables scanning of objects¹¹ at the level of the Microsoft
  Office Outlook client. In addition to the scanning of received and sent objects, the messages are scanned
  when the user opens them to read
- Additional: The Bat! plug-in: enables scanning of mail messages received or sent via The Bat!¹²
The benefit of scanning at the protocol level is that it operates independently of the mail clients used. On the other
hand, the messages transferred over unsupported protocols (for example, through Microsoft Exchange or Lotus
Notes servers) will not be scanned.
Conversely, scanning at the mail client level works regardless of the way the message was received. However, the list
of supported mail clients is rather limited.
If the organization strictly limits the applications used, the administrator can disable scanning for unnecessary
plug-ins or protocols. In other cases, it is recommended to leave all the settings enabled. Mail Anti-Virus decreases
resource consumption rather than increasing it: if objects are not scanned by Mail Anti-Virus, they will
eventually be scanned by File Anti-Virus.

¹¹ Not only mail messages are scanned, but also the objects of Public folders and Calendar: any objects received over MAPI from the Microsoft Exchange
repository.
¹² A mail client popular in some parts of the world. If you haven't heard of it, never mind.


Scanning methods
These settings concern scanning attached compound files.
If archives are attached, they can be unpacked and scanned. This behavior is controlled using three settings:
- Scan attached archives: this setting allows the administrator to fully disable archive scanning. As a rule,
  it is better to leave this check box enabled and to scan archives on the fly using Mail Anti-Virus. It is
  much easier not to allow any infected archive to penetrate into the mail database than to remove it from
  the database later using an on-demand scan task
- Do not scan archives larger than NN MB: limits the size of archives to be scanned. Malware is rarely
  spread in big files. Enable this limitation to avoid waiting too long when receiving large compound files
- Do not scan archives for more than NN sec: this option implements protection against archive bombs,
  whose scanning requires a very long time and a lot of resources, which slows down the computer


Heuristic analysis
The Mail Anti-Virus uses the same heuristic analysis feature as the File Anti-Virus and Virus Scan tasks. It is
applicable only to executable files and is performed by starting these files in a special emulated environment
(sandbox), where Kaspersky Endpoint Security controls all operations. Analysis level defines how long the file
will be supervised in the emulated environment before the verdict is returned.

Attachment filter
These settings concern only attached files. The administrator can:
- Disable filtering: permits all kinds of non-malicious attachments
- Rename specified attachment types¹³: is used by default and renames attachments of executable types
  (.exe, .bat, .cmd, etc.). This is a preventive measure against unknown malware. The user will not be able to
  start the attached file without consciously renaming it.
  This option can also be used to fight outbreaks of new viruses. If the names of the attachments used by
  the virus are known, they can be added to the list and then renamed so that the users are unable to open
  these attachments as regular files. Renaming can reliably prevent infection. At the same time, if a harmless
  attachment matches the specified mask, renaming would not cause any serious problems. The user can
  consult the administrator and receive instructions on how to rename the file back
- Delete specified attachment types: a safe way to prevent infections, which can also be used to
  prevent exchange of files of certain types: for example, music or video files
The list of filters contains the masks of frequently used file extensions. In addition to the extensions, user-defined
masks can contain parts of names. The * and ? wildcard characters can be used. The added masks will go to
the beginning of the list and will be immediately enabled.

¹³ Renaming is as follows: the last character of the extension is replaced with the underscore character, e.g., file.exe becomes file.ex_
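A model of the attachment filter, added here as an illustration and not code from the course or the product: it implements the three filter modes, masks with * and ? that may contain parts of names, the rule that a newly added mask goes to the beginning of the list, and the renaming rule from footnote 13. The three default masks are only the extensions the text names, not the product's full list, and the message used at the end is constructed.

```python
"""Model of the Mail Anti-Virus attachment filter described above.

Added example, not Kaspersky code. Implements the three filter modes, * and
? masks that may contain parts of names, the rule that an added mask goes to
the beginning of the list, and the renaming rule from footnote 13 (the last
character of the extension becomes "_"). DEFAULT_MASKS holds only the three
extensions the text names, not the product's full list.
"""
import fnmatch

DEFAULT_MASKS = ["*.exe", "*.bat", "*.cmd"]
MODES = ("disable", "rename", "delete")


def rename_attachment(name: str) -> str:
    """file.exe -> file.ex_ ; a name without an extension is left unchanged."""
    stem, dot, ext = name.rpartition(".")
    if not dot or not ext:
        return name
    return f"{stem}.{ext[:-1]}_"


class AttachmentFilter:
    def __init__(self, mode="rename", masks=None):
        if mode not in MODES:
            raise ValueError(f"unknown filter mode {mode!r}")
        self.mode = mode
        self.masks = [m.lower() for m in (DEFAULT_MASKS if masks is None else masks)]

    def add_mask(self, mask: str) -> None:
        """Added masks go to the beginning of the list and take effect at once."""
        self.masks.insert(0, mask.lower())

    def matching_mask(self, filename: str):
        """Return the first mask that matches `filename` (case-insensitive), or None."""
        name = filename.lower()
        for mask in self.masks:
            if fnmatch.fnmatchcase(name, mask):
                return mask
        return None

    def apply(self, attachments):
        """Process a message's attachment names.

        Returns (kept_names, log) where log holds (original, action, result)
        and action is one of "pass", "rename", "delete".
        """
        kept, log = [], []
        for name in attachments:
            if self.mode == "disable" or self.matching_mask(name) is None:
                kept.append(name)
                log.append((name, "pass", name))
            elif self.mode == "rename":
                new_name = rename_attachment(name)
                kept.append(new_name)
                log.append((name, "rename", new_name))
            else:
                # In the product a copy of a deleted attachment goes to Backup.
                log.append((name, "delete", None))
        return kept, log


if __name__ == "__main__":
    # Constructed message received during an outbreak that spreads as "invoice*".
    f = AttachmentFilter()
    f.add_mask("invoice*")
    print(f.apply(["Invoice_2024.docx", "setup.exe", "photo.jpg"]))
```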


Standard security levels


Protection scope and message scanning parameters can be managed using the Security level switch, which has three
standard positions: Low, Recommended and High. Values of these settings at each of the standard levels are listed
in the table below:

Parameter                                      Low                      Recommended                      High
Protection scope                               Incoming messages only   Incoming and outgoing messages   Incoming and outgoing messages
POP3 / SMTP / NNTP / IMAP traffic
Additional: Microsoft Office Outlook plug-in
Additional: The Bat! plug-in
Heuristic analysis                             Light scan               Medium scan                      Deep scan
Scan attached archives
Do not scan archives larger than 8 MB
Do not scan archives for more than 5 sec
Attachment filter                              Rename specified         Rename specified                 Rename specified
                                               attachment types         attachment types                 attachment types

If any setting is changed, the security level switches to Custom. If later these settings are set to the values specified
in the above table, the level displayed will still remain Custom. To visibly return to the standard security levels,
click the By default button.


Configuring Exclusions
Exclusions for Mail Anti-Virus are configured similarly to File Anti-Virus: in the General Protection Settings, Exclusions and trusted zone. In the scan exclusion settings, specify the file name only (wildcards are allowed) to exclude all attachments with matching names from scanning. The same exclusion must be configured for File Anti-Virus, or else the received attachments will not be saved or opened.

3.3 Web Anti-Virus


The Web Anti-Virus component performs two important functions:
- Analyzes site addresses and blocks access to phishing and malware-spreading sites
- Scans the objects downloaded over HTTP (objects downloaded over HTTPS are not scanned) and blocks malicious files
Four technologies are used for scanning links:
- Check against the database of suspicious sites: the address of the site to be opened is compared with the addresses of web resources known for hosting malware, attacking computers or other harmful activities
- Check against the database of phishing sites: similar to the previous check, but against the database of sites on which phishing pages were found
- Heuristic analysis for detecting phishing sites: analysis of the site contents for HTML code characteristic of phishing
- KSN check: addresses of the opened sites are checked against the local KSN cache. Dangerous links are blocked. If the local cache lacks information about the site, a background request is sent to the KSN cloud. The received answer is saved in the local cache and is used for further checks.
Downloaded files (and embedded scripts) are scanned using all the available methods: signature and heuristic analysis as well as KSN.


Actions
You can select the action to be taken against all detected dangerous objects:
- Block download [14]
- Allow download
You should select the Block download action in the policy and lock it so that the users are not able to download
hazardous objects or visit hazardous websites.
When the user attempts to open a black-listed web resource or download an infected object, a notification will be
displayed in the browser explaining that the download was blocked by Kaspersky Endpoint Security.

Security level
Web Anti-Virus behavior is regulated by only a few settings:
- Check if links are listed in the database of malicious URLs: we recommend that you do not disable this setting. If a website was added to the list of malicious web addresses by mistake, we recommend that you create an exception for it
- Heuristic analysis for detecting viruses: enables heuristic analysis. This is the same analysis as in File Anti-Virus: executable files are started in the virtual environment and their operations are supervised. The depth of the analysis defines the monitoring time
- Check if links are listed in the database of phishing URLs: this setting is similar to the first parameter and should also remain enabled
- Heuristic analysis for detecting phishing links: enables the use of heuristics when detecting phishing sites. Analysis depth defines which part of the HTML code is analyzed and which methods are used. At the Deep scan level, scanning time and thoroughness increase
- Limit web traffic caching time: sets the time limit for complete downloading of the object to be scanned (one second). If an object does not download completely within the specified time, Web Anti-Virus simulates a slow connection and lets out small parts while waiting for the whole object to load. If this setting is disabled, Web Anti-Virus waits until all objects to be scanned are downloaded. This may cause problems with audio and video streams; those web addresses will require exceptions
Web Anti-Virus settings can be modified using the Security level switch. The table below explains how the settings values change depending on the level selected:

Parameter | Low | Recommended | High
Heuristic analysis for detecting viruses | Light scan | Medium scan | Deep scan
Limit web traffic caching time | | |
Scan archives | disabled | enabled | enabled

Scan archives is a hidden setting. If the Security level is switched into the Low position, in addition to the visible parameter changes, archive scanning is disabled.
The following three parameters:
- Check if links are listed in the database of malicious URLs
- Check if links are listed in the database of phishing URLs
- Heuristic analysis for detecting phishing links (as well as the depth of the analysis)
do not depend on the Security level and do not change the position of the Security level when modified.

[14] The Select action automatically option works the same as Block download.


Configuring exclusions
Three types of exclusions are available for Web Anti-Virus:
- Trusted URLs: specified on a separate tab of the Security level settings (this list does not change the Security level). The listed site addresses and the objects downloaded from them are not scanned by Web Anti-Virus. The "*" and "?" wildcards can be used in web addresses
- Scan exclusions: configured in the General Protection Settings the same way as exclusions for Mail Anti-Virus
- Trusted applications: just like scan exclusions, they are specified in the Exclusions and trusted zone section of the General protection settings. An exclusion can apply either to all connections established by a program, or only to the specified IP addresses and ports


3.4 IM Anti-Virus
IM Anti-Virus performs the same tasks as Mail Anti-Virus for instant messaging applications. Supported programs include ICQ, MSN, AIM, Yahoo! Messenger, Jabber, Google Talk, Mail.Ru Agent, and IRC. Instant message text is scanned for:
- Links to phishing and malicious sites
- Infected code (signature and heuristic analysis are used)
IM Anti-Virus does not scan the files sent via IM clients.

Settings
By default, IM Anti-Virus scans both incoming and outgoing messages. Outgoing messages can be excluded from
scanning, but there is nothing gained from it, as message scanning does not decrease computer performance in any
perceptible way.
Other IM Anti-Virus parameters define message scanning methods:
- Check if links are listed in the database of malicious URLs: allows blocking links to sites known to spread malware (as in Web Anti-Virus)
- Check if links are listed in the database of phishing URLs: that is, block links to phishing sites
- Heuristic analysis for virus source code in message text: regulates the use of heuristic analysis and its depth when scanning message text for infected code
If a link to a dangerous site or infected code is detected, IM Anti-Virus replaces the text message with a notification about the action taken (blocked link or deleted code).
By default, all IM Anti-Virus settings are required (locked). The administrator may choose to unlock them. Overall
security level will not decrease even if IM Anti-Virus is disabled because an attempt to open a link to a potentially
dangerous web resource will be blocked by Web Anti-Virus, and File Anti-Virus will not allow saving and running
malicious code.

3.5 Network Attack Blocker


The purpose of the Network Attack Blocker component is to block network attacks, including port scanning, denial-of-service attacks, buffer-overrun attacks and other remote malicious actions taken against the programs and services running on the computer.
Network Attack Blocker uses signatures and blocks all connections that correspond to the descriptions of known
network attacks.
As we mentioned earlier, malware does not necessarily save executable code in the file system in order to infect
a computer. For example, malware using a buffer-overrun attack can modify a process already loaded in the memory
and thus execute the malicious code. The Network Attack Blocker is the component able to prevent infections from
spreading this way. That is why it must be enabled, and its settings must be locked.


Settings
Network Attack Blocker has a few configurable parameters. If the component is enabled, attacks are blocked
automatically.
Additionally, Kaspersky Endpoint Security can block all packets from the attacking computer for a specified time.
The Add the attacking computer to the list of blocked computers option regulates this behavior; by default, it is
enabled and blocks computers for 60 minutes. If necessary, a blocked computer can be unblocked manually, but
only in the local interface of Kaspersky Endpoint Security.
Special programs that scan network computers to detect vulnerabilities are used in some companies. Their activity
resembles network attacks, and the scanning computers may get blocked. To avoid this, add the addresses of
the scanning computers to the list of Network Attack Blocker exclusions. Attacks from these addresses will still be
blocked, but connections to these addresses will not be blocked entirely.
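A minimal model of the blocking behaviour just described, as an added example that is not Kaspersky code: every matched attack is dropped, the attacking address is put on a block list for 60 minutes unless it is on the exclusion list, and a manual unblock clears it early. The AttackBlocker class, the addresses and the timestamps are constructed for the illustration.

```python
BLOCK_SECONDS = 60 * 60   # default from the text: attacking computers are blocked for 60 minutes


class AttackBlocker:
    """Constructed model: attacks are always blocked; the attacker's address is also
    blocked for a limited time unless it is excluded (e.g. the company's own
    vulnerability scanners, whose probes look like attacks)."""

    def __init__(self, exclusions=(), block_attacker=True, block_seconds=BLOCK_SECONDS):
        self.exclusions = set(exclusions)      # addresses never added to the block list
        self.block_attacker = block_attacker   # "Add the attacking computer to the list of blocked computers"
        self.block_seconds = block_seconds
        self.blocked_until = {}                # address -> unix time when the block expires
        self.log = []                          # constructed event log for inspection

    def attack_detected(self, src, now):
        """Called when a packet from src matches a network-attack signature."""
        self.log.append(f"{now}: attack from {src} blocked")
        if self.block_attacker and src not in self.exclusions:
            self.blocked_until[src] = now + self.block_seconds
            self.log.append(f"{now}: {src} blocked for {self.block_seconds} s")
        return False   # the attacking packet itself is never let through

    def is_blocked(self, src, now):
        until = self.blocked_until.get(src)
        if until is not None and now < until:
            return True
        self.blocked_until.pop(src, None)      # expired (or never blocked)
        return False

    def unblock(self, src):
        """Manual unblock, which the text says is possible only in the local interface."""
        self.blocked_until.pop(src, None)

    def packet(self, src, now, is_attack=False):
        """True if an ordinary packet from src is passed at time now."""
        if is_attack:
            return self.attack_detected(src, now)
        return not self.is_blocked(src, now)


def scenario():
    """Constructed walkthrough: an external attacker and an excluded internal scanner."""
    blocker = AttackBlocker(exclusions={"10.0.0.50"})   # 10.0.0.50: assumed scanner address
    t0 = 1_700_000_000
    results = {
        "attacker_attack": blocker.packet("203.0.113.9", t0, is_attack=True),
        "attacker_10min_later": blocker.packet("203.0.113.9", t0 + 600),
        "attacker_after_expiry": blocker.packet("203.0.113.9", t0 + 3601),
        "scanner_attack": blocker.packet("10.0.0.50", t0, is_attack=True),
        "scanner_normal_traffic": blocker.packet("10.0.0.50", t0 + 1),
    }
    blocker.packet("203.0.113.9", t0 + 4000, is_attack=True)   # attacker comes back
    blocker.unblock("203.0.113.9")                               # administrator unblocks locally
    results["attacker_after_manual_unblock"] = blocker.packet("203.0.113.9", t0 + 4001)
    return results
```

The point the exclusion list makes is visible in the scanner entries: its probe is still dropped, but its ordinary connections a second later are not.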

3.6 Firewall
The Firewall controls connections at the network and transport levels. The control tools are implemented as packet rules. The Firewall analyzes inbound and outbound packets, compares them with the rules and takes one of two actions:
- Allow
- Block
From the security point of view, the Firewall performs two functions:
- Blocks unauthorized network connections to the computer, thus decreasing the infection probability
- Blocks unauthorized network activity of the programs on the client computer. This decreases the risk of an outbreak, and also limits the actions of users who consciously or unconsciously violate the security policy

Settings
The decision about whether a specific packet is allowed or blocked is made based on three lists:
- The list of packet rules
- The list of applications, each with its own list of packet rules
- The list of networks


The order of packet processing


After a network packet is intercepted, the packet rules are applied in the top-down order. Firewall sequentially
compares the packet parameters with the specified rules. The packet is processed according to the first matching
rule.
If none of the packet rules fit, application rules are applied [15].
The list of networks contains no rules and does not directly influence packet processing. It is an additional list that
helps conveniently specify the scope for packet and application rules.

Rules for packets


A default policy contains a list of packet rules that provides reasonable security for computers both on and off the corporate network. The standard settings are described in detail at the end of this chapter.
Standard packet rules are not hard-coded. The administrator can edit and delete them, or add custom rules. The order of rules on the list can also be changed to adjust their priority. The higher a rule is on the list, the higher its priority. If a packet (or connection) matches several rules from the list, only the first one is applied.
A packet rule contains the following attributes:
- Action: the action taken on the packet to which the rule applies. Three options are available:
  - Allow
  - Block
  - By application rules: the packet is processed according to the rules specified for the application that sends or receives the packet
- Protocol: the following values are available: TCP, UDP, ICMP, ICMPv6, IGMP, and GRE. For the TCP and UDP transport protocols you can additionally specify the Local ports and Remote ports. For the ICMP and ICMPv6 protocols, the ICMP type (for example, Echo Request) and ICMP code are configurable
- Direction: the following values are available:
  - Inbound: applies to all packets transferred within a connection initiated by a remote computer
  - Inbound (packet): applies to all inbound packets
  - Inbound/outbound: applies to all packets, inbound and outbound
  - Outbound (packet): applies to all outbound packets
  - Outbound: applies to all packets transferred within a connection initiated by the local computer
- Network adapters: the list of network adapters to which the rule applies. If a packet is received (or sent) through an adapter that is not specified on the list, the rule will not be applied even if the other packet attributes (address, protocol, port) match the rule conditions. If the list is empty, the rule applies to all adapters.
To add a network adapter to the list, specify its type and (optionally) one or a few IP / MAC addresses. Also, specify a name for the adapter; it will be displayed on the list.

[15] Application rules are constructed so that a packet always fits one of them.


The following adapter types are available:
- Other
- Loopback
- Wired network (Ethernet)
- Wi-Fi network
- Tunnel
- PPP connection
- PPPoE connection
- VPN connection
- Modem connection
For example, you can easily configure a rule that will block any packets sent through Wi-Fi adapters.
- Maximum packet time to live: the packet's lifetime. Some attacks, unlike normal applications, use packets with an enormous lifetime. To make a rule apply to packets regardless of their lifetime, type 0
- Remote addresses: the list of remote addresses. Possible values:
  - Any address
  - Subnet address: all networks that belong to one of the following categories: Trusted, Local, Public [16]
  - Addresses from the list: the list of remote DNS names, IP addresses and subnets to which the rule applies. Addresses can be specified either in IPv4 or IPv6 format. Additionally, if the computer has several IP addresses, you can specify the local addresses to which the rule applies
- Local addresses: the list of local addresses. Possible values:
  - Any address
  - Addresses from the list
- Remote ports, Local ports: a rule can be narrowed further by specifying the list or range of ports on the local and/or remote computer
For convenience, the protocol, ports and direction can be specified using templates (for example, Any network activity, Browsing web pages, Remote Desktop network activity, etc.)
As mentioned earlier, a rule applies to a packet whose parameters (protocol, direction, address, etc.) fit the rule conditions. Rule application is registered in the Firewall log if the Log events check box is selected.

[16] Network statuses are described in detail later in this chapter.


Rules for applications


Rules for applications are similar to rules for packets, but have an additional attribute: the name of the executable file that sends or receives the packet on the local computer.
By default, the Firewall categorizes each program started on the client computer:
- Trusted
- Low Restricted
- High Restricted
- Untrusted

The category is selected based on KSN information. If the KSN servers cannot be contacted or the information about the program is missing in KSN, the category is selected using a special heuristic algorithm [17].
Also, three standard network rules for applications with the following attributes are created for each running program:
- Any network activity in Trusted networks
- Any network activity in Local networks
- Any network activity in Public networks
For programs from the Trusted and Low Restricted groups, all three rules use the Allow action by default, and for programs from the High Restricted and Untrusted groups, the Block action. Standard rules cannot be deleted or modified, except for the Action attribute, which can be changed by the administrator.
Regarding the processing of network packets, even if a packet does not match any of the packet rules, there is always an applicable rule for applications. So, regardless of the specified settings, there is always a rule by which the Firewall either allows or blocks the packet.

[17] Application trust categories are described in detail in Unit III together with the Application Privilege Control.


Managing rules for applications in the policy


Rules for applications are managed differently from other policy settings in Kaspersky Endpoint Security.
The problem is that the set of programs started on the managed computers changes over time. That is why it is impossible to list all the necessary programs, specify rules and enforce the settings for them.
To best manage this, rules for applications are specified at the trust group level (Trusted, Low Restricted, etc.) within the policy. As a result, the administrator sets rules for groups in the policy, and the Firewall on the client computer determines the program's trust group and applies the group's rules to the program.
Rules for groups are the same as rules for applications. That is, the list contains three standard rules, Any network activity for Trusted, Local and Public networks, where only the action can be changed, and the administrator can add other rules at their discretion.
If general rules for groups are not enough, the administrator can explicitly specify rules for specific programs in the policy. Click the Add button, then in the window that opens select All Time for the period field and click the Refresh button. The list of programs will show all the programs found on client computers. Kaspersky Endpoint Security gathers this information on all network computers and transfers it to the Administration Server during synchronizations [18]. To find the necessary program, you can filter them by name, manufacturer, trust group or the time when the program was added to the list.

Networks
To be able to conveniently configure rules for packets and applications, you can assign statuses to networks. This allows the administrator to specify a network status instead of listing all networks explicitly when setting up filtering rules. A network can have one of the following statuses:
- Trusted
- Local
- Public
If a subnet status is specified instead of an address in a packet rule, the Firewall checks whether the packet is related to at least one subnet having this status. If yes, the rule is applied to the packet.

[18] Unit III explains how the information on the executable files is gathered.


The local list of networks contains the list of all network connections. Kaspersky Endpoint Security receives
information about them from the operating system. Kaspersky Security Center automatically detects the status of
these networks. If necessary, it can be modified manually, but only in the local interface of Kaspersky Endpoint
Security.
Also, the list of locally detected networks includes a special Internet network that has address 0.0.0.0/0, which
covers all addresses (includes any other network) and has a permanent status of Public network. So, any packet is
related to at least one network.
After the policy is enforced on the client computer, the list of networks specified in the policy is matched against the list of networks detected by Kaspersky Endpoint Security locally. If a locally detected network coincides with, or is included as a subnet in, a network specified in the policy, its local status is ignored when processing packets.
For example, the policy might contain a single network entry for 172.16.0.0/16 with the Local network status, and a managed computer might have two interfaces configured to use networks 172.16.55.0/24 and 192.168.5.0/24 respectively. Let's say Kaspersky Endpoint Security automatically assigned the Public status to both these networks. Now when the local networks are combined with the policy, the status of the 172.16.55.0/24 network effectively becomes Local network, because there is an entry in the policy for network 172.16.0.0/16 that includes 172.16.55.0/24. On the other hand, the 192.168.5.0/24 network retains its Public status because there is no matching entry in the policy.
In the default policy settings, there are three network entries, all of which are assigned the Local network status:
- 172.16.0.0/12
- 192.168.0.0/16
- 10.0.0.0/8
These are reasonable choices for computers inside the perimeter; however, they should be reconsidered for computers outside the perimeter, e.g., those connecting via VPN or laptops on a business trip.

Standard filtering rules


A standard policy does not contain rules for applications (except for the standard ones specified for the trust groups).
That is why, by default, the ultimate network status and application trust level are defined locally in the Firewall.
Packet rules are inherited from the policy, and accordingly, packets are filtered as follows:
1. The first three rules regulate the capability to send DNS requests (over the TCP and UDP protocols, external port 53) and e-mail (over the TCP protocol, external ports 25, 465, 143, and 993). The By application rules action is selected in these rules, that is, programs from the Trusted and Low Restricted groups will be able to send DNS requests and e-mail, while the others will not
2. Rule number 4 allows any network activity within trusted networks to all programs. So, in trusted networks, any activity is allowed by default, except for the DNS and e-mail limitations for Untrusted and High Restricted programs
3. Rule number 5 defines packet processing within Local networks. Such packets are processed by application rules. According to the default application rules, programs from the Trusted and Low Restricted groups have no limitations in local networks, while High Restricted and Untrusted programs have no access
4. The rest of the rules effectively regulate program behavior in Public networks, since all packets from Trusted and Local networks are processed one way or another by the above rules. First, there is a group that blocks remote desktop connections to the computer from public networks, and also blocks connections to the local DCOM service, NetBIOS packets, access to Windows shared folders, and access to Universal Plug & Play devices
5. The following two rules apply rules for applications to inbound TCP and UDP streams (connections). Again, considering the default application rules, this means Trusted and Low Restricted applications can receive incoming connections from Public networks, whereas High Restricted and Untrusted applications cannot
6. The remaining 5 rules block inbound diagnostic ICMP requests, while allowing ICMP packets to be sent to test the connection to remote computers
To sum up, in Trusted networks any activity is allowed for all programs. In Local and Public networks, only Trusted and Low Restricted programs may exchange packets; in Public networks, access to some computer services is additionally blocked (see item 4).
Most network applications are automatically included in either the Trusted or Low Restricted group, and are allowed to exchange data over the network.
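The decision order described in this section (packet rules tried top-down with the first match deciding, the By application rules action, the per-trust-group defaults, and the merging of policy and locally detected network statuses) modelled in Python, as an added example that is not Kaspersky code. The rule list follows the summary above; the Remote Desktop port 3389, the Trusted status of the sample network 10.1.2.0/24, the order in which the three standard application rules are tried when an address lies in networks of several statuses, and all class and function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

STATUSES = ("Trusted", "Local", "Public")

# Standard application rules: action per trust group for "Any network activity"
# in Trusted / Local / Public networks, with the defaults stated in the text.
APP_RULES = {
    "Trusted":         {s: "Allow" for s in STATUSES},
    "Low Restricted":  {s: "Allow" for s in STATUSES},
    "High Restricted": {s: "Block" for s in STATUSES},
    "Untrusted":       {s: "Block" for s in STATUSES},
}


@dataclass
class Packet:
    proto: str                  # "TCP", "UDP" or "ICMP"
    direction: str              # "Inbound" / "Outbound": who initiated the connection
    remote_ip: str
    remote_port: Optional[int]
    local_port: Optional[int]
    app_group: str              # trust group of the program sending/receiving it


@dataclass
class PacketRule:
    name: str
    action: str                            # "Allow", "Block" or "ByApp" (By application rules)
    proto: Optional[str] = None            # None = any protocol
    direction: Optional[str] = None        # None = any direction
    remote_ports: frozenset = frozenset()  # empty = any remote port
    local_ports: frozenset = frozenset()   # empty = any local port
    network_status: Optional[str] = None   # None = any remote address


def merge_network_statuses(local_networks, policy_networks):
    """A locally detected network that equals, or is a subnet of, a policy entry takes
    the policy status; otherwise it keeps the locally assigned one. The special
    Internet network 0.0.0.0/0 is always present and always Public."""
    merged = {}
    for net, local_status in local_networks.items():
        status = local_status
        for pnet, pstatus in policy_networks.items():
            if ipaddress.ip_network(net).subnet_of(ipaddress.ip_network(pnet)):
                status = pstatus
                break
        merged[net] = status
    merged["0.0.0.0/0"] = "Public"
    return merged


def statuses_of(ip, networks):
    """Statuses of every network containing ip; never empty because of 0.0.0.0/0."""
    addr = ipaddress.ip_address(ip)
    return {s for net, s in networks.items() if addr in ipaddress.ip_network(net)}


def rule_matches(rule, pkt, networks):
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.direction is None or rule.direction == pkt.direction)
            and (not rule.remote_ports or pkt.remote_port in rule.remote_ports)
            and (not rule.local_ports or pkt.local_port in rule.local_ports)
            and (rule.network_status is None
                 or rule.network_status in statuses_of(pkt.remote_ip, networks)))


def decide(pkt, packet_rules, networks, app_rules=APP_RULES):
    """Packet rules are tried top-down; the first match decides. "ByApp", or no match
    at all, hands the packet to the application rules, one of which always fits.
    Assumption: the standard application rules are tried in Trusted, Local, Public
    order when the remote address lies in networks of several statuses."""
    for rule in packet_rules:
        if rule_matches(rule, pkt, networks):
            if rule.action != "ByApp":
                return rule.action, rule.name
            break
    statuses = statuses_of(pkt.remote_ip, networks)
    status = next(s for s in STATUSES if s in statuses)
    return app_rules[pkt.app_group][status], f"application rule: {status} networks"


# Packet rules modelled on the default policy summarised above; only the DNS and
# e-mail ports come from the text, the Remote Desktop port 3389 is an assumption.
DEFAULT_RULES = [
    PacketRule("DNS (TCP/UDP 53)", "ByApp", remote_ports=frozenset({53})),
    PacketRule("E-mail (TCP 25/465/143/993)", "ByApp", proto="TCP",
               remote_ports=frozenset({25, 465, 143, 993})),
    PacketRule("Any activity in Trusted networks", "Allow", network_status="Trusted"),
    PacketRule("Local networks: by application rules", "ByApp", network_status="Local"),
    PacketRule("Block inbound Remote Desktop from Public", "Block", proto="TCP",
               direction="Inbound", local_ports=frozenset({3389}), network_status="Public"),
    PacketRule("Inbound TCP: by application rules", "ByApp", proto="TCP", direction="Inbound"),
    PacketRule("Inbound UDP: by application rules", "ByApp", proto="UDP", direction="Inbound"),
    PacketRule("Block inbound ICMP requests", "Block", proto="ICMP", direction="Inbound"),
    PacketRule("Allow outbound ICMP", "Allow", proto="ICMP", direction="Outbound"),
]

# Constructed sample: the chapter's policy entry 172.16.0.0/16 (Local) merged with
# three locally detected networks, one of which (10.1.2.0/24) was assigned Trusted.
POLICY_NETWORKS = {"172.16.0.0/16": "Local"}
LOCAL_NETWORKS = {"172.16.55.0/24": "Public", "192.168.5.0/24": "Public", "10.1.2.0/24": "Trusted"}
NETWORKS = merge_network_statuses(LOCAL_NETWORKS, POLICY_NETWORKS)


def check(proto, direction, remote_ip, remote_port, local_port, app_group):
    """Verdict for one packet against the sample rules and networks."""
    pkt = Packet(proto, direction, remote_ip, remote_port, local_port, app_group)
    return decide(pkt, DEFAULT_RULES, NETWORKS)[0]
```

Running check("UDP", "Outbound", "10.1.2.1", 53, None, "Untrusted") shows the DNS limitation in a Trusted network (Block), while the same program sending to port 445 on that network is allowed by rule 4; a High Restricted program in 172.16.55.0/24 is blocked only because the policy merge turned that network Local.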


Chapter 4. System Monitoring


4.1 System Watcher
This chapter is devoted to the System Watcher component, which plays the main role in Proactive Defense.
Proactive Defense is a general term for the components and technologies that either prevent new infections (those
that have yet to be added to the anti-malware databases and Kaspersky Security Network), or minimize the
consequences if new malware programs manage to infect a computer. Of the components described in the previous
chapters, Proactive Defense incorporates Heuristic Analysis. The Control Components, which also take part in this
area of protection, are described in the next Unit of our course.

Purpose and Principles


System Watcher performs several functions:
- Logs application activity for comparison with the behavior signatures database
- Detects malware programs and blocks their actions
- Rolls back actions of the malware detected by other components (File Anti-Virus and scan tasks)
Malware detection is the main task. For this purpose, System Watcher monitors program actions and compares them with dangerous activity patterns: so-called Behavior Stream Signatures (BSS). The BSS database is updatable, but its updates are relatively rare. However, the efficiency of System Watcher does not depend on frequent database updates.
Various components gather data about application activity for System Watcher:
- The main information source is the klif.sys driver that intercepts file operations (the one used by File Anti-Virus). The driver gathers information about file operations and the changes made to the registry
- The Firewall gathers information about the network activity of applications
- System Watcher has its own module that reacts to complicated system events: installation of drivers, hooks, etc.


Settings
System Watcher has a few settings which correspond to enabling or disabling the abovementioned task components:
- Enable Exploit Prevention: protects from various attacks (exploits) whose aim is to receive administrative permissions in the system or conceal code execution. Exploits typically use buffer overflow attacks. Incorrect parameters are passed to a vulnerable program or service, which processes them and therefore executes some parameters as code. Specifically, such attacks against system services running under the local system account enable the criminals to receive administrative permissions on the computer. Typically, malware tries to start itself under the administrator account as a result of such an attack. When this option is enabled, start operations are monitored, and if a vulnerable program starts another program without the user's explicit command, the start is blocked.
- Log application activity for the BSS database: this parameter regulates whether the program activity log is saved on the hard drive. Storing the log allows improved detection, as activity analysis can consider all the program actions, including those performed before the last system start. The maximum log size is about 200 MB
- Do not monitor the activity of applications that have a digital signature: do not log events of those programs that either have a valid digital signature or have the Trusted status in KSN
- Roll back malware actions during disinfection: roll back actions taken by the programs deleted by File Anti-Virus or scan tasks or quarantined by System Watcher. Rollback means rolling back the changes made to the file system (creating, relocating, renaming files) and registry keys (the records created by the malicious program are deleted). Also, a backup copy of some files and keys is created at the time of the system start, which allows rolling back to this version if a virus makes changes to these files and keys. These special objects include the hosts and boot.ini files and the registry keys responsible for starting programs and services during the system start. This option also recovers the files encrypted by malware (so-called cryptolockers).
- Use behavior stream signatures (BSS): detect dangerous behavior using updatable patterns of malicious activity and take one of the following actions:
  - Skip: do nothing, only record the detection of malicious activity in the report
  - Terminate the malicious program: stop the malware and unload it from memory
  - Move file to Quarantine: stop the program and move its executable file into the Quarantine repository
  - Select action automatically: the same as Move file to Quarantine

Exclusions
If dangerous activity is detected in the actions of a known good program, the administrator can configure an exclusion rule for System Watcher. Exclusions are configured in the Exclusions and trusted zone using two methods:
- Trusted applications: disables detecting malicious activity in the program's actions
- Scan exclusions: specifies the type of activity to be allowed for the program. In this case, if dangerous actions of another type are detected, System Watcher will react as usual. To exclude an application from System Watcher's scope, select the following check boxes:
  - Do not monitor application activity: do not react to the actions performed by the application
  - Do not monitor child application activity: do not react to the actions performed by the application's child processes


4.2 BadUSB Attack Prevention


What is a BadUSB attack?
A BadUSB attack is when a device takes some actions without the user's consent.
Criminals replace the firmware of a USB flash drive and the operating system perceives it not only as a flash drive,
but also as a keyboard. The operating system connects USB keyboards automatically, and the user is unlikely to
notice this. Meanwhile, the malicious drive will be able to send keystrokes and commands to the operating system
and thus take malicious actions.

How to enable protection against BadUSB attacks?


BadUSB Attack Prevention is a special component of Kaspersky Endpoint Security 10 SP1 for Windows. To enable
protection, install the component. It is not included in the Standard installation of Kaspersky Endpoint Security; you
need to select it in the properties of the KES package. Alternatively, you can install BadUSB Attack Prevention
using the Change application components task.
The BadUSB Attack Prevention settings are located in the Advanced Settings \ Protection settings section of the Kaspersky Endpoint Security policy. There are two of them:
- Prompt for USB keyboard authorization upon connection: the user will need to authorize all new USB keyboards. Enabled by default
- Allow use of On-Screen Keyboard for authorization: enables users to authorize devices via a visual keyboard displayed on the screen. Disabled by default

What is the user to do?


If the BadUSB Attack Prevention component is installed and the Prompt for USB keyboard authorization upon
connection option is selected in its settings, it works as follows.
If a new USB keyboard is connected to the computer, Kaspersky Endpoint Security prompts the user to authorize it.
The user must enter a 4-digit code generated by Kaspersky Endpoint Security from the connected device. If a real
keyboard has been connected, the user will easily enter the code and Kaspersky Endpoint Security will not block
the keyboard.
If the user has connected a malicious device that pretends to be a keyboard, he or she is also prompted to enter a
code. But if it is a malicious flash drive, it does not have keys, and the user will not be able to enter the code from it.
Kaspersky Endpoint Security will block such a device.
There are also input devices that have a few buttons but no keys from which digits could be entered. For example,
presentation clickers that only have left/right buttons. To allow users to authorize such devices, enable the use of
the on-screen keyboard. However, the users must behave cautiously and authorize only the devices they are
confident of. USB flash drives found on the street must not be authorized.
The keyboards that had already been connected before BadUSB Attack Prevention was installed need not be
authorized; they are automatically treated as trusted.


Chapter 5. Threat Diagnostics


This chapter describes the tools that help the administrator receive information about infected objects detected on
client computers, spot weak points of the protection system and adjust the settings accordingly.

5.1 Event Generation and Transfer


Local detection events
Kaspersky Endpoint Security logs the information about detected infected objects as events. Each detection involves
a chain of events concerned with the object processing, for example:

Threats have been detected


A backup copy of the object is created
Disinfection impossible
Object deleted

The Reports window allows viewing events locally. Events are grouped by components and tasks, for example, File
Anti-Virus events are separated from Virus Scan Task or Firewall events.

Events in the Administration Console


In the Administration Console, events can be viewed in the computer properties. There they are shown as a single
list instead of being grouped by components and tasks. If necessary, you can filter the list and view only
the events of a particular component or task.


A more general list of events that contains events from all computers is available on the Events tab of
the Administration Server node. Events are sorted by severity level here. Detection events are Critical, while virus
incident processing results may fall into the Warning or Info category. In order to analyze the history of object
processing, it is logical to view all types of events in chronological order within the Recent events selection.

5.2 Centralized Processing of Detection Events


The Administration Console provides several tools designed for various purposes in the management of events:
reports, selections, and statistics.

Reports
Viruses report
The Viruses report shows statistics of processing the malware detected on the managed computers: how many
objects were disinfected, how many blocked (by Web Anti-Virus), how many deleted and how many still remain
unprocessed. It also shows the number of dangerous objects whose processing results are unknown. These statistics
are available for each type of malware.
The Viruses report can show which malware KES detected using KSN, and which threats were detected using
traditional tools (antimalware databases and heuristics). To be able to see this information, add the By KSN verdict
column to the Details table.
In order for the administrator to be able to properly use the report, it is vital that the information about all results of
the actions taken against malware be sent to the Administration Server. Unit IV Maintenance explains how to set up
events, reports and other reporting tools in more detail.
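To show how the event chain described in 5.1 relates to the Viruses report categories, here is an added example in Python; it is not code from the course or from any Kaspersky product. It groups a constructed stream of detection events by computer and object, walks each chain in chronological order and derives the object's final processing result, then counts results per malware name the way the report does. The four event names quoted in 5.1 are taken from the text; the other event names, the record fields and the mapping from the closing event to a report category are assumptions.

```python
"""Reconstruct per-object processing outcomes from a chronological KES event stream.

Added example (not code from the KL 002.10 course or from Kaspersky products).
Event names other than the four quoted in the course, the record fields and the
mapping from closing event to report category are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    time: datetime
    computer: str
    component: str   # e.g. "File Anti-Virus", "Virus Scan", "Web Anti-Virus"
    name: str        # KES event name
    obj: str         # object path or URL
    threat: str      # verdict / malware name


# Outcome categories modelled on the Viruses report columns.
DISINFECTED, DELETED, BLOCKED, UNPROCESSED, UNKNOWN = (
    "disinfected", "deleted", "blocked", "unprocessed", "unknown")

# Which event closes a processing chain and what it means for the object (assumed names).
TERMINAL = {
    "Object disinfected": DISINFECTED,
    "Object deleted": DELETED,
    "Object blocked": BLOCKED,         # Web Anti-Virus: access denied, nothing to clean
    "Disinfection impossible": UNPROCESSED,
    "Object skipped": UNPROCESSED,     # Skip action selected in an on-demand task
}


def outcome_of_chain(events):
    """Outcome of one (computer, object) chain, read in chronological order.

    The last terminal event wins: 'Disinfection impossible' followed by
    'Object deleted' ends as deleted, while a chain that stops at
    'Disinfection impossible' stays unprocessed. A chain with only the
    detection event has no result yet and is reported as unknown.
    """
    result = UNKNOWN
    for ev in sorted(events, key=lambda e: e.time):
        if ev.name in TERMINAL:
            result = TERMINAL[ev.name]
    return result


def summarize(events):
    """Group events into chains and count outcomes per malware name.

    Returns (per_object, report): per_object maps (computer, object, threat)
    to its outcome; report maps threat name to {category: count}, i.e. one
    row of the Viruses report per malware name.
    """
    chains = defaultdict(list)
    for ev in events:
        chains[(ev.computer, ev.obj, ev.threat)].append(ev)
    per_object = {key: outcome_of_chain(evs) for key, evs in chains.items()}
    report = defaultdict(lambda: defaultdict(int))
    for (_, _, threat), outcome in per_object.items():
        report[threat][outcome] += 1
    return per_object, report


def unprocessed_objects(per_object):
    """(computer, object) pairs that feed the 'There are unprocessed objects' status."""
    return sorted((c, o) for (c, o, _), r in per_object.items() if r == UNPROCESSED)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample stream: two computers, four objects.
SAMPLE_EVENTS = [
    Event(parse_ts("2016-03-01 09:00:01"), "WS-01", "File Anti-Virus", "Threats have been detected", r"C:\Users\a\dl\setup.exe", "EICAR-Test-File"),
    Event(parse_ts("2016-03-01 09:00:02"), "WS-01", "File Anti-Virus", "A backup copy of the object is created", r"C:\Users\a\dl\setup.exe", "EICAR-Test-File"),
    Event(parse_ts("2016-03-01 09:00:02"), "WS-01", "File Anti-Virus", "Disinfection impossible", r"C:\Users\a\dl\setup.exe", "EICAR-Test-File"),
    Event(parse_ts("2016-03-01 09:00:03"), "WS-01", "File Anti-Virus", "Object deleted", r"C:\Users\a\dl\setup.exe", "EICAR-Test-File"),
    Event(parse_ts("2016-03-01 09:30:00"), "WS-01", "File Anti-Virus", "Threats have been detected", r"C:\temp\b.exe", "Trojan.Generic"),
    Event(parse_ts("2016-03-01 10:15:00"), "WS-02", "Virus Scan", "Threats have been detected", r"D:\old\archive.zip/readme.exe", "EICAR-Test-File"),
    Event(parse_ts("2016-03-01 10:15:00"), "WS-02", "Virus Scan", "Object skipped", r"D:\old\archive.zip/readme.exe", "EICAR-Test-File"),
    Event(parse_ts("2016-03-01 11:40:12"), "WS-02", "Web Anti-Virus", "Threats have been detected", "http://example.invalid/x.js", "Trojan.Script.Example"),
    Event(parse_ts("2016-03-01 11:40:12"), "WS-02", "Web Anti-Virus", "Object blocked", "http://example.invalid/x.js", "Trojan.Script.Example"),
]

if __name__ == "__main__":
    per_object, report = summarize(SAMPLE_EVENTS)
    for threat, counts in report.items():
        print(threat, dict(counts))
    print("unprocessed:", unprocessed_objects(per_object))
```

The point of walking the chain rather than counting events is the one the text makes about the Recent events selection: a detection event alone says nothing about the result, and only the last terminal event tells you whether the object is gone or still sitting where it was found.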

Most infected computers


This report shows how many dangerous objects were found on the network computers. Computers most often
infected are included in the chart. The others are listed in the Summary table.
If some computers get infected considerably more often than others, it might be worthwhile to find the reason and take
appropriate measures. Computer protection may be weakened by the absence of security updates;
this problem is easily solved by installing the updates. Another possible reason for numerous detections is
the computer's role. For instance, it may be used as a temporary workstation for visiting employees. In this case it
might be worthwhile to tighten the protection parameters.


Users of infected computers


This report provides information about the users whose actions resulted in a large number of malware detections. It is
similar to the Most infected computers report. If some users get infected considerably more often than others, it
might be worthwhile to find the reason and give them some guidance.

Network attack report


Another report that shows the network protection status is the Network attack report. It shows which attack types
were detected, and more importantly, the IP addresses of the attacking computers. Knowing the address,
the administrator can investigate the incidents and better solve the problem.
The Network attack report is not created by default, but it can easily be created. New reports are created using
a special wizard that can be started from the shortcut menu of the Reports and Notifications node. There you can
specify the template name and select the report type, and then, depending on the selected type, the reporting period
and the computers to be covered.

Anti-Virus statistics
Statistics pages present charts and tables similar to the reports. Statistics are displayed on the corresponding tab of
the Administration Server node. In the upper part of the statistics tab, there are tabs for switching between
the statistics pages. Each page consists of several information panes, which show aspects of protection status.
The detected threats are displayed on the Anti-Virus Statistics page, which by default contains 4 panes:
Virus activity history: the distribution of malware detections over time. By default, the last 24 hours are displayed;
to modify this period, click the icon that opens the chart properties
Most frequent viruses: the chart that shows the viruses that are most frequently detected on client
computers
Computers infected most often: the chart that shows the most often infected network computers (similarly to
the Most infected computers report)
Users causing infection most often: the chart that shows the users with the most virus detections
(similarly to the Users of infected computers report)


Anti-Virus Statistics also includes other information panes, which are not displayed by default, but may be added
using the page properties. The following are some notable chart panes that are available:
History of network attacks: allows quickly assessing the situation with network attacks over a period of
time
Quarantine history: since there are no reports about suspicious files, this statistics pane is the only tool
that allows studying the situation with suspicious objects detected in the network
Most frequent incurable viruses: shows which types of viruses cause the most problems, which is
especially handy when the protection system is deployed in an already infected network

Virus outbreak
In addition to threat detection events on managed computers, Kaspersky Security Center has the server-level event
Virus outbreak. This event is registered if many viruses are detected in the network over a short period of time.
The Virus outbreak event registration parameters are specified in the Administration Server properties.
A virus outbreak means that an epidemic may spread or is already sweeping through the network. To help prevent
further virus spread over the network, it might be worthwhile to temporarily tighten protection parameters, for
example, allowing network connections only to trusted programs. For this purpose it is necessary to create a policy
with strict protection parameters in advance, and designate it in the properties of the Virus outbreak event: open
the Administration Server Properties and in the Virus outbreak section, click the Configure policies to activate on
Virus outbreak event link.
In addition to policies, tasks can be started when the Virus outbreak event is registered (they have a special schedule
option On virus outbreak for this purpose). For example, a task can update anti-malware databases, and then
a chained task can scan system folders, system memory and startup objects on the managed computers.
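The rule behind the Virus outbreak event, as an added example in Python that is not code from the course or from Kaspersky Security Center: a sliding-window count over a constructed stream of detection times that fires as soon as a configurable number of detections fall within a configurable period. KSC keeps separate outbreak thresholds for different detection sources; the component names, threshold values and window length used here are assumptions.

```python
"""Sliding-window 'Virus outbreak' detector.

Added example, not code from the KL 002.10 course or from Kaspersky Security
Center. Component names, thresholds and the window length are assumptions.
"""
from collections import deque
from datetime import datetime, timedelta


def detect_outbreak(detections, threshold, window):
    """Return the first time at which `threshold` detections fell within `window`.

    `detections` is an iterable of datetimes in any order; `window` is a
    timedelta. Returns None if no window reaches the threshold. Counting is
    per event, so the same sample hitting ten hosts counts ten times, which is
    exactly the pattern an outbreak rule is meant to catch.
    """
    recent = deque()
    for t in sorted(detections):
        recent.append(t)
        # Drop detections that fell out of the window ending at t.
        while recent and t - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            return t
    return None


def outbreak_by_component(events, thresholds, window):
    """Apply a separate threshold per detecting component.

    `events` are (time, component) pairs; `thresholds` maps a component name
    to the count that triggers. Returns {component: trigger_time} for every
    component whose threshold was reached.
    """
    by_component = {}
    for t, component in events:
        by_component.setdefault(component, []).append(t)
    triggered = {}
    for component, times in by_component.items():
        if component in thresholds:
            hit = detect_outbreak(times, thresholds[component], window)
            if hit is not None:
                triggered[component] = hit
    return triggered


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed stream: a slow trickle on mail, then a burst of file detections.
SAMPLE = [
    (parse_ts("2016-03-01 08:05"), "Mail Anti-Virus"),
    (parse_ts("2016-03-01 09:40"), "Mail Anti-Virus"),
    (parse_ts("2016-03-01 13:00"), "File Anti-Virus"),
    (parse_ts("2016-03-01 13:02"), "File Anti-Virus"),
    (parse_ts("2016-03-01 13:03"), "File Anti-Virus"),
    (parse_ts("2016-03-01 13:04"), "File Anti-Virus"),
    (parse_ts("2016-03-01 13:06"), "File Anti-Virus"),
    (parse_ts("2016-03-01 13:09"), "File Anti-Virus"),
    (parse_ts("2016-03-01 13:40"), "File Anti-Virus"),
]
THRESHOLDS = {"File Anti-Virus": 5, "Mail Anti-Virus": 3}   # assumed values
WINDOW = timedelta(minutes=10)                                # assumed value

if __name__ == "__main__":
    print(outbreak_by_component(SAMPLE, THRESHOLDS, WINDOW))
```

The trigger time matters because the strict policy and the chained update-then-scan tasks are started from the event, so the window length is a trade-off between catching a real epidemic early and being tripped by a batch of mail detections from a single spam wave.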


5.3 Threat Processing Statuses


Threat detections and their processing results define the computer status in the Administration Console: OK,
Warning or Critical. This lets the administrator easily notice problematic computers when looking through
the groups. The OK status corresponds to a green icon, Warning to a yellow icon, and Critical to a red icon.

Statuses connected with threat processing


There are many criteria for assigning a status to a computer, but only two of them are connected with malware
detection:
There are unprocessed objects
Many viruses detected

There are unprocessed objects


This status is assigned to computers where malware was detected but not neutralized.
The Unprocessed files category can comprise widely different objects. It can be a virus in memory, which
actively counters attempts to delete it. Or it can be a malicious file in an old archive detected by an on-demand
scan task where automatic processing of objects is disabled. Or it can be an infected object on a network drive where
Kaspersky Endpoint Security has no write permission to disinfect or delete the file. In other words, any dangerous
object that was not deleted or disinfected and is still located where it was detected is considered unprocessed.
Potentially, it is an active infection that requires attention. That is why an unprocessed object is a potentially
more important incident than a large number of detected viruses. If all detected objects were automatically deleted, there is typically
no problem.
To reset this status, neutralize the detected objects. If an object cannot be disinfected, for example, because it cannot
be accessed, just delete the corresponding record from the list of unprocessed objects in the local interface of
Kaspersky Endpoint Security and the status will change.

Many viruses detected


This status is related to the virus counter parameter. Every time malware is detected on the computer, the counter
increases by 1. The counter value is transferred to the Administration Server during synchronization.
The status is activated if the virus counter value exceeds the specified threshold. By default, the Many viruses
detected status is disabled.
Since the virus counter only ever increases on its own, the only way to clear this status
is to reset the counter manually. To do so, on the shortcut menu of the computer, click All tasks, Reset Virus
Counter.

Global statuses and selections


If at least one of the managed computers receives either There are unprocessed objects, or Many viruses detected
status, the global Protection status also changes on the Monitoring tab of the Administration Server node.
The cause of the status change is displayed in the same area. If there are computers with both statuses in the
network, the Protection area will show the There are unprocessed objects status, which is more critical.
The global status description displayed in the Protection area is a link that opens the selection of computers having
the respective status.


A selection is a temporary association of computers selected by an attribute. The standard selections There are
unprocessed objects and Many viruses detected, like the other standard selections, are created automatically when
the Administration Server is installed.
You can take group actions on the computers joined into a selection, for example, start update and scan tasks, reset
virus counters, move them into a group, etc. Selections are therefore very useful when dealing with computers that have
a problem status.


5.4 Repositories
Local repositories
Backup
Before malicious objects are removed or disinfected, they are copied to the Backup repository. This is done as
a precaution in case a removed file needs to be restored, for example, for additional analysis.
The copies are stored in the %ProgramData%\Kaspersky Lab\KES10SP1\QB folder of Kaspersky Endpoint
Security. Copies of dangerous files are encoded, that is why when the drive is scanned by Kaspersky Endpoint
Security or any other antivirus, the malicious code is not detected in them.
The objects can be recovered or deleted from the Backup repository. Also, all objects are automatically deleted from
the repository after 30 days by default.
You can change the default store time and also set a size limit on the storage in the Reports and Storages section of
the policy. For details, see the Object storage settings section below.

Quarantine
The suspicious objects detected are quarantined. Usually these objects are malicious, but until the corresponding
records are added to the signature database, one cannot know that for sure.
Quarantine is a repository similar to the Backup repository and resides in the same folder on the hard drive.
The object storage time and repository size limit are specified for both repositories together.
The administrator can recover or delete an object stored in Quarantine, similarly to the Backup repository.
Additionally, the administrator can manually quarantine an object if it seems suspicious. This simplifies watching
over the object. It will be scanned again after every update, and if new databases help to detect malicious code in it,
the administrator will know it right away.

Unprocessed files
The objects that were detected but were not disinfected are called unprocessed. Their hazard levels vary greatly. It
can be a virus in the system memory that blocks the attempts to delete its file from the drive, or an infected file
detected by on-demand scan task in an old archive, for which the Skip action was selected.
The list of unprocessed objects is not a storage similar to the Backup repository or Quarantine. The detected
objects remain in their locations and the list displays only the information about them.
If you want to try disinfecting or deleting an unprocessed object, click Re-scan on its shortcut menu. This attempt
may succeed if the object is regarded as unprocessed because the Skip action was selected for it. But if
it is a virus in memory, chances are that neither disinfection nor removal will succeed. In this case
the administrator can open the file's location using the Open folder where file was initially located command, and
try to deal with it using special utilities.


Another available action, Delete, can be taken for the objects that cannot be processed by Kaspersky Endpoint
Security for another reason. For example, if the object is located in a network folder for which the antivirus has no
write permissions.

Object storage settings


The objects' lifetime is specified in the policy. To change it, open the Reports and storages section, and in
the Quarantine and Backup area modify the Store objects not longer than setting.
For most computers, it is enough to limit the length of storage time. If the objects in the repository still consume too
much drive space, you can additionally enable the Maximum storage size parameter. The default repository size
limit is 100 MB.

Centralized repositories
Management model
It would be cumbersome if unprocessed and repository objects were only available locally. On the other hand, if all
of the objects were sent to the repository on the Administration Server, it would create extra traffic and set
additional requirements for the Administration Server disk space.
Kaspersky Security Center uses another approach: only information about local repositories and unprocessed objects
is sent to the Administration Server, so that the administrator could see details about these objects in the Kaspersky
Administration Console and issue commands for processing them. The commands are sent to the related client
computer where they are executed.
Sending information about local objects is controlled by the Kaspersky Endpoint Security policy. The Reports and
Storages section allows selecting the types of information to be sent to the Administration Server along with
the parameters that limit repository size and object storage time. The area is named Inform Administration Server,
and the parameters independently enable or disable sending information on every category of objects:
Files in Quarantine
Files in Backup
Unprocessed files
In the standard policy, information sending is enabled for all objects.

Objects representation
In Kaspersky Administration Console, the information about locally stored objects is represented in the Advanced |
Repositories node. Every category of objects has the corresponding repository: Backup, Quarantine and
Unprocessed files.


The Administration Console shows more information on the objects than the local interface. With the default
settings, the following data is displayed for every object:

Computer where the object was detected and is stored
Name of the file
Status of the object, for example, Infected, Suspicious, Placed by user, or Deleted
Current action, if the administrator has sent a command to scan, recover or delete the object
Date of placement of the object in the repository (or in the list, in the case of unprocessed files, which are
not moved anywhere)
Virus name (the column title is Object)
Size of the object, in bytes
User logged on to the system when the object was detected
Restoration folder, that is, the full path to the object's original location
Description added by the administrator for this object in Kaspersky Administration Console

The description can be added in the object properties window. Also, this window compactly represents the complete
information on the object.

Processing objects
The Administration Console allows taking the same actions with objects as the local interface. The command is just
transferred to the client computer, and the current action is displayed in the corresponding column until
the command results are received.
Let us cover the actions that cannot be performed from the console. First, you cannot manually quarantine a file.
However, you can do this from the local antivirus interface.
Second, you cannot scan an individual quarantined file. You can only scan all quarantined objects on the computer.
Actually, the Scan Quarantined Files command runs the system task for scanning the quarantine storage. It is
a hidden task that also starts after updates, if the corresponding option is enabled. This task is neither visible in
the local interface, nor in Kaspersky Administration Console. Its existence is revealed only in the local reports.
Also, you cannot open the folder where an unprocessed file is located. However, some actions are available in
the console that may provide additional information on an object moved into the repository.
These actions are Go to computer and Computer properties. The former opens the group to which the computer
with the corresponding object belongs. The latter opens the properties of this computer without leaving
the repository. From the computer properties, you can open the list of latest events on this computer and have
an overview of the incident context. It is especially important for unprocessed files. If computer events show that
the Skip command was applied to the file, simply initiate the Disinfect command. On the other hand, if the events
show that disinfection and deletion have already been attempted in vain, this can likely be an active infection and
the incident needs close attention.

Searching for the objects


The number of objects in the centralized storages, depending on the network size, may reach tens of thousands, and
searching for an object or a group of objects might be challenging. The filtering parameters above the list come in
handy here.
The administrator can search by object status (suspicious, disinfected, false positive etc.), performed action and
a word or a part of word in the object description. For example, you can search by the virus name or a part of the file
name or computer name.


Chapter 6. Protection Status Diagnostics


The main tools for monitoring the general protection status are the statuses and their respective selections, reports
and statistics. In addition to the statuses related to threat detection, there are other computer statuses that indicate its
protection. Computer status is set based on the information transferred during the synchronization with
the Administration Server and does not depend on the events.

6.1 Computer Statuses and General Statuses


Possible statuses
The following statuses define the computer protection status:
Kaspersky Anti-Virus is not installed
Real-time protection level is different from the level set by the administrator
Not scanned for a long time
Protection is disabled
Kaspersky Anti-Virus is not running

Virus scan status


There is a status called Not scanned for a long time. By default, a computer receives the Warning status 7 days
after the last virus scan, and the Critical status after 14 days. The date of the last virus scan is shown in
the computer properties, in the Protection section.
The scan date is updated by any virus scan task that scans local drives or the entire computer. The default group task
created by the Quick Start Wizard does not do this.

Real-time protection status


There are two conditions connected with real-time protection that may influence the computer status:
Real-time protection level is different from the level set by the administrator: this condition can be
used for assigning the Warning and Critical statuses, but is disabled by default
Protection is off: this condition is used only for the Critical status and is enabled by default
Let us examine how these two conditions work. Protection is considered to be running in Kaspersky Endpoint
Security 10 if at least one protection component works: File Anti-Virus, or Firewall, or System Watcher, or any
other. The protection is considered to be off only if none of the installed protection components is running. Control
and Encryption components are not taken into account.


As far as the real-time protection status is concerned, there are two of them: Running or Stopped. In old versions of
Kaspersky Anti-Virus, there was one real-time protection task instead of a set of protection components; in addition
to the two mentioned statuses, it could have been paused; and could have had several security levels, including
custom. Kaspersky Endpoint Security 10 omitted all those features.
The Real-time protection level is different from the level set by the administrator condition is configurable.
The administrator can select the statuses to be considered as normal, and this condition will change the computer
status if its real-time protection status differs from the selected values.
The settings include three values: Stopped, Paused and Running. The Paused value can be ignored, because it is
not used in Kaspersky Endpoint Security 10.
All things considered, the only reasonable configuration for this condition is to select the Running status; and in this
case the Real-time protection level is different from the level set by the administrator condition will work
the same as the Protection is off condition. That is why only the Protection is off condition is enabled by default,
and the other condition is disabled.
If the administrator disables the Protection is off condition and enables Real-time protection level is different
from the level set by the administrator condition, he or she will be able to select the status to be given to
the computer when the condition is met: Warning or Critical. Also, the status description provided for the latter
condition contains more details.
Protection can be disabled for the following reasons:
Failure: the status description in the Protection section of computer properties is "Real-time protection status
is 'Stopped' though it should be 'Running'." The administrator should employ diagnostic tools to deal with
failures.
The components are stopped by the user: this means that either the computer is not controlled by the policy,
or the policy settings do not require the components to start (the locks are not closed). To solve this issue,
make sure that the policy is correctly configured and applied to the computer.
The components are stopped by the administrator: not a problem if planned
If the Protection is off condition is used, the same status description will be shown in all the three described cases.
In contrast, if the Real-time protection level is different from the level set by the administrator condition is
used, the status description will specify whether protection is just stopped or does not work as a result of a failure.

Kaspersky Anti-Virus is not running


The Kaspersky Anti-Virus is not running status is one of the most critical protection statuses. To solve this
problem, issue the command for the Network Agent to start Kaspersky Endpoint Security on the Applications
tab of the computer properties.
Another method of starting KES is the Start or stop application task. This task is an advanced task of Kaspersky
Security Center that can be created both for groups and for specific computers.


A group task is convenient if the Virus outbreak event is registered: it can start protection on all network
computers, in case the protection is stopped somewhere. A task for specific computers better serves the purpose
of rectifying the status. You can create a selection for the computers where Kaspersky Endpoint Security is not running,
and then a task for specific computers to start protection.
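To tie together the status rules from 5.3 and this section, here is an added example in Python that is not code from the course or from Kaspersky Security Center. It evaluates a constructed fleet against the conditions described in the text: the 7-day and 14-day Not scanned for a long time thresholds, Protection is off enabled by default, Real-time protection level is different from the level set by the administrator disabled by default, There are unprocessed objects, the virus counter with Many viruses detected disabled by default, and the rule that There are unprocessed objects wins over Many viruses detected in the global Protection status. The field names of the synchronization record, the severity of the unprocessed-objects condition, the virus counter threshold value, and treating a never-scanned computer as Critical are assumptions.

```python
"""Evaluate computer and global protection statuses from synchronization data.

Added example, not code from the KL 002.10 course or from Kaspersky Security
Center. Record field names, the severity of 'There are unprocessed objects',
the virus counter threshold and the handling of never-scanned computers are
assumptions; thresholds and defaults otherwise follow the course text.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

OK, WARNING, CRITICAL = "OK", "Warning", "Critical"
RANK = {OK: 0, WARNING: 1, CRITICAL: 2}


@dataclass
class Computer:
    """What the Network Agent reports at synchronization (assumed field names)."""
    name: str
    kes_installed: bool = True
    kes_running: bool = True
    rtp_status: str = "Running"            # "Running" or "Stopped" in KES 10
    last_scan: Optional[datetime] = None   # set only by local-drive / full scans
    unprocessed_objects: int = 0
    virus_counter: int = 0                 # only ever increases until reset


@dataclass
class StatusConditions:
    """Which conditions are enabled and what status they give (course defaults)."""
    not_scanned_warning_days: int = 7
    not_scanned_critical_days: int = 14
    protection_off_enabled: bool = True      # Critical only, enabled by default
    rtp_level_enabled: bool = False          # disabled by default
    rtp_level_status: str = WARNING          # Warning or Critical when enabled
    rtp_expected: str = "Running"            # the only sensible expected value
    many_viruses_enabled: bool = False       # disabled by default
    many_viruses_threshold: int = 20         # assumed value, configurable in KSC


def evaluate(c, cond, now):
    """Return (status, reasons): every (level, text) that fired, worst level wins."""
    if not c.kes_installed:
        return CRITICAL, [(CRITICAL, "Kaspersky Anti-Virus is not installed")]
    reasons = []
    if not c.kes_running:
        reasons.append((CRITICAL, "Kaspersky Anti-Virus is not running"))
    if cond.protection_off_enabled and c.rtp_status != "Running":
        reasons.append((CRITICAL, "Protection is off"))
    if cond.rtp_level_enabled and c.rtp_status != cond.rtp_expected:
        reasons.append((cond.rtp_level_status, f"Real-time protection status is "
                        f"'{c.rtp_status}' though it should be '{cond.rtp_expected}'"))
    age = now - c.last_scan if c.last_scan else None
    if age is None or age >= timedelta(days=cond.not_scanned_critical_days):
        reasons.append((CRITICAL, "Not scanned for a long time"))  # never scanned: assumed Critical
    elif age >= timedelta(days=cond.not_scanned_warning_days):
        reasons.append((WARNING, "Not scanned for a long time"))
    if c.unprocessed_objects > 0:
        reasons.append((CRITICAL, "There are unprocessed objects"))  # severity assumed
    if cond.many_viruses_enabled and c.virus_counter > cond.many_viruses_threshold:
        reasons.append((WARNING, "Many viruses detected"))
    if not reasons:
        return OK, []
    worst = max(reasons, key=lambda r: RANK[r[0]])[0]
    return worst, reasons


def global_protection_status(results):
    """Cause shown in the Protection area: unprocessed objects win over the counter."""
    texts = {text for _, reasons in results.values() for _, text in reasons}
    for cause in ("There are unprocessed objects", "Many viruses detected"):
        if cause in texts:
            return cause
    return OK


def selection(results, cause):
    """Names of computers that would appear in the standard selection for `cause`."""
    return sorted(name for name, (_, reasons) in results.items()
                  if any(text == cause for _, text in reasons))


def reset_virus_counter(c):
    """All tasks -> Reset Virus Counter: the only way out of 'Many viruses detected'."""
    c.virus_counter = 0
    return c


# Constructed fleet for the demonstration.
NOW = datetime(2016, 3, 1, 12, 0)
FLEET = [
    Computer("WS-01", last_scan=NOW - timedelta(days=2)),
    Computer("WS-02", last_scan=NOW - timedelta(days=9)),
    Computer("WS-03", last_scan=NOW - timedelta(days=1), unprocessed_objects=1, virus_counter=35),
    Computer("WS-04", rtp_status="Stopped", last_scan=NOW - timedelta(days=3)),
    Computer("WS-05", kes_running=False, rtp_status="Stopped", last_scan=NOW - timedelta(days=20)),
]

if __name__ == "__main__":
    results = {c.name: evaluate(c, StatusConditions(), NOW) for c in FLEET}
    for name, (status, reasons) in results.items():
        print(name, status, [text for _, text in reasons])
    print("Protection:", global_protection_status(results))
```

With the default conditions WS-03 is Critical only because of the unprocessed object; its counter of 35 detections produces nothing until Many viruses detected is enabled, and once it is, only a manual counter reset clears that reason, exactly as the text describes.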

6.2 Statistics and Protection Status Report


Statistics charts and the Protection status report are based on computer statuses.
The report shows how many network computers have each of the protection statuses. The report considers all
computer statuses, not only the most critical. If you click a status name in the Summary table or in the Details table,
a browser window will open with the report on all computers having this status.
On the Statistics tab of the Administration Server node, the Protection status page displays the following charts:
Current computer statuses: shows the distribution of all managed computers by their overall status: OK,
Warning and Critical
Real-time protection status: shows the distribution of all computers by the status of real-time protection:
Unknown, Stopped, Paused, Starting, Running, and Failure
History of computer statuses: shows how the numbers of computers with Warning and Critical statuses
changed over time
Distribution of vulnerability levels: not really relevant to the protection components; it is explained in
course KL 009.10 Systems Management


Unit III. Endpoint Control


Chapter 1. Introduction .................................................................................................. 4
1.1 Purpose of Control Components ............................................................................................................................. 4
1.2 Licenses and Installation Types .............................................................................................................................. 4
Changes in the Administration Console interface .................................................................................................. 6
1.3 Installing Control Components ............................................................................................................................... 6
Adding control components.................................................................................................................................... 8
Chapter 2. Application Startup Control .......................................................................... 9
2.1 Operation Principles ............................................................................................................................................... 9
2.2 Settings ................................................................................................................................................................... 9
Application categories ......................................................................................................................................... 10
Configuring conditions manually ......................................................................................................................... 16
Category exclusions ............................................................................................................................................. 22
How to find out which KL-category a file belongs to ........................................................................................... 22
Inventory task ....................................................................................................................................................... 26
Application startup control rules ......................................................................................................................... 28
2.3 Monitoring Startup Control................................................................................................................................... 30
How to find out what a particular user is prohibited from .................................................................................. 30
Local notifications and complaints ...................................................................................................................... 30
User requests selection ........................................................................................................................................ 30
Events ................................................................................................................................................................... 32
Report on blocked runs ........................................................................................................................................ 32
2.4 Default Deny Policy.............................................................................................................................................. 32
Chapter 3. Application Privilege Control ..................................................................... 36
3.1 Operation Principles ............................................................................................................................................. 36
3.2 Automatic Categorization ..................................................................................................................................... 36
3.3 Application Control Rules .................................................................................................................................... 38
3.4 Protected Resources .............................................................................................................................................. 40
3.5 Policy Specifics..................................................................................................................................................... 42
3.6 Configuring Exclusions ........................................................................................................................................ 44
Chapter 4. Device Control ............................................................................................ 46
4.1 What Can Be Blocked and How ........................................................................................................................... 46
4.2 Advanced Settings ................................................................................................................................................ 48
4.3 Trusted Devices .................................................................................................................................................... 50

III-2

KASPERSKY LAB
KL 002.10. Kaspersky Endpoint Security and Management. Fundamentals

4.4 Configuring Interaction with User ........................................................................................................................ 52


4.5 Temporary Access ................................................................................................................................................ 54
How to send a request .......................................................................................................................................... 54
How to create activation code.............................................................................................................................. 56
How to activate temporary access ....................................................................................................................... 56
4.6 Monitoring Device Control ................................................................................................................................... 58
Chapter 5. Web Control ................................................................................................ 60
5.1 Blocking Criteria................................................................................................................................................... 60
5.2 Configuring Exclusions and Trusted Servers ........................................................................................................ 66
5.3 Diagnostics and Testing ........................................................................................................................................ 66
5.4 Configuring Interaction with User ........................................................................................................................ 68
5.5 Web Control Statistics .......................................................................................................................................... 72
5.6 Web Control Report .............................................................................................................................................. 72

Unit III. Endpoint Control

Chapter 1. Introduction
1.1 Purpose of Control Components
In addition to anti-malware protection, Kaspersky Endpoint Security 10 contains control components that restrict
actions harmful to the computers or to the company in general. The first of these is Application Control, which can be
used to prohibit computer games, movies, and other activities that have little to do with work.
Device Control enables the administrator to bring the use of various devices into conformity with the company
policy. In particular, blocking removable drives considerably impedes unauthorized data copying; prohibiting the
connection of mobile phones and players helps reduce the temptation of listening to and copying music; also, Wi-Fi
connections and external network adapters can be blocked.
If network connections are allowed, they can be regulated by Web Control, which allows restricting access to social
networks and non-corporate web e-mail, communications with recruiting agencies, or browsing job sites.

1.2 Licenses and Installation Types


There are three functional areas in Kaspersky Security Center 10:
- Antivirus protection
- Control components
- Encryption
The control components require a KESB Select license and are automatically installed if the Standard installation
type is selected. (Except for Application Privilege Control, which belongs to the Basic functionality level and
requires a KESB Core license.) Under a KESB Core license, the other control components will not work.
Licenses and activation are described in more detail in Unit IV.


Changes in the Administration Console interface


Since control components are not included in the Basic functionality, their settings are not displayed in
the Administration Console [1] by default. To be more precise, their settings are not displayed in Kaspersky Endpoint
Security 10 policies.
To be able to change the settings of the control components within a policy, the corresponding interface elements
must be activated in the Administration Console. This is done in the interface settings window: click the Configure
functionality displayed in user interface link located in the Administration Server area on the Monitoring tab of
the Administration Server node. An alternative method to open this window is to select the Administration Server
node on the tree, then on the View system menu, click Configure interface.
In the interface settings window, select the Display endpoint control settings check box. To apply these settings,
restart the Administration Console.

1.3 Installing Control Components


To install the control components on the computers, Standard installation or Custom installation type must be
selected in the properties of the Kaspersky Endpoint Security 10 installation package that will be used for
deployment.

[1] Except for Application Privilege Control, which is always displayed.


Adding control components


If only Basic components are installed on the computers, the administrator can upgrade the installation type to
Standard using the Change application components task of Kaspersky Endpoint Security 10. This task is designed
especially for uninstalling or adding Kaspersky Endpoint Security components without reinstalling the product.
The task creates little traffic, as it reuses the .msi package of Kaspersky Endpoint Security, which was saved on
the client computer during the initial installation [2].
In the task properties, you can select either the installation type or the components that you need to be installed, just
like in an installation package. However, you cannot select individual components while creating the task in
the wizard. To specify the necessary components, complete the task creation wizard and then open the task
properties: the choice of components is not limited there.

[2] You can find the package in the %ProgramData%\Kaspersky Lab\KES10SP1\Setup folder on the protected computers.


Chapter 2. Application Startup Control


Application Startup Control allows the administrator to restrict the program start on the endpoint. At the same time,
Application Startup Control reduces the computer infection risk by decreasing the attack surface.

2.1 Operation Principles


Application Startup Control allows the administrator to restrict the program start on the client computer. Program
start permissions are specified in special rules. When a program starts, the following conditions are checked:
- The categories to which the program belongs
- The account that starts the program
- The rules regulating the start of programs in categories with regards to the user account
If there are no matching blocking rules, and at least one rule that allows [3] starting the program is met, the start is
allowed. If there are no allowing rules, or there are both allowing and blocking rules for this account to start
a program of this category, the start is prohibited.

2.2 Settings
Application Startup Control settings are organized as follows:
- Program categories: specified at the Administration Server level in the Advanced | Application
management | Application categories container
- The list of rules: specified at the computer group level, in the Kaspersky Endpoint Security policy

[3] By default, there is an 'Allow all' rule that allows starting any program to any account.


Application categories
An application category is a list of conditions and exclusions that allows identifying a program or a group of
programs. The list is displayed in the Advanced | Application management | Application categories container and
is empty by default. New categories are created using a special wizard. There are three types of categories:
- Filled manually: their conditions are added and changed only manually
- Filled automatically from a folder: the administrator selects only the directory where executable files of
programs belonging to this category are located; the Administration Server checks the contents of
this directory on schedule, calculates checksums of executable files (MD5) and updates the list of
the category criteria
- Filled automatically from computers: the administrator selects one or several managed computers, and
the Administration Server automatically includes executable files found on the computers into the category
Categories are created on the KSC Administration Server and are transferred to client computers similarly to
policies and tasks. You can monitor categories delivery to computers using the chart in the upper-right corner of
the Advanced | Application management | Application categories page.


Automatic filling from a folder


The contents of an automatically filled category are updated when the source folder contents change (executable
files are deleted or added). You can also make the category update on a schedule.
If the specified folder contains archives or installation packages (for example, .msi), the Administration Server will
automatically unpack them (into a temporary folder) and include in the category data about the executable files
within the archive or package. So, if you place a program distribution into the folder, the category will include not
only the installation file, but also the program files.
This method of creating a category is useful if the company has a repository of program distributions to be installed
on the corporate computers. Start of these programs must be allowed. The administrator may occasionally add
programs to the list or replace them with newer versions.
To avoid manually updating the category rules for the allowed distributions, place them into a folder and make
the Administration Server automatically monitor the changes and add parameters of the detected files to
the dedicated category. Afterwards, the administrator will only have to create one allowing rule for this category in
the policy to allow start of all the used programs.
You can also select to Include dynamic-link libraries (.DLL) in this category. If this check box is selected,
Kaspersky Security Center will calculate checksums of .dll files and add them to the category along with executable
files.
It makes sense to care about .dll files because Windows allows starting processes from them through
the rundll32.exe utility. Generally, some of the processes started from library files may be allowed, while others
blocked. In this regard .dll files are similar to script files (.js or .vbs), which are not executable, but are started via
the cscript.exe (or wscript.exe) utility, and can be allowed or blocked selectively.
The Calculate SHA-256 for files in this category parameter is not applicable to Kaspersky Endpoint Security 10
Service Pack 1 for Windows. It is designed for the Kaspersky Critical Infrastructure Protection product, which falls
out of the scope of this course.


Automatic filling from computers


In addition to the repository of allowed program distributions, there may be a reference computer in the organization
where all the programs used in the company are installed. Such a reference computer is usually necessary for
creating images to be deployed on new computers. As a result of such a deployment, the operating system and all
programs necessary for work are installed on the computer, and the whole process takes much less time than
installing everything from distributions. The administrator periodically upgrades programs on the reference
computer and updates the image accordingly.
With this approach, it would only be logical to automatically make all programs installed on the reference computer
allowed. For this purpose, it is necessary to scan the computer, add all programs to a category, and then create
an allowing rule for it in the policy. This is what a category automatically filled with files from selected computers
is designed for.
Sometimes it is necessary to categorize the files found on the reference computer. For example, separate Windows
files from Program files. In this case, you can configure a filter based on the folder where a file is located.
The category will include only the files that are located in the specified folder of the reference computer.
Unlike folder-based categories, where the changes are monitored by the Administration Server itself, with
a computer-based category, the Administration Server relies on the detection of executable files by Kaspersky
Endpoint Security. That means that a reference computer must be equipped with Kaspersky Endpoint Security for
file detection and with Kaspersky Network Agent for sending the data to the Administration Server. There will be
more details on how this works later in this chapter.
Similar to a category filled from a folder, the administrator can specify the scanning interval. The detected files will
be added to the category and later identified by MD5 hash sum.


Configuring conditions manually


For a manually filled category, conditions for the programs are specified in the list; each condition can contain
several parameters. If a program matches at least one condition, it is included in the category. Conditions can be set
by various methods, but all of them can be boiled down to five general types [4]:
- MD5 hash of the file: the checksum returned by the MD5 hash function that allows unambiguous
identification of the file (the checksums of different files are different)
- Metadata: file name, its version, name of the program and manufacturer. The version does not have to be
specified exactly. You can select all files older or newer than the specified version. Various file
characteristics constitute a single condition, rather than several individual conditions
- Application folder: the path to the folder that contains program executable files
- Device type: a special parameter that allows the administrator to create a separate category for the files
started from a removable medium
- KL category: application category according to Kaspersky Lab classification, for example, Browsers,
Games, Drivers, etc.

Adding from the applications registry


Most of the available condition adding options boil down to a condition based on MD5 hash sum or metadata. For
example, the Add button by default opens a window where you can select a program from the applications registry.
This registry contains programs installed on the computers, namely, the programs displayed in the Programs and
components (Windows Vista / 7 / 8 / 10) or the Add or Remove Programs (Windows XP) tool. Network Agents
gather names and attributes of these programs and transfer them to the server. The gathered information about
the installed programs does not contain data about the program executable files. But it is the data about executables
that is necessary to create a condition. That is why the Administration Server compares data about installed
programs and data about executable files detected on the computers, and after that creates a condition based on
the hash sum of the program executables.
It might happen that a program is considered to be installed by mistake, or a program is installed but started
extremely rarely and the data about its executable file is missing on the Administration Server. In this case,
a condition for this program may fail to be created.
On the other hand, if a program has several executable files, the applications registry simplifies rule creation.
The Administration Server automatically adds conditions for all executable files associated with the program.
If a program is installed but its executable files haven't been reported to the Administration Server yet,
the administrator may consider running an Inventory task to speed up the process.

[4] You can create a condition based on a file certificate in a category. This capability was implemented for the Kaspersky
Critical Infrastructure Protection product, which falls out of the scope of this course. Kaspersky Endpoint Security 10 Service
Pack 1 does not support these conditions and will ignore the categories that include certificate-based conditions.


Adding a file-based condition


If necessary, the administrator can create a condition based on individual files. The files can be selected using
several methods:
- From the executable files list: the list of executable files that have ever been started on the client
computers or detected by an Inventory task. This list of files is displayed in the Advanced | Application
management | Executable files container
- From file properties: you can add a checksum or metadata of a local or network file to the condition list
When selecting a file on the drive, the administrator can specify a simple hash-sum condition for it (MD5 hash), or
a more flexible condition based on the attributes.
A hash sum unambiguously identifies a file. This condition should be used when exact coincidence is important. For
example, hash sums are used in automatically filled categories described earlier, because it is important to allow
starting the exact file versions installed on the reference computer or included in an approved distribution. Any
changes made to the file by malware or malevolent users will result in changing the hash sum and blocking the file
start.
Hash sums are also convenient if it is necessary to prohibit renamed files from starting. Renaming does not
influence the hash sum and the blocking rule will still work.
At the same time, you may need to include several application versions in a category. In this case you should create
a condition based on file attributes, such as name, manufacturer name, version number. The version number may not
only coincide with the specified value, but also be more or less than the specified value, or start from it, etc.; so you
will be able to block program versions that are too old, or too new and not yet approved.
Metadata-based conditions implicitly rely on digital signatures. When Kaspersky Endpoint Security checks file
metadata to determine if the condition applies, it ignores files without digital signatures (certificates). Unsigned files
will never match a metadata-based condition. This applies to many open-source and freeware tools. You may create
a condition based on the file name and then be surprised that a file with a matching name is not treated as expected.
Most probably, this means that the file has no digital signature.
In general, you should use metadata-based conditions for commercial software that is likely to be digitally signed by
the vendor's certificate. To control open-source and freeware programs, use other condition types.

Conditions for a group of files


You can select not only a file, but also a folder. If a file or several files are located within an MSI package, you can
specify this MSI package. The wizard will scan the specified folder or package for executable files and create
a condition for each of them. The condition can be created based on the hash sum or on the attributes.
These capabilities are similar to creating an automatic category based on folder; but in an automatically filled
category, the Administration Server monitors the changes within the folder and updates the condition
correspondingly. An automatically filled category cannot have conditions other than those retrieved from the files
located in the folder.
If a folder or an MSI package is specified when creating a condition manually, the selected folder or package will be
scanned once when creating the category, and later will not be rescanned. The administrator can add any other
condition to such a category.


Conditions based on file location


So far, all conditions checked the hash sum or attributes of the files. These conditions were independent of the file
location. Copying or moving the executable file would not influence the file start regulations based on
these conditions.
The following two types of conditions consider only the file location:
- Application folder: defines the local path to the file. The administrator can, for example, prohibit starting
executable files from the desktop or from the whole user's home directory.
Alternatively, the administrator can allow starting executable files from the system folders: c:\Windows,
c:\Program Files and prohibit from all other computer locations.
The condition is recursive, meaning, it works for the files in subfolders of the specified folder.
- Device type: can have only one value: Removable device. Essentially, its purpose is to enable
the administrator to prohibit starting programs from removable media.

Conditions based on KL categories


The described conditions enable the administrator to allow or prohibit known programs, that is, programs whose hash
sum, attributes, location on the drive, etc. are known or can be found out.
In practice, it is often necessary to prohibit unknown programs, for example, all games, or all browsers except for
one, etc. This task is not easy to solve using the described tools.
The solution is to use KL categories. These categories define program class or type: e-mail programs, web browsers,
development tools, electronic payment systems, etc. KL category means that the programs are categorized by
Kaspersky Lab experts.
The program categorization information is a part of the downloadable databases. That is why the Download
updates to the repository task must run at least once before you can create conditions based on KL categories.
Programs started on each computer are independently scanned for correspondence to the conditions, and if different
database versions are used on different computers, Startup Control rules can work to different effects. Also, if
the use of KSN is enabled on a computer, it will try to receive the latest data about KL categories in real time.
Kaspersky Lab experts, certainly, cannot process and categorize all executable files that exist in the world. All
uncategorized files are automatically associated with the Other Software KL category.


Category exclusions
If it is necessary to prohibit all programs corresponding to the specified conditions except for one, add an exclusion
to the category. Exclusions can use the same types of conditions. The programs that meet at least one exclusion
condition will be excluded from the category.
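The following is an added example (not Kaspersky code) that models how a manually filled category decides membership using the five condition types described above, including the exclusion logic: a file is in the category when it meets at least one condition and no exclusion. The file attributes, category names and hashes are constructed sample data.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class FileInfo:
    """What Kaspersky Endpoint Security knows about an executable (constructed)."""
    path: str                   # local Windows path
    content: bytes              # only used to compute the MD5 hash
    name: str = ""              # metadata: file name
    vendor: str = ""            # metadata: manufacturer
    version: str = "0"          # metadata: dotted version string
    signed: bool = False        # carries a digital signature
    removable: bool = False     # started from a removable device
    kl_category: str = "Other Software"   # uncategorized files get this verdict

    def md5(self) -> str:
        return hashlib.md5(self.content).hexdigest()


def _version_key(v: str):
    return tuple(int(p) for p in v.split("."))


@dataclass
class Condition:
    kind: str                       # "md5", "metadata", "folder", "device" or "kl"
    value: str = ""                 # hash, file name, folder path or KL category
    vendor: Optional[str] = None    # metadata only
    version: Optional[str] = None   # metadata only
    version_op: str = "=="          # metadata only: "==", "<", ">" or "startswith"

    def matches(self, f: FileInfo) -> bool:
        if self.kind == "md5":
            return f.md5() == self.value.lower()
        if self.kind == "metadata":
            # Metadata conditions implicitly rely on signatures: KES ignores
            # unsigned files, so a name-only condition never matches freeware.
            if not f.signed:
                return False
            if self.value and f.name.lower() != self.value.lower():
                return False
            if self.vendor is not None and f.vendor != self.vendor:
                return False
            if self.version is None:
                return True
            if self.version_op == "startswith":
                return f.version.startswith(self.version)
            have, want = _version_key(f.version), _version_key(self.version)
            return {"==": have == want, "<": have < want, ">": have > want}[self.version_op]
        if self.kind == "folder":
            # Recursive: files in subfolders of the given folder match too.
            folder = self.value.rstrip("\\").lower() + "\\"
            return f.path.lower().startswith(folder)
        if self.kind == "device":
            return f.removable      # the only possible value is "Removable device"
        if self.kind == "kl":
            return f.kl_category == self.value
        raise ValueError(f"unknown condition type {self.kind!r}")


@dataclass
class Category:
    """A file is in the category if it meets at least one condition and no exclusion."""
    name: str
    conditions: List[Condition] = field(default_factory=list)
    exclusions: List[Condition] = field(default_factory=list)

    def contains(self, f: FileInfo) -> bool:
        return (any(c.matches(f) for c in self.conditions)
                and not any(c.matches(f) for c in self.exclusions))


# Constructed sample files: contents, versions and vendors are made up.
CHROME = FileInfo(r"C:\Program Files\Google\Chrome\chrome.exe", b"chrome-42",
                  name="chrome.exe", vendor="Google", version="42.0.1",
                  signed=True, kl_category="Browsers")
OLD_CHROME = FileInfo(r"C:\Program Files\Google\Chrome\chrome.exe", b"chrome-38",
                      name="chrome.exe", vendor="Google", version="38.0.0",
                      signed=True, kl_category="Browsers")
FREE_TOOL = FileInfo(r"C:\Users\tom\Desktop\tool.exe", b"tool", name="tool.exe",
                     version="1.0", signed=False)
USB_GAME = FileInfo(r"E:\games\solitaire.exe", b"game", name="solitaire.exe",
                    vendor="Acme", signed=True, removable=True, kl_category="Games")

# "All browsers except one": KL category inclusion plus a hash-based exclusion.
NON_CHROME_BROWSERS = Category("Browsers except Chrome",
                               conditions=[Condition("kl", "Browsers")],
                               exclusions=[Condition("md5", CHROME.md5())])
# "Versions that are too old": metadata condition with a version comparison.
OLD_CHROME_BUILDS = Category("Chrome older than 40",
                             conditions=[Condition("metadata", "chrome.exe", vendor="Google",
                                                   version="40.0.0", version_op="<")])
# Location-based: the user's desktop (recursively) and any removable device.
UNTRUSTED_LOCATIONS = Category("Desktop and removable media",
                               conditions=[Condition("folder", r"C:\Users\tom\Desktop"),
                                           Condition("device", "Removable device")])
```

Note that `Condition("metadata", "tool.exe")` never matches the unsigned `FREE_TOOL`, which is the surprise the text warns about; a hash or folder condition is the way to cover such files.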

How to find out which KL-category a file belongs to


If the administrator wants to know which KL category includes a specific executable file, they can find this
information both locally on the computer and in the Administration console. The local verdicts (which may vary
slightly on different computers because of different database versions) are available in the Application Activity
Monitor window.
Information in the Administration Console can be used for troubleshooting as well as for planning the rules. The list
of executable files is located in the Advanced | Application management | Executable files node.
The administrator can view the attributes and KL category of each file.
Since there can be a lot of files on the list (reported from all the computers in the network), search and filtering
options may help finding the necessary one. The administrator can search for a file using a part of its name, or apply
a filter and search by the values of various file attributes.
You can use the list of executable files not only to view KL categories, file attributes and various statistics, such as
when the file was first detected on the computers, but also to add or exclude the file to or from an administrator-defined
category. There is a button that adds the file to administrator-defined categories. You can add the file to
an existing category or create a new one. And when modifying an existing category, you can either add the file to
the inclusion conditions or to the exclusions. In all cases, the resulting condition will be based on the file's MD5
hash sum.


Inventory task
This task is not created automatically. Executable files are reported to the Kaspersky Security Center by Kaspersky
Endpoint Security via the Network Agent. When a file is launched, either Application Startup Control or
Application Privilege Control intercepts the file, collects its data and sends it to the Administration Server.
However, some files may start very rarely. It may take a very long time until all executable files are intercepted and
reported to the Administration Server. A faster way to detect files is by using an Inventory task.
This is a Kaspersky Endpoint Security task, which can be created for both groups and computer selections. With
standard settings, the task searches for executable files in the following directories:
%SystemRoot%
%ProgramFiles%
%ProgramFiles(x86)%
The list of folders can be modified. The information about discovered files is sent to the Administration Server and
is available in the Advanced | Application management | Executable files container.
Unlike the monitoring components, this task can detect executable files within archives and installation packages. In
the task settings, in the Properties section, click the Additional button and select the Scan archives and Scan
installation packages check boxes.
When executable files are being searched for, their checksums are calculated, which may slow down the computers.
To reduce resource consumption, you can use the option to scan only new and changed files. The information about
changes is obtained using the iSwift technology and requires almost no calculations.
Alternatively, you can schedule the task to run during nonworking time, or use the option Suspend scheduled
scanning when the screensaver is off and the computer is unlocked.
Kaspersky Endpoint Security can send information about executable files to the Administration Server. There are
settings in the Kaspersky Endpoint Security policy that control which types of data are sent and which are not. It is
critically important to know that informing the Administration Server about executable files is disabled by default. The
settings are located in the Reports and Storages section of the policy. As a result, all lists of executable files will be
empty. Even a successful execution of an Inventory task will not change this, unless you enable sending information
About started applications in the Kaspersky Endpoint Security policy.


Application startup control rules


Note that Application Startup Control is disabled by default in Kaspersky Endpoint Security 10 Service Pack 1.
That is one of the reasons why sending the information about executable files is disabled. The first thing
the administrator needs to do before configuring rules is to enable the component.
A rule contains the following parameters:
- Category: an application category created on the Administration Server beforehand. A policy may contain
only one rule for each category
- Users and/or groups that are granted permission: the list of local or domain users and groups who are
allowed to start the programs belonging to the selected category. If more than one entity needs to be
specified, separate them with a semicolon (;)
There is a related option, Deny for other users. When enabled, it automatically denies permission to all
unlisted users. All versions of Kaspersky Endpoint Security earlier than 10 Service Pack 1 acted as if this
option were always enabled. In version 10 Service Pack 1 this option is configurable and disabled by
default. Unlisted users are granted or denied permission based on the rest of the rules
- Users and/or groups that are denied permission: this parameter explicitly defines the list of users and
groups who are prohibited from starting the programs
- Trusted updaters: consider all programs of this category to be trusted updaters [5]
Denial has a higher priority than permission. If a rule is configured to allow program start to all users and prohibit
it for the Tom user, this user will not be able to start the program according to this rule. There are some predefined
rules in the list that cannot be deleted, only enabled or disabled:
- Allow all: a rule allowing start of all programs. The rule is enabled by default. Disabling it is dangerous: it
can result in program failures on the client computers if alternative allowing rules are not configured
- Trusted updaters: if this rule is enabled, the applications installed by trusted updaters will not be blocked
even if there are no allowing rules for them. It is a special KL category [6] that includes programs that
download and install module updates, for example, Adobe Updater, Chrome Component Updater, etc.
The rule is disabled by default; it is used only in a default deny policy described later
- Golden Image: this category contains the executable files necessary for the operating system, as well as
executable files supplied with the system (various standard utilities and applications), also intended for use
in a default deny policy
Each rule can be in the On, Off or Test state. In the Test mode, the rule does not block the program start;
when enabled, it only generates Application startup prohibited in test mode or Application startup
allowed in test mode events. This mode and these events help the administrator evaluate the policy
operation without hampering the users.

[5] This option is described in detail later in this chapter.

[6] This KL category cannot be selected when configuring program category conditions.


To test what would happen if you disable the Allow all rule, select the Generate test verdict for the default rule
check box, but don't disable the Allow all rule just yet. This way, you will get events about the files that would be
blocked if the Allow all rule were disabled.
The list lacks the up and down buttons, because the order of rules does not matter. When a program starts on
a computer, Kaspersky Endpoint Security analyses all enabled rules together. Different rules regulate start of
different application categories; but some programs may belong to several categories at once. If there is at least one
rule according to which program start must be prohibited, it will be prohibited regardless of what the other rules say.
If a program does not belong to any category for which rules are configured and enabled, it will be processed
according to the Allow all rule (will be allowed to start). This operation mode is called default allow or black list
mode. The administrator can disable the Allow all rule and thus switch to the default deny or white list mode. In
the default deny mode, if a program is not included in an allowed category for which rules are configured and
enabled, it will be prohibited from starting. The recommendations for using the default deny mode are provided later
in this chapter.
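A small model of the rule evaluation just described (any matching blocking rule wins, the Allow all rule decides uncategorized programs, Test-state rules only produce events), written as an added example for this course page and not taken from Kaspersky code; the class layout, the category names and the file hashes are constructed for illustration, while the rule states, the "Generate test verdict for the default rule" option and the event names come from the text.

```python
"""Model of Application Startup Control rule evaluation (added example, not Kaspersky code)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ON, OFF, TEST = "On", "Off", "Test"      # the three rule states described in the text


@dataclass
class Rule:
    category: str      # application category the rule regulates
    action: str        # "Allow" or "Block"
    users: Set[str]    # accounts the rule applies to; "Everyone" matches any user
    state: str = OFF


@dataclass
class StartupControl:
    categories: Dict[str, Set[str]]     # category name -> file hashes (categories may overlap)
    rules: List[Rule]
    allow_all_enabled: bool = True      # the standard Allow all rule (default allow mode)
    test_default_verdict: bool = False  # "Generate test verdict for the default rule" check box

    def _matching(self, user: str, file_hash: str) -> List[Rule]:
        # Rule order is irrelevant: every enabled (On or Test) rule is considered together.
        return [r for r in self.rules
                if r.state != OFF
                and ("Everyone" in r.users or user in r.users)
                and file_hash in self.categories.get(r.category, set())]

    @staticmethod
    def _verdict(rules: List[Rule], allow_all: bool) -> bool:
        # At least one blocking rule prohibits the start regardless of any allowing rules.
        if any(r.action == "Block" for r in rules):
            return False
        if any(r.action == "Allow" for r in rules):
            return True
        # Program in no configured category: decided by the Allow all rule (allow vs. deny).
        return allow_all

    def evaluate(self, user: str, file_hash: str) -> Tuple[bool, List[str]]:
        """Return (program started?, events registered) for one start attempt."""
        matching = self._matching(user, file_hash)
        enforced = self._verdict([r for r in matching if r.state == ON],
                                 self.allow_all_enabled)
        events = ["Application startup allowed" if enforced
                  else "Application startup prohibited"]
        # Test verdict: Test rules count as On and, if requested, Allow all counts as disabled.
        simulated = self._verdict(matching,
                                  self.allow_all_enabled and not self.test_default_verdict)
        if any(r.state == TEST for r in matching) or (
                self.test_default_verdict and simulated != enforced):
            events.append("Application startup allowed in test mode" if simulated
                          else "Application startup prohibited in test mode")
        return enforced, events


# Constructed sample policy: category names and hashes are placeholders, not real values.
CATEGORIES = {
    "Golden Image": {"h_explorer", "h_cmd"},
    "Games": {"h_solitaire"},
    "Admin tools": {"h_cmd"},          # overlaps with Golden Image on purpose
}
RULES = [
    Rule("Games", "Block", {"Everyone"}, ON),
    Rule("Golden Image", "Allow", {"Everyone"}, ON),
    Rule("Admin tools", "Block", {"Everyone"}, TEST),   # still being evaluated in Test mode
]


def default_allow() -> StartupControl:
    """Policy with the Allow all rule enabled (black list mode)."""
    return StartupControl(CATEGORIES, RULES)


def default_deny() -> StartupControl:
    """Policy with the Allow all rule disabled (white list mode)."""
    return StartupControl(CATEGORIES, RULES, allow_all_enabled=False)


if __name__ == "__main__":
    for h in ("h_solitaire", "h_cmd", "h_unknown"):
        print(h, default_allow().evaluate("alice", h), default_deny().evaluate("alice", h))
```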


2.3 Monitoring Startup Control


How to find out what a particular user is prohibited from
There is a Statistical analysis button next to the list of startup control rules in the KES policy. It opens
a window where you can select a user or a group; the right pane then lists the prohibited categories and blocked
files.

Local notifications and complaints


When a program start is blocked on the client computer, Kaspersky Endpoint Security shows a pop-up message
notifying that the program was blocked so that the user is not confused about the reason for the program behavior.
If the user needs this program for work, the pop-up notification allows for sending the administrator a request for
program start permission. The user should click the Complain link in the notification window and then click
the Send button.
The text of the pop-up notification, as well as the request to allow a program start, can be modified in the Kaspersky
Endpoint Security policy. You can use variables there, which provide information about a specific event, for
example, the name of the blocked program, the computer where the event was registered, etc.

User requests selection


The standard User requests event selection contains the Application startup blockage message to administrator
events registered over the last 7 days. The Application startup blockage message to administrator event is
registered when a user sends a request to allow program start, and contains the request text along with
the information about the computer, username and the program in question: complete information necessary for the
administrator to make a decision.
It may happen that a user would need a program urgently. That is why, if the administrator rarely opens the User
requests selection, it might be worthwhile to configure e-mail notification for the Application startup blockage
message to administrator event. This will enable the administrator to process the requests as soon as possible.
It is possible to use the request events to modify application categories. The event contains all the relevant
information about the blocked file, including the MD5 hash. The administrator can use the Add file to category link
to immediately add the blocked file to an existing or a new category either as an inclusion condition or as
an exclusion.


Events
Application Startup Control generates five types of events:
Application startup prohibited
Application startup blockage message to administrator
Application startup allowed
Application startup prohibited in test mode
Application startup allowed in test mode

By default, all the events except for Application startup allowed are transferred to the Administration Server.
If the test mode is used for rules, it might be worthwhile to create a selection for the Application startup
prohibited in test mode or Application startup allowed in test mode events, because these events are not
included in the report about blocked starts.

Report on blocked runs


Based on the Application startup prohibited event, Kaspersky Security Center generates a Report on blocked
runs, which shows the distribution of the number of blocked starts on the client computers by applications. Click the
program name in the Summary table to open another report in the browser, which contains information about all
computers where start of this program was blocked.

2.4 Default Deny Policy


As we mentioned earlier, the list of Application Startup Control rules includes a rule allowing all users to start all
programs. The administrator can add rules prohibiting the start of the specified application categories to
the specified users. Programs that are not included in any category will be allowed.
In most cases, the described approach is optimal and helps prevent unwanted activity, without causing serious
inconvenience to the users. However, the security policy may prescribe that all programs are prohibited except for
those that are absolutely necessary for work. For example, there can be a policy for using programs on
the computers that are used as point-of-sale (POS) terminals. Only special programs must be allowed to start on
them, and all unknown programs must be prohibited.
In this case, it is necessary to configure allowing rules according to the security policy and disable the Allow all
rule. After this, all programs that do not meet the allowing rules will be blocked.
The main difficulty when working in the white list mode (when the start of uncategorized programs is prohibited by
default) is operating system malfunction, because the system files that are not explicitly allowed will be blocked
along with other programs.


Various configurations of allowing rules are possible; it will be necessary to create one or several categories for
system executable files and configure allowing rules for them using one of the following methods:
Use a reference computer with the operating system and allowed programs installed for creating
an automatically filled category
Use a directory with distributions of allowed programs for creating an automatically filled category
Use the Golden Image | Operating Systems & Utilities KL category: this category is used, for example,
if you enable the standard Golden Image rule, which is present in the list of rules initially but is disabled by
default
Under Windows Vista and later versions, you can allow starting all programs on behalf of the System account,
because a non-system application cannot receive system service rights in these operating systems.
To prevent the programs for which allowing rules are configured from being blocked after upgrades, use the Trusted
updaters standard rule. This rule exists in the list by default and cannot be deleted, but it is disabled by default.
When enabled, the programs downloaded and installed by the applications included in the Trusted updaters
category will not be blocked even if the corresponding allowing rules are not configured.
The administrator can also manually assign the Trusted updaters flag to a category in the properties of an allowing
rule.


Chapter 3. Application Privilege Control


3.1 Operation Principles
The main purpose of the Application Privilege Control is to regulate the activities of the running programs, namely,
access to the file system and registry as well as interaction with other programs.
Application Privilege Control separates applications into categories (trust groups) for which limitations are
specified. Every program receives one of the four trust levels:

Trusted
Low Restricted
High Restricted
Untrusted

For each category, standard activity limits are pre-defined. The administrator can change these restrictions within
the categories. Additionally, individual limitations can be configured for every program in the policy.
Application Privilege Control can be compared with the Firewall. It uses the same trust groups and similar operation
principles. If individual restrictions are specified for a specific program in the policy, they are used. If individual
restrictions are not specified, Kaspersky Endpoint Security uses KSN, heuristic algorithms and the administrator's
settings to define the program's trust group, and then applies the restrictions specified for this trust group.
It should be noted that Application Privilege Control and Firewall not only use similar operation principles, but also
are inseparably connected. If settings are specified for a program in the Firewall policy, this program will also
appear as an individual element in the Application Privilege Control policy, and vice versa.
The trust groups in Firewall and Application Privilege Control are also the same. General program trust groups are
defined in Kaspersky Endpoint Security, and each component applies its own restrictions to the programs
comprising these groups.

3.2 Automatic Categorization


Kaspersky Endpoint Security assigns a trust group to a program when it starts for the first time; and the start is
suspended until the analysis is over. The main categorization tool is Kaspersky Security Network. If it is
inaccessible or KSN lacks information about the program, the assigned category depends on the policy settings:
Use heuristic analysis to define group: if this check box is selected, Kaspersky Endpoint Security
defines the program status using a special heuristic algorithm that emulates the program start. Emulation
and analysis require time. By default, the time for assigning a trust group is limited to 30 seconds. There is
a separate setting named Maximum time to define group for this purpose. After the specified time,
the analysis is finished and the program gets placed into a trust group


Automatically move to group: an alternative to using heuristics. This setting allows assigning one of
the 3 trust levels (High Restricted, Low Restricted, or Untrusted) to all unknown programs without
the analysis
Trust applications that have a digital signature: if this parameter is enabled, the programs having
a valid digital signature are automatically placed in the Trusted group
The defined trust group is saved and used at each start of the program. The saved data may be revised or deleted
depending on the following settings:
Update control rules for previously unknown applications from KSN databases: the program's trust group
will be changed automatically if it appears in KSN
Delete rules for applications that are not started for more than 60 days: allows wiping out the trust
group information for the programs that have not been started for a long time. The lifetime is adjustable
Also note that if the administrator explicitly specifies the trust group for an executable file in the policy, the value
from the policy will be used. The trust group is defined locally only for the programs that are not explicitly specified
in the policy.
The Application Privilege Control component, which is installed on server operating systems, is responsible only for
program categorization. Access rules cannot be configured on server systems.


3.3 Application Control Rules


Application Privilege Control allows limiting a program's interaction with other programs and operating system
services depending on its trust group. The limitations can be configured both at the trust group level and for separate
programs. Control rules include a wide list of various interactions, for each of which the Allow or Block value is
specified. The list of controlled interactions is hard-coded.
Generally, the default restrictions for trust categories are as follows:
Trusted: no limitations and no logging
Low Restricted: everything is allowed except for building into operating system modules
High Restricted: interaction with operating system modules and other programs is prohibited. A program
is allowed to work only with its own segment of system memory
Untrusted: a program is prohibited even from starting
Note: Application Privilege Control, just like Application Startup Control, can block an application start. There is
no contradiction here: if a program must be blocked according to the settings of one of the components, it is blocked
regardless of the other component's settings.


3.4 Protected Resources


Application Privilege Control helps limit access to files, folders and registry keys on the hard drives. Files and
registry keys are organized into groups and subgroups, for which the rights of programs belonging to different trust
categories are specified. The restrictions specified for a group of resources can be changed at the subgroup level, or
individually for a file or registry key.
Initially, the list of protected resources contains groups of most important files and registry keys. The administrator
can modify and create the categories. Access rights can be specified both in the list of protected resources, and in
the program properties within the trust categories.
Rights to access a group of resources are defined independently for four operation types:

Read
Write
Delete
Create

Generally, the default limitations for the trust groups are as follows:
Trusted: no restrictions
Low Restricted: everything is allowed except for changing important system files (boot.ini, system.ini,
autoexec.bat, executable files within the system directory, etc.)
High Restricted: only Read access is allowed to the data from the operating system directories and
registry branches
Untrusted: the program is prohibited even from starting
Note: The limitations configured for a program are inherited by all its child processes, even if their executable files
are included in the Trusted group. Thus, the programs with lower trust level may not evade the prohibitions using
the privileges of programs having higher trust levels.


3.5 Policy Specifics


You can see that Application Privilege Control uses the same trust levels as the Firewall. It is not just a similarity;
these components actually use the same trust levels. A program trusted by Firewall is trusted by Application
Privilege Control, too, and vice versa. Similar to the Firewall, Application Privilege Control defines access rights for
the trust groups in the policy. On the client computer, Kaspersky Endpoint Security assigns a trust group to every
specific application.
Meanwhile, the administrator can also manually assign a trust level to a particular program in the policy. If
necessary, individual restrictions different from those set for the trust group can be specified for a particular
program. New programs are added in the list the same way as in the Firewall: the executable file of an application is
selected from the list of files ever started on the client computers. The policy has a higher priority than the locally
assigned trust group.


3.6 Configuring Exclusions


If the limitations set by the Application Privilege Control still block a necessary program, you can configure
the corresponding exclusion. There are two types of exclusions in Application Privilege Control:
Exclusions for resources: allow any program to perform any operation with the specified group of
resources
Exclusions for programs: allow the specified program to perform any operation
Exclusions for resources are configured in the properties of the Application Privilege Control, on the Protected
resources tab. You can configure exclusions for folders, files and registry keys.
Exclusions for programs are configured in the General protection settings section (Exclusions and trusted zone),
and provide several additional capabilities:
Do not monitor application activity: disables all restrictions for the specified program
Do not inherit restrictions of the parent process (application): disables the limitations inherited from
the process that started the program and the parent processes of higher levels
Do not monitor child application activity: disables the restrictions for the processes started by
the program for which the exclusion is created


Chapter 4. Device Control


The main purpose of the Device Control is clear from its name. It enables the administrator to monitor various
devices in the corporate network and, if necessary, prohibit using some of them.
The most popular use case for this component is blocking USB flash drives. The users can bring infected files on
them or, for example, their children's homework and end up devoting a workday to it. Accidentally or deliberately,
the user can take away files that are of commercial value for the company on a USB drive. Various restrictions help
prevent such problems.
The Device Control component in Kaspersky Endpoint Security allows the administrator to enforce the corporate
security standards by specifying who can use which devices on the computers, and when. The rules may be applied
to removable drives, printers, CD/DVD, non-corporate network connections, Wi-Fi, Bluetooth, etc.
Device Control can be installed only under non-server operating systems.

4.1 What Can Be Blocked and How


Almost all peripheral devices can be blocked. They can be blocked by types (removable drives, CD/DVD, Wi-Fi,
portable devices (MTP), etc.), or by buses: for example, you can entirely disable all USB devices.
Some devices can be allowed, but with limitations: you can explicitly specify the prohibition schedule, restrict only
writing operations or make exclusions for some users but not others. You can do that for:
Hard drives
Removable drives
Floppy disks
All other device types you can only disable completely:

Printers
CD/DVD drives
Modems
Tape devices
Multifunctional devices
Smart card readers
Windows CE USB ActiveSync devices
Wi-Fi
Cameras and scanners
Portable devices (MTP)
Bluetooth

Mobile phones, tablets, players and other portable devices may be treated either as portable devices (MTP) or as
removable drives, if connected as external data carriers.


The list omits image-processing devices (in particular, scanners). These can also be prohibited, but only by blocking
their connection buses.
Kaspersky Endpoint Security allows blocking connected devices by interface type (bus):

USB
FireWire
Infra Red
Serial Port
Parallel Port
PCMCIA

The administrator can totally block, for example, all USB devices.
Note: Keyboard and mouse cannot be blocked; they are not subject to Device Control rules.
Rules for devices have a higher priority. If the USB bus is prohibited, but removable drives are allowed, a USB flash
drive will work correctly.
By default, all devices work in the Depends on bus mode, and all buses are allowed.

4.2 Advanced Settings


Kaspersky Endpoint Security allows blocking only those types of devices that are included in the list. This list
cannot be edited to add new devices.
You can partially restrict the use of removable drives, hard drives, and floppy disks by specifying:
The list of accounts that are allowed to use the device type. You can select accounts from the domain to
which the computer where the Administration Console is started belongs, or among local users if there is no
domain. The rule will work on any computer where the policy is enforced. The Everyone universal account
is always available.
Operation types and access schedule. You can manage Read and Write permissions separately.
The schedule is specified by hours and days of the week. For example, you can allow Read operations for
removable drives each working day from 8-00 to 21-00 to Everyone, and Write operations only to
the Administrators and only during business hours.
If several rules fit a user, the most restrictive of them will be applied. If a device type is simply allowed, everyone
can always perform any operation with it.
You can combine the rules. For example, prohibit USB devices and removable drives, but make an exclusion for
the administrators: allow them using USB flash drives during business hours.
The changed policy comes into operation as soon as it is enforced. If, for example, removable data carriers are
blocked while the user has plugged in a USB flash drive and has copied something there, it will become unavailable
as soon as the policy is enforced and the next operation will be blocked.


4.3 Trusted Devices


If there are removable drives in the company that must be allowed always and everywhere, it might be worthwhile
to make them trusted. Trusted devices are specified in the Kaspersky Endpoint Security policy, in the Device
Control | Trusted devices section.
Devices can be made trusted by ID, by ID mask or by model. When you click the Add button above the list of
trusted devices, it expands into a list of three options:
Devices by ID
Devices by model
Devices by ID mask
The first two options let you select the device that you want to make trusted; its ID or model will then be added
to the list. Selecting a device means that the Administration Server must have the device in its database. If the
Administration Server is unaware of this particular device, you can't make it trusted.
The Devices by ID mask option allows you to type the device ID or a part of it. This doesn't rely on
the Administration Server's knowledge of the device, only on the administrator's knowledge of the device ID. The device
ID can be found in the Windows Device Manager, in the device properties on the Details tab; look for the value of
the Device Instance Path property. It looks somewhat like
USBSTOR\DISK&VEN_&PROD_USB_FLASH_DRIVE&REV_1.01\574B17001160&0
When adding a mask, you can replace a part of the ID with * or ? to make it applicable to multiple devices, e.g.,
NEC*CDR??. This helps when a company has a lot of devices with similar IDs that should be trusted. Adding
a device by model can also help in this case, if all devices are from the same vendor and of the same type.
There is also a Comment field when adding a trusted device, which the administrator can fill in to describe why this
trusted device (or group of devices) is added.
To add a device by model or by ID without typing it, connect the device to a managed computer with Kaspersky
Endpoint Security installed. The Device Control component must be installed too. Then you need to wait for some
time till the information about the device makes it to the Administration Server.
To simplify the search for the necessary device, you can choose the device type and also specify the name of
the computer where it is or was connected. Then click the Refresh button to display the filtered results.
Before adding the device, you can also restrict the list of users that will have access to it. You may want to have
trusted devices, but you may not necessarily want everybody to have access to them. Perhaps only administrators
should be able to use them.
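The decision logic of sections 4.1 to 4.3 in one place, as an added example for this course page (not Kaspersky code): type rules with the default Depends on bus, device rules taking priority over bus rules, partial Read/Write schedules for the three restrictable types with the most restrictive rule applied, and trusted devices matched by ID mask with * and ?. The class layout, the Restrict type-rule value, the reading of "most restrictive" as "every fitting rule must permit the operation now", and all device IDs are constructed assumptions.

```python
"""Model of Device Control decisions (added example, not Kaspersky code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Set

ALLOW, BLOCK, DEPENDS_ON_BUS, RESTRICT = "Allow", "Block", "Depends on bus", "Restrict"
RESTRICTABLE = {"Hard drives", "Removable drives", "Floppy disks"}   # types with partial rules


@dataclass
class AccessRule:
    accounts: Set[str]      # user or group names; "Everyone" matches anyone
    operations: Set[str]    # subset of {"Read", "Write"}
    weekdays: Set[int]      # 0 = Monday ... 6 = Sunday
    hours: range            # range(8, 21) means from 8:00 up to 21:00

    def fits(self, user: str, groups: Set[str]) -> bool:
        return bool(self.accounts & ({user, "Everyone"} | groups))

    def active(self, weekday: int, hour: int) -> bool:
        return weekday in self.weekdays and hour in self.hours


@dataclass
class TrustedDevice:
    id_mask: str                                   # device ID, possibly with * and ?
    accounts: Set[str] = field(default_factory=lambda: {"Everyone"})


@dataclass
class Device:
    device_type: str
    bus: str
    device_id: str          # Device Instance Path as shown in Windows Device Manager


@dataclass
class DeviceControlPolicy:
    type_rules: Dict[str, str]                  # device type -> Allow/Block/Depends on bus/Restrict
    bus_rules: Dict[str, str]                   # bus -> Allow/Block (missing = Allow)
    access_rules: Dict[str, List[AccessRule]]   # restrictable type -> schedule rules
    trusted: List[TrustedDevice] = field(default_factory=list)

    def decide(self, device: Device, user: str, groups: Set[str],
               operation: str, weekday: int, hour: int) -> bool:
        principals = {user, "Everyone"} | groups
        # 1. Trusted devices are allowed always and everywhere for the listed accounts.
        for t in self.trusted:
            if fnmatchcase(device.device_id.upper(), t.id_mask.upper()) and t.accounts & principals:
                return True
        # 2. Device type rule; it has priority over the bus rule.
        verdict = self.type_rules.get(device.device_type, DEPENDS_ON_BUS)
        if verdict == BLOCK:
            return False
        if verdict == ALLOW:
            return True                          # works even if its bus is blocked
        if verdict == RESTRICT and device.device_type in RESTRICTABLE:
            fitting = [r for r in self.access_rules.get(device.device_type, [])
                       if r.fits(user, groups) and operation in r.operations]
            # Most restrictive rule wins: every fitting rule must be active now; none -> blocked.
            return bool(fitting) and all(r.active(weekday, hour) for r in fitting)
        # 3. Depends on bus: all buses are allowed unless explicitly blocked.
        return self.bus_rules.get(device.bus, ALLOW) == ALLOW


WORKDAYS = {0, 1, 2, 3, 4}
# Constructed policy: USB bus blocked, removable drives restricted by schedule, printers
# blocked outright, one corporate flash-drive model trusted for everyone (mask uses *).
POLICY = DeviceControlPolicy(
    type_rules={"Removable drives": RESTRICT, "Printers": BLOCK},
    bus_rules={"USB": BLOCK},
    access_rules={"Removable drives": [
        AccessRule({"Everyone"}, {"Read"}, WORKDAYS, range(8, 21)),
        AccessRule({"Administrators"}, {"Write"}, WORKDAYS, range(9, 18)),
    ]},
    trusted=[TrustedDevice(r"USBSTOR\DISK&VEN_CORP&PROD_SECURE_KEY*")],
)
# Constructed device IDs in the Device Instance Path format quoted in the text.
FLASH = Device("Removable drives", "USB",
               r"USBSTOR\DISK&VEN_&PROD_USB_FLASH_DRIVE&REV_1.01\574B17001160&0")
CORP_KEY = Device("Removable drives", "USB",
                  r"USBSTOR\DISK&VEN_CORP&PROD_SECURE_KEY&REV_2.00\0001&0")
WEBCAM = Device("Cameras and scanners", "USB", r"USB\VID_0000&PID_0000\CAM01")

if __name__ == "__main__":
    print(POLICY.decide(FLASH, "alice", set(), "Read", 0, 10))               # True
    print(POLICY.decide(FLASH, "alice", set(), "Write", 0, 10))              # False
    print(POLICY.decide(FLASH, "bob", {"Administrators"}, "Write", 0, 10))   # True
    print(POLICY.decide(WEBCAM, "alice", set(), "Read", 0, 10))              # False
```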


4.4 Configuring Interaction with User


When the user attempts to connect a blocked device, a pop-up notification is displayed.
If notifications are disabled, the user might think that there is a hardware problem, contact the technical support, or
even worse, try to fix it without assistance. The administrator can modify the notification text, for example, add
the contact information of the person responsible for device access.
To open the notification template, click the Templates button in the Device Control section of Kaspersky Endpoint
Security policy. You can use variables in the notification text, for example, the name of the device or the blocked
operation.
If pop-up notification about blocking is enabled, it contains the Complain link, which can be neither disabled nor
hidden.
If the user sends a complaint, it will be sent to the server as an event having the Warning severity level. Similar to
the other control components, complaints are displayed in a special selection named User requests.
The administrator does not have to react to a complaint; but if they want to, they can, for example, configure
the corresponding e-mail notifications in the Kaspersky Endpoint Security policy.


4.5 Temporary Access


Kaspersky Endpoint Security enables users to request temporary access to blocked devices. The procedure is as
follows:
1. The user finds out that the necessary device is blocked
2. Generates a request key for it in the Kaspersky Endpoint Security local interface
3. E-mails the key to the administrator
4. The administrator examines the request and, in the case of an affirmative answer, creates and sends the user
a special access code
5. The user activates the received code. After this, the selected device (and only that device) becomes
accessible for the time span specified by the administrator. The user cannot pause temporary access to use
it later; and the administrator cannot remotely revoke temporary access

It goes without saying that many users may believe that their devices are blocked by mistake, and will ask
the administrator for temporary access. To avoid numerous requests, you can disable this capability: in
the Kaspersky Endpoint Security policy, on the Device Control tab, clear the Allow request for temporary access
check box.

How to send a request


The user opens Kaspersky Endpoint Security interface on the Protection and Control tab, and on the shortcut menu
of Device Control clicks Access to device. A window opens with the list of devices ever connected to
the computer, including those blocked. Find the device for which the access is necessary, select it and click Get
access code. So as not to make a mistake when selecting the device, switch the device representation mode from
For the entire runtime to Currently.
Note: If the administrator prohibits requesting temporary access, the button appears dimmed
The only configurable parameter is the desirable access duration (24 hours by default). The value entered by the user
is only a wish. The administrator can either use the offered value or change it when generating the access code.
The user is to send the generated .akey file to the administrator.


How to create activation code


Temporary access is granted to a specific user for the specified device on the specified computer. That is why
the code is generated using the client computer's shortcut menu, neither in the policy nor in the group properties.
A client computer can be conveniently found in the Administration Console by the Search utility. Then
the administrator should open its shortcut menu and select the Grant access to devices and data in offline mode
command. In the window that opens, switch to the Device Control tab and click the Browse button to select
the received .akey file.
The Administration Server checks the file integrity and whether it belongs to the selected computer, and then
displays the request. If necessary, the administrator can change the access duration and activation window. Both
periods cannot be less than an hour or more than 999 hours. The default value for both is 24 hours.
Then the administrator is to save the generated code into an .acode file and send it back to the user.
So, the code is generated for the exact device and the computer where the user generated the key. Any other devices
will still be blocked; also, the device for which the access was granted will be blocked on other computers.
The code is also bound to the username. Another user will not be able to access the same device on the same
computer using this access code. If temporary access is activated by the user who requested it and another user logs
on to the computer during the allowed period, they will not be able to use the device.

How to activate temporary access


In the same window where the request key was generated, the user clicks the Activate access code button, and
specifies the received .acode file. The device can be used immediately. Neither restart, nor synchronization with
the Administration Server is necessary.
The code must be activated before the specified activation window expires, and the access duration countdown starts
at the moment of activation. The device may be connected at any time (or even several times) during this period, or
not connected at all. The access countdown cannot be paused.
When temporary access is activated, a notification is sent to the Administration Server, but it is not included either
in the selection of user requests, or in the report on Device Control events.


4.6 Monitoring Device Control


Every time a user attempts to connect a blocked device, an event is sent to the Administration Server. It contains
the time, name of the computer where the attempt was registered, bus or type of the device, its ID, operation and
the account that initiated it.
The event is named Operation with the device prohibited, it is Critical and is displayed in the selection of Critical
events. If necessary, the administrator can make a separate selection for blocked device access attempts.
The Operation with the device allowed event having the Info severity will be sent if a non-prohibited device is
connected. The number of such events shows the use frequency of USB flash drives, local printers, scanners,
removable drives, etc.
All events, including complaints, are stored on the server for 30 days by default.
The Report on Device Control events provides the general view of the device control work. It displays a chart with
the distribution of its responses by user names. By default, the report includes all actions: device connecting,
disconnecting and blocking. To generate a report about device blocking only, leave only the Connection is blocked
check box selected in the Settings section of the report properties.
If necessary, the administrator can configure receiving daily e-mail statistics about who tried to connect, for
example, USB flash drives, and when. The Deliver reports task serves this purpose; it is described in Unit IV,
Maintenance.


Chapter 5. Web Control


The task of web control is to filter Internet access according to the internal policy of the organization. Usually it is
used to block social networks, music, video, non-corporate web e-mail, etc. during business hours. If a user tries to
open such a site, either a notification that the access is blocked or a warning about an unwelcome site can be
displayed, depending on the settings in the policy.
Web Control operates similarly to firewalls. The administrator creates a set of blocking and allowing rules. The rule
properties include the user accounts, schedule, connection and content-specific conditions, and the action. The rules
are applied in the order specified by the administrator, and a page is processed according to the first applicable rule.
The Default rule that allows everything to everyone takes the last place on the list and acts as a catch-all rule.
Only HTTP and HTTPS traffic is scanned.

5.1 Blocking Criteria


First, access can be denied or allowed by site address. The administrator can explicitly specify the URLs to be
blocked, or use the * wildcard to block sites by address masks, for example, *.fm or *shop*.
Kaspersky Endpoint Security can also analyze webpage content (over HTTP) and classify pages to the following
categories:

Adult content
Software, audio, video
Alcohol, tobacco, narcotics
Violence
Profanity, obscenity
Weapons, explosives, pyrotechnics
Gambling, lotteries, sweepstakes
Internet communication media
Electronic commerce
Job search
HTTP query redirection
Computer games
Religions, religious associations
News media
Banners

The content can also be categorized by data types:

Video
Sound
Office files
Executable files
Archives
Graphic files

As far as secure connections (HTTPS) are concerned, Kaspersky Endpoint Security has no access to the traffic
contents. Therefore, HTTPS traffic is filtered only by addresses. For example, if social networks are blocked,
https://facebook.com will also be blocked, as this address is included in the signature databases as pertaining to
social networks.


The administrator can restrict access to any category or data type, but cannot edit or add the lists of categories and
data types.
Filtering by category and data type can be combined within a rule: for example, you can block office files and
archives received by web mail.
Sites are categorized using the database of known addresses (pc*.dat files in the updates folder), and heuristic
analysis of page content (for non-secure connections only). URL reputation can also be requested from Kaspersky
Security Network.


Data types are hard-coded in Kaspersky Endpoint Security and include the following file types (category, then
category contents):

Executable files:
    Win32 PE: exe, dll, ocx, scr, drv, vdx, and other extensions of Win32 PE files
    Visual Basic Script: vbs, vb
    Executable files (not PE) for MS-DOS, Win-16, OS/2: exe, dll, com
    Command Line Script: cmd, bat
    Microsoft Installer Archive: msi

Video:
    Adobe Flash Video: flv, f4v
    Audio/Video Interleave: avi
    MPEG4 ISO format: 3gp, 3g2, 3gp2, 3p2
    MPEG4: divx, mp4, m4a
    Matroska: mkv
    Apple Quicktime: mov, qt
    Microsoft Container: asf, wma, wmv
    RealMedia CB/VB: rm, rmvb
    MPEG2 (DVD) format: vob
    VCD (MPEG 1): dat, mpg
    Bink Video: bik

Sound:
    MPEG-1 Layer 3: mp3
    Lossless Audio: flac, ape
    OGG Vorbis Audio: ogg
    Advanced Audio Coding: aac
    Windows Media Audio: wma
    AC3 multichannel audio: ac3
    Microsoft Wave: wav
    Matroska Audio: mka
    RealAudio: rm, ra, ravb
    MIDI: mid, midi
    CD digital Audio: cdr, cda

Office files:
    Open XML documents: docx, xlsx, pptx, dotx, potx, and others
    Office 2007 macro enabled docs: docm, xlsm, pptm, dotm
    MS Office documents: doc, xls, ppt, dot, pot
    Adobe Acrobat: pdf

Archives:
    ZIP archive: zip, g-zip
    7-zip archive: 7z, 7-z
    RAR archive: rar
    ISO-9660 CD Disk: iso
    Windows Cabinet: cab
    Java (ZIP) archive: jar
    BZIP2 archive: bzip2, bz

Graphic files:
    JPEG/JFIF: jpg, jpe, jpeg, jff
    GIF: gif
    Portable Graphics: png
    Windows Bitmap (DIB): bmp
    Targa Image File Format: tif, tiff
    Windows Meta-File: emf, wmf
    Post-Script Format: eps
    Adobe Photoshop: psd
    Corel Draw: cdr


Let's mention some specifics of Kaspersky Endpoint Security types and categories:
The type is defined by file format. Therefore, this does not work for secure connections; but it is possible to
use the address filter to block files by extension. For example, to block .key files, specify the *.key mask
Data types inside archives are not checked: if executable files are prohibited while archives are not,
archived executable files will be allowed
PDF documents are included in the Office files category. Therefore, if this category is blocked, some sites
that use PDF may be displayed incorrectly
In old versions of Kaspersky Anti-Virus (6.0.x), Anti-Banner was implemented as a separate component. In
Kaspersky Endpoint Security, you can block banners with the corresponding content category in Web
Control
Flash videos in SWF format can be blocked only by extension mask, usually *.swf
The rules may be applied depending on the account and access time.


5.2 Configuring Exclusions and Trusted Servers


Sometimes a site can be blocked by mistake. For example, a corporate portal can be recognized as a social network,
or online training courses can be blocked because of video files. In this case, it is easier to create an allowing rule
instead of creating a separate group with a special policy. You can configure an allow rule giving access to some
categories or data types located on the specified servers.
To have such a rule applied before the blocking rules, place it higher on the list.
In extreme cases, the organization policy can prohibit the Internet during business hours and allow only
the corporate site. An exclusion can be made only for the IT department. In this case, the administrator creates
the general rule: during business hours, deny everything to everybody. Then they add two allowing rules above it:
the first allowing any content to the accounts of IT department employees, and the second allowing everybody to
access the corporate site.
By default, in addition to the universal rule allowing everything to everybody, there is another rule in Web Control,
Scripts and Stylesheets, which explicitly allows files with .css, .js, and .vbs extensions. Usually these files contain
style sheets, JavaScript and Visual Basic scripts saved as separate files. This rule is necessary because sometimes
such files are located on separate servers and their URLs differ from the main site address. If a site is allowed while
its scripts and style sheets are blocked, it will be displayed incorrectly. To avoid this, keep the rule allowing .css, .js,
and .vbs higher than the prohibiting rules.

5.3 Diagnostics and Testing


When there are many rules, it is sometimes difficult to monitor which of them were applied and why. For this
purpose, Kaspersky Endpoint Security has an offline diagnostics tool for Web Control.
To use it, first enforce the policy on a workstation, and then open the local Kaspersky Endpoint Security interface on
that workstation. Then switch to the Settings tab, select Web Control, and click the Diagnostics button. It opens
the window where you can specify the conditions of a presumed request:

Select categories
Select data types
Specify day and time
Select accounts
Type the site address (the * wildcard is allowed)

and get the Web Control verdict with the list of rules applicable to these conditions.
For example, the administrator can check whether access to the personal home mail server of an employee is blocked
by the rule that blocks web mail. On the other hand, if users complain that they cannot access an allowed site, you
can find out which rule causes the problem.
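To make the rule order and the diagnostics verdict concrete, here is an added Python model of the evaluation described in 5.1 to 5.3 (an illustration written for this course text, not Kaspersky Lab code): rules are tried top down, the first applicable rule decides, the Default rule closes the list, and data types are invisible over HTTPS. The exact mask semantics, the host names and the account names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

ALLOW, BLOCK, WARN = "allow", "block", "warn"


@dataclass(frozen=True)
class Request:
    """A presumed request, as entered in the Web Control diagnostics window."""
    url: str
    user: str
    when: datetime
    categories: frozenset = frozenset()  # content categories (URL database or page analysis)
    data_types: frozenset = frozenset()  # data types detected from the file format


def _mask_matches(mask: str, url: str) -> bool:
    """Assumed mask semantics: the mask (with * wildcards) is compared case-insensitively
    against the host name alone and against host plus path, so *.fm, *shop* and
    www.example.com/* all behave as the chapter describes."""
    parts = urlsplit(url.lower())
    host = parts.hostname or ""
    return fnmatchcase(host, mask.lower()) or fnmatchcase(host + parts.path, mask.lower())


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    users: Optional[frozenset] = None        # None means everybody
    url_masks: Tuple[str, ...] = ()          # () means any address
    categories: frozenset = frozenset()      # empty means any category
    data_types: frozenset = frozenset()      # empty means any data type
    hours: Optional[Tuple[int, int]] = None  # (start, end) on Mon-Fri; None means always

    def applies(self, req: Request) -> bool:
        if self.users is not None and req.user not in self.users:
            return False
        if self.hours is not None:
            start, end = self.hours
            if req.when.weekday() > 4 or not start <= req.when.hour < end:
                return False
        if self.url_masks and not any(_mask_matches(m, req.url) for m in self.url_masks):
            return False
        # Category and data type conditions combine within one rule: both must hold.
        if self.categories and not self.categories & req.categories:
            return False
        if self.data_types:
            # The data type is derived from the file format, which is invisible over HTTPS,
            # so a data-type condition is never satisfied on a secure connection.
            visible = req.data_types if urlsplit(req.url).scheme == "http" else frozenset()
            if not self.data_types & visible:
                return False
        return True


def evaluate(rules: List[Rule], req: Request):
    """The first applicable rule decides; the whole list of applicable rules is what the
    diagnostics window shows next to the verdict."""
    applicable = [r for r in rules if r.applies(req)]
    return applicable[0].action, [r.name for r in applicable]


def diagnose(rules, url, user, when, categories=(), data_types=()):
    """Entry point mirroring the diagnostics window; `when` is 'YYYY-MM-DD HH:MM'."""
    req = Request(url, user, datetime.strptime(when, "%Y-%m-%d %H:%M"),
                  frozenset(categories), frozenset(data_types))
    return evaluate(rules, req)


def corporate_policy() -> List[Rule]:
    """Rule order from section 5.2: the allow rules sit above the business-hours block and
    the Default rule closes the list. Host names and account names are constructed."""
    return [
        Rule("Scripts and Stylesheets", ALLOW, url_masks=("*.css", "*.js", "*.vbs")),
        Rule("IT department", ALLOW, users=frozenset({"it-admin", "it-helpdesk"})),
        Rule("Corporate site", ALLOW, url_masks=("corp.example", "*.corp.example")),
        Rule("Web mail attachments", BLOCK,
             categories=frozenset({"Internet communication media"}),
             data_types=frozenset({"Office files", "Archives"})),
        Rule("Business hours", BLOCK, hours=(9, 18)),
        Rule("Default", ALLOW),  # catch-all: allows everything to everyone
    ]


if __name__ == "__main__":
    policy = corporate_policy()
    # 2016-05-10 is a Tuesday, so 10:00 falls inside business hours and 20:00 outside.
    print(diagnose(policy, "http://music.fm", "alice", "2016-05-10 10:00"))
    print(diagnose(policy, "http://music.fm", "alice", "2016-05-10 20:00"))
    print(diagnose(policy, "http://cdn.example.net/site.css", "alice", "2016-05-10 10:00"))
    print(diagnose(policy, "https://mail.example.org/report.docx", "alice", "2016-05-10 20:00",
                   categories=["Internet communication media"], data_types=["Office files"]))
```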


5.4 Configuring Interaction with User


If Web Control blocks a part of the page contents, the user may overlook it. If the page is completely forbidden,
a replacement page with the Web Control message is displayed: either a warning that access is undesirable, or
a message about blocking.
If the site is just undesirable (a Warning rule has been triggered), the user can proceed to the page by clicking one of
the links in the warning message: the link to the specific page that was requested, the link that enables access to
all pages on the web site, or the link for all pages on the web site and its sub-sites (e.g. access to *.amazon.com/* as
opposed to www.amazon.com/*).
If the site is blocked, there are no links to proceed; access is completely denied.


Note: Notifications are displayed only for non-secure connections. If the HTTPS protocol is used to open a web
site, the user will see only the browser message about the inability to display the page in both cases.
There is also a Complain link in all types of messages to disagree with the policy and request a policy change to be
able to access the blocked web site freely. Complaints are sent to the Administration Server as events and fall into
the User requests selection.
You can edit both warning and blocking notifications, as well as the complaint template: in the Kaspersky Endpoint
Security policy, switch to the Web Control section and click the Templates button.


5.5 Web Control Statistics


When Web Control blocks access or warns that the access is unwanted, it simultaneously sends the corresponding
event to the Administration Server: Access blocked with Critical severity, or Warning about unwanted content with
Warning severity, respectively.
In both cases, an event contains the access time, site URL, applied rule, computer name, user account and Web
Control verdict. If the rule was created for a category or data type, they are also specified.
Note: Web Control independently processes each object of which the site consists. That is why, for example, when
graphic files are prohibited, blockage of each little image generates a separate event. Therefore, an attempt to access
a forbidden site can result in sending hundreds of events, which does not necessarily signify that the user browses
the Internet day and night. That is why these events are not transferred to the Administration Server by default.
If a user ignores the warning about undesired access and opens the site, the Access to unwanted content successfully
attempted after warning event having the Warning severity is sent to the server.

5.6 Web Control Report


For regular control and general information, a report can be used. It provides aggregate statistics on the number of
warnings and blockages for each rule. Allowing rules are not included.
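As an added illustration (not Kaspersky Lab code) of the two points above, the following Python snippet folds the per-object events of one visit into a single attempt and totals blocks and warnings per rule the way the report does. The pipe-separated export format, host names and accounts are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple
from urllib.parse import urlsplit

# Event names and severities as the chapter lists them.
EVENT_SEVERITY = {
    "Access blocked": "Critical",
    "Warning about unwanted content": "Warning",
    "Access to unwanted content successfully attempted after warning": "Warning",
}


class Event(NamedTuple):
    time: datetime
    name: str
    computer: str
    user: str
    url: str
    rule: str


# Constructed sample events in an assumed export format:
# time|event|computer|user|URL|applied rule. Host names and accounts are made up.
SAMPLE_EVENTS = """\
2016-05-10 10:01:02|Access blocked|ws-14|alice|http://music.fm/|Business hours
2016-05-10 10:01:03|Access blocked|ws-14|alice|http://music.fm/img/logo.png|Business hours
2016-05-10 10:01:03|Access blocked|ws-14|alice|http://music.fm/img/bg.jpg|Business hours
2016-05-10 10:01:04|Access blocked|ws-14|alice|http://music.fm/img/play.png|Business hours
2016-05-10 10:01:05|Access blocked|ws-14|alice|http://music.fm/stream/top40|Business hours
2016-05-10 10:05:10|Warning about unwanted content|ws-07|bob|http://games.example/|Games warning
2016-05-10 10:05:48|Access to unwanted content successfully attempted after warning|ws-07|bob|http://games.example/|Games warning
2016-05-10 10:31:20|Access blocked|ws-14|alice|http://music.fm/|Business hours
2016-05-10 10:31:21|Access blocked|ws-14|alice|http://music.fm/img/logo.png|Business hours
"""


def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, name, computer, user, url, rule = line.split("|")
        if name not in EVENT_SEVERITY:
            raise ValueError("not a Web Control event: " + name)
        events.append(Event(datetime.strptime(time, "%Y-%m-%d %H:%M:%S"),
                            name, computer, user, url, rule))
    return events


def collapse_attempts(events: List[Event], window_seconds: int = 60) -> List[dict]:
    """Fold the per-object events of one site visit (page, images, scripts, ...) into a
    single attempt: same computer, user, site and event name within the time window."""
    attempts: List[dict] = []
    latest: Dict[tuple, int] = {}  # key -> index of the attempt still open for it
    for ev in sorted(events, key=lambda e: e.time):
        site = urlsplit(ev.url).hostname
        key = (ev.computer, ev.user, site, ev.name)
        idx = latest.get(key)
        if idx is not None and (ev.time - attempts[idx]["last"]).total_seconds() <= window_seconds:
            attempts[idx]["objects"] += 1
            attempts[idx]["last"] = ev.time
            continue
        attempts.append({"computer": ev.computer, "user": ev.user, "site": site,
                         "event": ev.name, "severity": EVENT_SEVERITY[ev.name],
                         "rule": ev.rule, "first": ev.time, "last": ev.time, "objects": 1})
        latest[key] = len(attempts) - 1
    return attempts


def rule_report(events: List[Event]) -> Dict[str, Dict[str, int]]:
    """Per-rule counts of warnings and blockages, the figures the Web Control report shows;
    allow rules never produce events, so they do not appear."""
    report: Dict[str, Counter] = defaultdict(Counter)
    for ev in events:
        report[ev.rule][ev.name] += 1
    return {rule: dict(counts) for rule, counts in report.items()}


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for a in collapse_attempts(events):
        print(f"{a['first']:%H:%M:%S} {a['user']}@{a['computer']} {a['site']}: "
              f"{a['event']} by rule '{a['rule']}' ({a['objects']} objects)")
    print(rule_report(events))
```

On the sample, nine raw events reduce to four attempts, which is the view to use before concluding that a user "browses the Internet day and night".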


IV-1
Unit IV. Maintenance

Unit IV. Maintenance


Introduction .................................................................................................................... 4
Chapter 1. License Management ................................................................................... 5
1.1 What Is This Chapter About ................................................................................................................................... 5
1.2 Licensing Basics ..................................................................................................................................................... 6
License concept ...................................................................................................................................................... 6
License prolongation.............................................................................................................................................. 6
Licensing of Kaspersky Endpoint Security for Business (KESB) ........................................................................... 8
Kaspersky Endpoint Security 10 licensing ............................................................................................................. 8
Kaspersky Security Center 10 licensing ............................................................................................................... 10
1.3 Activation ............................................................................................................................................................. 10
General ................................................................................................................................................................ 10
Activation key ....................................................................................................................................................... 12
Activation code..................................................................................................................................................... 12
Activation proxy ................................................................................................................................................... 12
1.4 License Expiration ................................................................................................................................................ 14
Key expiration ...................................................................................................................................................... 14
Additional keys ..................................................................................................................................................... 16
1.5 Activation of Kaspersky Security Center 10 and Kaspersky Endpoint Security 10 ............................................. 16
Kaspersky Security Center 10 activation ............................................................................................................. 16
Activation of Kaspersky Endpoint Security 10 via Kaspersky Security Center 10 ............................................... 18
Key installation task ............................................................................................................................................. 20
Activating Kaspersky Endpoint Security 10 ......................................................................................................... 20
1.6 Information About Licenses ................................................................................................................................. 22
Licenses in the Administration Console ............................................................................................................... 22
Functionality limitation data................................................................................................................................ 22
Key usage report .................................................................................................................................................. 24
Computer statuses ................................................................................................................................................ 24
Kaspersky Endpoint Security 10 events................................................................................................................ 26
Kaspersky Security Center 10 events ................................................................................................................... 26
1.7 Subscription Licenses ........................................................................................................................................... 28
Chapter 2. Updates ....................................................................................................... 30
2.1 Overview............................................................................................................................................................... 30
Update types......................................................................................................................................................... 30
Update management ............................................................................................................................................ 32
2.2 Updating Server Repository .................................................................................................................................. 34
Schedule ............................................................................................................................................................... 34
Sources ................................................................................................................................................................. 34
Connection parameters ........................................................................................................................................ 34
Updates list........................................................................................................................................................... 36
Network Agent module updates ............................................................................................................................ 36
2.3 Updating Client Computers................................................................................................................................... 38
Group tasks .......................................................................................................................................................... 38
Schedule ............................................................................................................................................................... 40
Sources ................................................................................................................................................................. 40
Module updates .................................................................................................................................................... 42
Kaspersky Seamless Update Service .................................................................................................................... 42
2.4 Monitoring Updates .............................................................................................................................................. 44
Updates repository ............................................................................................................................................... 44
Computer statuses ................................................................................................................................................ 44
Global status ........................................................................................................................................................ 46
Statistics and reports ............................................................................................................................................ 46
2.5 Rollback ................................................................................................................................................................ 48
Chapter 3. Interaction with the User............................................................................ 48
3.1 Password Protection .............................................................................................................................................. 48
Password protection in Kaspersky Endpoint Security .......................................................................................... 50
Configuring password protection for Network Agent .......................................................................................... 52
3.2 Local and Group Task Management via KES Interface ........................................................................................ 52
3.3 Local Notifications ................................................................................................................................................ 56
3.4 Technical Support Information ............................................................................................................................. 58
3.5 Concealing Kaspersky Endpoint Security ............................................................................................................. 58
Chapter 4. Out-Of-Office Computer Management......................................................... 60
4.1 Out-of-Office Policy Settings ............................................................................................................................... 62
4.2 Conditions of Switching into Out-of-office Mode ................................................................................................ 62
4.3 Update Settings in Mobile Mode .......................................................................................................................... 64
Chapter 5. Backup and Restore .................................................................................... 66
5.1 Backup Considerations.......................................................................................................................................... 66
5.2 Creating a Backup Copy ....................................................................................................................................... 68
How backup works in Kaspersky Security Center ................................................................................................ 68
Backup task settings ............................................................................................................................................. 68
5.3 Restoring Data from Backup Copy ....................................................................................................................... 70
Chapter 6. Statistics and Reports ................................................................................ 72
6.1 Introduction ........................................................................................................................................................... 72
Overview .............................................................................................................................................................. 72
Interconnection of monitoring tools ..................................................................................................................... 72
6.2 Computer Statuses and Selections......................................................................................................................... 73
Computer statuses ................................................................................................................................................ 73
Searching for computers ...................................................................................................................................... 74
Standard selections .............................................................................................................................................. 76
Custom selections ................................................................................................................................................. 76
6.3 Events and Event Selections ................................................................................................................................. 78
Local events .......................................................................................................................................................... 78
Events on the Administration Server .................................................................................................................... 80
Database maintenance ......................................................................................................................................... 82
Event notifications ................................................................................................................................................ 84
E-mail notification settings .................................................................................................................................. 84
SMS notification settings ...................................................................................................................................... 86
Executable file start ............................................................................................................................................. 86
Notification limits ................................................................................................................................................. 86
SNMP notification ................................................................................................................................................ 88
Event selections .................................................................................................................................................... 88
6.4 Reports and Statistics ............................................................................................................................................ 90
Reports ................................................................................................................................................................. 90
Statistics ............................................................................................................................................................... 94
Introduction
This unit covers the following aspects of Kaspersky Security Center 10 and Kaspersky Endpoint Security 10
operation:
Licensing and license management: most functions of the products in question are inaccessible without a license; that is why license installation is an important part of deployment. Since a license expires sooner or later, if the company decides to prolong the license, the administrator should quickly and efficiently distribute the new license to the computers.
Updates: the products can operate without updates, but protection efficiency declines quickly. That is why regular updating is an important part of endpoint protection maintenance.
Interaction with the user: users do not interact with Kaspersky Security Center (or even with the Network Agent), they only interact with Kaspersky Endpoint Security. Or rather, Kaspersky Endpoint Security may interact with the user. How much of Kaspersky Endpoint Security is exposed depends on the administrator-defined settings. There can be too much exposure, when users are overwhelmed with messages they do not understand, or too little interaction, when users are confused by hidden actions taken by Kaspersky Endpoint Security. That is why the various options, their values and trade-offs are worth discussing.
Out-of-office mode: when computers are outside the network, some of the protection settings need to be changed. E.g., none of the networks can be trusted; the users cannot rely on the administrator and must depend on themselves if security incidents occur; the update settings that are optimal within the network are not optimal outside, etc. Automating the configuration change depending on the computer location is an important aspect of protection management.
Backup and recovery: there is no need to explain why backup copying is necessary and important. Deployment and setup of the protection management system is a time-consuming process. The built-in backup tools of Kaspersky Security Center protect your time and effort.
Customizing monitoring tools: usually, the administrator cannot afford to look through events and reports in the Administration Console all day long. In practice, the administrator opens the console occasionally and for a short time. They need to quickly evaluate the network protection status and whether they need to take any action. Customizing the presentation of the monitoring tools may increase the efficiency of the administrator's work.
Chapter 1. License Management


1.1 What Is This Chapter About
This chapter covers various aspects of product licensing:
What a license is, and what attributes it has
In which cases a company has to purchase or update a license
Licensing schema for Kaspersky Lab products: Kaspersky Security for Business (KES4B)
Specifics of Kaspersky Security Center 10 and Kaspersky Endpoint Security 10 licensing
Product activation concept, activation methods of Kaspersky Lab products, keys and activation codes
Working with keys and activation codes in Kaspersky Security Center 10 and Kaspersky Endpoint Security 10
Gathering information about license use
Events and statuses concerning license use
1.2 Licensing Basics


License concept
A license is the limited right of the user (buyer, customer) to use the product. The limitations may include:
Licensing period: usually 1 year, but it may be a month, 6 months, 3 years, etc. Subscription licenses may not have a definite licensing period and assume continuous prolongation until the subscription is cancelled by either party
The number of computers: or, more precisely, the number of licensed objects, which are computers for Kaspersky Endpoint Security 10, but could also be mailboxes, megabytes of traffic, or non-computer devices for other products and license types
Types of licensed objects: for example, servers, workstations, mobile devices (smartphones, tablets); a license may allow using the product on workstations, but not on servers
Functionality: for example, anti-malware protection, encryption, mobile device management; Kaspersky Endpoint Security 10 and Kaspersky Security Center 10 include various functions, and a license may allow using some functions and prohibit others

License prolongation
Initially, a license is purchased together with the product to entitle its use. Later, another license can be purchased to
overcome one of the following license limitations:
Prolong: the most typical situation, when the company is satisfied with the product and it is necessary to renew the license to keep using it
Increase the number of computers: if the company grows and the number of computers is about to exceed the license limit
Extend functionality: if the need to use additional product functions has appeared in the company, for example, Encryption or automatic installation of Windows updates
Licensing of Kaspersky Endpoint Security for Business (KESB)
Simultaneously with the release of Kaspersky Endpoint Security 10 and Kaspersky Security Center 10, Kaspersky
Lab adopted a licensing schema called Kaspersky Endpoint Security for Business (or KESB for short). This
licensing schema is designed to organize and structure licensing options depending on the customer's needs.
KESB supports the following license bundles:

KESB Core
KESB Select
KESB Advanced
Kaspersky Total Security for Business

A license bundle can be used on several different products, e.g., Kaspersky Endpoint Security 10 and Kaspersky
Security Center 10, and allows a customer to use a specific set of functions within each product.
In addition to license bundles, licenses for individual products or functional areas (such as Mobile Devices
Management) can be purchased according to the Kaspersky Targeted Security licensing schema.

Kaspersky Endpoint Security 10 licensing


KESB license bundles allow using Kaspersky Endpoint Security 10 features as follows.
Core: the right to use the following functionality of Kaspersky Endpoint Security 10 only on workstations:

Virus Scan
File Anti-Virus
Mail Anti-Virus
Web Anti-Virus
IM Anti-Virus
System Watcher
Firewall
Network Attack Blocker
Vulnerability Scan
Vulnerability Monitor
Application Privilege Control
BadUSB Attack Prevention

Select: the right to use the following functionality of Kaspersky Endpoint Security 10 on servers and
workstations (considering system requirements):

Core functionality
Application Startup Control
Device Control
Web Control

Advanced: the right to use all functions of Kaspersky Endpoint Security 10 (including encryption) on
servers and workstations
The Kaspersky Total Security license bundle allows a customer to use the same functions of Kaspersky Endpoint
Security 10 for Windows as KESB Advanced.
Kaspersky Endpoint Security 10 for Windows is licensed by the number of protected devices.

Kaspersky Security Center 10 licensing


With regard to Kaspersky Security Center 10, the bundles include:
Core: the right to use typical protection and computer management functionality. The complete list of
functions covered by the Core license is too long to reproduce here; instead, the capabilities that require
the wider licenses are listed below
Select: the right to use the mobile device management functionality of Kaspersky Security Center 10,
including management of Kaspersky Endpoint Security 10 for Mobile and creation of mobile device
management servers based on Exchange ActiveSync and Apple MDM
Advanced: the right to use Systems Management functionality, such as:

Vulnerability assessment and patch management (reduced functionality is available in the Core license)
Creation and deployment of operating system images
Hardware and software inventory (reduced functionality is available in the Core license)
Network access control
License monitoring for applications by other manufacturers

In the context of Kaspersky Security Center 10, the Kaspersky Total Security license bundle does not add anything
to the KESB Advanced functionality. Kaspersky Total Security additionally allows customers to use Kaspersky Lab
products for perimeter protection and collaboration products.
The Core functionality is available in Kaspersky Security Center without activation. Using the Select or
Advanced features requires activating the Administration Server with a key or a code.
Kaspersky Security Center 10 is licensed by the number of managed devices.

1.3 Activation
General
A license formally allows a customer to use the product, but to actually start using it, you need to confirm this in
the product interface. This procedure is called activation.
When selling a license, the manufacturer passes a unique object to the customer: a special file or code, which
technically confirms the right to use the product.
The Kaspersky Lab products described in this course can be activated either with a file (a so-called key) or with
an activation code, with the same result: the product starts performing the functions covered by the license. There
are, however, some practical differences between keys and codes.

Activation key
A key file is almost self-sufficient from the activation point of view: the license limitations are specified
in the key file itself. The key file is digitally signed, so any attempt to modify the license parameters is
detected.
Key activation works on computers that rarely (or never) connect to the Internet. On the other hand, changing
the license parameters (renewal, extending the number of nodes, expanding functionality) requires a new key that
has to be redeployed to all computers.
When Kaspersky Lab suspects that a license key is used improperly (is found publicly available on the Internet, or
product instances connecting to the update server are widely geographically distributed), the key is black-listed.
The black list is distributed with regular signature updates. If the product finds its activation key in the black list, it
deletes the key and requires re-activation with another key (or code).

Activation code
A code does not contain any information about the license limitations.
Kaspersky Endpoint Security activated with a code sends the code to Kaspersky Lab activation servers, where
the code is matched to the issued licenses. The activation server finds the license restrictions for the code, forms
a so-called ticket and sends this ticket back to Kaspersky Endpoint Security. A ticket contains information about
the license and allows Kaspersky Endpoint Security to function within the license limitations.
Kaspersky Endpoint Security renews its ticket once every 24 hours. Activation servers keep track of the number of
issued tickets and, when the license limit is reached, stop issuing new tickets [1]. This way, Kaspersky Lab ensures that
licenses are used properly. Any instance of Kaspersky Endpoint Security that tries to get a ticket over quota will not get
one and will not protect the computer.
Starting with Kaspersky Endpoint Security 10 Service Pack 1, subscription licenses are supported. More details
about that will be given later in this chapter. With regards to keys and codes, subscription licensing is exclusively
based on codes, but not every activation code is designed for subscription licensing. The difference between
ordinary and subscription licenses is in how Kaspersky Endpoint Security and activation servers treat the code.

Activation proxy
To support activation with codes, the activation proxy service is implemented in Kaspersky Security Center. This
service redirects activation requests from the client computers running Kaspersky Endpoint Security 10 for
Windows to the Kaspersky Lab activation servers. So, if Kaspersky Security Center 10 is used for managing
protection, only the Administration Server requires access to the Internet.

[1] In fact, the threshold slightly exceeds the number of purchased licenses. This is done on purpose, to prevent maintenance
issues.

By default, Kaspersky Endpoint Security 10 for Windows tries to connect to the activation servers directly.
However, if KSC Network Agent 10 is installed on the computer, the behavior of Kaspersky Endpoint Security 10
for Windows changes: Kaspersky Endpoint Security 10 first tries to send activation requests to the Administration
Server, and only if the Administration Server is inaccessible, contacts the activation servers directly.
The activation proxy server accepts Kaspersky Endpoint Security 10 for Windows connections on port 17000.
The port can be modified in the Administration Server properties.

1.4 License Expiration


Key expiration
How does the product behave after the license expires? The answer depends on how it was activated.
If a commercial key expires, updates and KSN stop working. As a result, Kaspersky Endpoint Security keeps
working as before, but its databases gradually become obsolete and protection efficiency decreases considerably.
The control components also suffer, because categorization data for programs and web sites is also loaded together
with the updates or from KSN. License expiration does not affect Device Control.
This way there is no abrupt change in the protection level even if the new license is deployed several hours or days
after the old one expires.
If a trial key expires, all Kaspersky Endpoint Security functions stop working. Also, a trial key can be used only for
the first activation of the product. If the product was activated previously (regardless of the key type, commercial or
trial), it will not allow trial activation any more.
Before the first product activation, File Anti-Virus and Firewall work. The product can update once without
activation. Afterwards, the databases will gradually become obsolete.

Additional keys
When a license is about to expire, the company can purchase a new one. The problem is how to switch from one
license to another without a time gap and without reducing the effective license period of either license. You
would rather not replace the old license while there are still several days left of its licensing period. However, you
want to activate the new license before the old one expires.
Adding the new license as an additional one solves the problem. Additional keys and codes can be added in almost
all products by Kaspersky Lab. Once the active key expires, the product is automatically activated with
the additional key or code.
This approach guarantees smooth transition from the old key to the new one.
An alternative to installing keys or codes as additional is using the automatic license distribution feature, which will
be described later in this chapter.

1.5 Activation of Kaspersky Security Center 10 and Kaspersky Endpoint Security 10
Kaspersky Security Center 10 activation
Only the extended functions of Kaspersky Security Center Administration Server 10 available in KESB Select and
KESB Advanced licenses require activation. The Administration Server functions supported by the KESB Core
license do not need activation, it is sufficient to activate the managed products.
The Administration Server can be activated in the Quick Start wizard. If you specify a code or key intended for
the Administration Server (for example, a KESB Select license), it will automatically activate the corresponding
server functionality. If you specify a KESB Core license, the server will not be activated, because the server does
not need activation to use the functionality available within the framework of this license.
While the Quick Start wizard can be repeatedly started at any time, it is not the preferred method for adding a new
license. To activate the Administration Server, you can use the Keys section in the server properties window. You
can specify the active and additional license in this section. You can also replace or delete licenses as necessary.
The license for server activation via its properties can be selected among the licenses registered on the server.
The list of registered licenses is always available in the Advanced | Application management | Kaspersky Lab
licenses node. Licenses can be added to this list both by key and by code.
When looking through the list of registered licenses, you may wonder which one is intended for the Administration
Server. To find out, read the key's Application attribute to the end. It usually contains a descriptor such as Security
Center or Kaspersky Endpoint Security that indicates the key purpose.

Activation of Kaspersky Endpoint Security 10 via Kaspersky Security Center 10
Kaspersky Endpoint Security 10 can be activated automatically via Kaspersky Security Center. If there is
an appropriate code or key with automatic distribution enabled in the Advanced | Application management |
Kaspersky Lab licenses node, and the activation number limit has not been exceeded, the Administration Server
will automatically transfer this code or key to all managed computers where Kaspersky Endpoint Security 10 is not
activated.
Unmanaged Kaspersky Endpoint Security 10 would prompt the user if not activated. Managed instances will
suppress local prompts and send activation information via Network Agents to the Administration Server.
The key or code to be distributed can be added in the Quick Start wizard. To add keys later, in the Advanced |
Application management | Kaspersky Lab licenses node, click the Add key button. The key adding wizard
prompts the administrator whether to add code or key.
Licenses can be automatically distributed to the client computers where Kaspersky Endpoint Security 10 is not
activated. Newly added licenses have this option disabled by default. When several registered licenses are marked
for automatic installation, the earliest added license will be distributed first, and so on up to the latest. Note that this
refers to the time when the license was added to the repository, and has nothing to do with the license expiration
date.
Automatically deployed keys are sent to all managed computers. If a computer does not have an active license,
the automatically distributed key is activated on it. If an active license is already present, the automatically
distributed key is installed as an additional one. If a computer already has both an active and an additional license,
the automatically distributed key is not installed.
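The distribution rules above are easier to check against a concrete fleet. The following Python model is an added example, not code from the course or from Kaspersky Lab: the host and key names, the dates, and the assumption that only hosts on which the key is the active (main) key count against the node limit are constructed for illustration.

```python
"""Model of the automatic key distribution rules described above.

Added illustration, not Kaspersky Security Center code. Host and key names,
the 'added' dates and the node-limit counting rule are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class RegisteredKey:
    name: str
    added: date          # when the key was added to the repository, not its expiry
    auto_deploy: bool    # "Automatically deploy key to managed computers"
    node_limit: int      # purchased number of nodes


@dataclass
class Host:
    name: str
    active: Optional[str] = None      # name of the active key, if any
    additional: Optional[str] = None  # name of the additional (reserve) key, if any


def active_count(key: RegisteredKey, hosts: List[Host]) -> int:
    """Hosts on which this key is the active one (assumed to be what the limit counts)."""
    return sum(1 for h in hosts if h.active == key.name)


def distribute(keys: List[RegisteredKey], hosts: List[Host]) -> List[Tuple[str, str, str]]:
    """Apply the rules from the text and return (host, key, action) decisions.

    - only keys marked for automatic deployment are sent, earliest added first;
    - a key is no longer sent as active once its node limit is reached;
    - a host with no active key activates the key;
    - a host with an active key but no additional key stores it as additional;
    - a host that already has both an active and an additional key is skipped.
    """
    decisions = []
    for key in sorted((k for k in keys if k.auto_deploy), key=lambda k: k.added):
        for host in hosts:
            if key.name in (host.active, host.additional):
                decisions.append((host.name, key.name, "already present"))
            elif host.active is None:
                if active_count(key, hosts) >= key.node_limit:
                    decisions.append((host.name, key.name, "limit reached"))
                else:
                    host.active = key.name
                    decisions.append((host.name, key.name, "activated"))
            elif host.additional is None:
                host.additional = key.name
                decisions.append((host.name, key.name, "added as additional"))
            else:
                decisions.append((host.name, key.name, "skipped"))
    return decisions


def sample_fleet() -> List[Host]:
    """Constructed fleet: a fresh install, an activated host, and a host with a reserve key."""
    return [
        Host("ws-01"),
        Host("ws-02", active="key-2014"),
        Host("ws-03", active="key-2014", additional="key-spare"),
    ]


def sample_keys() -> List[RegisteredKey]:
    """Two keys marked for automatic deployment (key-A was registered first) and one that is not."""
    return [
        RegisteredKey("key-B", date(2015, 11, 1), auto_deploy=True, node_limit=5),
        RegisteredKey("key-A", date(2015, 3, 1), auto_deploy=True, node_limit=5),
        RegisteredKey("key-C", date(2015, 12, 1), auto_deploy=False, node_limit=5),
    ]


if __name__ == "__main__":
    fleet = sample_fleet()
    for decision in distribute(sample_keys(), fleet):
        print(decision)
    for host in fleet:
        print(host)
```

Running the sample shows the ordering effect: the fresh host ws-01 ends up with key-A active and key-B as additional because key-A was registered earlier, ws-02 keeps its old active key and receives key-A as additional, and ws-03 is left untouched; key-C is never sent because it is not marked for automatic deployment.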
When you specify a code in the wizard, the wizard tries to connect to Kaspersky Lab activation servers to verify
the code and download the license information. Depending on the license parameters on the Activation Servers,
the Administration Server may automatically download the license keys associated with the license. As a result,
the repository will contain the code item and possibly one or several key items, all linked to the same license.
The administrator can then choose whether to use the code or a key for Kaspersky Endpoint Security activation.
If the administrator chooses to use the code for client computer activation, then each instance of Kaspersky Endpoint
Security will need to connect to the Activation Servers to receive a ticket. Kaspersky Endpoint Security will try to
use the Activation proxy on the Administration Server, or connect to the Activation Servers directly if the proxy is
unavailable (for example, if the computer is out of the office).
Note that when a code is registered in the repository and verified via Kaspersky Lab Activation Servers, tickets are
not yet issued. They are handed out only when the code is used for activating either Kaspersky Endpoint Security or
Kaspersky Security Center Administration Server. Also note that the Administration Server has no information from
the Activation Servers about the number of issued tickets. The Administration Server tracks license use by the
license information received from the managed computers. There can be a mismatch in the license use data if
the same code is also utilized on unmanaged computers.
Registered keys and codes can be exported from the repository as key files or as text files containing the code. These can
be used for local activation, if necessary, or for backup purposes.

Key installation task


Sometimes it is necessary to install a specific key on a specific computer or a group of computers. Automatic
distribution would not serve this purpose. Instead, you can create an Add key task.
This task can be created using the typical task creation wizard in a group or in the Tasks node. You can also click
the Deploy key to managed computers button in the Advanced | Application management | Kaspersky Lab
licenses node; in this case, the wizard displays fewer steps.
If two products require different Console plugins to be managed, they require different Add key tasks as well.
For example, Kaspersky Endpoint Security 10 Service Pack 1 and Kaspersky Endpoint Security 10 Maintenance
Release 1 have independent plugins. Therefore, a task that adds a key to Kaspersky Endpoint Security 10 SP1 would not run
on Kaspersky Endpoint Security 10 MR1, and vice versa.
In the task creation wizard or later in the task properties, you can select a license either from the list of registered
keys and codes (in the Advanced | Application management | Kaspersky Lab licenses node) or from a file. There
is an option in the task that allows installing the selected key or code as an additional key. This option is enabled by
default, because the main license is supposed to be installed through the automatic installation feature (an option in
the key or code properties).

Activating Kaspersky Endpoint Security 10


Kaspersky Endpoint Security 10 automatically prompts the user for a license after an interactive installation. If this
step is postponed, the license can be added or replaced later via the Kaspersky Endpoint Security 10 interface: in
the lower part of the main program window, there is the License link, which opens the window for managing keys
and codes.
The use of interactive installation and local Kaspersky Endpoint Security 10 interface is not a common scenario
within a corporate network. The administrator is supposed to use Kaspersky Security Center 10 management system
tools both for the installation of Kaspersky Endpoint Security 10 and for its activation.

1.6 Information About Licenses


Licenses in the Administration Console
All keys used on the network computers are displayed in the Advanced | Application management | Kaspersky
Lab licenses storage. Select a key or code to view its characteristics in the lower-right pane:

License type: commercial, not for resale, trial, for beta-testing, etc.
The products covered by the license
Licensing period
Node limitation
Expiration date
The number of computers where the license is used as the main
The number of computers where the license is used as the reserve

In the properties of each key, you can find names of the hosts where the key is installed.
The key icon informs about the following:

Gray icon, no stripes: this key is used on client computers, but is not registered on the
Administration Server, i.e. this key cannot be installed from the Administration Server onto other network
computers or exported into a file

Colored icon, no stripes: this key is registered on the Administration Server and can be installed on
other client computers, but is not marked for automatic installation

Colored icon, three green stripes: this key is registered on the Administration Server and marked
for automatic installation on client computers

The information about used keys and codes represented in Kaspersky Security Center is calculated based on the data
received from the Network Agents. If a license is used on a computer that is not connected to the server, this
information will not be available in the Administration Console.

Functionality limitation data


Since the release of Kaspersky Security Center 10 and Kaspersky Endpoint Security 10, the functionality that
the license activates in the product became an important parameter. Previously, product functionality was not
limited by licenses. The key for Kaspersky Endpoint Security 8 for Windows typically activates all functions of
Kaspersky Endpoint Security 8 for Windows.
Core, Select and Advanced licenses activate different sets of functions in Kaspersky Endpoint Security 10 and
Kaspersky Security Center 10. Also, targeted licenses are available that may activate a specific set of functions in
a product.
You can view the license's functionality limitations in the properties of the corresponding key or code in
the Advanced | Application management | Kaspersky Lab licenses node of the Administration Console, or in
the Keys section of the application properties (Administration Server or Kaspersky Endpoint Security).

Key usage report


Most of the information about the keys that the administrator would ever need is available in the Advanced |
Application management | Kaspersky Lab licenses node. However, sometimes this information should be
presented to the managers in a readable report. Such a report can be found on the Reports tab of the Administration
Server node. Alternatively, you can click the Additional actions button in the Advanced | Application
management | Kaspersky Lab licenses node.
The Key usage report contains structured data on the number of used keys and the complete list of computers with
detailed information on each key (their installation and expiration dates). The report template can be modified to
limit the report scope to any group of computers or simply to remove irrelevant or less important details from the
tables.

Computer statuses
If the license is about to expire or has expired on a computer, the administrator should pay attention. The computer
statuses configured in the administration group properties are designed to attract the administrators attention.
Two status conditions relate to licenses:
License term expired: sets the computer status to Critical. By default, the condition is triggered after 0
days, that is, right after the license expires. It can be configured to trigger several days after the license
expiration, so that an additional key can take over automatically without wasting the administrator's time
License term expires soon: sets the computer status to Warning. By default, it is triggered 7 days before
the expiration, but this parameter is adjustable
When the license that activates the Administration Server is about to expire, a pop-up message is displayed to
the administrator every time the Administration Console starts. Upcoming expiration is also indicated in the
Deployment area of the Monitoring tab of the Administration Server node.

Kaspersky Endpoint Security 10 events


In addition to statuses, there are licensing events, which you can see in the client computer properties, or in the event
selections. The events are generated by client computers and Administration Server.
Storage and notification settings of client computer events are configured in the Kaspersky Endpoint Security
policy. The following events relate to licenses:
License agreement violated: a critical event that means that the current key is blacklisted and blocked
License has almost expired: a critical event generated shortly before the license expiration
Black list of keys corrupted or not found: a functional failure (error) event that means that the product
cannot validate the license because the black list of keys is absent, and all functions except for updates are
temporarily inoperative
License expires soon: a warning event

Kaspersky Security Center 10 events


Administration Server events inform about exceeding the node limitation:
License restriction has been exceeded: there are two events with this name, critical and warning.
The critical event is generated when the number of installations reaches 110% of the license limit.
The warning informs of reaching the limit (100%)
Over 90% of this key is used up: an informational message
In an informal sense, all of these events are informational, since the Administration Server does not take any
measures if the license limit reaches either 100% or 110%. If keys are used for activation, the administrator can
distribute them with a key installation task to any number of computers.
However, if the Automatically deploy key to managed computers check box is selected in the key properties,
the Administration Server will not only distribute it to computers, but also remove the key from excessive computers
if the license limit is surpassed.
If activation codes are used, the activation server will stop issuing tickets for the product after the license limit is
reached.
The administrator cannot find out how many tickets the activation server has issued, but he or she can
view how many of the managed computers use the code. The same code may also be in use on unmanaged
computers; so if the console reports 90% of the key used up, at least 90% of the tickets have been issued, and
possibly more. The event informing about reaching the 100% limit on the managed computers means that some
computers holding this code have already failed to receive a ticket and are not protected by Kaspersky Endpoint Security 10.
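The gap between what the Activation Servers know and what the Administration Server can see is worth working through on numbers. The following Python model is an added example, not code from the course or from Kaspersky Lab: the quota, the small overage slack (the text only says the threshold slightly exceeds the purchased count), the host names, and the assumption that the console counts managed hosts on which the code is installed are constructed for illustration.

```python
"""Model of the ticket accounting gap between Activation Servers and the console.

Added illustration, not Kaspersky code. Quota, slack, host names and the
console counting rule are constructed assumptions for this example.
"""
from typing import List, Set, Tuple


class ActivationServer:
    """Issues one ticket per host for a code until quota + slack tickets are outstanding."""

    def __init__(self, quota: int, slack: int = 0) -> None:
        self.quota = quota
        self.slack = slack          # assumed small allowance above the purchased count
        self.tickets: Set[str] = set()  # hosts currently holding a ticket

    def request_ticket(self, host: str) -> bool:
        if host in self.tickets:    # 24-hour renewal of an existing ticket always succeeds
            return True
        if len(self.tickets) >= self.quota + self.slack:
            return False            # over quota: no ticket, so no protection on that host
        self.tickets.add(host)
        return True


class AdministrationServer:
    """Sees only what Network Agents report: which managed hosts have the code installed."""

    def __init__(self, managed: Set[str], quota: int) -> None:
        self.managed = managed
        self.quota = quota
        self.installed: Set[str] = set()

    def report_code_installed(self, host: str) -> None:
        if host in self.managed:    # unmanaged hosts never report to the console
            self.installed.add(host)

    def usage_percent(self) -> float:
        return 100.0 * len(self.installed) / self.quota

    def events(self) -> List[str]:
        """Thresholds from the text: 90% information, 100% warning, 110% critical."""
        pct = self.usage_percent()
        if pct >= 110:
            return ["critical: License restriction has been exceeded"]
        if pct >= 100:
            return ["warning: License restriction has been exceeded"]
        if pct >= 90:
            return ["information: Over 90% of this key is used up"]
        return []


def simulate(order: List[str], managed: List[str], quota: int,
             slack: int = 0) -> Tuple[float, List[str], List[str]]:
    """Activate hosts in the given order; return (console %, console events, hosts denied a ticket)."""
    server = ActivationServer(quota, slack)
    console = AdministrationServer(set(managed), quota)
    denied = []
    for host in order:
        got_ticket = server.request_ticket(host)
        console.report_code_installed(host)
        if not got_ticket:
            denied.append(host)
    return console.usage_percent(), console.events(), denied


MANAGED = [f"ws-{i:02d}" for i in range(1, 11)]   # ten managed workstations (constructed)
UNMANAGED = ["lab-01", "lab-02"]                   # same code, not under the Administration Server


if __name__ == "__main__":
    # Unmanaged hosts activate first: the console reads 100%, yet managed ws-10 is unprotected.
    print(simulate(UNMANAGED + MANAGED, MANAGED, quota=10, slack=1))
    # Managed hosts activate first: same console reading, but the denial hits an unmanaged host.
    print(simulate(MANAGED + UNMANAGED, MANAGED, quota=10, slack=1))
```

Both runs produce the same console reading (100%, one warning event), but in the first a managed workstation is silently left without a ticket and in the second the loss falls on a host the console never sees. The check a practitioner wants, therefore, is not the console percentage alone but a search for Kaspersky Endpoint Security instances reporting that activation failed.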

1.7 Subscription Licenses


Starting with Service Pack 1 of Kaspersky Endpoint Security 10 and Kaspersky Security Center 10, subscription
licenses are supported. The key idea is that license parameters can be changed without reinstalling the license. E.g.,
there is no effective license expiration, and the number of nodes as well as the supported functionality can be
changed in the license properties on the Activation Server side.
Another important aspect of subscription licensing is shorter payment intervals. With traditional licenses,
payments are typically made once a year to renew the license. With subscription licenses, there is no effective end
date for the license [2]; it remains active as long as the customer pays and until either of the parties (the customer,
the partner who sold the subscription license, or Kaspersky Lab) decides to cancel the subscription. The payment
period can be as short as a month or a quarter.
The background mechanics of subscription licensing is essentially the same as described for activation codes.
The difference is in the license properties on the Activation Servers. With traditional licensing, the properties are
fixed, whereas with subscription licensing they are flexible.
The customer can request changing the subscription parameters as necessary:
Increase or reduce the number of nodes
Increase or reduce the functionality level
Suspend or renew the subscription
These changes are displayed in the license properties on the Activation Servers and the next time Kaspersky
Endpoint Security renews its ticket it will receive the new license restrictions. This can result in additional
components becoming active or inactive.
In the Administration Console, information about subscription licenses is displayed the same way as about
traditional ones. If the subscription is unlimited, there would be no expiration date. License limitations (nodes and
functionality) are automatically synchronized with the Activation Servers once every 24 hours. There is also a link
in the Advanced | Application management | Kaspersky Lab licenses node that allows synchronizing this
information manually (click the Additional actions button and then follow the corresponding link).
A subscription can have a grace period: a span of time officially allowed for payment, during which the product
keeps functioning after the previous paid period is over. For example, the customer pays monthly and the last paid
month is July. If the grace period is, say, 14 days, Kaspersky Endpoint Security will work with full (licensed)
functionality until the 14th of August. After the grace period expires (and if there is still no payment for
August), Kaspersky Endpoint Security stops updating and disables the control components, but keeps
the protection components running.
Subscription licenses presume that there is a third party between the customer and Kaspersky Lab. This can be
a Service Provider who manages the customer's network, or an Internet Service Provider who additionally delivers
anti-malware services to their customers, or even a supermarket chain that sells licenses along with boxed products.
Let us call all of them Service Providers. The customer is supposed to negotiate all subscription-related
questions with the Service Provider, who is able to update the subscription's parameters on the Activation
Servers (indirectly, though the exact details are not important here).
It is possible to switch from traditional licensing to subscription and back, if necessary. Switching to
subscription licensing is a matter of installing the corresponding activation codes. To switch back to normal licenses,
install an ordinary code or key as an additional license. Once the grace period of the subscription license expires,
the computers switch to the new license.

[2] To be more precise, there can be one, but not necessarily. Subscriptions may have a time limit.

Chapter 2. Updates
2.1 Overview
Version 10 of Kaspersky Security Center and Kaspersky Endpoint Security together form a multifunctional suite
that solves many distinct types of tasks.
During its operation, much data is transferred from the Administration Server to the client computers, a large part of
which can be considered as updates. These include traditional malware signature updates, KL categories for
application startup control, module updates of Kaspersky Security Center and Kaspersky Endpoint Security,
Windows Updates, updates for 3rd-party applications, and latest information from the KSN database.
This chapter considers only some of these update types: signature updates of Kaspersky Endpoint Security, and
module updates of Kaspersky Endpoint Security and Kaspersky Security Center. Windows updates and updates of
3rd-party programs are described in course KL 009.10 Systems Management, and KSN in Unit II of this course.
In other words, this chapter is devoted to two tasks:
Download updates to the repository (Kaspersky Security Center)
Update (Kaspersky Endpoint Security)
In this chapter, the term update means updates downloaded and distributed by these two tasks.

Update types
Kaspersky Endpoint Security, which uses the majority of updates, requires two types of updates:
Signature database updates, which include malware signatures, network attack descriptions, databases of
suspicious and phishing web addresses, banner databases, Anti-Spam databases, etc., are issued regularly,
hourly on average, and their installation normally does not require a restart. Crucial for protection, they must
always be up to date.
The major part of the database is downloaded during the first update or if updates have not been
downloaded for a long time: for example, if an employee was on vacation for a month and the computer
was powered off. Later, only the changes will be downloaded. The typical volume of an hourly update can
be from several hundreds of kilobytes to a couple of megabytes.
Usually, the computer does not need to be restarted to be able to use new signature databases. If
the necessity arises, the Restart required to complete the task event will be sent to the Server, and the user
will see the corresponding notification in the local interface. This event is not critical, that is why
the computer is not restarted automatically, and Kaspersky Endpoint Security just waits for the restart.

Module updates are updates to program modules meant to improve performance and fix the problems
discovered in the product. These updates are released less frequently. In other words, these are fixes for
Kaspersky Endpoint Security, Network Agent, and Administration Server program modules. Sometimes
module updates change the components' behavior and even introduce new functionality
A module update is a more risky intervention than signature updates. In some companies, any update that
involves executable code requires testing and approval. Kaspersky Endpoint Security 10 SP1 and
Kaspersky Security Center 10 SP1 support this practice by allowing the administrator to mark updates as
Approved (the options include Approved, Declined and, by default, Undefined) and to configure update
tasks to deploy only the approved updates.
Older versions of Kaspersky Endpoint Security and Kaspersky Security Center do not support this
mechanism. To test module updates before installing them on older versions, the administrator can create
separate tasks for signature updates and module updates, and run the module update task manually only
after the updates have been tested and approved.
Kaspersky Endpoint Security 10 Service Pack 1 module updates can be either critical or non-critical. This
classification is applied at Kaspersky Lab and reflects the updates importance for computer protection.
Updates that fix severe bugs or help protect against new threats are critical.

Update management
In a centralized protection system, updates are distributed centrally.
This helps to decrease external traffic since updates are downloaded only once into the network. Also,
administrators have more control over the update process.
The simplest scenario is where updates are downloaded to the repository on the Administration Server and then
distributed to client computers. More complex scenarios, with intermediate distribution sources, are described in
course KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills.
Centralized updates in Kaspersky Security Center 10 and Kaspersky Endpoint Security 10 are based on two tasks,
one of which downloads updates to the repository, and the other which distributes them to the endpoints:
Download updates to the repository is a task of the Kaspersky Security Center Administration Server; only one task of this type can exist on the server
Install update is a task of Kaspersky Endpoint Security; any number of such tasks may exist, but usually one or two tasks per group are configured

Unit IV. Maintenance


KASPERSKY LAB
KL 002.10. Kaspersky Endpoint Security and Management. Fundamentals

2.2 Updating Server Repository


The task that updates the Administration Server repository is named Download updates to the repository. The Quick Start wizard creates this task automatically. It can be found in the Administration Console in the Tasks node.
You can have only one task of this type. If it is already present, the task creation wizard doesn't allow creating another one. However, it is possible to delete the automatically created Download updates to the repository task and create a new one for troubleshooting.
The settings of that task include the schedule, the update sources, connection parameters, the list of updates to be
downloaded and a few additional options.

Schedule
Since there can only be one such task, it is recommended to schedule it to run regularly at small intervals ranging
from 15-20 minutes to several hours. The default value is 1 hour.

Sources
The following update sources are possible:
Kaspersky Lab update servers: a list of FTP and HTTP servers officially maintained by Kaspersky Lab. These servers are located in various countries worldwide to help ensure a highly reliable updating procedure. If the task cannot connect to a server, it tries the next one in the list. The list of servers is downloaded together with the other updates
Master Administration Server: this option is used if there are several Administration Servers connected in a hierarchy (described in detail in course KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills)
Local or network folder: an update source created by administrators. You may specify not only a network folder, but also an FTP or HTTP address
The task can have several different sources organized in a list. If the first source turns out to be inaccessible, the task attempts to download updates from the next. The Kaspersky Lab update servers source is considered inaccessible only if none of the known servers is available.

Connection parameters
You may need to specify proxy server parameters for the update sources. All sources share the same proxy server. If some sources are accessed without it, enable the Do not use proxy server option in their properties.
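The fallback order described above, modelled as an added example (not Kaspersky Lab code): sources are tried in list order, the Kaspersky Lab update servers entry counts as inaccessible only when every server in it fails, and a source with Do not use proxy server selected bypasses the server-wide proxy. The server names, the share path and the proxy address are constructed placeholders, and the network is replaced by an offline stub.

```python
"""Source fallback of the Download updates to the repository task.

Added illustration, not Kaspersky Lab code. Sources are tried in list order.
The Kaspersky Lab update servers entry is a group of servers and counts as
inaccessible only when every server in it fails; a folder or master server
is a single address. The proxy is one server-wide setting, but each source
has its own 'Do not use proxy server' flag. Network access is replaced by a
caller-supplied fetch function so the model runs offline.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class UpdateSource:
    name: str
    addresses: List[str]     # several for the KL server group, one for a folder or master server
    use_proxy: bool = True   # False means 'Do not use proxy server' is selected for this source


@dataclass
class Attempt:
    source: str
    address: str
    proxy: Optional[str]
    ok: bool


def download_updates(sources: List[UpdateSource],
                     fetch: Callable[[str, Optional[str]], bool],
                     proxy: Optional[str] = None) -> Tuple[Optional[str], List[Attempt]]:
    """Return (address that delivered the updates or None, log of attempts).

    A source is abandoned only after all of its addresses failed; the next
    source in the list is then tried. fetch(address, proxy) returns True on success.
    """
    attempts: List[Attempt] = []
    for src in sources:
        proxy_for_src = proxy if src.use_proxy else None
        for address in src.addresses:
            ok = fetch(address, proxy_for_src)
            attempts.append(Attempt(src.name, address, proxy_for_src, ok))
            if ok:
                return address, attempts
    return None, attempts


# Constructed sample. The host names are placeholders, not real Kaspersky Lab servers.
KL_SERVERS = UpdateSource("Kaspersky Lab update servers", [
    "http://dnl-01.example.invalid/",
    "http://dnl-02.example.invalid/",
    "ftp://dnl-03.example.invalid/",
])
LOCAL_SHARE = UpdateSource("Local or network folder", [r"\\fileserver\Updates"], use_proxy=False)
CORPORATE_PROXY = "proxy.corp.example:3128"  # assumed proxy, as set in Configuring Internet access


def offline_fetch(reachable):
    """Stand-in for the network: only addresses in `reachable` succeed."""
    reachable = set(reachable)
    return lambda address, proxy: address in reachable


def scenario(reachable):
    """Run the task against the two constructed sources with a given set of reachable addresses."""
    return download_updates([KL_SERVERS, LOCAL_SHARE], offline_fetch(reachable), CORPORATE_PROXY)


if __name__ == "__main__":
    # Two of three KL servers down: the group is still accessible, the share is never touched.
    winner, log = scenario({"ftp://dnl-03.example.invalid/"})
    print(winner, [a.ok for a in log])
    # Every KL server down: only now does the task fall through to the share, and it goes there without the proxy.
    winner, log = scenario({r"\\fileserver\Updates"})
    print(winner, log[-1].proxy)
```

The point to take from the log is that a single unreachable Kaspersky Lab server never triggers the fallback; only the exhaustion of the whole group does, which is why a share listed as a backup source is rarely touched while Internet access works.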


The proxy server address, port and authentication parameters (user name and password) are specified in the Administration Server properties, in the Advanced | Configuring Internet access section. These settings are used both for downloading updates and for KSN requests.

Updates list
Administrators can choose the types of updates to be downloaded in the Updates content window. By default,
Kaspersky Security Center detects the required updates automatically, depending on the products installed on
the client computers, and the products for which it has installation packages. This behavior is determined by
the Autodetect updates list option.
Alternatively, administrators can manually select the updates for downloading. This may be necessary if the server
updates folder functions as an update source for both managed computers and, for example, Kaspersky Anti-Spam
for Linux Mail Servers. In this case, enable the Force downloading of the following types of updates option and
select the corresponding update types. Some update types available in this list relate to obsolete products and are not
currently used.

Network Agent module updates


Before we proceed to the tasks that distribute Kaspersky Endpoint Security updates to the client computers, let's complete the overview of the Download updates to the repository task settings. Specifically, the Network Agent update download parameters, which are located in the Settings section, Other settings area. The Update Network Agent modules parameter controls updating of Network Agents up to version 10 SP1 inclusive.
Unlike Kaspersky Endpoint Security updates, which are distributed by special tasks, Network Agent updates are
distributed automatically as soon as the Agents connect to the Server.
If automatic installation of module updates is unwanted (for example, on the servers) for Network Agents (up to
version 10 SP1 inclusive), disable the corresponding parameter in the properties of the Download updates to the
repository task. Since only one task of this type exists, module updates of Network Agents up to version 10 SP1
inclusive will or will not be installed in the whole network. You cannot enable installation of these updates in some
groups and disable in others.
Other settings in that category pertain to the organization of updates in the hierarchy; they are described in course
KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills.
Update settings for Network Agents version 10 SP2 and later are located in the Settings section of the Network
Agent policy. The parameter is named Install applicable updates with Undefined approval. If this check box is
selected, the Administration Server will automatically distribute updates to Network Agents. If cleared,
the Administration Server will distribute only the updates approved by the administrator. The check box is selected
by default.
To approve an update, find it in the Advanced | Application management | Software updates node, open, and in
the Update approval drop-down list, select Approved.
The administrator can always prohibit installing an update even if automatic updates are configured in the policy.
Open the update properties and set the Update approval parameter to Declined.


2.3 Updating Client Computers


Group tasks
Updates from the Administration Server repository are distributed to the client computers by group update tasks. To ensure coverage of all managed computers, an update task must be a group task created in the Managed computers node. The Quick Start wizard creates a task of this type: Install update. If computers are divided into groups and the optimal updating procedure differs between groups, you can create a customized update task for each group.
Keep in mind that if both a parent and a child group have tasks of the same type, the computers of the child group will run both tasks. This will most likely result in errors, since a second update task cannot start while one is already running. To avoid that, either delete the task in the parent group, disable its scheduled start, or exclude the subgroups that have their own tasks from the parent task's scope.
Note: If earlier or other Kaspersky Endpoint Security versions (for example, Kaspersky Endpoint Security for Mac
or Kaspersky Endpoint Security 8 for Windows) are used in your network, they need separate update tasks.
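To see how the parent and child tasks overlap, and what each remedy does to the scope, here is an added example (not Kaspersky Lab code) that resolves the effective update tasks for each group of a constructed hierarchy. Group and task names are assumptions; the only thing modelled is the scoping rule from the text: a group task covers its group and every subgroup unless the subgroup is excluded.

```python
"""Effective update-task scope in the group hierarchy.

Added illustration, not Kaspersky Lab code. A group task covers its group
and all subgroups, so a subgroup with its own update task also inherits
the parent's, and two update tasks cannot run at once. The model applies
the remedies named above: disable the parent task's schedule, or exclude
the subgroup from the parent task's scope. Group names are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class GroupTask:
    name: str
    group: str                                   # group the task was created in
    scheduled: bool = True                       # False: scheduled start disabled
    excluded_subgroups: Set[str] = field(default_factory=set)


def path_to_root(group: str, parent_of: Dict[str, Optional[str]]) -> List[str]:
    """[group, parent, grandparent, ..., root]."""
    path = []
    current: Optional[str] = group
    while current is not None:
        path.append(current)
        current = parent_of[current]
    return path


def update_tasks_for(group: str, tasks: List[GroupTask], parent_of) -> List[str]:
    """Names of the scheduled update tasks that will run on computers of `group`."""
    path = path_to_root(group, parent_of)
    effective = []
    for task in tasks:
        if not task.scheduled or task.group not in path:
            continue
        # Groups strictly below the task's group on the way down to `group` (inclusive).
        # If any of them is excluded from the task, the task does not reach these computers.
        below_task_group = path[:path.index(task.group)]
        if task.excluded_subgroups.intersection(below_task_group):
            continue
        effective.append(task.name)
    return effective


def conflicting_groups(tasks, parent_of) -> Dict[str, List[str]]:
    """Groups whose computers would run more than one update task."""
    result = {}
    for group in parent_of:
        names = update_tasks_for(group, tasks, parent_of)
        if len(names) > 1:
            result[group] = names
    return result


# Constructed hierarchy: Managed computers is the root, as in the console.
PARENT_OF = {
    "Managed computers": None,
    "Workstations": "Managed computers",
    "Laptops": "Workstations",
    "Servers": "Managed computers",
}
WIZARD_TASK = GroupTask("Install update", "Managed computers")     # created by the Quick Start wizard
SERVER_TASK = GroupTask("Install update (servers)", "Servers")      # a custom task for one subgroup


def before_fix():
    """Servers inherit the wizard task and also have their own: a conflict."""
    return conflicting_groups([WIZARD_TASK, SERVER_TASK], PARENT_OF)


def after_exclusion():
    """Remedy: exclude Servers from the wizard task's scope."""
    fixed = GroupTask("Install update", "Managed computers", excluded_subgroups={"Servers"})
    return conflicting_groups([fixed, SERVER_TASK], PARENT_OF)


def after_disabling_schedule():
    """Remedy: disable the parent task's schedule. Note the side effect on Laptops."""
    disabled = GroupTask("Install update", "Managed computers", scheduled=False)
    return update_tasks_for("Laptops", [disabled, SERVER_TASK], PARENT_OF)
```

The last function shows the caveat of the second remedy: disabling the schedule of the Managed computers task removes the conflict for Servers, but leaves every subgroup without its own task (here Laptops) with no scheduled update at all. Excluding the subgroups from the parent task's scope avoids that.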
Each product update task has its own schedule and settings, including:
The list of update sources
The list of updates
The settings used to copy updates to a specified folder
The list of subgroups on whose computers the task will not run
The simplest method is to copy a task and then modify its settings.


Schedule
The standard schedule for Kaspersky Endpoint Security update tasks is When new updates are downloaded to the repository. Unlike a periodic schedule, where Kaspersky Endpoint Security itself determines the start time and starts the task regardless of whether the Administration Server can be reached, the When new updates are downloaded to the repository schedule means that the task is always started by an Administration Server command.
The Administration Server sends a wake-up call to UDP port 15000 of all affected client computers to tell them that there are new settings for them. Network Agents listen on this port, and upon receiving the call they connect to the Administration Server and download whatever new settings are available. In this particular case, the Agents receive the update task start command and pass it to Kaspersky Endpoint Security. If the wake-up call doesn't reach some computers, they receive the command during the next planned synchronization, performed every 15 minutes (the period is defined in the Network Agent policy).
The When new updates are downloaded to the repository schedule guarantees that the client computers receive updates as soon as possible without polling the server. Alternatively, a simple periodic schedule can be used (for example, once an hour).
To prevent serious peak loads on the update source and the network at the moment of task start, randomization of
the task launch within a certain interval is used. E.g., if the 5-minute interval is selected, the computer will begin
the next scheduled update after a random delay ranging from 0 to 5 minutes.
By default, the Administration Server automatically defines the randomization interval depending on the number of
computers in the group. The administrator can also specify it manually.

Sources
To specify the list of sources, open the Properties section of the task properties and click the Settings button.
Updates can be retrieved from the following sources:
Kaspersky Security Center: the recommended source for all managed computers, and the natural source for the When new updates are downloaded to the repository schedule
Kaspersky Lab update servers: the recommended source for computers outside the corporate perimeter, or a backup source if the specified Administration Server is not accessible. However, administrators often prefer the computers to wait for the Administration Server connection rather than generate extra Internet traffic
Local or network update folder: another option for backup update sources. An HTTP or FTP address may be specified instead of a network folder. For example, if there are several Administration Servers in the network (described in course KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills), HTTP addresses of update folders located on other servers can be used as backup sources
Updates are retrieved from the Administration Server by the Network Agents. With the update servers of Kaspersky
Lab or other FTP or HTTP locations, updates are downloaded over standard network protocols. If a proxy server is
required for accessing the source, its parameters are specified in the policy of Kaspersky Endpoint Security (in
the Advanced Settings | Application Settings section). By default, an automatically detected proxy server is used.
In the update task properties you can configure copying updates into a separate folder. This mode can be used for
creating an update source in small networks or subnets without their own Administration Server. In larger networks,
update agents are used to create intermediate update sources. Update agents are created automatically for every
group that contains more than 100 computers (for more details, refer to course KL 302.10 Kaspersky Endpoint
Security and Management: Advanced Skills.)


Module updates
Signature updates are always downloaded by an update task. There is no way to disable this as there is little sense in
doing so. Module updates are more configurable.
Kaspersky Endpoint Security can do without module updates. Unless there is a critical issue that needs to be fixed,
you can keep using Kaspersky Endpoint Security without updating its modules until a new major version comes out.
Still, module updates can be useful. They can improve computer performance, increase protection efficiency and
add new functionality to the product. Often benefits outweigh the risks. And the risks can be mitigated by testing
the updates and installing only approved ones.
The possible choices regarding module updates are:
Download updates of application modules: enabled by default. Can be disabled in groups where computers are extremely sensitive to changes, e.g., groups with important servers
Install critical and approved updates: installs the updates marked as approved by the administrator, and also the updates marked as critical by Kaspersky Lab without the administrator's approval. Installing unapproved updates may be risky because unforeseen issues might arise
Install only approved updates (the default choice)
How does the administrator approve an update? All available updates can be found in the Advanced | Application management | Software updates node. It contains a lot of updates, including Windows updates and updates to third-party applications. Use filters to find Kaspersky Lab application module updates.
To approve an update, select it in the list and scroll down the description on the right until you see the Actions area. The Update approval parameter there can be set to Undefined (default), Approved or Declined. You can find it in the update's properties too. You can also select several updates in the list and approve them all at once.
Now, why would the administrator decide to approve an update? Generally, there should be a process of installing
an update on a small number of computers (representative of the entire network) and monitoring these computers for
some time. If no problems are detected, the update gets approved and is automatically installed on other computers.
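The decision that the module-update options above and the Network Agent policy setting Install applicable updates with Undefined approval (section 2.2) make for each update, as an added example that is not Kaspersky Lab code. Update identifiers are constructed; the approval states and the critical flag are the ones the text describes, and Declined is treated as overriding everything else, which is what the text says about prohibiting an update.

```python
"""Which module updates get installed under the KES task options and the Network Agent policy.

Added illustration, not Kaspersky Lab code. Approval states are the three the
console offers (Undefined, Approved, Declined); 'critical' is the Kaspersky Lab
classification described in the text. kes_updates_to_install models the
Install update task of Kaspersky Endpoint Security, agent_updates_to_install
the Network Agent 10 SP2+ policy setting.
"""
from dataclasses import dataclass
from typing import List

UNDEFINED, APPROVED, DECLINED = "Undefined", "Approved", "Declined"


@dataclass(frozen=True)
class ModuleUpdate:
    update_id: str          # constructed identifier, not a real Kaspersky Lab update name
    approval: str = UNDEFINED
    critical: bool = False


def kes_updates_to_install(updates: List[ModuleUpdate],
                           download_modules: bool = True,
                           critical_and_approved: bool = False) -> List[str]:
    """Module updates an Install update task would install.

    download_modules=False: 'Download updates of application modules' cleared, nothing is installed.
    critical_and_approved=True: 'Install critical and approved updates'.
    critical_and_approved=False: 'Install only approved updates' (the default).
    A Declined update is never installed, critical or not.
    """
    if not download_modules:
        return []
    chosen = []
    for u in updates:
        if u.approval == DECLINED:
            continue
        if u.approval == APPROVED or (critical_and_approved and u.critical):
            chosen.append(u.update_id)
    return chosen


def agent_updates_to_install(updates: List[ModuleUpdate], install_undefined: bool = True) -> List[str]:
    """Network Agent updates the Administration Server would distribute.

    install_undefined=True (default): 'Install applicable updates with Undefined approval' selected,
    so Undefined and Approved updates install. False: only Approved ones. Declined never installs.
    """
    allowed = {APPROVED, UNDEFINED} if install_undefined else {APPROVED}
    return [u.update_id for u in updates if u.approval in allowed]


# Constructed sample batch: one update for each situation a pilot group can produce.
SAMPLE = [
    ModuleUpdate("kes-mod-1", APPROVED),                   # passed the pilot, approved
    ModuleUpdate("kes-mod-2", UNDEFINED, critical=True),   # critical, not yet tested
    ModuleUpdate("kes-mod-3", UNDEFINED),                  # non-critical, not yet tested
    ModuleUpdate("kes-mod-4", DECLINED, critical=True),    # broke the pilot, prohibited
]

if __name__ == "__main__":
    print("KES, only approved:          ", kes_updates_to_install(SAMPLE))
    print("KES, critical and approved:  ", kes_updates_to_install(SAMPLE, critical_and_approved=True))
    print("Agent, Undefined allowed:    ", agent_updates_to_install(SAMPLE))
    print("Agent, approved only:        ", agent_updates_to_install(SAMPLE, install_undefined=False))
```

The two defaults pull in opposite directions: a Kaspersky Endpoint Security update task installs only approved module updates unless told otherwise, while the Network Agent policy installs Undefined updates unless the check box is cleared. A site that tests before deploying has to clear the Network Agent option explicitly, and only a Declined mark stops a critical update under Install critical and approved updates.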

Kaspersky Seamless Update Service


Starting with Service Pack 1, a non-restart update mechanism is implemented in Kaspersky Endpoint Security 10 for
Windows. Kaspersky Seamless Update Service is a part of it.
This service watches Kaspersky Endpoint Security operation and recovers protection after failures.


2.4 Monitoring Updates


Updates repository
While being downloaded, updates are first placed into a temporary folder located in the data directory of the Administration Server. When the download completes, all files are moved into a subfolder of the Administration Server shared folder. The folder is accessible over the network via SMB. SMB is not used for distributing updates to the managed computers, though: the Network Agent receives the data from the Administration Server over port 13000.
In Kaspersky Security Center Administration Console, the available updates are displayed in the Advanced |
Repositories | Updates node. The Updates repository displays, in a table, all the databases and lists of threat
signatures stored on the Server. Each object has the following attributes:
Name indicates the type of update and hints at which component or product this update is intended for, say, Anti-phishing databases or Autorun objects scanner
Description specifies which version of which product the database is intended for, or, if a component uses several different databases, the types of threats described in this particular database
Created: the date when the update was published on Kaspersky Lab's official servers
Received: the date when the database was downloaded into the Server repository
Size: the complete database size. If updated regularly, client computers download just the difference between their current database version and the version available in the repository, so the actual traffic is considerably smaller than the specified size
Note: When the repository is updated, the following information is downloaded in addition to the databases:
vulnerability data and KL category conditions for Application Control.
The data in the repository tells you the age of the updates distributed to the client computers. Updates on
the computers cant be newer than in the repository, so if the updates in the repository are several days old, it is
a problem to be solved. You have to be careful not to jump to wrong conclusions, though. Some updates are OK to
be several days old. Not every update type is released hourly. For a reliable indicator of how recent the updates are
overall, look at the date of the Anti-virus databases.
You can open update properties to find out the location of the relevant files. All update files end up in the Updates
subfolder of the Administration Servers shared folder. Thus, updates can be accessed through a Windows share if
necessary.
Using the links within the Repositories | Updates node, you can view the database version report, modify the
repository update settings, or start the task that downloads updates to the repository.

Computer statuses
If for some reason a computer uses old databases, the risk of infection increases. Moreover, if the latest databases
are missing, a virus can remain unnoticed and, for example, steal valuable data.
That is why computers with old databases receive a Warning or Critical status depending on how old their
databases are. The status criteria are configured in the group properties. By default, the Warning status is given to
the computers whose databases are 7 or more days old, and Critical is assigned after 14 days.
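A check that applies these thresholds to a constructed host export and first verifies the repository itself, as an added example (not Kaspersky Lab code). Host names and dates are made up; the one-day limit for the repository is an assumption, since the text only says that repository databases several days old are a problem and that the Anti-virus databases date is the indicator to look at.

```python
"""Database-age statuses for managed computers and the repository.

Added illustration, not Kaspersky Lab code. Applies the default thresholds
named above (Warning from 7 days, Critical from 14) to a constructed export
of host records, and checks the repository's own Anti-virus databases date,
the indicator the text recommends for overall freshness. The one-day limit
used for the repository is an assumption, not a product default.
"""
import csv
import io
from datetime import datetime, timedelta
from typing import Dict, Tuple

WARNING_DAYS, CRITICAL_DAYS = 7, 14          # defaults from the group properties
REPOSITORY_MAX_AGE = timedelta(days=1)       # assumed limit for the repository check

# Constructed export, not real data: host name and the date of its Anti-virus databases.
HOST_EXPORT = """host,av_db_date
ws-001,2016-03-14 09:00
ws-002,2016-03-06 18:30
srv-db1,2016-02-27 23:00
lt-017,2016-03-01 07:45
"""

DEMO_NOW = datetime(2016, 3, 15, 12, 0)      # constructed 'current time' for the sample


def status_for_age(age_days: int, warning_days=WARNING_DAYS, critical_days=CRITICAL_DAYS) -> str:
    """Map an age in whole days to the console status; Critical takes precedence over Warning."""
    if age_days >= critical_days:
        return "Critical"
    if age_days >= warning_days:
        return "Warning"
    return "OK"


def classify_hosts(export_text: str, now: datetime) -> Dict[str, Tuple[int, str]]:
    """Return {host: (age_in_days, status)} for every row of the export."""
    result = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        db_date = datetime.strptime(row["av_db_date"], "%Y-%m-%d %H:%M")
        age = (now - db_date).days
        result[row["host"]] = (age, status_for_age(age))
    return result


def summarize(classified: Dict[str, Tuple[int, str]]) -> Dict[str, int]:
    """Count hosts per status; the non-OK total is what the Monitoring page shows as 'Databases are out of date: N'."""
    counts = {"OK": 0, "Warning": 0, "Critical": 0}
    for _, status in classified.values():
        counts[status] += 1
    return counts


def repository_is_stale(av_db_received: datetime, now: datetime, max_age=REPOSITORY_MAX_AGE) -> bool:
    """True if the Anti-virus databases in the repository are older than max_age.

    Hosts can never be fresher than the repository, so check this before
    blaming individual computers for outdated databases.
    """
    return now - av_db_received > max_age


def demo_hosts():
    return classify_hosts(HOST_EXPORT, DEMO_NOW)


def demo_repository_checks():
    """(repository received one hour ago, repository received three days ago)."""
    return (repository_is_stale(datetime(2016, 3, 15, 11, 0), DEMO_NOW),
            repository_is_stale(datetime(2016, 3, 12, 11, 0), DEMO_NOW))


if __name__ == "__main__":
    for host, (age, status) in demo_hosts().items():
        print(f"{host:8} {age:3d} days  {status}")
    print(summarize(demo_hosts()))
    print("repository stale (fresh, old):", demo_repository_checks())
```

The lt-017 row sits exactly on the 14-day boundary and is already Critical, which is the kind of off-by-one worth knowing before comparing your own counts with the console's.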


You can identify that the computer status changed from OK due to outdated databases by the status description in
the Protection section of computer properties, or in the panel displaying computer characteristics in the lower-right
part of the Administration Console. To view detailed information about the databases and, specifically, the last
update date, open the properties of the Kaspersky Endpoint Security program in the Applications section of
computer properties.

Global status
The Monitoring page also provides the information about the databases in use. If everything is fine, the Update
area displays the time when the latest updates were downloaded to the server repository. If there is a problem,
the light will turn yellow or red and a problem description will appear, which also acts as a link to remediation (run
a task) or troubleshooting (check a computer selection) tools.
The Databases in the repository not updated for a long time link opens the properties of the Download updates to
the repository task. The Databases are out of date: N computers link opens the selection of hosts that have
the Databases are outdated status.
The Go to Updates folder link in the Update area of the Monitoring page opens the Advanced | Repositories | Updates node, which contains links to the settings of the default update tasks and the database version report.

Statistics and reports


More detailed information about the databases in use and computers with problems is available on the statistics
screen and also within the appropriate reports. In addition to the report on the databases being used, you may be
interested in the report on versions of the program module updates of the Kaspersky Lab applications. It is not
available by default, but can be created manually.
This data is also available on the Statistics tab of the Administration Server node. The charts concerning updates are
displayed on the Update page. Unlike reports, statistic charts are updated in real time.


If the databases became obsolete on the computer not because it was off, but because of update task errors,
the administrator would need to view update task events to find out the reason. The events sent to the Administration
Server are often insufficient for thorough analysis of the situation. The local update report of Kaspersky Endpoint
Security usually contains more events.

2.5 Rollback
Although rare, sometimes the latest updates may result in false positives. The Rollback task is designed to deal with
this. It is not created by default, but the administrator can easily create it using the task creation wizard.
The update rollback task has no settings, except for the schedule. It makes little sense to roll back updates
periodically. The rollback is typically performed when the administrator needs it, and the best schedule for such
a task is Manually.
During the rollback, the new database files are replaced with their previous version. For this purpose, the database files of the previous version are stored in a special folder locally on every computer where Kaspersky Endpoint Security is installed. When new databases are downloaded, the old rollback copy is deleted and a new one is created. Only one copy of databases for rollback is ever stored: the previous one.
KSN has an important role in decreasing the false positive risk. Even if a file seems to be infected according to the databases, KSN's verdict has a higher priority. If according to KSN the file is trusted, Kaspersky Endpoint Security ignores the false positive. Thus the introduction of Kaspersky Security Network has considerably reduced the need for running the rollback task.

Chapter 3. Interaction with the User


In this chapter we will describe the local interface of Kaspersky Endpoint Security: what the users see on their
workstations.
Using Kaspersky Endpoint Security policy, the administrator can configure the local interface of Kaspersky
Endpoint Security, set a password for removing or editing protection settings, enable or disable pop-up notifications
for various actions and incidents.

3.1 Password Protection


The default settings provide the users with at least two methods to disable the protection. The first method is to click Exit on the shortcut menu of the Kaspersky Endpoint Security icon in the notification area. This action doesn't even ask for elevated permissions; any user can do this. The second method is to uninstall Kaspersky Endpoint Security, and this requires the user to have administrator rights. But some users may have them, especially on laptops.


To prevent the users from weakening or stopping Kaspersky Endpoint Security, the administrator can configure password protection for the mentioned actions in the policy and make these settings required (locked). Though a user with administrator rights has enough power to disrupt the operation of Kaspersky Endpoint Security one way or another, the most direct attempts to do so will be blocked by Kaspersky Endpoint Security self-defense, which doesn't allow deleting or modifying Kaspersky Endpoint Security files and registry entries, and protects its service and processes in memory. Together, password protection and self-defense are mostly able to prevent any damage a user might try to inflict on Kaspersky Endpoint Security. However, self-defense is enabled by default, whereas password protection is not.
Another, a less evident way of disabling the protection is to uninstall the Network Agent. Some 10 to 20 minutes
after the Network Agent is removed, Kaspersky Endpoint Security will no longer be controlled by the policy and
the user will be able to change any settings. There is password protection for the Network Agents too, and it is not
enabled by default either.

Password protection in Kaspersky Endpoint Security


Password protection can be enabled for most of the user actions that affect Kaspersky Endpoint Security: editing its
settings, exiting, and uninstalling, changing license, etc.
To enable password protection, open the policy in the Advanced settings | Interface section and select the Enable
password protection checkbox. Then click the Settings button next to the option and enter the password.
By default, the password protects all possible actions, but the administrator can switch to protecting only some of
them and select from the list:
Configure application settings: protects against any attempt to modify the settings, including the options that enable and disable the components (e.g. Enable File Anti-Virus); the user can still disable components via a shortcut menu command
Exit the application: protects the Exit command on the shortcut menu of the product's icon. Meanwhile, Kaspersky Endpoint Security self-defense prevents attempts to terminate its processes or delete its files
Disable protection components and stop scan tasks: the user can start protection components and local tasks (if they are displayed); the password window appears only if the user attempts to stop them. Update tasks lack this protection
Disable control components: the password is necessary to disable Device Control, Application Startup Control, or Web Control
Disable Kaspersky Security Center policy: adds the option to temporarily disable the policy via the shortcut menu of the Kaspersky Endpoint Security icon after entering the password. The option is only available when password protection is enabled.
This capability is useful for local troubleshooting. When a policy is active, the administrator can't change Kaspersky Endpoint Security parameters to see which component or which particular setting is causing trouble for the user. Moving a problem computer to a special group for diagnostics and then returning it after the problem is solved is an awkward solution, especially if different IT units are responsible for centralized protection management and local diagnostics. The capability to temporarily disable a policy on a computer using a special password allows carrying out diagnostics without changing the settings on the Administration Server.
Remove key: the user cannot stop protection by deleting the key unless the password is entered
Remove/Modify/Restore the application: the password prompt is added to the uninstall wizard of Kaspersky Endpoint Security. The password is also necessary to uninstall the product from the command line.


Restore access to data on encrypted drives: prevents the user from starting the data recovery tool. It is the administrator's job to recover data, not the user's
View reports: prompts for a password before displaying events in the local KES interface
The advantage of password protection is that it remains active even when the policy is disabled. Once the password
protection settings are applied to Kaspersky Endpoint Security, the users will be unable to manage the product
without a valid password even if the administrator disables the policy.


Configuring password protection for Network Agent


The Network Agent is less likely to be noticed by the local user than Kaspersky Endpoint Security. The list of installed programs is one of the few places where it can be found. "Kaspersky" in the product name may be sufficient for some users to attempt uninstalling the Network Agent. If a user has administrator privileges, the attempt will succeed.
Administrators can set a password for uninstallation within the Network Agent policy. The Quick Start wizard
creates the policy automatically in the Managed computers node.
The password required for Network Agent uninstallation is set in the Settings section. By default, it is not specified. Enable the Use uninstall password option, click the Modify button to enter the password, and don't forget to lock that group of settings. It's not locked by default, and setting the password while leaving the option unlocked has zero effect on the local Network Agent settings.
Once the policy is applied, the password prompt is added in the Network Agent uninstallation wizard. An attempt to
uninstall the Network Agent using the command line without the password will also fail.

3.2 Local and Group Task Management via KES


Interface
By default, when the settings are controlled by a policy, the local interface provides access to only one local task: Custom Scan. It can be started from the Kaspersky Endpoint Security window or via the shortcut menu of any file or folder.
Also, the user can see the group tasks, two by default: Quick Virus Scan and Install update. These are created on
the Administration Server by the Quick Start wizard, and by default are displayed in the local interface. The user can
do nothing with them: neither edit their settings, nor run, nor stop them. The user can only view their reports.
These limitations are true only if the client computer is under a Kaspersky Security Center policy. If no such policy
is present or enforced, the local user is able to configure and manage local versions of update and scan tasks. But as
soon as a policy is enforced, the local tasks Full scan, Critical Areas Scan, Update, and Integrity check are disabled
and hidden. They are supposed to be replaced with similar group tasks, which can only be managed from
the Administration Server.
When local tasks are concealed, they keep their settings, but cannot be started either manually or on schedule. Otherwise, local tasks would interfere with group tasks. If a local update task were running, the start of the group update task would fail. Execution of a local virus scan task would not obstruct starting the group task, but would waste computer resources.
The custom scan task and names of the group tasks displayed within the interface are typically enough for the user
to feel protected. However, some users may need more control. They may need to postpone scheduled starts or
initiate updates and scans manually. This can be achieved by configuring the Kaspersky Endpoint Security policy.
There are two relevant options in the Advanced Settings | Application settings:
Allow management of group tasks: this gives the user the power to stop group tasks while they are running and to start them manually. If a task is stopped by the user, the result in Kaspersky Security Center will be Completed, but the preceding event will be a warning that the task was stopped while running. The user still can't modify the group task settings.


Allow local tasks to be displayed and managed (except custom scan): this makes the local tasks visible and their settings and control commands available to the user (the Custom scan is never hidden; what you allow to be displayed are all the other local tasks in addition to it). Moreover, local tasks will start running on the schedule that most of them have by default. Typically, you wouldn't want users tinkering with the task settings, but if they need to, this option gives them that power. There is no way to allow managing group task settings via the local interface.
If display of local tasks is enabled, they will start on their schedule with all the negative consequences described earlier. You cannot make local tasks displayed but started only manually. That is why local tasks should be used only in very special cases, e.g., on roaming computers while they cannot connect to the management system.


Below you can find the default settings and schedules of the local tasks:

Update
Settings: Sources: Kaspersky Lab update servers; Kaspersky Security Center. Download updates of application modules. Install critical and approved updates
Schedule: Automatically (translates to every two hours)

Full scan
Settings: Security level: Recommended (7). Select action automatically. Scan scope: System memory; Startup objects; Disk boot sectors; System Backup Storage; All hard drives; All removable drives
Schedule: On Mondays at 7:00 PM

Critical areas scan
Settings: Security level: High (8). Select action automatically. Scan scope: System memory; Startup objects; Disk boot sectors
Schedule: Every day at 6:00 PM

Custom scan
Settings: Security level: Recommended. Select action automatically. Scan scope: Not defined
Schedule: Manually

Integrity check
Settings: Checks integrity of Kaspersky Endpoint Security files
Schedule: Manually

Vulnerability scan
Settings: Vulnerability types: Microsoft; Other vendors. Scan scope: %SystemRoot%; %ProgramFiles%; %ProgramFiles(x86)%
Schedule: Manually

There are also two tasks that are never visible in the local interface but can still run and can be controlled by a policy (see the Advanced Settings | Protection Settings section):
- Idle Scan: a special task that starts when the screensaver is on or the computer is locked and scans startup objects, system memory and the system partition of the hard drive. Scanning is performed at the Recommended security level. In the policy, it is controlled by the Perform idle scan check box
- Scan removable drives on connection: another special scan task. It starts when a removable drive is connected to the computer. The scan scope includes boot sectors and the files located on the removable drive. Two scanning variants are available: Full (scanning is performed with the same settings as in the local Full Scan task) and Quick (scanning is performed with the same settings as in the local Critical Areas Scan task; in particular, archives and installation packages are not scanned). Scanning large drives may take a long time. To avoid lengthy delays, you can select to scan only small removable drives. In the policy, the task is controlled by the Action on removable drive connection option, which is set to Do not scan by default, but can be changed to either Full scan or Quick scan. When scanning is enabled, you can also adjust the Maximum removable drive size option.

[7] Scan all files, including archives, installation packages and OLE objects; heuristics level: medium scan
[8] Scan all files, including OLE objects and mail formats, excluding archives and packages; heuristics level: deep scan

3.3 Local Notifications


It is the administrator who is supposed to react to Kaspersky Endpoint Security events. That is why the events are
transferred to the Administration Server and displayed in the Console. The corresponding settings can be found in
the Event notification section of the Kaspersky Endpoint Security protection policy. Note that many events are not
sent to the Administration Server to avoid creating unnecessary traffic. This mostly concerns informational events,
and their sending can be easily enabled if necessary.
These same events can be displayed to computer users as pop-up messages. Local users do not need to see
the majority of events, for example, the events pertaining to Kaspersky Endpoint Security maintenance: outdated
databases, required restart, upcoming license expiration, etc. Maintenance tasks are performed by the administrators
who receive this information from the Console.
However, it does make sense to inform the users about blocked operations. When a user attempts to open a phishing
web site or download a malware program, it is recommended not only to block the action, but also explain
the reason it was blocked. Otherwise, the user may suppose that the computer is not working properly and contact
administrators with wrong assumptions. Besides, in a large organization where different departments are responsible
for security and maintenance, a lot of time may pass before the blocking reason becomes clear.
By default, only the notifications about blocked access or dangerous content are enabled. The user will see a pop-up window in the following cases only:
- Application startup prohibited: Application Startup Control blocked the program start
- Operation with the device prohibited: a restriction has been imposed by the Device Control or BadUSB Attack Prevention component
- Temporary access to the device activated: Device Control temporarily allows access
- Previously opened phishing link detected: Web Anti-Virus considers the link to be phishing
- Previously opened malicious link detected: Web Anti-Virus considers the link to be infected
- File access blocked: refers to encryption of files and folders (see course KL 008.10 Encryption)
When the user attempts to access an infected object (open, copy, receive by e-mail or download using a web browser), a notification is displayed anyway: either a system warning about the inability to open the file (because Kaspersky Endpoint Security blocked it), or the message that Kaspersky Endpoint Security displays, for example, instead of an infected web page. Such notifications cannot be disabled via the Kaspersky Security Center policy.
Also, when a threat is detected, the Kaspersky Endpoint Security icon changes its appearance for a couple of
seconds while the problem is being solved, and then the user will be able to learn about the incident from
the statistics shown in the main window of the program (if the policy allows the local interface to be displayed) or
from the report (unless it is password-protected).

If the administrator believes that more or fewer notifications should be displayed to the users, they can be configured in the protection policy. In the Advanced settings | Interface section, in the Notifications area, the Settings button opens the list of events and local notification methods [9]. For example, you can enable pop-up notification for malware detection by File Anti-Virus.
Here you can also configure sending e-mail notifications from the client computer. Typically, it is not required, because events are sent to the server and the server sends e-mail notifications when necessary. But it makes sense for out-of-office computers that can't connect to the Administration Server.

[9] In the lower-left corner of the Notifications window, there is a drop-down list that enables the administrator to quickly revert to the default settings.

3.4 Technical Support Information


If users will be working with the Kaspersky Endpoint Security interface, the administrators can change the standard
text and links displayed in the Support window of the local interface. By default, they contain the links that enable
and disable system tracing, and open the Technical Support web site of Kaspersky Lab
(http://www.kaspersky.com/support), the knowledgebase, and the user forum of Kaspersky Lab, where answers to
many questions can be found.
The administrator can replace the three links to Kaspersky Lab web resources with some other text that, for example, specifies the local or internal support department information, so that all user questions are sent to the internal support, for example, to the appropriate e-mail address.
The text and links are specified in the protection policy, in the Advanced settings | Interface section. Click the
Settings button in the User support area. Once the administrator fills in at least one new field, all three default links
to Kaspersky Lab site will be hidden.
Note: By default, this setting is not enforced. To apply it, close the lock and enforce the policy.

3.5 Concealing Kaspersky Endpoint Security


The majority of users' attempts to disable protection can be prevented if the product is hidden.
The hiding of notifications is described above. The Kaspersky Endpoint Security icon in the notification area and shortcuts in the Start menu also reveal the product's presence.

These features can be hidden using the options in the Advanced settings | Interface section:
- Display Kaspersky Endpoint Security 10 for Windows interface: when deselected, removes the icon from the notification area, all shortcuts from the Start menu, and the entry for Kaspersky Endpoint Security from the list of installed applications in the Control panel. At a cursory glance it may appear that Kaspersky Endpoint Security is not installed. However, a more attentive user will notice Kaspersky-related entries on the shortcut menu of files and folders, the folder in Program Files, and the service in the list of services. A user with local administrator rights will find even more traces. But still there is self-defense and password protection to safeguard Kaspersky Endpoint Security against the user
- Display Protected by Kaspersky Lab on Microsoft Windows logon screen: when this option is disabled, the sign is not displayed in the upper right corner of the logon screen in Windows XP/2003. In other versions of Windows, this sign is never displayed.
The presence of Kaspersky Network Agent is less apparent, but it will be listed among other installed applications in
the Control Panel. There is no way to hide this.

Chapter 4. Out-Of-Office Computer Management


The risk of computer infection is lower within a corporate network than outside of one. Thus, applying different
settings once computers move out of office seems reasonable.
If the Administration Server is accessible from outside the network, and out-of-office computers can connect to it,
they usually can be distinguished by their IP addresses. Therefore, you can create a rule to relocate such computers
to a separate group with a special policy assigned to it.
Ensuring connection to the Administration Server from outside is a complex task, though (explained in KL 302.10
course). And some out-of-office computers may fail to connect anyway. They could be behind a restrictive firewall
that blocks connections to port 13000. Or they can be disconnected from any network but still vulnerable to
infections from USB drives. In such cases, you have to rely on Kaspersky Endpoint Security and the user.

4.1 Out-of-Office Policy Settings


A policy for out-of-office computers must take into account the fact that the host is outside the corporate network
and that Kaspersky Endpoint Security maintenance tasks have to be performed by the user. Consequently, the policy
must allow the user access to the information about the protection status and to the product management tools.
The user should at least be allowed to scan suspicious files/drives and start updates. For this purpose, it is necessary to allow the user to manage group or local tasks, or both. See the previous chapter for details.
To help the user make rational decisions about protection, it is necessary to provide them with more information
about incidents. The user should be warned about detected threats, the need for advanced disinfection and about
outdated databases.
The default policy assumes that 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8 are local networks, which need fewer
restrictions. This may not be a safe assumption out of office. These can be networks in hotels, cafes or other public
places which cannot be trusted. The out-of-office policy should treat the abovementioned addresses as public.
On the other hand, Device control and Web control settings could be less strict than in the office. The user on
a business trip might need to connect removable devices to exchange data with colleagues, etc. And it is only
reasonable to allow the user to browse the Internet more or less freely at least during non-working hours.

4.2 Conditions of Switching into Out-of-office Mode


For those situations when a client computer cannot contact the Administration Server, Kaspersky Security Center supports special Out-of-office policies and also a mobile mode in update task settings. This is the third possible policy status, in addition to the Active and Inactive statuses.
The policy for out-of-office computers and the mobile mode in update tasks are applied simultaneously if at least one of the following conditions is met:
1. Network Agent cannot synchronize with the Administration Server three times in a row. In practice, this means that the computer is disconnected from the corporate network. By default, the synchronization period is 15 minutes. Therefore, the client will switch into the mobile mode in 30-45 minutes.
In large networks or networks with unstable connections, three consecutive failures may be considered normal and switching into the mobile mode may be undesirable. In this case, it makes sense to disable automatic switching and configure connection profiles instead. This can be done in the Network | Connection section of the Network Agent policy. Connection profiles are described in detail in course KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills
2. All network adapters are disabled or disconnected on the client computer: in this case synchronization is impossible, and Kaspersky Endpoint Security immediately switches to out-of-office settings
3. According to connection profiles (see course KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills)

An out-of-office policy may be created for any group. A group may have only one policy for out-of-office
computers. That policy is propagated in exactly the same manner as an active policy. However, while an active
policy is enforced immediately, a policy for out-of-office computers starts working only when the computer meets
the specified conditions (see above).
If a child group has no out-of-office policy, it will use the out-of-office policy of its parent group. However, if
an out-of-office policy exists in both parent and child groups, they are not related in any way. Regardless of
mandatory settings in the parent group policy, they do not restrict the policy of the child group.
In other words, individual settings of an out-of-office policy are not inherited, unlike those of an active policy,
where the required settings are inherited by the policies of child groups. Out-of-office policies are inherited only
completely by those subgroups where out-of-office policy is not configured.
You can switch a policy into the Out-of-office policy status in its properties window, in the General section, Policy
status area.
Note: The Out-of-office policy status only exists in the policies of Kaspersky Endpoint Security for Windows and Kaspersky Anti-Virus for Windows Workstations. Policies of the Network Agent or, for example, Kaspersky Anti-Virus for Windows Servers Enterprise Edition do not have such an option.

4.3 Update Settings in Mobile Mode


The default update source and schedule settings are intended for computers connected to the corporate network. If
a computer is outside the corporate perimeter, it cannot receive a signal from the Administration Server informing
that new updates are downloaded in the repository and it may not be able to connect to the Administration Server to
download the updates.
That is why the parameters of the update task include a separate set of settings for the mobile mode.
The mobile mode settings include the list of sources, module update settings and parameters for copying updates into a folder. The default update source is the Kaspersky Lab update servers, which makes the most sense for out-of-office conditions. Since proxy server parameters are specified in the policy, it is reasonable to configure the out-of-office policy to automatically determine proxy server settings.
The mobile mode does not explicitly include schedule parameters. Meanwhile, the usual schedule of the group update tasks, 'When new updates are downloaded into the repository', makes little sense for out-of-office computers. There is no cause for concern, though, because in the mobile mode the update tasks start every two hours regardless of their schedule parameters.

Chapter 5. Backup and Restore


5.1 Backup Considerations
Creating backup copies is a good practice that can save you a lot of trouble should anything happen to
the Administration Server or its database server. The administrator will be able to restore the entire management
system from a backup copy within about an hour. To ensure a quick recovery, it is important to store backups in
a reliable location.
A backup copy of the Kaspersky Security Center data includes all visible and invisible configuration settings. This includes the event database (which contains more than just the events), administration group structure, tasks and policies, report templates, installation packages [10], selections of computers and events, the Administration Server certificate, and more. Updates are not included, because they quickly become outdated, and there is no reason to keep an old copy.
Since the Encryption functionality has appeared in Kaspersky Endpoint Security, backups have become even more
important. The Administration Server configuration now includes the encryption key store that contains master keys
for all computers where encryption is used. These keys are necessary for recovering access to encrypted data in case
of failures. If the master keys stored on the Administration Server are lost, encrypted data may also be lost
irretrievably. Encryption and the risks involved are described in course KL 008.10 Encryption.
But even if we leave encryption out of consideration, losing Administration Server data can result in many hours or
days or even weeks spent on system recovery. In a large network, even creating a structure of groups can be difficult
and may consume much time and effort. If the server is reinstalled, its certificate changes, and it means that Network
Agents, even if they use the correct address, will not be able to establish a connection to the new Administration
Server. Generally, to recover connection to the computers, all Network Agents will have to be reinstalled.
A backup copy relieves the administrators from these issues, because a copy includes the server certificate, all
the settings, and the encryption key store.
Backup copies can be used as an alternative method of upgrading the Kaspersky Security Center version. A standard
upgrade procedure implies installing a new version over the old one. In this case, the installer detects a previous
version and upgrades its components, saving old settings if possible. Using the backup mechanism, you can create
a backup copy of your old system, uninstall it, then install the new version of the Administration Server, and restore
its configuration from the backup. You can use this method when it is necessary to upgrade not only the software
components of the Administration Server, but also its hardware configuration.
In a similar manner, you can use backups to move the Administration Server to a different computer. First create
a backup copy, and then install the Administration Server on another system. Restore the Administration Server
settings from the backup copy. In this case, it is important to ensure that the same type of SQL server (Microsoft
SQL or MySQL) is used by both new and old instances of the Administration Server.
If you move the Administration Server to another system and want to change the Server's name or address, you must
make this change before the migration. Refer to course KL 302.10 Kaspersky Endpoint Security and Management:
Advanced Skills for more information about changing the Administration Server name or address.

[10] Including standalone, but excluding operating system image packages (these packages are described in detail in course KL 009.10 Systems Management).

5.2 Creating a Backup Copy


How backup works in Kaspersky Security Center
To create backup copies, Kaspersky Security Center has a special task called Backup of Administration Server data.
Only one instance of this task can exist on the Administration Server, and the default one is created by the Quick
Start wizard. If necessary, you can delete and recreate it as a troubleshooting measure.
The actual job of creating backup copies is performed by klbackup.exe, a utility for backup and recovery of the
Administration Server. The task launches the utility with the specified options, which then creates a backup copy.
To create a backup copy, the klbackup.exe utility stops the Administration Server service (and the Network Agent
service) and copies the Server settings and data. When the Administration Server service is stopped, all instances of
the Administration Console receive a message that the connection with the Administration Server is lost. Then,
the utility commands the SQL server to create a backup copy of the event database. After the backup copy is
created, the utility starts the Administration Server and Network Agent services.
It is important to realize that backup copies of the Administration Server data are created under the Administration
Server account, whereas backups of the database are created under the database server account. If you specify a
network path as the target location for backup copies, both the Administration Server and SQL server must have
access to this folder. Also, the specified drive must have enough free space.

Backup task settings


Only one parameter is required for the backup task: the location of backup copies. This folder will contain
subfolders for each backup copy. The names of the subfolders consist of the date and time of creation. The default
location of backup copies is the SC_Backup folder in the Administration Server data directory
(%ProgramData%\KasperskySC\SC_Backup).

However, it is risky to store backup copies on the same disk with the Administration Server, because in the event of
a hardware failure, both the current system and its backup copy might be corrupted. So, it is strongly recommended
that you store backup copies separately. The administrator can either specify a network location or use an additional
process to move backup copies to a safer place for storage.
Since a backup copy can be up to several gigabytes in size (depending on the network and the amount of stored
data), it makes sense to limit the number of stored backup copies. By default, the maximum number of backup
copies is three.
The Administration Server certificate is stored in an encrypted form for security reasons. This security measure
prevents intruders from using the certificate to gain control over the client systems. To enable certificate encryption,
you need to provide a password. By default, the password is empty.
The backup data copying task is scheduled by default to start daily at 2 a.m.; therefore, only three backup copies of
the last three days are stored.
No matter how often it is explained that creating a backup copy causes the Administration Server to restart and all connected consoles to disconnect, somebody will be confused and will ask why the Console that they left connected in the evening is disconnected the next morning. The answer is that the default backup task runs every night at 2:00 AM.

5.3 Restoring Data from Backup Copy


There is no task in Kaspersky Security Center for restoring data from a backup copy. This is done by design,
because an accidental launch of such a task would result in the loss of newly added settings and data.
In order to restore the Administration Server data, the klbackup.exe utility is used again, which can be run from
the Start menu. When started without command line options, this utility works as a wizard, which prompts you to
choose the restore option, enter the path to the backup copy and the password to decrypt the Administration Server
certificate. You need to specify the full path to the subfolder that contains the backup copy. For example, if you
specified the c:\backups path for the backup task, to restore the system, you need to enter something similar to
c:\backups\klbackup2011-12-27#02-00-02
The backup copying utility can not only restore the data from backup copies, but it can also create backup copies. To
do so, at the Choose Action step, select Perform backup of Administration Server data.
Also, you can enable the mode for only backing up or restoring the Administration Server certificate. This mode can
be used, for example, when you only need to restore connection between the Network Agents and the Server, but
want to create the structure and settings from scratch. This limited backup is not available in the backup task.
The klbackup.exe utility can be launched with the following command line options:
- -path: backup copy destination folder, or the source folder during a recovery
- -restore: the option that instructs the utility to restore data; without it, the utility will create a backup copy
- -use_ts: the option that creates a subfolder with a name consisting of the time and date of creation; without it, the utility will create a backup copy right in the folder specified by the -path option
- -password: the option that specifies the password for encrypting the Administration Server certificate
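As an added example (not from the course and not a Kaspersky Lab tool), the following PowerShell script wraps klbackup.exe the way the backup task does, using the -path, -use_ts and -password options listed above, and adds the checks the text recommends in sections 5.2 and 5.3: before the Administration Server service is stopped it verifies that the target folder has free space and is writable for the Administration Server and SQL Server service accounts, then it copies the newest klbackup* subfolder to a share on another host, keeps only the last three copies there, and exposes an explicit restore function that takes one time-stamped subfolder. The klbackup.exe location, the share name, the service account names, the KSC_BACKUP_PASSWORD environment variable and the 10 GB free-space threshold are assumptions to adjust for your environment.

```powershell
# Added example, not part of the course and not a Kaspersky Lab tool: a scheduled
# wrapper around klbackup.exe that checks the target folder, creates a
# time-stamped backup copy, copies it to a share on another host and keeps only
# the last $Keep copies there. Paths, account names and the share are
# placeholders (assumptions) to adjust for your environment.

# Assumed location of klbackup.exe (Administration Server installation folder).
$KlBackup    = 'C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center\klbackup.exe'
# Folder passed with -path; the course gives %ProgramData%\KasperskySC\SC_Backup as the default.
$LocalRoot   = Join-Path $env:ProgramData 'KasperskySC\SC_Backup'
# Placeholder share on a different host, so a disk failure on the server does not take the copies with it.
$OffHostRoot = '\\BACKUP-HOST\ksc-backups'
# Accounts that must be able to write to the target: the Administration Server
# service account and the SQL Server service account (placeholder names).
$WriterAccounts = @('DOMAIN\svc-ksc', 'DOMAIN\svc-sql')
$Keep         = 3          # same retention as the default backup task
$MinFreeBytes = 10GB       # assumption: enough headroom for one more copy

function Test-BackupTarget {
    # Fails early instead of letting klbackup stop the Administration Server
    # service only to discover that it cannot write the copy.
    param([string]$Path, [string[]]$Accounts, [long]$MinFree)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Backup folder $Path does not exist" }

    # Free-space check for a local drive letter only; UNC targets are skipped here.
    if ($Path -notmatch '^\\\\') {
        $letter = (Split-Path -Qualifier $Path).TrimEnd(':')
        $drive  = New-Object System.IO.DriveInfo -ArgumentList $letter
        if ($drive.AvailableFreeSpace -lt $MinFree) {
            throw ("Only {0:N0} bytes free on {1}" -f $drive.AvailableFreeSpace, $drive.Name)
        }
    }

    # Direct ACEs only: rights inherited through group membership are not resolved here.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($account in $Accounts) {
        $ok = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $account -and
            ($_.FileSystemRights -match 'Modify|FullControl')
        }
        if (-not $ok) { throw "$account has no Modify/FullControl right on $Path" }
    }
}

function New-KscBackup {
    # Runs klbackup.exe with the options described in the course: -path (destination),
    # -use_ts (time-stamped subfolder) and -password (certificate encryption).
    param([string]$Exe, [string]$Root, [string]$Password)
    $before = @(Get-ChildItem -LiteralPath $Root -Directory -Filter 'klbackup*' |
                Select-Object -ExpandProperty FullName)

    & $Exe -path $Root -use_ts -password $Password
    if ($LASTEXITCODE -ne 0) { throw "klbackup.exe exited with code $LASTEXITCODE" }

    # Identify the subfolder this run created rather than trusting "newest" blindly.
    $new = Get-ChildItem -LiteralPath $Root -Directory -Filter 'klbackup*' |
        Where-Object { $before -notcontains $_.FullName } |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $new) { throw "klbackup.exe returned 0 but no new klbackup* subfolder appeared in $Root" }
    return $new
}

function Copy-BackupOffHost {
    # Copies one backup subfolder to the off-host share and prunes old copies there.
    param([System.IO.DirectoryInfo]$Backup, [string]$Destination, [int]$KeepCount)
    if (-not (Test-Path -LiteralPath $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }
    Copy-Item -LiteralPath $Backup.FullName -Destination (Join-Path $Destination $Backup.Name) -Recurse -Force

    Get-ChildItem -LiteralPath $Destination -Directory -Filter 'klbackup*' |
        Sort-Object LastWriteTime -Descending |
        Select-Object -Skip $KeepCount |
        ForEach-Object { Remove-Item -LiteralPath $_.FullName -Recurse -Force }
}

function Restore-KscBackup {
    # Restore is a separate, explicit call (the course notes there is no restore
    # task): -restore with -path pointing at one time-stamped subfolder,
    # e.g. c:\backups\klbackup2011-12-27#02-00-02.
    param([string]$Exe, [string]$BackupFolder, [string]$Password)
    if (-not (Test-Path -LiteralPath $BackupFolder)) { throw "Backup folder $BackupFolder not found" }
    & $Exe -restore -path $BackupFolder -password $Password
    if ($LASTEXITCODE -ne 0) { throw "Restore failed with exit code $LASTEXITCODE" }
}

# --- Scheduled run ---------------------------------------------------------
# The certificate password comes from an environment variable of the account
# running the scheduled task (assumption about how the secret is provisioned);
# an empty password would leave the certificate unencrypted in the copy.
$certPassword = $env:KSC_BACKUP_PASSWORD
if (-not $certPassword) { throw 'KSC_BACKUP_PASSWORD is not set' }

Test-BackupTarget -Path $LocalRoot -Accounts $WriterAccounts -MinFree $MinFreeBytes
$copy = New-KscBackup -Exe $KlBackup -Root $LocalRoot -Password $certPassword
Copy-BackupOffHost -Backup $copy -Destination $OffHostRoot -KeepCount $Keep
Write-Output "Backup $($copy.Name) created and copied to $OffHostRoot"
```

Run it from a scheduled task under an account that has the environment variable set and write access to the share; because klbackup.exe stops the Administration Server service while it runs, schedule it at the same off-hours time as the built-in task rather than in parallel with it. The ACL check only inspects direct entries for the named accounts, so rights granted through a group must be verified separately, and the password still appears on the klbackup.exe command line for the duration of the run, which is why the task account, not a shared login, should own it.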

Chapter 6. Statistics and Reports


6.1 Introduction
Overview
Almost all monitoring tools available in Kaspersky Security Center: events, statuses, reports, selections, etc., were
already mentioned when we described deployment, protection and endpoint control. In the previous chapters, we
placed emphasis on which events, statuses, reports, etc. help to monitor components. This chapter is different in that
it describes the customizations available in these instruments.
For example, Chapter 4 of Unit III of this course describes the events generated by the Device Control component
and reports generated from these events. The current chapter, on the contrary, describes the storage settings of all
events, notification settings for all events, all report generating settings, etc.

Interconnection of monitoring tools


Statistics and reports are created based on the statuses and events sent to the Administration Server, which are
generated by all components: Kaspersky Endpoint Security, Network Agents, and the Administration Server itself.
By default, the events sent to the Administration Server are stored there for:
- One month: Kaspersky Endpoint Security and Network Agent events, as well as information events of the Administration Server
- Three months: warning events of the Administration Server
- Six months: errors and critical events of the Administration Server
The administrator can view the events sent to the Administration Server via the Administration Console, within the component properties. For example, to view Kaspersky Endpoint Security events, find the necessary computer in the Managed Computers node, open its properties, in the Applications section select Kaspersky Endpoint Security and click Events.
Aggregate data on all events is available on the Events tab of the Administration Server node. Here they can be grouped, filtered (for example, by registration time), exported into a file, or deleted.
The information necessary for defining the computer status is sent from the client computers to the Administration Server separately from the events. For example, even if you disable transfer of all events concerning updates, the Databases are out of date computer status will be displayed nevertheless. To disable sending status information, you need to disable using statuses in the group settings.
To view all computers having some status, open the corresponding selection in the Computer selections node.
Events and statuses stored in the database serve as a basis for creating reports and statistics panes. E-mail
notification can be configured for events and reports.

6.2 Computer Statuses and Selections


Computer statuses
Computer statuses help the administrator to quickly understand on which computers issues are encountered.
A glance at a list of computers within a group allows identifying such computers by icon color.
In practice, many administrators do not pay attention to computer statuses. In a large network, a great part of
computers occasionally gets the Warning or Critical status. The administrators usually just have no time to deal
with each case. Sometimes, the administrators do pay attention to statuses, but only within a comparatively small
category of computers, for example, servers.
At the same time, statuses may reflect critical information about computers' protection. For example, the absence of protection tools on a computer is a major security threat.

To make statuses useful for diagnostics, the administrator can modify their settings to disable less important statuses
and the statuses that are not used. For example, the Windows update search has not been performed for a long
time status can be disabled if Windows updates are managed by a different department.
Generally, which statuses to disable and which to use would depend on the components installed on the computers,
and what the administrator believes to be important for network protection.
The administrator can also change the status settings. For example, the period after which databases are considered
to be obsolete can be changed. For some other statuses, their criteria can be modified. For example, the Restart is
required status has seven different conditions in its properties and the administrator can choose which reasons for
restart should trigger the status change and which can wait till the computer is restarted in due course.
The administrator can even configure different status criteria for different groups if computers in these groups serve
different purposes, encounter different threats, or have different components installed. For example, groups with
servers can use more statuses than groups with desktop computers.
By default, all groups inherit status parameters from the settings of the Managed computers node.
The administrator can disable inheritance in any group and adjust the settings.
Each status relates to a component or function of Kaspersky Endpoint Security or Kaspersky Security Center.
The status settings are described in detail in the respective course sections: deployment statuses in Unit I, protection
statuses in Unit II, control statuses in Unit III and some of the rest in this unit. Some statuses related to encryption
and other advanced topics are described in the respective courses.

Searching for computers


Computer search is a tool that enables the administrator to specify conditions and get the corresponding list of
computers. The search window can be opened using the shortcut menu of the following nodes in the Administration
Console (notice that the selected node defines the search scope):
- Administration Server: the computers will be searched for everywhere, among managed and unassigned computers
- Managed computers: the computers will be searched for among the managed computers
- Any other group: the computers will be searched for within the group (including the subgroups)
- Unassigned devices: the computers will be searched for among the unassigned computers
Aside from that, search parameters do not depend on the invocation point and provide vast capabilities:
- By network characteristics: computer name, domain name, IP address, location in Active Directory, etc.
- By software: operating system, service pack, installed Kaspersky Lab programs, installed programs by other manufacturers, software vulnerabilities, etc.
- By protection status: the number of detected viruses, update date, status description (for example, Protection is off)
- By equipment: the amount of memory, peripheral devices, virtual platform type, etc.
- By role in Kaspersky Security Center: new computers, computers with non-standard connection profiles, Update Agents, etc.
- By users
- And more

IV-75
Unit IV. Maintenance

Some of the search settings are described in more detail in the sections devoted to the respective components and
functions.
One of the most frequent search use cases is searching for a computer by its name or IP address to understand in
which group it is located and which policy is enforced there.
The search results are clickable; for example, you can see computer properties, protection status or events via the
computer's shortcut menu. You can also delete the computer from its group or move it into a different group, run a
task on the computer, send a message to the active user and more, all in the search window.

IV76

KASPERSKY LAB
KL 002.10. Kaspersky Endpoint Security and Management. Fundamentals

Standard selections
For many statuses, standard computer selections are available that display computers having this status. For
example, the There are unprocessed objects computer selection displays the computers where the There are
unprocessed objects status condition is met. When computer statuses change, the contents of computer selections
are updated.
Computer selections are not limited to statuses, though. They allow viewing computers that meet any specified
conditions. Standard selections are hard-coded selections that are initially available in the interface and can be
neither modified, nor deleted. If the administrator feels that standard selections are not enough, they can create
custom selections of their choice.

Custom selections
If you often search for computers with the same parameters, you should consider creating a selection with similar
search conditions.
Selections are located in the respective node of the console tree. In addition to standard selections, the administrator
can create various custom selections using the shortcut menu of the Computer selections node or the Advanced
button on the nodes page.
The selection scope is specified in the General section and may include all computers, managed or unassigned.
Search parameters are specified in the Conditions section. The parameters are the same as in the Search window,
however, while in the Search window you can specify only one set of parameters, in a selection you can create
several conditions with different search parameters.
For example, in the Search window you cannot specify two IP address ranges to search for computers in any of
them. Whereas in a selection, you can create two conditions for this purpose and specify different ranges in each of
them.
If several conditions are specified, a selection displays the computers that meet any of them. Search parameters
within a condition (or in the Search window), on the contrary, are superimposed. If both an IP range and a name of
an installed program are specified in a condition, only those computers will be displayed where both the program is
installed and the IP address belongs to the specified range.
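The two combination rules just described (parameters inside one condition are ANDed, conditions inside one selection are ORed, and the selection scope is applied first) are easy to get backwards when building a custom selection. The following is an added example that is not part of the course or of Kaspersky Security Center; it models a selection as a list of condition dictionaries evaluated over a constructed inventory of four hypothetical computers. The attribute names (ip_range, installed, status, group_prefix) and the sample records are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample inventory (not real data): the attributes a selection condition
# can test, for a handful of hypothetical computers.
COMPUTERS = [
    {"name": "WS-001", "ip": "10.0.1.15", "group": "Managed computers/Workstations",
     "installed": ["Kaspersky Endpoint Security", "7-Zip"], "status": "OK"},
    {"name": "WS-002", "ip": "10.0.1.77", "group": "Managed computers/Workstations",
     "installed": ["Kaspersky Endpoint Security"], "status": "Critical"},
    {"name": "SRV-FILE", "ip": "10.0.2.10", "group": "Managed computers/Servers",
     "installed": ["Kaspersky Endpoint Security", "Microsoft SQL Server"], "status": "OK"},
    {"name": "LAB-PC", "ip": "192.168.5.3", "group": "Unassigned devices",
     "installed": ["7-Zip"], "status": "Warning"},
]


def in_range(ip, ip_range):
    """True if ip lies inside the inclusive (low, high) range."""
    lo, hi = (ipaddress.ip_address(x) for x in ip_range)
    return lo <= ipaddress.ip_address(ip) <= hi


def matches_condition(computer, condition):
    """One condition: every parameter it names must hold (AND), like the Search window."""
    checks = {
        "ip_range": lambda v: in_range(computer["ip"], v),
        "installed": lambda v: v in computer["installed"],
        "status": lambda v: computer["status"] == v,
        "group_prefix": lambda v: computer["group"].startswith(v),
    }
    return all(checks[key](value) for key, value in condition.items())


def select(computers, conditions, scope="all"):
    """A selection: apply the scope, then keep computers meeting ANY condition (OR)."""
    if scope == "managed":
        computers = [c for c in computers if c["group"].startswith("Managed computers")]
    elif scope == "unassigned":
        computers = [c for c in computers if c["group"] == "Unassigned devices"]
    return [c["name"] for c in computers
            if any(matches_condition(c, cond) for cond in conditions)]


if __name__ == "__main__":
    # Two IP ranges: not expressible in one Search window query, natural as two conditions.
    two_ranges = [{"ip_range": ("10.0.1.0", "10.0.1.255")},
                  {"ip_range": ("192.168.5.0", "192.168.5.255")}]
    print(select(COMPUTERS, two_ranges))  # ['WS-001', 'WS-002', 'LAB-PC']
    # Range AND program inside one condition narrows the result instead of widening it.
    print(select(COMPUTERS, [{"ip_range": ("10.0.1.0", "10.0.1.255"),
                              "installed": "7-Zip"}]))  # ['WS-001']
```

The second call is the case the text warns about: putting an IP range and a program name in the same condition returns only computers satisfying both, whereas splitting them into two conditions would return computers satisfying either.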


6.3 Events and Event Selections


Local events
With Kaspersky Endpoint Security, events are registered by the instance installed on the client computer, transferred
to the Network Agent on the same computer and then sent to the Administration Server. Events may fail to reach
the Administration Server because of failures or configuration errors. In this case, it is especially important that
Kaspersky Endpoint Security events be saved somewhere in addition to the central database.
The administrator can control the local processing of Kaspersky Endpoint Security events using the policy. These
parameters are located in the Interface section: click the Settings button in the Notifications area.
There are four event processing methods:

- Save in local Kaspersky Endpoint Security log
- Save in local Windows log
- Notify on screen
- Notify by e-mail

All four capabilities may come in handy.


Saving in the local Kaspersky Endpoint Security log does not increase the load on the network, the Administration
Server or the database. That is why you can safely select to save absolutely all events in the local log, which is
actually configured by default. If the complete log of events can always be found on the client computer,
the administrator may select to send only most important events to the Administration Server.
Also, in the local Kaspersky Endpoint Security interface events are grouped by components. The Kaspersky
Security Center console also allows filtering events by the task name, but the filter has to be set up every time, while
the local interface provides this filtering out-of-the box.
Saving events to the local Windows log has the same advantages as saving to the Kaspersky Endpoint Security log,
and one more: Windows log accessibility is independent of Kaspersky Endpoint Security. If Kaspersky Endpoint
Security becomes inaccessible as a result of a failure, the administrator can try to understand the failure cause by
studying the events stored in the Windows log.
On-screen notifications may be handy for out-of-office users. Also, they may be of use for the administrators who
study Kaspersky Endpoint Security capabilities, or while testing a new policy.
Lastly, e-mail notification allows the administrator to learn about the most important events taking place on
out-of-office computers. Usually, notifications are sent by the Administration Server based on the events received
from the managed computers. Out-of-office computers may send events irregularly, or not send them at all. To
remain aware of what is happening on such a computer, the administrator can configure e-mail notifications to be
sent by Kaspersky Endpoint Security.
For this purpose, open the Kaspersky Endpoint Security policy and in the notification settings window, click the
Email notification settings button. In the window that opens you can specify all the parameters, including the sender
address, SMTP server address, name and password for authentication, and, certainly, the recipient's address.
If we are talking about out-of-office computers, the mail server must be accessible outside the corporate network. It
can be a mail gateway located in DMZ, or even (as a last resort) a public mail service, such as Google Mail, Yahoo!
Mail, Microsoft Hotmail, etc.


Events on the Administration Server


The events available in the Administration Console are not as well organized as in the local interface, but have two
major advantages:
- In the console, the administrator works with events from all computers rather than from one of them
- The administrator has the Kaspersky Security Center console at hand, while the local interface of a client
  computer is usually not easy to access
The administrator is supposed to occasionally open the console to evaluate the situation in the network and pay
attention to statuses and reports. He or she can be interested in events of a problem computer. All this can be done in
the Administration Console. Only if the problem seems to be significant, and information in the console is scarce,
may the administrator need to view events on the local log or collect traces.
The events available in the Console, meaning the events stored in the Server database, serve two purposes:
- Provide creation of regular informative reports
- In case of an issue, help the administrator to evaluate it and understand whether any further investigation is
  necessary
Also, events may help to test new policy settings. For example, special events allow studying the effect of
Application Startup Control rules without actually restricting applications start.
For an event to become available in the console, it needs to be sent from the computer to the Administration Server
and then further to the database. In other words, each event increases network traffic and load on the Administration
Server and the database server. Also, the more events are stored in the database, the longer it takes to create a report
or show a selection.
If the administrator feels that the available information is insufficient or encounters performance issues, it's time to
review the event storing parameters.
Event storing parameters are specified in the policies of Kaspersky Endpoint Security and Network Agent, and also
in the Administration Server properties, in the Event notification section. The events are grouped by four severity
levels: Critical event, Functional failure, Warning, and Info. The severity level is a permanent attribute of an event,
it cannot be modified. Each program has its own events with their default settings.
An event has three storage settings:
- On the Administration Server, meaning in the Server database. This storing method is enabled for most critical
  and error events, as well as for many warning and some info events. The default lifetime of Kaspersky Endpoint
  Security and Network Agent events is 30 days for all events (naturally, except for the events whose storage is
  disabled). The Administration Server events' default lifetime depends on their severity levels. For Information
  events, it is 30 days; for Warning, 90; and for Critical and Error, 180.
- In the operating system event log on the Administration Server: similarly to local Kaspersky Endpoint
  Security events. If the Administration Server becomes inaccessible, the administrator will be able to find
  information in the Windows log.
- In the operating system event log on the client computer: makes sense only for the Network Agent
  events. Kaspersky Endpoint Security already has this capability in the settings of local event processing.
When the specified lifetime is over, events are automatically deleted from the Administration Server database (but
not from Windows logs, which have their own settings). The longer the lifetime, the more events are stored in
the database on average at any given moment, and the longer event processing operations take. On the other hand,
when the administrator decreases the event lifetime, the maximum reporting period also decreases.


The global event storage parameters are located in the Administration Server properties, in the Events storage
section. There are two parameters:
- Maximum number of events stored in the database: the default value is 400,000 (four hundred
  thousand) and the maximum configurable value is 100,000,000 (a hundred million). The optimal value
  depends on the number of managed computers and the resources available to the SQL server. Too low a
  limit might lead to a rapid event turnover with new events pushing out older events before the administrator
  has a chance to see them. Too high a limit might lead to performance issues with the SQL server. You can
  learn that the limit is reached and events are not saved any more from the Windows event log.
- Store events after removal of computers, supplemented with the Maximum storage time (days)
  option: this parameter was introduced in Kaspersky Security Center 10 MR1. In previous versions of
  Kaspersky Security Center, if a computer was removed from the Administration Server database, all events
  associated with this computer were promptly removed too. This is not always a good thing, and now
  the administrator can keep the events for some time after computer removal. This parameter is disabled by
  default, which corresponds to the old Kaspersky Security Center behavior.

Database maintenance
With time, the Administration Server database may slow down. In particular, the reports may be generated slowly,
and lists of events or computers may be displayed only after a noticeable pause.
To speed up the console's work with the events stored in the database, the database has to be optimized. Before
Kaspersky Security Center 10 SP2, this could be done only using the database server tools. Kaspersky Security
Center 10 SP2 features a special task named Database maintenance, which can optimize a Microsoft SQL database
of the Administration Server. The task does not support MySQL databases. If you use MySQL, optimize
the database using the database server tools.
To speed up the Administration Server database, the Database maintenance task performs the following:

- Looks for errors in the database and fixes them
- Rebuilds indexes
- Updates the database statistics
- Optionally shrinks the database

The task has few parameters. In addition to the schedule, there is only the Shrink database option, which decreases
the database size. The database is recommended to be optimized once a week.
You can have only one task of this type. It is created by the Quick Start wizard. By default, the task starts every
Saturday, at 1 a.m.


Event notifications
In addition to saving events to the database, you can set up event notification. This is configured in the properties of
every particular event type that you want to be notified about. Kaspersky Security Center 10 supports four
notification channels:

- E-mail
- SMS
- Start of an executable file
- SNMP

Notifications help to draw the administrator's attention to the most important events.
By default, notifications are not sent. To receive notifications, the administrator finds the necessary events and
selects the necessary delivery options in their properties.
All events are delivered using the general delivery parameters unless the administrator edits the delivery settings of
an individual event, for example, specifies another delivery address.

E-mail notification settings


At first, e-mail notification delivery parameters are specified in the Quick Start wizard. Later, they can be modified
on the Events tab of the Administration Server node. Expand the General settings of selections drop-down list and
click Configure notifications.
E-mail notification delivery parameters include:

- Recipient's address
- SMTP server address
- SMTP server port
- Message text

These are the main parameters that are configured in the window that opens when you click the Configure
notifications link on the Events page. They are sufficient if the selected SMTP server does not require authorization.
The recipient address will also be used as the sender address, and the subject of the sent notifications will be made
from the event severity level and its type, for example, Critical event: Threats have been detected.
To view additional e-mail notification settings, click the Settings link. Then you will be able to modify:
- Message subject
- Authorization username and password
- Sender's address
When configuring the notification subject and text, you can use macros, which will be replaced by
the corresponding event attributes in the notifications:

- %SEVERITY%: event severity level
- %COMPUTER%: sender computer
- %DOMAIN%: domain
- %EVENT%: event
- %DESCR%: event description
- %RISE_TIME%: event time
- %KLCSAK_EVENT_TASK_DISPLAY_NAME%: task name
- %KL_PRODUCT%: program
- %KL_VERSION%: version number
- %HOST_IP%: IP address
- %HOST_CONN_IP%: connection IP address

The macros can be added using the special buttons located next to the fields where notification text and subject are
edited.


SMS notification settings


SMS notification tends to draw the administrator's attention best and should be used for the most important
events only.
SMS delivery parameters are configured in the same window as the global notification parameters. To open SMS
settings, in the Notification section, select the SMS tab.
Kaspersky Security Center can send SMS messages through:
- Mail gateway
- A special Android application by Kaspersky Lab installed on one or several corporate phones
SMS sending via a mail gateway works as follows. The notification is sent to a special mail server as an ordinary
e-mail message. The recipient's phone number is a part of the recipient's e-mail address on this server. Special
software installed on the mail server obtains the phone number from the e-mail address and sends an SMS there.
Such mail gateways are sometimes provided by mobile operators and by other organizations. They may be paid or
free. There are commercial solutions that allow a company to organize their own mail gateway for SMS. Kaspersky
Lab does not offer such a mail gateway.
Instead, Kaspersky Lab offers an Android application named Kaspersky SMS Broadcaster. This application is a part
of the Kaspersky Security 10 for Mobile distribution and can be installed on any Android phone.
To use Kaspersky SMS Broadcaster, the 'Mobile devices support' component must be installed on
the Administration Server and the port for interaction with mobile devices (13292 by default) must be open. In
the SMS Broadcaster settings on the phone, specify the Administration Server address, connection port and the
synchronization interval. After that, the phone can be selected in the SMS delivery settings on the Administration
Server, in the corresponding section of the global notification parameters.
Interaction of the Kaspersky Security Center with mobile devices is described in detail in course 010.10.

Executable file start


Executable file start parameters consist of the path to the file and optional command line parameters. Event details
can be passed to the launched application via the command line parameters using the abovementioned macros.
This notification method may come in handy in various situations. The administrator can write a script that will
automatically react to an event. For example, the Administration Console does not allow configuring settings
modification or task start in response to an event. Such a capability is available only for the virus outbreak event.
However, the administrator can use Kaspersky Security Center automation interface (not covered in this course) to
create a script that will activate a policy or start a task and bind execution of this script to an event.
In the above example, you should configure the script start in the properties of a particular event instead of general
notification parameters. However, a script can receive event type as a parameter and react differently to different
events. This can be configured in the general settings.
In any case, the script or executable file configured for an event will start on the Administration Server. Don't
expect the file to start on the computer which generated the event. Starting a file on the computer can also be
configured, but it is not straightforward.
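The following added example (not part of the course or of Kaspersky Security Center) ties together the macro list from the e-mail notification settings above and the executable-file-start method: it renders a command-line template containing %SEVERITY%, %COMPUTER%, %EVENT% and %DESCR%, shows how the launched script sees those values as arguments, and routes by severity so that one script configured in the general notification settings can react differently to different events. The event record, the ROUTES table and the action names are constructed assumptions; shlex is used only as an approximation of the operating system's command-line parser.

```python
import shlex
import sys

# Constructed sample event (not real data); keys mirror the macro names from the course.
SAMPLE_EVENT = {
    "SEVERITY": "Critical event",
    "COMPUTER": "WS-002",
    "DOMAIN": "CORP",
    "EVENT": "Threats have been detected",
    "DESCR": "Detected: constructed-sample-threat in a temporary file",
    "RISE_TIME": "2016-03-01 14:05:12",
    "KL_PRODUCT": "Kaspersky Endpoint Security",
    "KL_VERSION": "x.y.z (placeholder)",
    "HOST_IP": "10.0.1.77",
}


def expand_macros(template, event):
    """Replace every %NAME% in the template with the event attribute of that name."""
    for name, value in event.items():
        template = template.replace("%" + name + "%", value)
    return template


def default_subject(event):
    """Default e-mail subject: severity level followed by the event type."""
    return expand_macros("%SEVERITY%: %EVENT%", event)


def build_argv(command_line_template, event):
    """Render the command-line template and split it as the launched program sees it.

    Quoting each macro in the template keeps values containing spaces together as one
    argument; an unquoted template splits "Critical event" into two arguments.
    """
    return shlex.split(expand_macros(command_line_template, event))


# Hypothetical severity-based routing table (assumption, not a product feature).
ROUTES = {
    "Critical event": "page_on_call",
    "Functional failure": "open_ticket",
    "Warning": "log_only",
    "Info": "log_only",
}


def handle(argv):
    """Entry point of the script started on the Administration Server.

    Expects argv = [severity, computer, event, description] and returns the action
    chosen for the event together with the parsed attributes.
    """
    if len(argv) != 4:
        raise ValueError("expected 4 arguments: severity computer event description")
    severity, computer, event, descr = argv
    return {"action": ROUTES.get(severity, "log_only"), "severity": severity,
            "computer": computer, "event": event, "description": descr}


if __name__ == "__main__":
    # With no real arguments, show how the rendered command line would be received.
    template = '"%SEVERITY%" "%COMPUTER%" "%EVENT%" "%DESCR%"'
    argv = sys.argv[1:] or build_argv(template, SAMPLE_EVENT)
    print(handle(argv))
```

The point worth checking in practice is the quoting: macro values such as the event description regularly contain spaces, so a template without quotation marks hands the script a different number of arguments per event, and a positional parser like the one above then fails.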

Notification limits
Some events (including important ones) may occur too frequently to send a notification for each of them. For
example, the Threats have been detected event during a virus outbreak may invoke tens or hundreds of notifications.
To avoid this, the administrator can limit the number of notifications: follow the General settings of selections |
Configure notifications link on the Events page, and in the Notification section, click the Configure numeric
notification limit link.
The limit is set up as the maximum number of notifications over a time span. As soon as the limit is reached,
notifications are suppressed until the specified period is over. If new events are received afterwards, the limit is
counted anew. The same limit is used for all notification types, but applies individually to each event type. E.g., if
notifications for the Threats have been detected event hit the limit, notifications for other event types will not be
affected.
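The limiter semantics just described (one count per event type, suppression once the maximum for the period is hit, counting anew after the period) can be modelled in a few lines. The code below is an added illustration, not the course's or the product's own code. The course does not say whether the period is counted from the first notification or from the moment the limit is reached; this model assumes the former, and the event stream is a constructed sample.

```python
from dataclasses import dataclass, field


@dataclass
class NotificationLimiter:
    """Maximum number of notifications per event type within a period.

    Assumption (not stated in the course): the period starts with the first
    notification counted; once it has elapsed, the next event starts a new period.
    """
    max_per_period: int
    period_seconds: float
    _windows: dict = field(default_factory=dict)  # event type -> (period start, sent count)

    def allow(self, event_type, now):
        """Return True if a notification for this event may be sent at time `now`."""
        start, count = self._windows.get(event_type, (None, 0))
        if start is None or now >= start + self.period_seconds:
            start, count = now, 0  # period over (or first event): count anew
        if count >= self.max_per_period:
            self._windows[event_type] = (start, count)
            return False  # limit reached: suppress until the period is over
        self._windows[event_type] = (start, count + 1)
        return True


# Constructed sample: (seconds since start, event type). A burst of detections,
# one unrelated event, then another detection after the period has elapsed.
SAMPLE_EVENTS = [
    (0, "Threats have been detected"),
    (10, "Threats have been detected"),
    (20, "Threats have been detected"),
    (30, "Threats have been detected"),
    (40, "Threats have been detected"),
    (50, "Protection is off"),
    (700, "Threats have been detected"),
]


def run(events, max_per_period=3, period_seconds=600):
    """Feed events through one limiter; return (time, type, sent?) per event."""
    limiter = NotificationLimiter(max_per_period, period_seconds)
    return [(t, etype, limiter.allow(etype, t)) for t, etype in events]


def summarize(results):
    """Per event type: (notifications sent, notifications suppressed)."""
    totals = {}
    for _, etype, sent in results:
        sent_n, dropped_n = totals.get(etype, (0, 0))
        totals[etype] = (sent_n + 1, dropped_n) if sent else (sent_n, dropped_n + 1)
    return totals


if __name__ == "__main__":
    for t, etype, sent in run(SAMPLE_EVENTS):
        print(f"{t:>4}s  {etype:<28} {'sent' if sent else 'suppressed'}")
    print(summarize(run(SAMPLE_EVENTS)))
```

With a limit of 3 per 600 seconds, the fourth and fifth detections are suppressed, the unrelated Protection is off event is unaffected because each type has its own count, and the detection at 700 seconds is sent because the period has elapsed.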


SNMP notification
SNMP or Simple Network Management Protocol is a protocol that allows receiving standardized information about
various network devices. This protocol is used in numerous industry systems management solutions, such as
HP OpenView (HP BTO). The SNMP information can be delivered as notifications (so-called SNMP traps) or
retrieved on demand.
Kaspersky Security Center Administration Server can also be regarded as a device about which information can be
received over SNMP. The following requirements must be met for this purpose. First, the Windows component
named 'SNMP service' must be installed on the computer with the Administration Server. Second, the Kaspersky
Security Center component named 'SNMP agent' must be installed among other Administration Server components.
SNMP agent interacts with SNMP service to provide the Administration Server statistics on demand and for sending
notifications (SNMP traps). SNMP-specific parameters are configured in the properties of the SNMP service.
The settings are standard for SNMP protocol and should not be difficult for an administrator acquainted with
the protocol.
Statistics and notifications are standardized in SNMP. Special files in MIB (Management Information Base) format
are used for their interpretation. MIB files for interpreting the Administration Server notifications become available
in the SNMP subfolder of the Administration Server program files after the SNMP agent component is installed.
The administrator should take these files and import them into the SNMP console they use.

Event selections
The events stored in the Administration Server database can be viewed in the Administration Console as event
selections located on the Events tab of the Administration Server node. By default, there are seven predefined event
selections:

- Recent events
- Critical events
- Functional failures
- Warnings
- Audit events
- Informational events
- User requests

The name of the current selection is displayed next to the Selection events text. To view another selection, click
the name of the current selection or the arrow beside it. The drop-down list of all available selections will open.
Predefined selections support some limited configuration, such as time period, but mostly their filtering parameters
are fixed. To see events with some other properties, for example, events related to license use, the administrator
should create a custom event selection. There is no special search tool for events (similar to the computer search
window), which you could use for a quick lookup.


In the selection properties, the administrator can also restrict the number of displayed events or the number of
records to search. Both options affect the time it takes the Console to display the events. The larger the database is,
the more time-consuming the process can be.
In custom selections, the administrator can filter events by the properties of the computers they originated from
(computer names, IP ranges, and management groups), by the event types and severity levels, by the product and
component name and by the time period. It is also possible to include task results in the search scope.
Alternatively (or in addition to filtering by computer or event attributes), there is a simple search field where a word
or several words can be typed. All events that contain any of the typed words[11] anywhere in their attributes (event
name, description, component name, etc.) will be displayed.
For example, if Web Control warns that visiting social networks during business hours is undesirable, but a user
opens such a site nevertheless, the corresponding notification is sent to the Administration Server. The administrator
can create a selection of such events and filter it, for example, by twitter.com.

6.4 Reports and Statistics


Notifications provide urgency, events provide the details, and if the administrator needs a summary of some activity,
they have reports and statistics. Both are located on the respective tabs of the Administration Server node.

Reports
Select the Reports tab of the Administration Server node to view the list of all available report templates. They
contain report generating parameters. To generate a report to the template, either double-click it, or select it and
click the Show report link. The report will open in a new window.
When the Administration Server is installed, there are more than 20 pre-created templates in the console, all for
different report types. All in all, Kaspersky Security Center 10 supports 42 report types and the administrator can
have multiple templates for the same report type if they want to. These templates can give reports for different time
periods or different parts of the network. Pre-created templates are not hard-coded and can be modified or removed
as necessary.

[11] To search for the whole phrase, enclose it in quotation marks.


A report consists of a header (which contains a phrase, Kaspersky Security Center by default, and a picture,
the Kaspersky Lab logo by default), report name and description, then a chart, a summary table, some statistics and
a details table. The chart usually represents the contents of the summary table.
If the summary table contains the Number of computers column (for example, the number of computers having
the Protection is off status), the figure displayed in the column is a link that takes you to the list of these computers.
Click the link to open the window where you will be able to manage these computers similarly to a selection or
search results.
Everything in the report can be configured to various extents via the template properties or global report parameters.
Template settings include the reporting period, computers or groups whose information is included in the report, and
also the list of information fields that comprise the summary and details tables. Some fields contain insignificant
information and can be deleted not to overload the report. For example, the Virtual server field makes little sense in
a report if virtual Administration Servers are not used in the network[12].
The administrator can use information field settings in a report template to create complex filters for the events to be
included in the report. Allowed values can be specified in the field properties. For example, for the Detected object
field, you can specify the malware name. As a result, you will get a report based on the events related to
the specified malware only. Similarly, the administrator can view protection status or virus activity on the computers
with the specified version of the protection software, even if these computers belong to different groups.
In addition to filtering by field value, you can change sort order: ascending, descending, or unsorted.
Starting with version 10 Service Pack 1, you can do it in the generated report too, by clicking the column titles in the
tables. Click again to reverse the sort order.
The report header can also be modified. By default, Kaspersky Lab logo is displayed in the upper-right corner of
the report, and on the left, Kaspersky Security Center is written. If necessary, the administrator can replace the text
and the logo, for example, with the logo and name of their company. These settings are general for all reports and
are specified using the Edit report presentation settings link on the Reports page.
Reports can be saved in the following formats: HTML, XML and PDF. You can use the XML format to import
the summary or details table of a report into a spreadsheet application, for example, Microsoft Excel.
Alternatively, you can schedule automatic report generation and specify the e-mail addresses the reports are sent to
or the directory they are stored in. The 'Deliver reports' task serves this purpose. The easiest way to create it is to
carry out the Deliver reports command from the context menu of the selected report.

[12] The Virtual Administration Server or Virtual server terms that may be encountered in the reports should not be confused
with Administration Servers running inside a virtual machine. These two usages of the word virtual have almost nothing in
common. If your Administration Server runs in a virtual machine, it is still just a normal Administration Server, not a virtual
server. And virtual servers in the reports and other parts of the Console are something else entirely. Virtual Administration
Servers are described in course 302.10.


You can choose the report format (html, xml or pdf) in the task parameters. You can create several tasks to send
different reports to different administrators or managers. A task can send any reports configured in
the Administration Console.
Note: The Quick Start wizard automatically creates a deliver reports task for the Protection status report, if
the administrator fills in the e-mail notification parameters. Later, you can edit this task or create more of them.

Statistics
To get a general idea of the overall protection status, open the Monitoring page of the Administration Console.
Indicators are colored icons and short descriptions which provide general information: how many computers are
protected, when the updates were last downloaded, how many clients have the Critical status.
Detailed statistics are available on the Statistics tab of the Administration Server node, on the statistics pages and
panes. Usually, a pane contains a chart with a legend or a table. By default, they represent events from all managed
computers over the last 24 hours. The administrator can narrow the scope or change the period in the Properties
window, which opens with the button on the pane. A statistics page consists of several panes.
By default, Statistics includes 6 pages devoted to various network status aspects: Protection status, Deployment,
Update, Anti-virus statistics, General information, Updates for applications. Each page represents 3 to 4 information
panes. All this can be customized. The administrator can re-arrange the panes on a page at their wish. Or add more
panes or more statistics pages, or remove some.
Statistics are configurable at three levels. The administrator can add, delete and move statistics pages, add, delete
and move panes on a page, and can also modify settings and representation of the panes.
Overall, there are 50 types of panes grouped into six categories for the administrator to choose from.
To rearrange the pages, click the Customize view button to the right of the page tabs. The administrator can add as
many pages as they wish and name them as they wish. They can also delete the default pages, or re-order them.
The tabs are always lined up in a single row.
To modify page contents, click the button to the right of the page name in its tab. This button is displayed only
for the active page. In the page properties, you can draw up the list of the panes to be displayed and their layout on
the page: one column, two columns (the default choice), three columns, etc.
In the pane settings, depending on its type, you can modify the time interval for the displayed data and select
the computers whose data will be shown. There are only two options for the computers: either all computers, or
computers from a specified selection. You cannot specify a group of computers or draw up an arbitrary list of
computers, as in reports.
As far as the pane layout settings are concerned, you can modify the height of the panes to better fit the console
window. You can also modify chart type, axis orientation, chart appearance (gradient, transparency). Depending on
the pane type, the following chart types can be available: Pie chart, Column chart (the columns can be displayed
either vertically or horizontally), Table, and Graph.
The information panes' capability to display the history of parameter changes over the specified period can be
useful. For example, you can view how many viruses were detected during each hour of the last day. This data may
help to select the threshold for the Virus outbreak event. Reports lack this capability.


v1.0.1
