Deployment
Unit II. Protection Management
Unit III. Endpoint Control
Unit IV. Maintenance
Kaspersky Lab
www.kaspersky.com
Unit I. Deployment
Introduction  4
    Course Outline  4
    Unit Outline  6
Chapter 1. Organizational Issues  6
    1.1 Problem Definition  6
    1.2 Procedure  8
        Potential difficulties  8
        Procedure  10
        Testing  10
Chapter 2. Installing Kaspersky Security Center  12
    2.1 System Requirements for Administration Server  12
        Software requirements  12
        Supported virtual platforms  14
        Hardware requirements  14
    2.2 Standard Installation  16
        Installation files  16
        Installation progress  18
        Installing plug-ins  22
    2.3 Custom Installation  24
        Components  24
        Installation path  24
        An account for the main Administration Server service  26
        An account for other Administration Server services  26
        SQL server  28
        Shared folder  32
        Connection ports  34
        Connection address  34
        Management plug-ins  36
        Installation results  36
    2.4 Quick Start Wizard  38
        Keys and codes  40
        Update installation statistics  40
        Notifications  42
        Vulnerability and patch management  42
        Policies and tasks  44
        Proxy server  48
        Wizard completion  48
KASPERSKY LAB
KL 002.10. Kaspersky Endpoint Security and Management. Fundamentals
Introduction
Course Outline
This course aims to explain how to plan, deploy and maintain an endpoint protection system based on the flagship
Kaspersky Lab products: Kaspersky Endpoint Security and Kaspersky Security Center. Kaspersky Endpoint
Security is designed to protect computers. Kaspersky Security Center enables the administrator to manage protection
of all corporate computers.
Upon completion of this course you will see that these products can do much more than just protect and manage
protection. Kaspersky Endpoint Security has encryption capabilities and can restrict the users' actions; while
Kaspersky Security Center is able to manage not only Kaspersky Endpoint Security for Windows, but also other
Kaspersky Lab products designed for Mac OS X, Linux, mobile devices, etc. Kaspersky Security Center can also
manage some functions of the operating system and software installed on the managed computers, in particular
discover vulnerabilities and automatically install updates and fixes.
Studying all of those capabilities takes more than a week, and falls outside the scope of this course. Instead, we will
study protection of a small local-area network, which will take us 2 to 3 days.
The course consists of four units.
Unit I is devoted to planning and deploying a protection system. We will study a typical deployment plan and
elaborate on its steps. Deployment includes not only installation, but also initial configuration, i.e. all the actions to
be taken once and for all, after which the maintenance stage starts.
Unit II describes endpoint protection: the tools implemented in Kaspersky Endpoint Security, how to fine-tune them
if necessary, and how you can find out whether they do their job properly.
Unit III introduces the control tools: Device, Web and Application Control. It is devoted to their capabilities, typical
use cases, settings and monitoring tools.
Unit IV comprises all the rest: maintenance specifics and fine-tuning the created protection system. We will study
how to update signatures and product components, renew and replace a license, configure backup copying and
recover after a failure, and adjust the tools available to the user and the administrator.
Unit Outline
Unit I focuses on the deployment process, which starts from planning. Any large-scale project involves not only
clicking buttons but also coordination of time and effort of all the stakeholders.
Therefore, from Chapter 1 we will learn how deployment is organized, including planning, testing and
implementation.
After the organizational issues, we will describe in detail all the steps of a typical deployment plan and product
configuration.
Chapter 2 is devoted to the installation and initial setup of the Administration Server. This is the core component of
Kaspersky Security Center, which is necessary for deploying and managing Kaspersky Endpoint Security on
the computers.
Chapter 3 explains how to use the Kaspersky Security Center Administration Server to remotely install Kaspersky Endpoint Security on the computers. It describes the most popular remote installation method and briefly introduces the alternatives.
Chapter 4 explains network discovery and organization of computer management groups. Theoretically, computers
should be discovered prior to the remote installation; in practice, however, within a small network, computers are
discovered automatically and this process does not require any special effort. Group creation may either precede or
follow the deployment. Computers can be moved to the proper groups automatically according to the conditions
specified by the administrator; the course explains how to configure this.
1.2 Procedure
Potential difficulties
Endpoint protection installation takes time, which is always scarce. In a large network that consists of many
computers, more time is necessary, even if there is an administrator who is solely responsible for endpoint
protection.
In a middle-size network, less time is necessary. Usually such networks lack a dedicated endpoint protection
administrator. IT employees responsible for the deployment also perform other IT infrastructure maintenance tasks.
In small networks, comparatively little time is necessary, but a full-time administrator is not always available.
An ordinary employee who has other work to do may be entrusted with the deployment; or there may be a part-time
administrator who works several hours a week.
Remote installation reduces the labor of deployment, but can present new problems in turn.
First, remote installation involves data transfer over the network, so network load will increase.
Second, remote installation very rarely works for 100% of the network computers. A computer may temporarily be off the organization's network, or turned off, or unreachable over the network; remote access may be restricted by a security policy or other protection tools.
Compatibility problems may also arise during the deployment. Protection tools by other manufacturers may hamper
installation or operation of Kaspersky Endpoint Security. These protection tools need to be uninstalled before
the installation of Kaspersky Endpoint Security. This makes the deployment even more time consuming.
Kaspersky Endpoint Security with the default settings may sometimes hamper other programs. This is not the case
with widespread, standard programs; but rare and unusual ones, for example, medical software and other special
systems can be at risk. These interaction issues must be identified during the preparation stage and taken into
consideration when adjusting Kaspersky Endpoint Security settings.
Procedure
The recommended procedure for deploying Kaspersky Endpoint Security in a network is as follows:
1. Study Kaspersky Endpoint Security capabilities and try to identify compatibility problems through preliminary testing
2. Install the Kaspersky Security Center Administration Server. The Administration Server can serve as a remote installation tool and is necessary for managing protection on the computers when the deployment is finished
3.
4. Create group structure. All computers are gathered into one group after the deployment, which may be inconvenient, especially in large networks. Principles and methods of dividing computers into groups in Kaspersky Security Center are described in Chapter 4 of this Unit
Testing
Preliminary tests are performed during the preparation stage to help detect problems and either solve them or find a workaround in advance. The time spent on pre-testing saves the time that would otherwise have to be spent on solving the same issue network-wide.
Depending on the organization's size and available resources, preliminary tests can be obligatory or optional, and may be broken down into several stages that take various forms. In most cases, testing includes two key stages:
1. Studying capabilities. Best performed on virtual machines or, for lack of resources, on the administrator's computers. During this stage, the administrator learns how to install, manage and maintain the product, etc. It also gives the administrator a way to test facets of the deployment plan: order, methods, and technicalities.
2. Operation testing. Best performed on several production computers or, again, on the administrator's computers. During this stage, the administrator tests the planned deployment methods, and monitors Kaspersky Endpoint Security operation. The purpose is to find all possible problems before the product is deployed company-wide. At the end of this stage, the administrator should have a more detailed deployment plan, and also, if necessary, a list of changes to the default settings of Kaspersky Endpoint Security that are to be made prior to the installation.
In small networks, preliminary tests are often neglected, as the testing cost is comparable to the cost of solving the issues in the network as they arise. In large companies, the opposite is true, and preliminary testing usually must be performed before new software is deployed or any other changes are introduced in the network.
All of the aforementioned Microsoft Windows Server editions also support Core installation without the graphical interface.
It is better to use server hosts for the Administration Server. In small networks (up to a couple of hundred
computers), a powerful workstation will do.
In addition to the operating system, the following software is necessary:
An SQL server is also necessary for the Administration Server. The distribution of Kaspersky Security Center 10 includes Microsoft SQL Server 2008 R2 SP2 Express Edition, a free version of Microsoft SQL Server. It is automatically installed during the Typical installation of the Administration Server, and is sufficient for testing and for production use in small networks. Detailed information on SQL servers is given later in this chapter.
Note that the computer selected for the Administration Server must not have a pre-installed Network Agent.
The installer automatically detects the Network Agent and reminds the administrator to uninstall it.
It goes without saying that the operating system, software and hardware requirements must be met.
Hardware requirements
Minimum hardware requirements are as follows:
- 1 GHz or higher processor (1.4 GHz for 64-bit systems)
- 4 GB of RAM
- 10 GB of free hard drive space (if you plan to use the Systems Management functionality, 100 GB of free hard drive space will be necessary)
The specified requirements for the equipment are really minimal. A more powerful server will be necessary for any
significant number of clients. The recommendations based on synthetic tests are available in the Deployment Guide.
Practical experience of using Administration Server in large networks is summarized in course KL 302.10
Kaspersky Endpoint Security and Management: Advanced Skills.
Installation progress
Installation of the Administration Server can be either custom or typical (1). During the typical installation, the administrator is prompted to:
- Accept the license agreement for Kaspersky Security Center
- Select installation type (Typical)
- Specify network size
The custom installation enables the administrator to select:
- Components
- Installation folder
- SQL server type and connection parameters
- Location of the Administration Server shared folder
- Ports and connection address of the Administration Server
- Management plug-ins for the products
(1) When installing on Windows Server in the Core mode, typical installation is unavailable.
[Table: default settings by network size; column headings: Fewer than 100 / From 100 to 1,000 / From 1,000 to 5,000 / More than 5,000]
Automatic randomization of the task start relates to the schedules of virus scan, update, vulnerability search, and
other group tasks. If a task starts simultaneously on many computers, the load on the network and Administration
Server drastically increases. To even out the peak, tasks can start on the computers with a random delay.
The administrator can enable randomization and then specify the randomization range manually or select automatic
randomization. On each computer, the delay is selected randomly within the specified or automatically chosen
range.
If automatic randomization is used, the randomization range depends on the number of computers where the task is
to run:
    The number of computers    Randomization range
    0-200                      0 minutes
    200-500                    5 minutes
    500-1000                   10 minutes
    1000-2000                  15 minutes
    2000-5000                  20 minutes
    5000-10000                 30 minutes
    10000-20000                1 hour
    20000-50000                2 hours
    50000+                     3 hours
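As an added illustration (not code from the course or from Kaspersky Security Center), the Python script below applies the automatic randomization table above to a task and simulates how many computers would contact the Administration Server in the same minute with and without the delay. The uniform whole-minute delay, the rule that a count exactly on a row boundary falls into the lower row, and all function names are assumptions of this example.

```python
"""Added example, not Kaspersky Security Center code: the automatic task-start
randomization table from the course, applied to a task, plus a small simulation
of how the random delay flattens the start-time peak on the Administration Server."""
from __future__ import annotations

import random
from collections import Counter

# (upper bound of the row, randomization range in minutes), taken from the table.
# Assumption: a count equal to a boundary (e.g. exactly 200) belongs to the lower
# row; the course does not say which side of the boundary applies.
AUTO_RANGES = [
    (200, 0),
    (500, 5),
    (1000, 10),
    (2000, 15),
    (5000, 20),
    (10000, 30),
    (20000, 60),
    (50000, 120),
]
AUTO_RANGE_OVER_50000 = 180  # the "50000+" row: 3 hours


def auto_randomization_minutes(num_computers: int) -> int:
    """Randomization range (minutes) chosen automatically for a task that targets num_computers hosts."""
    if num_computers < 0:
        raise ValueError("computer count cannot be negative")
    for upper, minutes in AUTO_RANGES:
        if num_computers <= upper:
            return minutes
    return AUTO_RANGE_OVER_50000


def task_start_delays(num_computers: int, range_minutes: int, seed: int = 0) -> list[int]:
    """Per-computer start delay in whole minutes, drawn uniformly from [0, range_minutes].

    Each computer picks its own delay independently, as the course describes; the
    uniform distribution and whole-minute granularity are assumptions of this example."""
    rng = random.Random(seed)
    return [rng.randint(0, range_minutes) for _ in range(num_computers)]


def peak_starts_per_minute(delays: list[int]) -> int:
    """The largest number of computers that start the task within the same minute."""
    return max(Counter(delays).values()) if delays else 0


def compare_peak(num_computers: int, seed: int = 0) -> tuple[int, int]:
    """(peak starts per minute without randomization, peak with the automatic range)."""
    without = peak_starts_per_minute(task_start_delays(num_computers, 0, seed))
    range_minutes = auto_randomization_minutes(num_computers)
    with_rand = peak_starts_per_minute(task_start_delays(num_computers, range_minutes, seed))
    return without, with_rand


if __name__ == "__main__":
    for n in (150, 1500, 12000):
        before, after = compare_peak(n)
        print(f"{n:>6} computers: range {auto_randomization_minutes(n):>3} min, "
              f"peak starts per minute {before} -> {after}")
```

The simulation only counts task starts, not their duration; the point it makes is that a task scheduled for 1500 computers at 09:00 sharp produces 1500 simultaneous connections, while the 15-minute automatic range brings the peak down to roughly a hundred per minute.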
Other parameters affected by the network size, such as visibility of Slave Administration Servers and security
settings, are described in course KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills. These
functions are rarely used in small and middle-size networks.
The default settings are the same when the administrator selects either From 1000 to 5000 or More than 5000
computers on network. The only difference is that when the More than 5000 computers on network option is
selected, the installation wizard warns that the use of free versions of MS SQL server is not recommended, and
the administrator should get acquainted with the documentation on deploying the administration system in large
networks. Course KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills covers these issues.
The network size selection only influences a couple of interface settings, which can easily be modified after
the installation. The threshold value that actually makes the difference is 1000 computers. Administration Server
operation parameters do not depend on the selected network size.
Installing plug-ins
During the typical installation, management plug-ins for Kaspersky Security Center 10 components and Kaspersky
Endpoint Security 10 for Windows are installed.
Plug-ins are installed in the very end of the Administration Server installation. After the Kaspersky Endpoint
Security 10 plug-in is installed, the installation is finished. On the last page, the administrator may accept starting
the Administration Console.
If you need plug-ins for other Kaspersky Lab products, you can install them from the installation shell.
Components
Within the framework of Administration Server installation, you can additionally install the following components:
- SNMP agent
- Mobile devices support
The SNMP agent is necessary for the Administration Server to be able to send notifications over SNMP. This
component needs the SNMP service (a Windows component) to be installed on the computer. If the SNMP service
is absent from the computer, the SNMP agent will not be shown in the list of Administration Server components
during the installation.
The Mobile devices support option adds the components necessary for managing Kaspersky Endpoint Security for Mobile via Kaspersky Security Center. Detailed information is available in course KL 010.10.
These are the components of the Kaspersky Security Center that can be selected in the Administration Server
installer. Other components can be installed from the installation shell.
Installation path
Under the list of components, you can change the location of Administration Server program files. If the only reason
for relocation of program files is their volume, consider moving only the shared folder. It can be relocated
independently of the program files, and it takes up much more space than the other program files.
Also remember about the %ProgramData%\KasperskySC folder that contains the backup copies of
the Administration Server. These copies consume much space, up to several gigabytes, depending on the settings.
The Network Agent operates under the Local System account. The automation object operates under the Network
Service account.
The first three services run under another account created during the installation. It is named KlScSvc and is similar to KL-AK-*, meaning it is a local account granted permissions equivalent to administrative ones, less the right to log on locally.
The installation wizard allows selecting another account instead of KlScSvc.
SQL server
Requirements for SQL server
Administration Server uses a database for which an SQL server is necessary. The following versions of SQL servers are supported:
- Microsoft SQL Server Express
    - 2005 32-bit
    - 2008 32-bit (is included in the distribution)
    - 2008 R2 64-bit
    - 2012 64-bit
    - 2014 64-bit
Kaspersky Security Center installer tests connection to Microsoft SQL server before the installation starts. Also,
during the installation the installer connects to the Microsoft SQL server and creates a database for
the Administration Server.
The installer operates under the account of the user who runs it. Generally, installation should be started under an account allowed to create databases on the Microsoft SQL server. In some organizations, however, administrators' rights are strictly separated and include only the minimum permissions necessary for their job. A security administrator may not have the permissions for database creation. In that case they can specify the name of an empty database that the database management system administrator has created on the specified server on request; the Write permission for that database is then enough for the security administrator.
For the Administration Server to be able to work with a remote Microsoft SQL server, specify its name and address
in the installation wizard. The installer can automatically detect available Microsoft SQL servers. To view them,
click the Browse button. However, the necessary Microsoft SQL server may not be detected automatically. If this is
the case, the administrator enters the server and instance names manually.
Even if the Microsoft SQL server name and address are specified correctly, and a Microsoft SQL server
administrator account is used for access, the installer may fail to establish connection. The possible reasons include:
- Windows firewall: by default, it blocks access to Microsoft SQL server ports. Create rules allowing these ports
- Simple File Sharing or User Account Control: hampers correct authentication of the administrator; if simple file sharing is used, all users connected over the network are granted guest privileges
- Microsoft SQL Server Browser service: if it is not started, remote connections to Microsoft SQL server may fail. In Microsoft SQL Server 2005 / 2008 / 2008 R2 / 2012 / 2014, it is disabled by default
- Microsoft SQL server settings: by default, Microsoft SQL Server 2005 / 2008 / 2008 R2 / 2012 / 2014 allows only local access. Enable remote access over TCP/IP
MySQL Server
Connecting to a MySQL server is simpler. Specify server address and port, and administrator name and password
explicitly. Make sure remote access to MySQL server is allowed and the connection port (usually 3306) is not
blocked by the local firewall.
Since MySQL server itself, not Windows, is responsible for the authentication, neither the permissions of the account used for installation nor simple file sharing enabled on the MySQL server host matter.
The Check connection button tests the ability to connect to the MySQL server with the specified parameters, and
also checks whether the MySQL server version meets the system requirements.
Shared folder
By default, the installer creates the shared folder of the Administration Server in the folder with program files. The local name of this folder is Share, and the network name is KLSHARE. The shared folder contains update files and installation packages, including standalone install packages (if created).
Right after the installation and initial setup, the shared folder takes up about 400 MB. Its size may increase up to several gigabytes depending on how Kaspersky Security Center is used. That is why it might be worthwhile to place the shared folder of the Administration Server on a drive other than the system drive.
The location of the shared folder can be changed later via the Administration Console.
Connection ports
Administration Server accepts connections from the Network Agents on two TCP ports: one for encrypted SSL
connections, the other for non-encrypted ones. By default, all connections are encrypted in Kaspersky Security
Center, so only the SSL port is used. The other port might be used only if the administrator disables connection
encrypting for troubleshooting purposes.
The default ports are:
- 13000 for SSL connections
- 14000 for non-SSL connections
If you plan to use other ports instead of the default ones (for example, for security reasons or because of network
restrictions), it is better to introduce these changes when installing Kaspersky Security Center. Modifying the ports
after the client computers are connected to the server is possible, but takes much time.
In addition to these two ports, Kaspersky Security Center uses several other ports for various purposes. They cannot
be selected in the installation wizard, but you can modify them later in the Administration Server settings. One of
the additional ports is TCP 13291 that is used for accepting Administration Console connections. Web server and
activation proxy server services use 4 more ports.
To be able to establish SSL connections, the Administration Server generates a new certificate valid for 10 years
during the installation. To save and restore the certificate after failures or after Administration Server reinstallation,
use the backup procedure (see Unit IV Maintenance).
Connection address
The client computers where the Network Agent is installed will connect to the Administration Server using
the address and port specified during the installation.
The Server address can be specified in the form of an IP address (IPv4 only), DNS or NetBIOS name. The choice depends on the network configuration. Even though an IPv6 address can't be specified, Network Agents can connect to the Administration Server via IPv6 if the Administration Server address is specified as a NetBIOS or DNS name.
If the Administration Server has a static IP address that will not be changed in the near future, it is the best choice.
In this case, the ability to connect depends only on the routers, not on the name resolution system.
If the IP address is assigned dynamically (or is static but is changed often), you should not use it as the connection
address, as you will need to modify the client connection settings often. In this case, it is better to specify the server
name: either DNS or NetBIOS. If the DNS service reliably functions in the network, use the DNS name as DNS
name resolution is not usually blocked by local firewalls.
NetBIOS name resolution is based on broadcast queries and answers, which may be blocked by local firewalls.
Therefore, the NetBIOS name should only be used for connections if the other methods are unable to be used.
After the installation, the Server connection address can be changed in the properties of Network Agent installation
package. The default Server connection address, which will be automatically added to new Network Agent
packages, is specified in the properties of the Advanced | Remote installation | Installation packages node.
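The connection address and the connection ports are, as the text notes, awkward to change once Network Agents are connected, so a pre-installation check is worth doing. The Python script below is an added example (not part of the course or of Kaspersky Security Center) that classifies a candidate address as IPv4, DNS or NetBIOS, rejects IPv6 literals, flags the NetBIOS broadcast caveat, and probes whether the chosen TCP ports are already taken on the local host. The name heuristics, the bind-based probe and all function names are assumptions of this example; the port numbers 13000, 14000 and 13291 are the defaults named above.

```python
"""Added example, not code from the course or from Kaspersky Security Center:
a pre-installation check of the two settings the text says are costly to change
after deployment, the Administration Server connection address and its ports."""
from __future__ import annotations

import ipaddress
import re
import socket

# Default TCP ports named in the course text.
DEFAULT_PORTS = {"ssl": 13000, "non_ssl": 14000, "console": 13291}

# Name heuristics are assumptions of this example, not rules of the installer:
# a NetBIOS name is a single label of up to 15 characters, a DNS name has dots.
_NETBIOS_RE = re.compile(r"^[A-Za-z0-9_-]{1,15}$")
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DNS_RE = re.compile(rf"^(?=.{{1,253}}$)(?:{_LABEL}\.)+{_LABEL}\.?$")


def classify_address(value: str) -> str:
    """Return 'ipv4', 'dns' or 'netbios' for a candidate connection address.

    An IPv6 literal raises ValueError: the wizard accepts IPv4 literals only, and
    Agents reach the Server over IPv6 only when a DNS or NetBIOS name is used."""
    value = value.strip()
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.version == 6:
            raise ValueError("IPv6 literal is not accepted; use a DNS or NetBIOS name")
        return "ipv4"
    if _DNS_RE.match(value):
        return "dns"
    if _NETBIOS_RE.match(value):
        return "netbios"
    raise ValueError(f"not a usable connection address: {value!r}")


def ports_in_use(ports: dict[str, int], host: str = "127.0.0.1") -> list[str]:
    """Names of the ports that something on this host already listens on.

    Each port is probed by trying to bind a TCP socket to it; a bind failure
    means the port is taken and should be changed now, at installation time."""
    busy = []
    for name, port in ports.items():
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
            try:
                probe.bind((host, port))
            except OSError:
                busy.append(name)
    return busy


def plan_connection_settings(address: str, ports: dict[str, int] | None = None) -> dict:
    """Summarise what the chosen address and ports imply before the wizard is run."""
    ports = DEFAULT_PORTS if ports is None else ports
    kind = classify_address(address)
    warnings = []
    if kind == "netbios":
        warnings.append("NetBIOS resolution relies on broadcasts that local firewalls may block; prefer a DNS name")
    if kind == "ipv4":
        warnings.append("make sure the IPv4 address is static; a changing address forces Network Agent reconfiguration")
    for name in ports_in_use(ports):
        warnings.append(f"port {ports[name]} ({name}) is already in use on this host; pick another port now")
    return {"address": address, "address_kind": kind, "ports": dict(ports), "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample addresses; the first two are placeholders, not real hosts.
    for candidate in ("10.0.5.20", "ksc-srv.corp.example", "KSC-SRV"):
        report = plan_connection_settings(candidate)
        print(report["address_kind"], candidate, *report["warnings"], sep="\n  ")
```

Run it on the future Administration Server host before starting the installer; a port reported as busy is the cue to choose a non-default port in the wizard rather than after the Agents are deployed.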
Management plug-ins
The distribution kit of Kaspersky Security Center includes the management plug-ins for all current versions of
Kaspersky Lab products. The custom installation enables the administrator to select the plug-ins of the products that
are used or will be used in the network. The plug-ins can also be installed later from the Kaspersky Security Center
installation shell. Plug-in installers are also included in the distributions of the corresponding products.
Every plug-in is installed by its own short installation wizard. Some plug-ins are installed automatically, while others require the administrator's attention, for example, to accept the license agreement.
If a product has been upgraded to a new version with a new plug-in, the old plug-in can be uninstalled.
The following knowledgebase article explains how to remove unnecessary plug-ins:
http://support.kaspersky.com/faq/?qid=208280749
Installation results
If you select the Custom option when starting the wizard, but agree to the default settings on all wizard pages, the result will be the same as with the Typical option:
- Kaspersky Security Center is installed; specifically, the Administration Server, Network Agent and Administration Console
- SQL server: a local instance of Microsoft SQL Server 2008 R2 SP2 Express is installed, which is included in the distribution kit of Kaspersky Security Center; the instance is named KAV_CS_ADMIN_KIT, and the database name is KAV
- Program files of Kaspersky Security Center are located in the %Program Files%\Kaspersky Lab\Kaspersky Security Center folder (2)
- Data files of Kaspersky Security Center are located in the %ProgramData% folder, mainly in the %ProgramData%\KasperskyLab\adminkit directory
- Another folder is created, %ProgramData%\KasperskySC\SC_Backup, where backup copies of the Administration Server are copied by default
- The following services are created:
- KLAdmins and KLOperators security groups are created (their purpose is described in detail in course KL 302.10)
- The following user accounts are created:
    - KL-AK-*: a local account for starting the Kaspersky Security Center Administration Server service; it is included in the local KLAdmins group and has broad permissions (comparable to administrative) on the computer
    - KlScSvc: an account for starting the Kaspersky Lab Web Server, Kaspersky Security Network proxy server and Kaspersky Activation Proxy services; it has the same properties as the KL-AK-* account
    - KlPxeUser: a service user for the Systems Management functionality (see course KL 009.10 for details)
- The shared folder of Administration Server: the Share subdirectory of the program files folder (its share name is KLSHARE)
(2) On 64-bit systems, program files are installed into the %ProgramFiles(x86)% folder.
Administration Server connection address is selected as the DNS name of the computer
Administration Server connection ports are chosen as follows:
Management plug-ins
Installation packages
Note that after the installation the Kaspersky Security Center Network Agent service is started under the Local System
account, while the Kaspersky Security Center automation object service runs under the Network Service account.
Most of these settings can be modified either during the custom installation, or in the product settings after
the installation is finished, or both ways. However, some of the settings cannot be edited at all after the product is
installed; some others are very difficult to change. You should consider them very carefully before the installation:
1. The path to data files cannot be modified at all, which complies with Microsoft requirements
2. The path to the program files, as well as the SQL server address, cannot be modified unless you reinstall
Kaspersky Security Center
3. The type of SQL server (Microsoft or MySQL) cannot be modified at all, at least not in any supported way
Notifications
The next step is the e-mail notification and report delivery setup. To have notifications about important events sent
to the administrator's mailbox, specify the e-mail address and SMTP server parameters (address, port and, if
necessary, authorization data). The specified parameters will be used for both notifications and reports.
By default, event notifications are not sent. To receive information about events by e-mail, turn on notifications
in the event properties. The parameters of Kaspersky Security Center events are available in the Administration
Server properties, and the parameters of Kaspersky Endpoint Security events in the Kaspersky Endpoint Security
policy.
If the notification parameters are left blank, the wizard will not create the Send reports task. If they are filled in,
the wizard will create the task and configure it to send the report about protection status to the administrator on
a weekly basis.
The wizard does not check correctness of the specified settings, but allows the administrator to do it with the Notify
with message button. A test message will be sent to the specified recipient. If the wizard fails to connect to the
SMTP server or fails to authenticate, the corresponding error will be displayed. Then it is up to the administrator to
check the inbox and make sure that the message is actually there.
Default exclusions
In the other window, the administrator can choose the default exclusions from scanning. There are two options that
help to create recommended exclusions for workstations and servers according to Microsoft and Kaspersky Lab
guidelines. They are enabled by default.
Additionally, there are exclusion templates for remote management software. These templates should be enabled if
the listed software is used in the company. Otherwise, remote management using this software may be partially
disrupted by Kaspersky Endpoint Security.
Proxy server
The last step that prompts the administrator for data contains proxy server settings for the Internet access.
The Administration Server connects to the Internet to download updates and communicate with KSN servers of
Kaspersky Lab. Both features use common proxy server parameters.
The settings are rather typical: the address, the port, optional user name and password for authorization, and
an option to bypass proxy server for local addresses.
Wizard completion
The task that downloads updates to the repository starts immediately after the proxy server settings are selected, so that
client computers can receive current updates. It also downloads the information necessary for vulnerability scanning
and the categorization information necessary for the control components. The Quick Start wizard displays the task
progress, but you don't need to wait for it to finish. If you proceed to the following page of the wizard, updating will
continue in the background.
The last page of the Quick Start wizard displays the check box that allows starting the remote installation wizard for
deploying Kaspersky Endpoint Security on the network computers. This check box is selected by default, but it is
preferable to adopt a deployment plan and stick to it rather than rush into action.
If necessary, the administrator can start the Quick Start wizard again from the shortcut menu of the Administration
Server. In this case the wizard will create only the tasks and policies that are missing.
Kaspersky System Health Validator is a component that provides interaction of Kaspersky Security Center and
Microsoft Network Access Protection. With this component, the network access protection system Microsoft NAP
defines the access level taking into account the Kaspersky Endpoint Security status. Kaspersky Security Center SHV
is similar to Kaspersky Lab Cisco NAC Posture Validation Server: both of them provide integration with external
network access control systems. Kaspersky Security Center 10 is able to provide network access control by itself
too. For details, refer to course KL 009.10: Systems Management.
The Exchange ActiveSync and iOS MDM Mobile Device Server components are designed for managing mobile
devices: smartphones, tablets, etc. Mobile device management is described in course KL 010.10.
All of the above components can be installed from the installation shell of Kaspersky Security Center, which also
allows installing plug-ins for the Administration Console.
The Web Console is not included in the Kaspersky Security Center 10 distribution and should be downloaded
separately. The Web Console provides somewhat limited management options via a web browser and is useful in
some deployment scenarios.
Administration Console
Use
The Kaspersky Security Center Administration Console enables you to remotely work with the Kaspersky Security
Center Administration Server: view reports, modify settings, run tasks, etc.
The Administration Server can accept connections from the Consoles on port 13291. The remote console interface is
absolutely the same as that of the local Kaspersky Security Center console.
The Administration Console is not the only method of managing the Administration Server remotely. Many
administrators prefer to connect to the remote desktop of the computer where the Administration Server is installed
and work within the local console.
Remote desktop connection uses port 3389. This remote management alternative tends to generate more traffic than
the remote Administration Console. On the other hand, an Administration Console requires installation and supports
only Windows, while remote desktop access does not involve installation of additional tools and is platform-independent.
Here we mean the built-in Windows remote desktop. There are also many alternative tools with similar capabilities that connect using other
protocols and ports. For example, programs based on the VNC protocol usually employ port 5900.
An Administration Server is often installed on a virtual machine. In this case, the virtual computer desktop can be
accessed via the console of the corresponding virtual infrastructure.
Installation requirements
The Administration Console can be installed under the same operating systems as Administration Server.
Since the Administration Console is an MMC snap-in, Microsoft Management Console 2.0 or later must be installed
on the computer. This requirement is automatically met on all supported operating systems.
Windows Installer 4.5 is also necessary for the installation.
Internet Explorer 7 or later is necessary for correct representation of the Administration Server interface on
Windows XP/Vista/2003/2008/2008 R2. Internet Explorer 8 or later is required on Windows 7. Internet Explorer 10
or later is required on Windows 8 and 10. On Windows 10, the Microsoft Edge browser is also sufficient. If the
computer doesn't have the appropriate browser version, the interface may be represented incorrectly.
Hardware requirements for the Administration Console are as follows:
Processor: 1 GHz or higher for 32-bit systems; 1.4 GHz or higher for 64-bit systems
512 MB of RAM
1 GB of free hard drive space
Installation
The Console installer can be launched from the Kaspersky Security Center installation shell.
The installation wizard allows modifying only the default location of the program files folder:
%ProgramFiles%\Kaspersky Lab\Kaspersky Security Center Console.
Also, the installation wizard will prompt you to accept the license agreement and inform you about the start of
the installation of the necessary components and the console.
The console distribution includes the complete set of management plug-ins for all Kaspersky Lab products, but
installs only the plug-ins for managing Kaspersky Security Center components and Kaspersky Endpoint Security 10
Service Pack 1 Maintenance Release 2 for Windows. Custom installation is not available. The missing plug-ins can
be installed later from the installation shell of Kaspersky Security Center or from the folder.
Certificate
Encrypted connections are established over SSL. The authentication phase relies on the Administration Server
certificate. A new certificate is generated when the Administration Server is installed and is used for authentication
on every encrypted connection. This certificate is valid for 10 years.
A certificate with a 1024-bit RSA key is created by default. You can also create a certificate with a 2048-bit key. To achieve this, start the
Administration Server installation with the /vSERVERCERT2048BITS=1 parameter.
When the first encrypted connection is established, the Console computer does not yet have the Server certificate, so
authentication is impossible. The easiest way out is to download the certificate from the Server and use it for
further connections. In this case, the certificate guarantees that the Console connects to the same Server from which
the certificate was downloaded.
To avoid server substitution at the first connection, the administrator can copy the Server
certificate to removable media and specify its path when prompted for it. The server certificate, named klserver.cer, is
located in the %ProgramData%\KasperskyLab\adminkit\1093\cert folder. This folder may also contain other
certificates that are necessary for managing mobile devices.
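The check an administrator would run before trusting a first connection, as an added PowerShell example that is not part of the course or of Kaspersky Security Center: it reads the klserver.cer copied out-of-band from the Server, compares its thumbprint with the copy the Console computer saved, and flags a 1024-bit key or an approaching expiry. The Console-side path and the computer names are assumptions.

```powershell
# Added example (not from the course or the product): inspect and compare Administration Server certificates.
# klserver.cer and its folder are named in the course text; the Console-side copy path is assumed.

function Get-KscServerCertificateInfo {
    param([Parameter(Mandatory)][string]$Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    # RSA public key via the extension method, which works in Windows PowerShell 5.1 and PowerShell 7
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

    [pscustomobject]@{
        Path       = $Path
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint      # SHA-1 fingerprint; this is what you compare out-of-band
        KeyBits    = if ($rsa) { $rsa.KeySize } else { 0 }
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter        # the generated certificate is valid for 10 years
        DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
}

function Test-KscServerCertificate {
    # Returns $true only when both copies have the same thumbprint and the key is at least 2048 bits.
    param(
        [Parameter(Mandatory)][string]$ServerCopy,   # klserver.cer taken directly from the Server
        [Parameter(Mandatory)][string]$ConsoleCopy   # certificate the Console saved on its first connection
    )
    $a  = Get-KscServerCertificateInfo -Path $ServerCopy
    $b  = Get-KscServerCertificateInfo -Path $ConsoleCopy
    $ok = $true

    if ($a.Thumbprint -ne $b.Thumbprint) {
        Write-Warning "Thumbprint mismatch: Server $($a.Thumbprint) vs Console $($b.Thumbprint); the Console may have trusted a substituted server."
        $ok = $false
    }
    if ($a.KeyBits -lt 2048) {
        # The default certificate has a 1024-bit key; the installer parameter /vSERVERCERT2048BITS=1 requests 2048 bits.
        Write-Warning "RSA key is only $($a.KeyBits) bits; consider reinstalling with /vSERVERCERT2048BITS=1."
        $ok = $false
    }
    if ($a.DaysLeft -lt 365) {
        Write-Warning "Certificate expires in $($a.DaysLeft) days ($($a.NotAfter)); plan the renewal."
    }
    $ok
}

# Usage (paths constructed for this example):
$server  = 'C:\ProgramData\KasperskyLab\adminkit\1093\cert\klserver.cer'   # folder named in the course
$console = 'D:\transfer\klserver.cer'                                      # assumed: copy carried to the Console computer
Get-KscServerCertificateInfo -Path $server | Format-List
Test-KscServerCertificate -ServerCopy $server -ConsoleCopy $console
```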
This list includes most Windows versions from Windows XP SP3 / Windows Server 2003 SP2 to Windows 10 /
Windows Server 2012 R2.
An important thing to remember is that Datacenter editions of Windows Server are not supported. Kaspersky
Security for Windows Server is designed for their protection.
Kaspersky Endpoint Security 10 Service Pack 1 for Windows can be installed on the following hardware platforms:
On Citrix PVS, Kaspersky Endpoint Security must be installed with the /pCITRIXCOMPATIBILITY=1 command
line switch.
To install Kaspersky Endpoint Security, administrator permissions are necessary; protection tools by other
manufacturers must be uninstalled from the computers.
General hardware requirements for Kaspersky Endpoint Security 10 Service Pack 1 are as follows:
CPU: 1 GHz
RAM: 1 GB
Available disk space: 2 GB
Internet Explorer 7.0 and Windows Installer 3.0 are also necessary for the installation.
The absolute bare minimum of RAM for the installation is 384 MB for Windows XP and embedded versions of Windows, and 768 MB for the other
versions.
Installation method
The wizard always tries to install products using the Network Agent. If the Network Agent is not yet installed on
the computer, installation using Windows tools is tried. Both these methods are described further in this chapter.
If both Kaspersky Endpoint Security and Network Agent are to be installed on the computer, the wizard first installs
the Network Agent using Windows tools, and then installs Kaspersky Endpoint Security 10 using Network Agent.
Key
Kaspersky Endpoint Security, unlike the Network Agent, needs activation to operate properly. In the installation
wizard, you can explicitly select which code or key should be used to activate the product from the list of codes and
keys added to the Kaspersky Lab licenses storage of the Administration Server. If necessary, you can add another
code or key to the repository without quitting the wizard.
This step can be skipped if the repository contains a code or a key configured to be distributed automatically. It will
be automatically installed on all computers where Kaspersky Endpoint Security needs to be activated. Activation is
described in detail in Unit IV Maintenance.
Computer restart
The wizard offers to select restart parameters; however, in most cases neither the Network Agent nor Kaspersky
Endpoint Security 10 installation requires restarting the computer. The Network Agent installation almost never
requires it. During Kaspersky Endpoint Security installation, the necessity to restart arises if another protection
program has been installed on the computer.
The default choice, Prompt user for action, is all right for workstations. When installing the product on servers, we
recommend selecting Do not restart the computer. On a server, a user is unlikely to be present, so no one would respond
to the prompt.
The restart parameters are described in more detail later in this chapter.
Cannot be disabled using the interface settings. There is a command-line parameter that disables detecting incompatible programs; if
necessary, it can be added to the package description file for remote installations.
Computer relocation
As a result of installing the Network Agent and protection tools, computers become manageable. That is why if
computers, not groups, are selected, the wizard will ask whether it is necessary to relocate the computers to
an administration group, and if yes, into which one.
The managed computers must be included in administration groups for tasks and policies to be applied to them. If
a computer has the Network Agent installed, but is not included in an administration group, it will neither send its
events to the Administration Server, nor will it be included in the reports, nor use the centralized settings specified
by the administrator. It is manageable only nominally. De facto it is not.
The selection affects only unassigned computers. If both unassigned and managed computers are on the installation
list, the managed ones will remain in their groups. This step is displayed only if Network Agent is installed together
with Kaspersky Endpoint Security 10.
Selecting account
Initially, the Network Agent is installed by Windows tools and needs an account for accessing the target computers.
The deployment wizard allows you to specify several accounts, in case different administrator passwords are used
on the target computers. The installer tries the accounts in succession. If the first account has insufficient privileges,
the next one is tried, and so on.
Before the specified accounts are tried, the installer attempts to act on behalf of the Administration Server service
account, which you don't actually see on the account list. However, if the administrator used the default settings
when installing the server, the server service account cannot be used for remote installation. With default settings,
the server service starts on behalf of the KL-AK-* account, which is created automatically and receives the rights of
a local administrator (not literally, but effectively the same). It has no rights on remote computers.
So, in most cases you have to explicitly specify accounts for accessing the target computers. In a domain
environment, a domain administrator account is the best choice for remote installations. In large companies, there is
usually a special account for remote installations, or the IT personnel accounts have the necessary rights.
To view the task log, click the View results link under the statistics on the task page. The upper part of the results
window contains the list of all target computers and the current task status for every one of them; and the lower part
shows the task log for the selected computer.
The task log contains the history of each task status change on the computer. The status can be the same, while its
description may vary. For example, an installation task log usually contains several records of the Running status,
where the first one informs of starting file copying to the remote computer, the second one of starting the installer,
and the third one of the installation completion.
The typical installation history of a computer shows that first the Network Agent is installed, and then Kaspersky
Endpoint Security. To install the agent, its files are copied into the admin$ shared folder on the computer, and then
the Administration Server waits for the connection with the installed Agent to start the installation of Kaspersky
Endpoint Security.
Installation specifics
Installation using Windows tools
This term implies the following sequence of actions:
The Administration Server copies installation files over the network into the admin$\Temp shared folder
on the remote computer (i.e. \\COMPUTER\Admin$\Temp)
The Administration Server sends the command to start the copied setup.exe file with the necessary
parameters over RPC (Remote Procedure Call protocol)
TCP ports 139 and 445 are used for copying, and TCP port 135 for starting. The operations are performed either
on behalf of the Administration Server service account, or on behalf of the accounts specified by the administrator in
the installation wizard.
Possible obstacles
An installation using Network Agent is usually trouble-free. If the Agent can connect to the Administration Server,
it can usually download the files and install the product.
An installation failure using Windows tools is typically related to access problems. The Windows operating system
does not allow just anyone to remotely copy files and start programs on the computer. There are
several obstacles here.
Windows Firewall blocks access to shared files and printers by default on the computer. In the task details,
the access error is explained by the failure to connect to the computer over the network. In some cases,
the Administration Server cannot resolve the computer name into its IP address; this information is also logged in
the installation task details.
User Account Control in Windows Vista / 7 / 8 / 10 prompts the user to confirm the action, which is impossible to
do remotely, and consequently the files are not copied. The task returns an error of insufficient rights for accessing
the folder.
The Simple File Sharing setting in Windows XP has the same effect. In this mode, all users connected over
the network receive guest rights. The result is insufficient rights for copying the files.
Sometimes the insufficient access rights error arises because the administrator either did not specify a user account
having administrator permissions on the computer in the remote installation wizard or mistyped the password.
There are also two rather unusual obstacles that need attention:
The Server service is not installed or is not started. Without this service, shared files and folders cannot be
accessed
An account with an empty password is used for the installation. Windows security policy by default denies
network access to the user accounts with empty passwords, even administrators
In both cases, the task returns the same error of insufficient rights to access the shared folder.
You can see that various obstacles result in the same installation task problems. Usually, they cannot be solved
remotely since most of them are related to the local computer settings. An installation error often means that
the remote installation using Windows tools is impossible on the computer. Another method should be tried.
Obviously, this does not apply to those situations when the computer is temporarily turned off, or when
the administrator mistyped the user name and password.
This approach does not work for remote installation on a server with the Remote Desktop Services (Terminal Services) role. On these
servers, the local system account has no administrative permissions. We recommend that you manually install Kaspersky Security for
Windows Server on terminal servers.
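A pre-flight check for the obstacles listed above, as an added PowerShell example that is not from the course or from Kaspersky Security Center: run from the Administration Server, it tests name resolution, the ports used for copying (139/445) and starting (135), the Server service, and whether the given account can actually write to Admin$\Temp, then maps the symptoms to the causes the text describes. The computer name and account are constructed; Get-Service -ComputerName requires Windows PowerShell 5.1.

```powershell
# Added example (not from the course or the product): is a target ready for "installation using Windows tools"?

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }   # filtered, or host is off
        $client.EndConnect($handle)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-KscRemoteInstallTarget {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [pscredential]$Credential        # account with local administrator rights on the target (optional)
    )
    $r = [ordered]@{ Computer = $ComputerName }

    # 1. Name resolution: the task details log a failure here as an inability to resolve the computer name.
    try {
        $r.Address = ([System.Net.Dns]::GetHostAddresses($ComputerName) |
                      Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1).IPAddressToString
    } catch { $r.Address = $null }

    # 2. Ports the Server needs: 139/445 to copy into admin$\Temp, 135 to send the RPC start command.
    foreach ($p in 135, 139, 445) { $r["Tcp$p"] = Test-TcpPort -ComputerName $ComputerName -Port $p }

    # 3. Server service (LanmanServer): without it the Admin$ share does not exist. Queried over RPC/SCM.
    try {
        $r.ServerService = (Get-Service -Name LanmanServer -ComputerName $ComputerName -ErrorAction Stop).Status.ToString()
    } catch { $r.ServerService = 'unknown' }

    # 4. Can the account write to Admin$\Temp? UAC remote restrictions, Simple File Sharing, an empty
    #    password or a mistyped password all surface here as "access denied".
    $drive = @{ Name = 'KscCheck'; PSProvider = 'FileSystem'; Root = "\\$ComputerName\Admin`$\Temp"; ErrorAction = 'Stop' }
    if ($Credential) { $drive.Credential = $Credential }
    try {
        New-PSDrive @drive | Out-Null
        $probe = Join-Path 'KscCheck:' ("ksc_preflight_{0}.tmp" -f [guid]::NewGuid())
        Set-Content -Path $probe -Value 'ksc preflight' -ErrorAction Stop
        Remove-Item -Path $probe -ErrorAction SilentlyContinue
        $r.AdminShareWritable = $true
        $r.AdminShareError    = ''
    } catch {
        $r.AdminShareWritable = $false
        $r.AdminShareError    = $_.Exception.Message
    } finally {
        Remove-PSDrive -Name 'KscCheck' -ErrorAction SilentlyContinue
    }

    # 5. Map the symptoms to the obstacles described in the course.
    $r.Verdict = if (-not $r.Address) { 'name resolution failed: fix DNS or use the IP address' }
        elseif (-not ($r.Tcp445 -or $r.Tcp139)) { 'file sharing unreachable: Windows Firewall or Server service' }
        elseif (-not $r.Tcp135) { 'RPC unreachable: setup.exe could not be started remotely' }
        elseif ($r.AdminShareWritable) { 'ready for installation using Windows tools' }
        elseif ($r.ServerService -eq 'Stopped') { 'Server service stopped: Admin$ share unavailable' }
        else { 'Admin$ not writable: check the account, UAC remote restrictions, Simple File Sharing or an empty password' }

    [pscustomobject]$r
}

# Usage (constructed names): run on the Administration Server, supplying an account that is a local administrator on the target.
Test-KscRemoteInstallTarget -ComputerName 'WS-042.corp.example' -Credential (Get-Credential 'CORP\ksc-deploy') | Format-List
```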
riprep.exe relieves the administrator of investigating why the Administration Server cannot access the admin$
folder. The utility removes most potential obstacles.
Sometimes, system administrators e-mail the utility to the users for them to prepare the computers for remote
installation. This will only work if the users have local administrator rights.
If the users do not have local administrator permissions, the system administrators must already have a mechanism
for deploying programs to the computers.
User Account Control settings are also located there, at the end of the list. If necessary, you can disable UAC.
Windows XP Firewall parameters are located in Computer Configuration, Administrative Templates, Network,
Network Connections. In the Windows Firewall parameters, allow the file and printer sharing exception in
the domain profile.
Windows Vista / 7 / 8 / 10 Firewall parameters are located in: Computer Configuration, Policies, Windows
Settings, Security Settings, Windows Firewall with advanced security. Here, creating the necessary exception is
more difficult. You can open the necessary ports, or export the necessary rules from the local Firewall settings and
import them into the policy, but usually it is easier to disable the firewall for the domain profile.
The Network Agent can detect incompatible applications and inform the Administration Server about them. This
information is available in the computer properties: System Info, Applications registry. The Network Agent
reports all installed programs, not just the incompatible ones, but in the computer properties window you can select
to view incompatible applications only.
To view information about incompatible applications on all managed computers, open the corresponding report on
the Reports tab of the Administration Server node.
To uninstall incompatible applications, select the Kaspersky Security Center Administration Server | Advanced |
Uninstall application remotely task type in the task creation wizard.
This task is used in various scenarios concerning uninstallation of programs and service packs. Here, we are
interested in the Uninstall incompatible application option.
After this step, specify the name of the incompatible application to be uninstalled. You can select several programs
or even all of them. This increases the task run time though, because such a task executes, step by step, the uninstall
scripts for all the selected programs.
The uninstallation task also has computer restart parameters. The restart is often necessary to finish
the uninstallation. By default, the user is prompted to restart the computer. If they choose to postpone the restart,
the prompt reappears every 5 minutes, and in half an hour the restart is forced.
The administrator can modify these intervals and the message text. If the administrator selects a forced restart,
the user's data may be lost. Another alternative is to wait for a regular restart, which may happen, for example,
the next morning; however, the task will remain uncompleted for a while.
The administrator should also select the target computers. The available options include:
Picking computers from the Managed computers group and the Unassigned devices node
Typing the names or addresses of the computers
Specifying a computer group name
Pointing to a selection of computers
The last option is convenient for computers that can be defined by conditions relatively easily, e.g., computers
where incompatible applications are detected.
The task creation wizard also prompts for the account. In our scenario, the account is not necessary, because
Network Agent is already installed on the computers and will run the uninstallation task under the local system
account. The account does need to be specified if the task is run either on computers without a Network Agent, or on
computers where the Network Agent has no administrator permissions.
At the last steps of the wizard, select the schedule, task name, and whether to start the task immediately. Once
the incompatible programs are uninstalled, Kaspersky Endpoint Security can be deployed by running the remote
installation wizard or an automatic installation task, which are described later in this chapter.
The wizard suggests that the administrator takes one of the following actions:
Open the folder containing the package: for example, to copy it to a flash drive
E-mail users an invitation to run the package: Administration Server starts the default e-mail client and
automatically fills in the message subject and body, providing a link to the package located in the shared
folder; the only thing the administrator has to do is to specify the recipient addresses
Place a link to the package on a web resource: a text window opens, which contains the HTML code of
the link to the package that can be added to a web page
Later, the list of created standalone packages can be opened from the Installation packages node within the
Advanced, Remote installation container. You can delete unnecessary packages or send another e-mail message to
the users.
The HTML link offered by the package wizard contains the path to the shared folder on the Administration Server.
If non-domain users who are not registered on the Administration Server try to click it, they will not be able to
access the resource.
The link to the network folder should be replaced with an http link to the package that can be copied from its
properties. There is a built-in web server on the Administration Server where any user can download the package.
Each standalone package gets a unique http link based on the package id. The administrator can find the link in
the package properties in the list of all standalone packages.
If standalone package creation wizard is started for a package repeatedly, the administrator can either re-create
the standalone package or create another one.
Schedule
Kaspersky Security Center allows configuring almost any sensible schedule for an installation task:
Manually: without a schedule
Immediately: right after creation
Once: on the specified day, at the specified time
Every N hours: including every hour
Daily: every N days, at the specified time
Weekly: on the specified weekday, at the specified time
Monthly: on the specified day, at the specified time
On completing another task
As a rule, single launch is used for installation; usually, Manually. The Immediately option can also be used (as in
the deployment wizard), or Once, for example, to run installation on servers at night.
Occasionally, the administrator might want to restart a deployment task, for example, to force deployment to
the computers where the task failed the first time around. This will not cause the reinstallation on the computers
where the task succeeded. If Kaspersky Security Center detects that the packages are already installed on
the computer, the task immediately completes for this computer.
If some of the computers selected for the installation are shut down, but they support the Wake-on-LAN function,
the Administration Server can send the turn-on signal to these computers before running the task. To use this
technology, enable the corresponding option in the installation task's schedule parameters.
You can stop a task after some time. A task might hang in the Running status if the computer is powered off
unexpectedly. With the automatic stop option enabled, the task will be stopped and can be started again later, to
repeat the installation attempt.
Program reinstallation
By default, reinstallation is disabled. The task takes the information about installed programs from
the Administration Server database, not from the computer itself. If the database reports that the Kaspersky Endpoint
Security version installed on the computer is the same as the one the task would install, the task finishes for that
computer with the Program already installed verdict. Conversely, if the database says that Kaspersky Endpoint Security
is not installed on the computer, the installer runs even if the same version is actually present there. A database that
is out of date can therefore produce the wrong verdict in either direction.
In some cases, the administrator may want to reinstall an already installed program; for example, the Network Agent
can be reinstalled to change its connection settings. To perform a reinstallation, clear the Do not install application
if it is already installed check box.
Installing a newer version than the one already installed on the computer is not considered a reinstallation and is
always allowed. Installing an older version is treated as a reinstallation and is regulated by the same option.
If this option is selected, the Administration Server creates a new group in Active Directory named
Kaspersky_AK{GUID} and includes within it the accounts of the computers to which the task applies.
Also, the Administration Server creates a new group policy object of the domain level that is named
Kaspersky_AK{a different GUID} in Active Directory and assigns within it the installation of the Network Agent
MSI package located in the shared folder on the server.
The permission to apply the policy is granted only to the created group which contains the accounts of the target
computers. So, the domain level policy will be applied to the selected domain computers, not all domain computers.
After this, the standard installation is performed. The policy eventually applies to the computers. At the next restart,
computers download the Network Agent MSI package from the shared folder on the Administration Server and
install it. The installation parameters, which include server address and ports, are taken from the answer file located
in the same folder as the MSI package. Thus computers automatically connect to the Administration Server.
If the task is configured to install not only the agent, but also another program, for example, Kaspersky Endpoint
Security, the installation will resume after the agent connects to the server.
The security group and group policy object created by the task persist in the Active Directory until the task is
removed from the Kaspersky Security Center or the Assign Network Agent installation in the Active Directory
group policies option is cleared in the task properties.
The Settings section allows changing the installation folder and also setting the uninstallation password. If
the Network Agent installation folder is not specified explicitly, the standard path is used:
%ProgramFiles%\Kaspersky Lab\NetworkAgent
Agent uninstallation can be protected with a password that can be specified in the package properties. Even users
with administrator permissions will not be able to uninstall the agent using regular tools unless they know
the password. However, users with administrator permissions can make the agent inoperative if they really want to.
The same password protection function is also available in the Network Agent policy.
The Connection section of the Network Agent installation package properties contains the Administration Server
connection parameters. The Network Agent installation wizard prompts for these settings during the local interactive
installation.
The main connection parameters are the Administration Server address and ports. Initially they take the values
specified during the Administration Server installation. If the client computers and Administration Server belong to
different subnets connected via a proxy server, the proxy server parameters can also be specified in the installation
package properties. These standard parameters include the proxy server address and port, and also the user name and
password for authorization. Remember that these parameters will be used by Network Agents when connecting to
the Server, not vice versa.
When it is the Server that initiates a connection to a client computer, for example, to enforce a policy, it uses a UDP
port. So that the Windows Firewall would not block requests on this port, the Network Agent can automatically
create the necessary exception. To modify this behavior, clear the Open Network Agent ports in Microsoft
Windows Firewall check box. By default, Network Agent accepts connections on UDP port 15000. This value can
be changed both in the package properties and later in the Network Agent policy.
Just like the Kaspersky Administration Console, Network Agents may establish encrypted (SSL) or non-encrypted
connections to the Server. By default SSL is enabled. Network Agents automatically download the Administration
Server certificate at their first connection and use it from then on. In networks with strict security requirements,
the certificate can be placed in the package explicitly, so that an agent pointed at an impostor Administration Server
does not simply trust whatever certificate it is handed; this excludes the possibility of Administration Server
substitution.
None of the Network Agent parameters are specified in the deployment wizard. The Network Agent is installed and
connected to the Server using the standard settings from the package.
The advanced parameters of the Network Agent installation package are useful in networks with complicated
infrastructure. These are described in KL 009.10. Systems Management and KL 302.10. Kaspersky Endpoint
Security and Management: Advanced Skills courses.
The Tags section is described later in this unit.
Parameters
Other parameters of the Kaspersky Endpoint Security package duplicate the interactive installation parameters.
The main parameters are the list of components and the program files folder.
The set of components depends on the Installation type parameter. The administrator can select one of the two preset
installation types:
- Basic installation: all components whose names include the word Anti-Virus, plus Firewall, Network Attack
Blocker, System Watcher and Application Privilege Control
- Standard installation: all components except Encryption and BadUSB Attack Prevention
If you need some other configuration, choose the Custom installation type and select the components you want to be
installed. The Encryption and BadUSB Attack Prevention components can only be installed through Custom
installation.
By default, the Standard installation is selected. The administrator may switch between the preset installation types,
or choose Custom installation and select individual components on the list. Remember that some of the components
only work on workstations, while a package can be installed on any supported operating system. On server systems,
only the following components can be installed:
- File Anti-Virus
- Firewall
- Network Attack Blocker
- BadUSB Attack Prevention
Although Application Privilege Control settings will also show up in Kaspersky Endpoint Security on servers,
the component is not actually installed. Kaspersky Endpoint Security won't control application privileges on servers,
e.g., it won't block Untrusted applications there. The reason why Application Privilege Control settings are
visible on servers is that some of these settings are also used by the Firewall component. Application Privilege
Control and Firewall are described in more detail in Units II and III of this course.
In addition to the components, local tasks are installed. They cannot be selected in the package properties and are
installed on all operating systems:
- Updates
- Update rollback
- Virus Scan tasks:
  - Full scan
  - Critical areas scan
  - Custom scan
  - Background scan
  - Scan removable drives on connection
- Integrity check
- Vulnerability scan
Key
Kaspersky Endpoint Security does not work without activation. During an interactive installation, the activation code
or key can be specified in the setup wizard. Remote installation offers several ways of activating the installed
product. One of them is to specify the key file in the installation package properties.
This is a reliable, although not always the most convenient, way of distributing keys. License management is
described in detail in Unit IV Maintenance.
The wizard starts with a choice of the package type. There are three (or four, depending on the Kaspersky Security
Center interface settings) options:
- A package for a Kaspersky Lab application. This package type requires a special package description file,
which is included in the distribution of most Kaspersky Lab applications. A description file can be created
manually, but this is an advanced topic outside the scope of this course.
- A package for an executable file. This package type allows running the specified file (not necessarily
an installer; it could be a script or a utility) on remote computers.
- A package for a 3rd-party application based on the Kaspersky Lab application database. This allows installing
3rd-party applications without the need to look for and manually download their installation files.
The feature is described in course KL 009.10 Systems Management.
The fourth option, which may not be visible depending on the settings, is a package for operating system deployment
based on a disk image. It is also explained in course KL 009.10 Systems Management.
Now, we are interested in the first option. After you select it, the wizard prompts for the package name and the path
to the folder that contains the installation files and the package description file.
Installation files may be unpacked (this is how they are usually supplied on CD), or packed into a self-extracting
archive (in this form they are available for downloading from Kaspersky Lab web site). The package creation wizard
supports both formats. If a self-extracting archive is specified, the wizard will automatically unpack it into
a temporary folder and extract all necessary files.
Installation packages for Kaspersky Lab products are created based on description files having a .kpd or .kud
extension. The files are identical, except for the character encoding: .kpd files use ANSI encoding, while .kud files
are in Unicode. The files contain the product version, the name of the installer, installation parameters, error
descriptions and additional options depending on the application.
A .kpd/.kud file alone is not enough to create a package. It is just a description, not an archive. The description files
are located within the distribution package, and must not be separated from it. To create an installation package
correctly, select the .kpd/.kud file located within the corresponding distribution package. It is a common mistake to
copy just the description file into a separate folder and try to create a package from it. This will not work.
A way to avoid this mistake is to point the wizard to the self-extracting installer of the application downloaded from
the Kaspersky Lab website. This option is not apparent in the wizard though. What you need to do is when prompted
for the description file, change the file type from .kpd/.kud to Self-extracting archive. And then point to the
downloaded installer. The package creation wizard will automatically unpack the specified file to a temporary folder
and extract the description file from it.
After the package description file is selected, the wizard will show the application name and version for you to
check that it is exactly the application you want. At the next step, the wizard may ask to accept the license
agreement.
Then, depending on the application, the wizard may ask for some installation parameters. In the case of Kaspersky
Endpoint Security, the wizard prompts for the installation type: Basic or Standard. This can be modified later in
the package properties, especially if you need a custom selection of components.
To create an installation package for a Kaspersky Lab program, the administrator does not need to search for and
download the installation files. Kaspersky Security Center monitors current versions of Kaspersky Security Center,
Kaspersky Endpoint Security and Kaspersky Security for Windows Server and allows the administrator to create
installation packages right from the distributions available on Kaspersky Lab servers.
In the Installation packages node, there is the Additional actions button, and the View current version of
Kaspersky Lab applications link beneath it. It opens the list of available distributions for various versions and
localizations [11]. The administrator just selects the necessary distribution and clicks the Download applications and
create installation packages button, and the Administration Server completes the job automatically.
Kaspersky Security Center also notifies the administrator about new versions of distributions. When they are issued,
the corresponding message appears on the Monitoring tab of the Administration Server node, in the Deployment
area.
[11] English, French, German and Russian localizations of Kaspersky Security Center, Kaspersky Endpoint Security for Windows and
Kaspersky Security for Windows Server are displayed.
Discovery management
Polling results are shown in the Advanced | Network poll node separately for each discovery method:
- Domains: computers detected during Windows network polling; workgroups and domains are represented
as folders containing computers
- Active Directory: domains and organizational units are represented as folders containing computers
- IP subnets: IP subnets are represented as folders
The discovered computers are also displayed in the Unassigned devices node.
One computer can be shown in more than one detection area. If a computer is detected in the HQ domain and its
address is 192.168.0.1, it will be displayed in both the Domains node and in the IP subnets node in
the corresponding folders.
To modify the poll settings for every method, go to the Advanced | Network poll node and then click the respective
Edit polling settings link. You can also start any type of polling manually on this page.
Full poll
During a full Windows network poll, the Administration Server goes through the list obtained by the quick poll and
tries to connect to every computer over NetBIOS. The purpose of this poll is to identify the computers' IP addresses
and operating systems.
As the number of requests is proportional to the number of computers, the network activity is much higher than
with a quick poll. That is why a full poll is run less often: hourly by default.
IP subnet polling
IP subnet polling is more complicated than it may seem to be. The Administration Server tries to perform reverse
name resolution for every address from the specified range into a DNS name using standard DNS requests. If this
operation succeeds, the server sends an ICMP ECHO REQUEST (the same as the ping command) to the received
name. If the computer responds, the information about it is added in the Server database.
The reverse name resolution is necessary to exclude network devices other than computers, such as network printers,
routers and other devices that can have an IP address but are not endpoints that require protection.
This polling method relies upon a correctly configured local DNS service. It must have a reverse lookup zone. If this
zone is not configured, IP subnet polling will bring no results. At the same time, such a zone is not necessary for
many network services, and is often neglected in small networks. In the networks where Active Directory is used,
such a zone is maintained automatically. But in these networks IP subnet polling does not provide more information
than Active Directory polling. Due to all those complications, IP subnet polling is disabled by default.
Initially, the Administration Server gets IP ranges for polling from the network settings of the computer where it is
installed. If, for example, the computer address is 192.168.0.1 and the subnet mask is 255.255.255.0,
the Administration Server automatically includes the 192.168.0.0/24 subnet to the scan list and polls all addresses
from 192.168.0.1 to 192.168.0.254.
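To make the resolve-then-ping sequence above concrete, here is a small simulation written for this edition of the notes. It is not Kaspersky code and does not talk to a real Administration Server: the PTR table, the set of hosts that answer ping and the names such as ksc-server.hq.example are constructed for the example, and the real DNS query and ICMP echo are replaced by stand-in functions so that it runs offline. It also shows the two failure modes the text describes: a device with an address but no PTR record is never pinged, and an absent reverse lookup zone yields no results at all.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed sample data (not from the course). PTR_RECORDS stands in for
# the reverse lookup zone; NAMES_ANSWERING_PING lists the resolved names
# that answer ICMP echo. 192.168.0.20 answers ping but has no PTR record
# (think of a printer): it is never pinged, because the poll resolves first
# and pings the resolved name. ws-030 has a record but is powered off.
PTR_RECORDS: Dict[str, str] = {
    "192.168.0.1": "ksc-server.hq.example",
    "192.168.0.10": "ws-010.hq.example",
    "192.168.0.30": "ws-030.hq.example",
}
NAMES_ANSWERING_PING = {"ksc-server.hq.example", "ws-010.hq.example"}


def poll_range_from_interface(address: str, mask: str) -> List[str]:
    """Addresses the Server derives from its own interface settings.

    192.168.0.1 with mask 255.255.255.0 gives 192.168.0.0/24; the hosts to
    poll are 192.168.0.1 .. 192.168.0.254 (network and broadcast excluded).
    """
    net = ipaddress.ip_network(f"{address}/{mask}", strict=False)
    return [str(h) for h in net.hosts()]


def poll_range_from_bounds(first: str, last: str) -> List[str]:
    """A manually added range given as its first and last address (inclusive)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if hi < lo:
        raise ValueError("last address precedes first address")
    return [str(ipaddress.ip_address(n)) for n in range(int(lo), int(hi) + 1)]


def reverse_lookup(ip: str) -> Optional[str]:
    """Stand-in for a PTR query (socket.gethostbyaddr) so the example runs offline."""
    return PTR_RECORDS.get(ip)


def icmp_echo(name: str) -> bool:
    """Stand-in for sending ICMP ECHO REQUEST to the resolved name."""
    return name in NAMES_ANSWERING_PING


def poll_subnet(
    addresses: List[str],
    lookup: Callable[[str], Optional[str]] = reverse_lookup,
    echo: Callable[[str], bool] = icmp_echo,
) -> Dict[str, str]:
    """IP subnet polling as the course describes it: resolve first, then ping.

    Returns {ip: dns_name} for every address that both has a PTR record and
    answers the echo request. Addresses without a PTR record are dropped
    before any packet is sent, which is how non-computer devices are
    excluded and also why an empty reverse zone produces no results.
    """
    discovered: Dict[str, str] = {}
    for ip in addresses:
        name = lookup(ip)
        if name is None:
            continue
        if echo(name):
            discovered[ip] = name
    return discovered


if __name__ == "__main__":
    hosts = poll_range_from_interface("192.168.0.1", "255.255.255.0")
    print(len(hosts), hosts[0], hosts[-1])
    print(poll_subnet(hosts))
    # No reverse lookup zone at all: nothing is discovered.
    print(poll_subnet(hosts, lookup=lambda ip: None))
```

The `lookup` and `echo` parameters exist only so the two network steps can be swapped for the constructed tables; in a real check you would pass `socket.gethostbyaddr`-based and ping-based callables instead.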
Configuring subnets
In order to poll subnets to which Administration Server does not belong, you need to add them to the list manually.
You can specify a subnet using either its address and mask, or the first and last IP address of the IP range. Also,
the name of the subnet should be specified.
One subnet can comprise several IP ranges. Additional ranges are configured in the subnet properties. Whereas
named subnets are not allowed to overlap, unnamed ranges inside a subnet have no such restrictions.
You can enable and disable scanning independently for every subnet.
Polling statistics
When the network is polled, the Advanced | Network poll page displays the progress. Detailed information is
available in the Administration Server statistics. There you can find the time of the last poll performed by each
method, polling progress percentage and the name of the polled domain for Windows network polling.
[12] Kaspersky Security Center 10 Service Pack 1 provides the capability to apply different policies (to be more precise, different configuration
profiles) to different computers within the same group. For more details, refer to course KL 302.10.
Managing groups
Creation of groups in the Administration Console is as simple as folder creation in Windows Explorer. First, groups
are created within the Managed computers node. Then you can create new groups either in the same node or inside
the created groups.
In the Administration Console interface, you can use either of the following methods to create a new group:
- Select the Managed computers node or an existing group and click the New group button on
the Computers tab of the group management page
- On the shortcut menu of the necessary node, click New, Group
Enter the name of the group in the displayed dialog window: it will then appear as a subfolder in the structure of
managed computers. Each group page contains tabs for managing the hosts included into the group, group tasks and
group policies.
If a group is no longer necessary, you can delete it on the condition that there are no computers in either the group or
subgroups.
Groups can also be moved within the hierarchy of managed computers. For example, if the structure of groups
reflects physical computer locations and the HR department moves from Building 1 to Building 2, the HR subgroup
can be easily relocated together with its computers from the Building 1 group to the Building 2 group. The task can
be accomplished using traditional Cut and Paste or Drag and Drop methods.
Regardless of the method, you can add only the computers that have been discovered by the Administration Server
after polling the network. Even in the Add client computers wizard, if you specify a name or an address of
a computer that is missing from the Administration Server polling results, the wizard will inform about the inability
to add the unidentified computer.
If a computer exists in the network but cannot be discovered (for example, its firewall allows only outbound
connections), install the Network Agent on it locally. As soon as the Network Agent connects to the Server,
the computer is added to the database.
Importing groups
If the network is large enough and the planned structure of managed computers requires a large number of groups,
creating a hierarchy using the methods described above can be very labor-intensive. In some cases you can use
the automation tools available in Kaspersky Security Center to reduce the amount of work.
If administrators want to arrange the managed computers in the exact same order as their network, to combine them
into the same workgroups or domains and subdivisions, they can use the structure import functionality.
You can import the structure of your Windows network, Active Directory or a structure defined in a text file. In
the first two cases you may import either the entire structure (groups including computers) or just groups. When
importing the topology from a text file, only groups can be created.
Computer import affects unassigned hosts only. If some computers from a workgroup or an Active Directory unit
that is being imported are already present in a group of managed computers, the wizard will not relocate them.
To run the wizard, right-click the Managed computers group and select the All tasks, Create group structure
command on the shortcut menu. In the wizard, specify the structure to be imported and the destination group. For
a structure to be imported from the Windows network or Active Directory, you may disable importing the
computers.
Windows network topology and a structure defined in a text file are always imported completely. When importing
an Active Directory structure, you can select the domain or unit to be imported. The other domains and units will be
ignored.
A structure import via a text file must be prepared manually. Every group or subgroup must be specified on
a separate line within the text file. Subgroups are specified using their full paths. Use the backslash path delimiters,
for example:
Office1\Subdivision1\Department1
Office1\Subdivision1\Department2
Office2
Office3\Subdivision1
If a subgroup path contains groups that do not exist yet, they are created.
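The following example, added here and not part of the course or of Kaspersky Security Center, implements the text-file import described above together with the group operations from the Managing groups section: deletion only of groups that hold no computers, and moving a group together with its subgroups and computers. The Group class, the function names and the sample file are the example's own; the sample file reproduces the path format shown above. It also shows the property stated in the text, that intermediate groups are created on demand and existing groups are left alone, so importing the same file twice creates nothing the second time.

```python
from typing import Dict, List, Optional

# Constructed import file for the example (raw string, so the backslashes
# are exactly as they would appear in the text file).
SAMPLE_IMPORT_FILE = r"""
Office1\Subdivision1\Department1
Office1\Subdivision1\Department2
Office2
Office3\Subdivision1
"""


class Group:
    """One administration group: name, parent, subgroups and computers."""

    def __init__(self, name: str, parent: Optional["Group"] = None) -> None:
        self.name = name
        self.parent = parent
        self.subgroups: Dict[str, "Group"] = {}
        self.computers: List[str] = []

    def path(self) -> str:
        """Backslash-separated path; the root (Managed computers) is omitted."""
        parts, node = [], self
        while node.parent is not None:
            parts.append(node.name)
            node = node.parent
        return "\\".join(reversed(parts))

    def has_computers(self) -> bool:
        return bool(self.computers) or any(g.has_computers() for g in self.subgroups.values())


def import_group_structure(text: str, root: Group) -> List[str]:
    """Create groups from a text file with one full group path per line.

    Returns the paths created, in creation order. Missing intermediate
    groups are created; existing groups and their computers are untouched.
    """
    created: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        node = root
        for part in line.split("\\"):
            if not part:
                raise ValueError(f"line {lineno}: empty path component in {line!r}")
            if part not in node.subgroups:
                node.subgroups[part] = Group(part, node)
                created.append(node.subgroups[part].path())
            node = node.subgroups[part]
    return created


def can_delete(group: Group) -> bool:
    """A group may be deleted only if neither it nor its subgroups contain computers."""
    return group.parent is not None and not group.has_computers()


def delete_group(group: Group) -> None:
    if not can_delete(group):
        raise ValueError(f"{group.path()!r} cannot be deleted")
    del group.parent.subgroups[group.name]
    group.parent = None


def move_group(group: Group, new_parent: Group) -> None:
    """Cut-and-paste of a group with its computers and subgroups."""
    if group.parent is None:
        raise ValueError("the root cannot be moved")
    node: Optional[Group] = new_parent
    while node is not None:                  # refuse to move a group under itself
        if node is group:
            raise ValueError("a group cannot be moved into itself")
        node = node.parent
    if group.name in new_parent.subgroups:
        raise ValueError(f"{new_parent.path()!r} already has a subgroup {group.name!r}")
    del group.parent.subgroups[group.name]
    group.parent = new_parent
    new_parent.subgroups[group.name] = group


def all_paths(root: Group) -> List[str]:
    """Every group path below root, depth-first."""
    out: List[str] = []
    for g in root.subgroups.values():
        out.append(g.path())
        out.extend(all_paths(g))
    return out


if __name__ == "__main__":
    managed = Group("Managed computers")
    print(import_group_structure(SAMPLE_IMPORT_FILE, managed))
    print(import_group_structure(SAMPLE_IMPORT_FILE, managed))   # second run: []
```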
Groups created during the import procedure are completely identical to the groups created manually. You can
rename, move, delete them, etc.
The structure creating wizard is designed for initial creation of the structure of managed computers. It is not
intended for regular synchronization of structures of Kaspersky Security Center, and, for example, Active Directory.
If you need to synchronize, configure the computer relocation rules.
Where to move to
When creating a rule, specify its name. Use one that explains the rule's purpose, since only the names are shown on
the rule list. Also, you will need to select the destination group, i.e. where to move the computers.
When to move
After this, decide when the rule is applied to computers. Three options are available:
- Run once for each computer: as soon as the rule is created, it is applied to all computers in the Server
database, and afterwards only to new computers when they are discovered
- Run once for each computer, then at every Network Agent reinstallation on computer: the same as
the previous option, but if the Network Agent is reinstalled on a computer, the rule is applied to that
host again
- Rule works permanently: the rule stays active; if a computer matching its conditions is manually moved
to another group, the Administration Server immediately returns it to the group specified in the rule.
If the computer's attributes change, a permanent rule reacts accordingly, while a one-time rule does
not
The rules created by the Administration Server for installation tasks and standalone packages are Run once for each
computer, then at every Network Agent reinstallation on computer.
Permanent rules are somewhat more convenient, but create a persistent computational load on the Administration
Server.
What to move
Other rule settings specify the conditions a computer must meet for the rule to apply. The first condition is
located in the General section and is named Move only computers not added to administration groups.
With this option selected, a rule (even a permanent one) does not prevent the administrator from manually moving
computers between groups: it affects only unassigned computers. To apply such a rule to a computer that is already
in a group, delete the computer from the group. Once deleted from the managed computers structure, the computer
becomes unassigned and the rule applies to it.
If this check box is cleared, the rule applies to all computers in the Server database, and matching computers
are moved into the specified group regardless of where they were. This does not prevent the administrator from
deleting these computers from the Administration Server database, though.
Other conditions are located in additional sections in the rule properties.
Network
Many of the relocation conditions refer to the network attributes of the computers:
- NetBIOS name
- Name of the domain or workgroup
- DNS name
- DNS domain
- IP address
- Server connection IP address (if a computer is behind a NAT gateway, the connection address is
the gateway address)
To be able to apply a rule to several computers, IP addresses can be specified as ranges, and names can be specified
as masks with * and ? wildcards. If these options are not enough, you can always create several rules with
different conditions that will move computers to the same group.
If the rule is to be applied to unassigned computers, the conditions can also be expressed in terms of how unassigned
computers are represented in Kaspersky Security Center:
- IP subnets specified in the Advanced | Network poll node
- Subgroups in the Domains structure of the Advanced | Network poll node, i.e. the names of
the domains and workgroups detected by the Administration Server when polling the network
Active Directory
There are similar conditions for the computers within the Active Directory structure:
- Active Directory unit name
- Active Directory group name
Relocation rules allow configuring synchronization with Active Directory. For this purpose, enable additional
options under the Apply rule to Active Directory organization unit condition:
- Including child organization units: if the selected unit has child units, computers within them will be
moved into the destination group
- Move computers from child organizational units to corresponding subgroups: if the selected unit has
child units, and the destination group has the corresponding subgroups, computers from the child units will
be moved into the corresponding subgroups
- Create missing subgroups: if the selected unit has child units, and the destination group has no
corresponding subgroups, the Administration Server will create these subgroups and move the computers of
the child unit there
- Delete subgroups that are not present in Active Directory: the opposite of the previous option. When
an organizational unit is deleted in the Active Directory, this option will remove the respective group from
the Kaspersky Security Center.
If all the four options are enabled, an updatable copy of Active Directory structure will be created in the destination
group. If a unit is created or deleted in Active Directory, or computers are moved from one unit to another,
Kaspersky Security Center will automatically repeat these changes in its group structure.
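An added example (not Kaspersky code) of what the four options do when a rule is applied to an organizational unit. The Node class, the option names used as function parameters and the sample unit and group trees are this example's assumptions. One detail the text does not spell out is also modelled as an assumption: a destination subgroup that is absent from Active Directory is removed only when it holds no computers, consistent with the rule stated earlier that groups containing computers cannot be deleted. The example goes one step beyond the text by also handling a computer that was moved between units in Active Directory, which has to leave its old group.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Path = Tuple[str, ...]   # path relative to the selected unit / the destination group


@dataclass
class Node:
    """Used for both an Active Directory organizational unit and an administration group."""
    computers: Set[str] = field(default_factory=set)
    children: Dict[str, "Node"] = field(default_factory=dict)

    def find(self, path: Path) -> "Node":
        node = self
        for name in path:
            node = node.children[name]
        return node

    def paths(self, prefix: Path = ()) -> Set[Path]:
        """All descendant paths, e.g. {("Sales",), ("Sales", "East")}."""
        out: Set[Path] = set()
        for name, child in self.children.items():
            out.add(prefix + (name,))
            out |= child.paths(prefix + (name,))
        return out

    def has_computers(self) -> bool:
        return bool(self.computers) or any(c.has_computers() for c in self.children.values())

    def remove_computer(self, computer: str) -> None:
        self.computers.discard(computer)
        for child in self.children.values():
            child.remove_computer(computer)


def plan_placement(unit: Node, include_children: bool) -> Dict[str, Path]:
    """Target path, relative to the destination group, for every computer the rule covers."""
    wanted: Dict[str, Path] = {c: () for c in unit.computers}
    if include_children:
        def walk(node: Node, prefix: Path) -> None:
            for name, child in node.children.items():
                for c in child.computers:
                    wanted[c] = prefix + (name,)
                walk(child, prefix + (name,))
        walk(unit, ())
    return wanted


def sync_ad_unit(unit: Node, dest: Node, include_children: bool, move_to_subgroups: bool,
                 create_missing: bool, delete_absent: bool) -> List[str]:
    """Apply one relocation rule with the four Active Directory options; returns an action log."""
    log: List[str] = []
    for computer, path in sorted(plan_placement(unit, include_children).items()):
        target, reached = dest, ()
        if move_to_subgroups:
            for name in path:
                if name not in target.children:
                    if not create_missing:
                        break                       # stop at the deepest existing group
                    target.children[name] = Node()
                    log.append("create group " + "\\".join(reached + (name,)))
                target = target.children[name]
                reached = reached + (name,)
        dest.remove_computer(computer)              # moved between units: leave the old group
        target.computers.add(computer)
        log.append("move " + computer + " -> " + ("\\".join(reached) or "<destination group>"))
    if delete_absent:
        # Deepest groups first, so a stale subtree is removed bottom-up.
        for path in sorted(dest.paths() - unit.paths(), key=len, reverse=True):
            parent = dest.find(path[:-1])
            if not parent.children[path[-1]].has_computers():   # assumption, see lead-in
                del parent.children[path[-1]]
                log.append("delete group " + "\\".join(path))
    return log


if __name__ == "__main__":
    # Constructed sample: the Moscow unit with Sales and IT child units;
    # ws-x was moved from Sales to IT in AD, and the Legacy unit was deleted.
    ad = Node(computers={"ws-m1"},
              children={"Sales": Node(computers={"ws-s1"}), "IT": Node(computers={"ws-i1", "ws-x"})})
    group = Node(children={"Sales": Node(computers={"ws-x"}), "Legacy": Node()})
    for line in sync_ad_unit(ad, group, True, True, True, True):
        print(line)
```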
Software
Conditions for computers may include operating system version, architecture and currently installed Service Pack.
Several operating systems can be specified within a rule. If the administrator wants to automatically move all servers
into the Servers group, a single rule can cover all server versions used in the network, for example Windows Server
2008 R2 and Windows Server 2012.
Also, there is the Network Agent is running condition. This condition can separate the computers already connected
to the Administration Server from those that need to be connected.
Tags
Relocation rules support a limited number of conditions, which might be insufficient for performing some tasks. For
example, the administrator might need to move computers having a particular hardware configuration (e.g., with
SSD drives) to a special group. Or it might be necessary to prohibit some computers from being relocated by rules.
This cannot be configured with standard conditions, but tags can be of help here.
Tags are manually assigned to computers by the administrator. Any word or phrase can be used as a tag. After
the administrator assigns a tag to a computer, the tag is automatically added to the global tag list. Tags from
the global list can be used in the relocation rules and assigned to other computers.
A condition specified for a tag in a relocation rule can be including or excluding, depending on whether the Apply
to computers without specified tags check box is selected under the list of tags. It is cleared by default, which
means that the rule will be applied to the computers having the specified tag assigned.
If you need the rule to be applied to all computers except those having the selected tags, select the check box. For
example, you can assign a "Don't move!" tag to some computers and then configure relocation rules to be
applied only to the computers without this tag.
If several tags are selected in the rule, the condition can apply either to the computers that have all of these tags or to
the computers that have at least one of them. This depends on the Apply if at least one specified tag matches check
box, which is not selected by default.
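Putting the Network, tag and General conditions together, the following example (added here; not Kaspersky code, and the Computer and RelocationRule classes, their field names and the sample computers are its own assumptions) shows how a relocation rule is evaluated: name masks with * and ? wildcards and IP ranges from the Network section, the Move only computers not added to administration groups switch from the What to move section, and the two tag check boxes from this section. How the exclusion check box combines with the "at least one tag" option is not stated in the text; the example treats exclusion as the plain negation of the inclusion test.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Computer:
    name: str                                  # NetBIOS or DNS name as the Server recorded it
    ip: str
    tags: Set[str] = field(default_factory=set)
    group: Optional[str] = None                # None: the computer is unassigned


@dataclass
class RelocationRule:
    name: str
    destination: str
    unassigned_only: bool = True               # "Move only computers not added to administration groups"
    name_masks: List[str] = field(default_factory=list)             # * and ? wildcards, case-insensitive
    ip_ranges: List[Tuple[str, str]] = field(default_factory=list)  # (first, last) address pairs
    tags: Set[str] = field(default_factory=set)
    without_tags: bool = False                 # "Apply to computers without specified tags"
    any_tag: bool = False                      # "Apply if at least one specified tag matches"

    def name_matches(self, c: Computer) -> bool:
        if not self.name_masks:
            return True                        # condition not set
        return any(fnmatch.fnmatchcase(c.name.lower(), m.lower()) for m in self.name_masks)

    def ip_matches(self, c: Computer) -> bool:
        if not self.ip_ranges:
            return True
        ip = ipaddress.ip_address(c.ip)
        return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
                   for lo, hi in self.ip_ranges)

    def tags_match(self, c: Computer) -> bool:
        if not self.tags:
            return True
        has = bool(self.tags & c.tags) if self.any_tag else self.tags <= c.tags
        return (not has) if self.without_tags else has   # exclusion = negation (assumption)

    def matches(self, c: Computer) -> bool:
        if self.unassigned_only and c.group is not None:
            return False                       # already in a group: the administrator's choice stands
        return self.name_matches(c) and self.ip_matches(c) and self.tags_match(c)


def apply_rule(rule: RelocationRule, computers: List[Computer]) -> List[str]:
    """Move every matching computer to the rule's destination; returns the names moved."""
    moved: List[str] = []
    for c in computers:
        if rule.matches(c) and c.group != rule.destination:
            c.group = rule.destination
            moved.append(c.name)
    return moved


def sample_computers() -> List[Computer]:
    """Constructed inventory for the example."""
    return [
        Computer("WS-HR-01", "192.168.10.5"),
        Computer("WS-HR-02", "192.168.10.200", {"SSD"}, group="Workstations"),
        Computer("WS-HR-03", "192.168.11.7"),                      # outside the HR subnet
        Computer("SRV-DB-01", "192.168.10.40", {"Don't move!"}),
    ]


# HR workstations by name mask and subnet, skipping anything tagged "Don't move!".
HR_RULE = RelocationRule(
    name="HR workstations", destination="HR",
    name_masks=["ws-hr-??"], ip_ranges=[("192.168.10.1", "192.168.10.254")],
    tags={"Don't move!"}, without_tags=True,
)

if __name__ == "__main__":
    print(apply_rule(HR_RULE, sample_computers()))   # WS-HR-02 stays: it is already assigned
```

Clearing `unassigned_only` is what turns the same conditions into the "no matter what happens" behaviour described under What to move: WS-HR-02 is then pulled out of Workstations as well.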
To assign a tag to a computer, open its properties and switch to the Tags section. Here you can either select tags
from the global list (i.e. tags that have already been assigned to other computers), or write a word or phrase for
a new tag under the list and click the Add button. This word or phrase will be assigned as a tag to the current
computer and will also be added to the global list.
You can do the same to several computers at once. Just select them and then choose the Properties option on
the shortcut menu. The collective Properties window would open, which has only the Tags section.
You can add tags to computers when installing the Network Agent. To do this, select or create the necessary tags in
the Network Agent installation package properties. It is a typical example of why you may need to have several
packages for the same application (e.g. Network Agent): this way, it is easier to assign different tags to different
computers.
Tags can be renamed and deleted. If a tag is renamed, it is updated on all computers to which it is assigned. If
a tag is deleted, it is unassigned from all computers and removed from the global list. To take a tag off a single
machine, open the computer's properties and clear the corresponding check box.
Starting with version 10 Service Pack 2, you can create tagging rules in Kaspersky Security Center. The list of
tagging rules is located in the properties of the Administration Server node.
The Administration Server will assign tags to computers automatically according to the specified conditions.
The tagging conditions are similar to those of computer relocation rules. You can automatically assign a tag to
computers within the specified subnet or computers running Windows 10. You can also automatically assign a tag to
computers where the specified application is installed.
Tagging is described in more detail in course KL 302.10 Kaspersky Endpoint Security and Management. Advanced
Skills.
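The following is an added example, not Kaspersky's code: it models how the two check boxes described above (Apply to computers without specified tags, Apply if at least one specified tag matches) combine in a relocation rule, and how automatic tagging rules (by subnet, operating system or installed application) feed those conditions. The inventory, subnets, tag names and group names are constructed; treating several conditions in one rule as AND, and the exclude box as a plain negation of the any/all test, are assumptions.

```python
"""Tag-based tagging and relocation rules (added example, not Kaspersky's code).
Models the include/exclude and any/all check boxes of a relocation rule plus
the automatic tagging rules of KSC 10 SP2. All data below is constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Computer:
    name: str
    ip: str
    os: str
    apps: set = field(default_factory=set)
    tags: set = field(default_factory=set)


@dataclass
class TagRule:
    """Automatic tagging rule: assign `tag` when every given condition holds."""
    tag: str
    subnet: str = None
    os: str = None
    app: str = None

    def matches(self, c: Computer) -> bool:
        if self.subnet and ipaddress.ip_address(c.ip) not in ipaddress.ip_network(self.subnet):
            return False
        if self.os and c.os != self.os:
            return False
        if self.app and self.app not in c.apps:
            return False
        return True


@dataclass
class TagCondition:
    """One tag condition of a relocation rule."""
    tags: set
    without_tags: bool = False   # "Apply to computers without specified tags"
    any_match: bool = False      # "Apply if at least one specified tag matches"

    def matches(self, c: Computer) -> bool:
        common = c.tags & self.tags
        has = bool(common) if self.any_match else common == self.tags
        # assumption: the exclude box negates whatever the any/all box computes
        return not has if self.without_tags else has


@dataclass
class RelocationRule:
    conditions: list          # assumption: all conditions must hold (AND)
    group: str

    def matches(self, c: Computer) -> bool:
        return all(cond.matches(c) for cond in self.conditions)


def apply_tag_rules(computers, rules):
    """Server-side automatic tagging: add each rule's tag where it matches."""
    for c in computers:
        for r in rules:
            if r.matches(c):
                c.tags.add(r.tag)
    return computers


def relocate(computers, rules, default="Unassigned computers"):
    """First matching relocation rule wins; returns {computer name: group}."""
    placement = {}
    for c in computers:
        placement[c.name] = next((r.group for r in rules if r.matches(c)), default)
    return placement


# Constructed inventory and rules
INVENTORY = [
    Computer("pc1", "10.0.1.5", "Windows 10", {"UltraVNC"}, {"Don't move!"}),
    Computer("pc2", "10.0.1.6", "Windows 7"),
    Computer("srv1", "10.0.2.10", "Windows Server 2012", {"SQL Server"}),
]
TAG_RULES = [
    TagRule("Win10", os="Windows 10"),
    TagRule("Branch-A", subnet="10.0.1.0/24"),
    TagRule("DB", app="SQL Server"),
]
NOT_PINNED = TagCondition({"Don't move!"}, without_tags=True)
RELOCATION_RULES = [
    RelocationRule([NOT_PINNED, TagCondition({"Branch-A", "Win10"})], "Branch A/Win10"),
    RelocationRule([NOT_PINNED, TagCondition({"Branch-A", "DB"}, any_match=True)], "Branch A or DB"),
]


def demo():
    """Tag automatically, then place every computer by the first matching rule."""
    apply_tag_rules(INVENTORY, TAG_RULES)
    return relocate(INVENTORY, RELOCATION_RULES)


if __name__ == "__main__":
    for name, group in demo().items():
        print(f"{name:5} -> {group}")
```

pc1 carries "Don't move!" and therefore matches no rule even though it is a Windows 10 machine in Branch A; pc2 fails the all-tags rule (no Win10 tag) but passes the any-tag rule.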
KASPERSKY LAB
KL 002.10. Kaspersky Endpoint Security and Management. Fundamentals
Unit II. Protection Management
The third method of classifying components considers the operating system class. Some components can be
installed on any supported Windows version, while others cannot be installed on embedded or server operating
systems. The reason is that server systems are less exposed to some threats (for example, web threats) in
a corporate environment, and at the same time have stricter software compatibility requirements.
The table below represents the system components, their grouping in the policy, the corresponding functionality
levels and supported operating system types.
[Table: component, installation type, and supported operating systems (Workstations / Embedded / Servers).
The per-operating-system cells did not survive extraction; the rows that can be recovered are listed below.]
Component                Installation type
File Anti-Virus          Basic
Virus Scan               Basic
Mail Anti-Virus          Basic
Web Anti-Virus           Basic
IM Anti-Virus            Basic
Firewall                 Basic
System Watcher           (not recovered)
Vulnerability Monitor    (not recovered)
Vulnerability Scan       (not recovered)
Device Control           Standard
Web Control              Standard
Policy groups shown in the table: Anti-Virus protection, Control components.
It should also be noted that installation types (license bundles) and functionality levels nearly coincide. The Basic
installation includes all Anti-Virus protection components except BadUSB Attack Prevention, plus Application
Privilege Control. The Standard installation includes all Anti-Virus protection and Control components, again
without BadUSB Attack Prevention. The Custom installation additionally includes Encryption and BadUSB Attack
Prevention.
Although the Application Privilege Control section is displayed in the settings of Kaspersky Endpoint Security for
Windows under all operating systems, this component does not work on servers. It will not block programs or restrict their
activities. In the settings, this section is displayed only because some of these options influence the Firewall component
configuration.
Protection components
This Unit is devoted to the Anti-Virus protection components. These components can be broken down into three
groups:
  File System Protection:
    File Anti-Virus
    Virus Scan (tasks)
  Network protection and traffic scanning:
    Mail Anti-Virus
    Web Anti-Virus
    IM Anti-Virus
    Network Attack Blocker
    Firewall
  Proactive Defense:
    System Watcher
    BadUSB Attack Prevention
These components are directly responsible for anti-virus protection: they prevent infection of the computer and
minimize probable harm.
Control components are described in Unit III, and Encryption is explained in course KL 008.10.
Policies
Policies are the main remote management tool for Kaspersky Endpoint Security. A policy specifies parameters for
the product in general, for its interface and for its protection components.
A policy both sets parameters and controls whether they can be changed on the computers. After the administrator
locks a setting in the policy, the user cannot change this setting in the local interface of Kaspersky Endpoint
Security.
The Network Agent delivers policy parameters to the client computers in a procedure called synchronization. By
default, the Administration Server tries to synchronize with the clients as soon as a policy is changed, by sending
a signal to UDP port 15000 on the computers. Clients, in their turn, connect to the server every 15 minutes to check
for changes in policies and tasks. So if the Server fails to synchronize with a client right after a change, the
synchronization takes place during the next scheduled connection initiated by the client.
Even in an unforeseen situation, it is often easier and faster to create a new policy with special settings than to
modify the current active policy. After the problem is resolved, just activate the old policy again instead of
trying to remember which settings were modified and rolling them back to return to the regular settings.
Policy inheritance
By default, a policy applies to all computers within the group and its subgroups. For example, the policy for
Kaspersky Endpoint Security created by the Quick Start wizard in the Managed computers group initially applies
to all managed computers.
If active policies for Kaspersky Endpoint Security exist in both parent and child groups, the child group policy is
used. However, the settings which are locked in the parent policy will be enforced on the subgroup policy. So,
the policy of the child group inherits all locked settings of the parent group, and at the subgroup level you can
specify only additional restrictions.
This behavior may not always be desired. The optimal balance between the protection and usability may vary
considerably on different computers. If you want the policy of a child group to override the values of the locked
settings of the parent group's policy, disable the Inherit settings from parent policy check box within its settings.
After this, the settings of the child group policy can be changed as if the parent group policy did not exist.
If a subgroup does not have an active policy of its own, the active policy of the parent group will be applied, as we
mentioned earlier. This is called policy inheritance (as distinct from inheritance of policy settings, which was
described earlier).
Inherited policies are displayed by default. To conceal them, click the Hide link next to the Inherited policies text
above the list of policies. This option controls representation of inherited policies within the current group. To make
inherited policies visible again, click the Show link.
Compared to a policy created in the group, an inherited policy is visually different: its icon is dimmed, Inherited
from Group name is written in the Inherited column, and in the properties, there is a warning that you can
modify this policy only in its native group. To jump to the group from which the policy is inherited, click Show
policy in group where it was created on the shortcut menu of the policy.
Policy profiles
In Kaspersky Security Center 10 Service Pack 1, a new approach to policies was additionally implemented. The
previously described approach presumes that if some computers need special settings, they need to be joined into
a dedicated group. Starting with Kaspersky Security Center 10 Service Pack 1, there is also an alternative approach.
To apply special settings to a set of computers, you can create a profile in a policy and specify these special
parameters there, along with the profile applying conditions. If a computer meets those conditions, the profile will
be applied to it.
Profiles are supported in the policies of Kaspersky Endpoint Security 10 SP1 for Windows and Kaspersky Endpoint
Security 10 SP1 for Mobile.
The Policy profiles section in the policy allows configuring profiles. By default, there are no profiles in a policy.
Profiles are described in detail in course KL 302.10. Advanced Skills. In the Fundamentals course, the following
recommendations are appropriate:
Do not use policy profiles and child group policies concurrently. Such a structure is too complicated. We
recommend either using one policy with profiles configured in the Managed computers group, or
setting up policies in the child groups without any profiles.
However, if profiles are configured in a parent policy and a child policy is created within it, the child policy
will by default inherit all the locked parameters of the parent policy, including profiles (entirely). Thus
profiles configured in a parent group will be applied to all subgroups except those where inheritance is
disabled in the policies.
Tag-based conditions are most useful for activating the profiles. If you need to apply special settings to
some computers, assign a common tag to them and configure a profile for computers having this tag.
The special settings are to be specified in the profile.
A profile is enforced over the policy rather than instead of it. By default, all parameters are unlocked in
a profile and are not applied. In a profile, you need to configure only those settings that differ from
the policy settings. When you specify those special parameters, close the respective locks.
As a result, a profile is applied as follows: if the lock related to a parameter or a group of parameters is
open, the policy settings are enforced. If the lock is closed, the profile parameters are used.
Avoid situations when several profiles are applied to a computer. The resulting settings are hard to control,
especially if two or more overlapping profiles assign different values to the same parameter. In case of
a conflict, the higher a profile is located on the list of profiles, the higher its priority.
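The following is an added example, not Kaspersky's code. It models the resolution rules described in the two sections above: a child policy inherits the locked settings (and the profiles) of its parent unless Inherit settings from parent policy is cleared; a profile overrides the policy value only where the profile's lock is closed; and when several active profiles set the same parameter, the one higher on the list wins. Setting names, values and tags are illustrative, and placing inherited parent profiles ahead of the child's own profiles in the priority list is an assumption.

```python
"""Resolution of policy settings across inheritance and profiles
(added example, not Kaspersky's code). Setting names and tags are illustrative."""
from dataclasses import dataclass, field


@dataclass
class Setting:
    value: object
    locked: bool = False        # closed lock: enforced on children / applied from a profile


@dataclass
class Profile:
    name: str
    tag: str                    # activation condition: the computer carries this tag
    settings: dict              # name -> Setting, only the values that differ


@dataclass
class Policy:
    settings: dict              # name -> Setting
    profiles: list = field(default_factory=list)   # highest priority first
    inherit: bool = True        # "Inherit settings from parent policy"


def effective_policy(parent, child):
    """The policy in force in a subgroup after inheritance."""
    if child is None:                      # no own policy: the parent policy applies
        return parent
    if parent is None or not child.inherit:
        return child
    merged = dict(child.settings)
    for name, s in parent.settings.items():
        if s.locked:                        # locked parent settings override the child
            merged[name] = s
    # assumption: inherited profiles rank above the child's own profiles
    return Policy(merged, parent.profiles + child.profiles, child.inherit)


def effective_settings(policy, computer_tags):
    """Values one computer ends up with: an active profile's value replaces the
    policy value only where the profile lock is closed; first match wins."""
    result = {name: s.value for name, s in policy.settings.items()}
    for name in result:
        for prof in policy.profiles:        # list order is priority order
            if prof.tag in computer_tags:
                s = prof.settings.get(name)
                if s is not None and s.locked:
                    result[name] = s.value
                    break
    return result


# Constructed policies for the Managed computers group and one subgroup
PARENT = Policy(
    {"file_av_enabled": Setting(True, locked=True),
     "heuristics": Setting("Light", locked=True),
     "scan_mode": Setting("Smart")},
    profiles=[Profile("Laptops", "laptop", {"heuristics": Setting("Medium", locked=True)})],
)
CHILD = Policy(
    {"heuristics": Setting("Deep", locked=True),
     "scan_mode": Setting("On access", locked=True)},
    profiles=[Profile("Kiosks", "kiosk",
                      {"scan_mode": Setting("On execution", locked=True),
                       "file_av_enabled": Setting(False)})],   # lock open: not applied
)


def resolve(tags, inherit=True):
    """Settings a computer in the subgroup receives, given its tags."""
    child = Policy(CHILD.settings, CHILD.profiles, inherit)
    return effective_settings(effective_policy(PARENT, child), set(tags))


if __name__ == "__main__":
    for tags in ([], ["laptop"], ["kiosk"], ["laptop", "kiosk"]):
        print(tags, resolve(tags))
    print("inheritance off:", resolve(["kiosk"], inherit=False))
```

Note that the child's own locked value for heuristics ("Deep") never takes effect while inheritance is on, because the parent locked the same setting; clearing the inheritance check box is the only way to make it win.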
Tasks
Policies affect all protection components except for Virus Scan and Vulnerability Scan. Scanning is performed by
tasks that can be started either by command or as scheduled.
Tasks can run on multiple computers at once and they can differ in how the list of target computers is defined:
Tasks for specific computers apply to a selection of computers that can belong to different groups. These
tasks are displayed only in the Tasks node. In such a task, the list of target computers can be specified
either explicitly, or implicitly as a name of a computer selection. In the latter case, at each start, the task
will check which computers belong to the selection, and then run.
Group tasks, just like policies, apply to all computers of their respective groups and subgroups.
The number of scan tasks of the same type within a group is unlimited. Several scan tasks may run
simultaneously on a computer, although this is not recommended.
Sometimes scanning parameters of a group task do not fit all of the computers in the group. The administrator can
then specify the subgroups where the task must not be run in the Exclusions from task scope in the task properties.
The administrator can also use this section to exclude computers with either server operating systems or workstation
operating systems if this makes sense for a task.
Just like policies, task settings (of group tasks and tasks for specific computers equally) are transferred to client
computers during the synchronization. After the settings are transferred, the task will run on schedule regardless of
whether the computer remains connected to the Administration Server.
Similar to a global list of policies, there is also a global list of all tasks. It is located in the Tasks node and exhibits
the same behavior as the list of policies. The list includes all tasks created on the Administration Server:
Administration Server tasks, group tasks, and tasks for specific computers. The tasks can be viewed, created,
modified and deleted here. For group tasks, the target group is displayed, and the Show task in group where it was
created shortcut menu command takes you directly to that group.
KSN proxy
To reduce the traffic volume induced by KSN requests from protected computers, the Administration Server can act
as KSN proxy.
As KSN proxy, the Administration Server acts as an intermediary between the managed computers and
the Kaspersky Lab KSN servers. The information requested by a managed computer is saved in the Administration
Server cache, and when other computers need the same record, it is taken from the server cache without accessing
the external servers. Unlike client computers, where the KSN cache is stored on the hard drive, the Administration
Server keeps its KSN cache in RAM, so it is lost when the server is restarted.
If KSN use is enabled in the policy, the administrator can either completely prohibit the managed computers from
directly connecting to the Kaspersky Lab KSN servers, or allow using external servers when the Administration
Server is inaccessible.
When using KSN via the Administration Server proxy, client computers connect to the Administration Server over
TCP on port 13111. You can change the port number in the Administration Server properties. Network Agents
deliver this port number to the computers along with the policy settings. The Network Agent does not take part in
KSN requests themselves: Kaspersky Endpoint Security connects to the KSN proxy directly.
KSN proxy settings are located in the properties window of the Administration Server node. There, in the KSN
proxy server section, the administrator can opt out of using KSN proxy and decide which KSN to use: global or
private.
In this section, the administrator can also enable sending the statistics of update and patch installations to Kaspersky
Lab (the I agree to participate in Kaspersky Security Network checkbox). This data helps to improve
the vulnerability and patch management subsystem, a part of the Systems Management functionality, which is
described in course KL 009.10.
If the Use Administration Server as proxy server check box is cleared, KSN proxy will be disabled and managed
computers would either be unable to use KSN or resort to using KSN directly without a proxy. Global or private
KSN determines the destination of KSN requests redirected by the KSN proxy. With global KSN, the requests are
redirected to Kaspersky Lab KSN servers. If private KSN is used, requests are sent to the KSN infrastructure
deployed at the customer's site. This option is described in more detail in course KL 302.10. Kaspersky Endpoint
Security and Management. Advanced Skills.
The Network Agents inform the client computers which KSN to use. Even if KSN proxy is inaccessible for some
reason, Kaspersky Endpoint Security will keep using the same KSN, global or private, depending on
the Administration Server settings. Unmanaged computers cannot use private KSN.
Deployment and configuration of a private KSN infrastructure requires inviting Kaspersky Lab experts.
The customer's administrator must not and cannot do it alone.
Note: UDP port 15111 was used by the old version of the Kaspersky Security Network module and is incompatible
with the KSN module implemented in Kaspersky Endpoint Security 10.
Scanning technologies
File Anti-Virus uses the following scanning technologies:
Signature analysis is a malware detection method that uses signatures. A signature is a fragment of executable
code, a checksum, or some other binary string that identifies a file as infected by the corresponding malware.
Checking the file in turn against the signatures of known malware yields the verdict on whether the file is
infected. This scanning method is very reliable, but only detects malware whose signatures have been added to
the anti-malware databases.
Heuristic analysis. This scanning method applies only to executable files. Kaspersky Endpoint Security
starts the scanned file in a virtual environment isolated from the operating system (a so-called sandbox)
and monitors the file's behavior. This method takes more time than signature analysis, but helps to detect
some new viruses.
Check against KSN lists. This method also applies to executable files only. A checksum is calculated for
every scanned file and compared with the records in the local KSN database. Then the following
alternatives exist:
  If neither signature nor heuristic analysis has detected an infection, the decision is made based on
  the information available in the local KSN cache on the client computer. If the local cache lacks
  information about this file, access to the file is allowed, and a background request is simultaneously
  sent to the KSN cloud. If the answer comes back that the file is dangerous, File Anti-Virus scans it
  again. If KSN returns information that the file is harmless, or if the KSN servers cannot be reached, file
  scanning is finished.
  If either signature or heuristic analysis has detected that the file is infected, File Anti-Virus sends
  a request to KSN. If the local database lacks information about the file, File Anti-Virus waits for
  the answer from the KSN cloud. If KSN considers the file clean, it is treated as non-infected
  despite the verdicts of signature and heuristic analysis. If the verdict is reaffirmed, or no information
  can be received from KSN (the connection with the KSN servers cannot be established), the file is
  processed as infected.
As you can see from the scanning algorithm, the check against the KSN database complements the signature
analysis and helps to decrease the probability of false positives.
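The decision sequence above, as an added example that is not Kaspersky's code: the local verdict, the local KSN cache and the KSN cloud are modelled as plain inputs, and the cloud lookup is passed as a callable so that it is consulted only in the branches where the text says a request is sent. The verdict strings and the SHA-256 checksum are stand-ins, not the real KSN protocol or hashing.

```python
"""File Anti-Virus / KSN decision logic (added example, not Kaspersky's code).
Verdict strings and the checksum are stand-ins for the real protocol."""
import hashlib

CLEAN, DANGEROUS, UNKNOWN, UNREACHABLE = "clean", "dangerous", "unknown", "unreachable"


def file_checksum(data: bytes) -> str:
    """Key under which a file is looked up in the local cache and the cloud
    (SHA-256 is an assumption standing in for the real checksum)."""
    return hashlib.sha256(data).hexdigest()


def ksn_decision(local_infected: bool, cache_verdict: str, cloud_lookup):
    """Return (action, background_request_sent).

    local_infected : signature or heuristic analysis flagged the file
    cache_verdict  : CLEAN / DANGEROUS / UNKNOWN from the local KSN cache
    cloud_lookup   : callable returning CLEAN / DANGEROUS / UNREACHABLE
    action         : "allow", "block", or "rescan" (allowed now; rescanned when
                     the background answer says the file is dangerous)
    """
    if not local_infected:
        # Branch 1: nothing detected locally, decide from the local cache
        if cache_verdict == DANGEROUS:
            return "block", False
        if cache_verdict == CLEAN:
            return "allow", False
        # cache knows nothing: access is allowed, the cloud is asked in the background
        answer = cloud_lookup()
        return ("rescan" if answer == DANGEROUS else "allow"), True

    # Branch 2: local detection, KSN is consulted synchronously
    verdict = cache_verdict if cache_verdict != UNKNOWN else cloud_lookup()
    if verdict == CLEAN:
        return "allow", False        # KSN overrides the local verdict (false positive)
    return "block", False            # reaffirmed, or KSN unreachable: treat as infected


def demo():
    """Constructed sample: unknown locally, cached as unknown, cloud says dangerous."""
    sample = b"MZ constructed sample, not a real binary"
    key = file_checksum(sample)
    cache = {key: UNKNOWN}
    cloud = {key: DANGEROUS}
    return ksn_decision(False, cache[key], lambda: cloud.get(key, UNREACHABLE))


if __name__ == "__main__":
    print(demo())
```

The asymmetry is the point: without a local detection an unreachable cloud is harmless (the file was already allowed), whereas with a local detection the same outage leaves the file blocked, and only a positive "clean" answer from KSN lifts the local verdict.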
Scanning parameters
Scanning parameters and other File Anti-Virus settings that define the protection scope are gathered in the Security
level group of parameters. In the policy, these parameters have a common lock, that is, they are locked or unlocked
together. Considering the importance of File Anti-Virus, the users should not be allowed to change the scanning
parameters and the lock should be closed in the Security level area.
Protection scope
By default, the Protection scope of File Anti-Virus includes:
  All removable drives
  All hard drives
  All network drives
In other words, all drives from which malware can be run. The protection scope also allows adding individual drives
and folders instead of drive groups. However, disabling any standard scan scope considerably decreases the
protection level, so this group of settings should be modified very cautiously. For example, if Cisco NAC, Microsoft
NAP or another tool guarantees that all network nodes are protected with anti-virus software, then All network drives
can be removed from the protection scope. In this case, when a file on a network drive is accessed, it is scanned by
the anti-virus installed on the computer where the drive is located.
Heuristic analysis
Heuristic analysis parameters are configured in the Scan methods group. The heuristics level (Light, Medium or
Deep) defines how long the object is observed in the virtual environment. In the context of File Anti-Virus
operation this means an increased delay when a program is run. Therefore, completely disabling heuristic analysis
within the File Anti-Virus component is acceptable.
Note: the objects examined here include not only executable files but also, for example, Microsoft Office documents
that may contain infected macros, and some graphic formats that may contain active executable elements.
Scan optimization
The Scan only new and changed files option greatly reduces the number of scans performed by File Anti-Virus. If
an object was scanned and has not been modified since, it is not scanned again. Kaspersky Endpoint Security
receives information about the changes using the iSwift and iChecker technologies, whose settings are located on
the Additional tab.
Scan mode
The Scan mode determines the file operations that trigger scanning. It is simpler to describe them in the reverse
order of their appearance:
  On execution: only executable files are scanned, and only when they are started. Copying an infected
  executable file goes unnoticed. Switching File Anti-Virus into this mode decreases the security level
  considerably.
  On access: files are scanned when they are opened for reading or execution. The user may download
  malicious code from a website but will not be able to do anything with the file.
  On access and modification: files are scanned when any operation is performed on them. This is
  the safest mode, yet the most resource-consuming.
  Smart mode: the sequence of operations performed on the file is analyzed. If a file is opened for writing,
  the scan is performed after it is closed and all changes have been made; intermediate changes to
  the file are not analyzed. If a file is opened for reading, it is scanned once on opening, but is not
  rescanned on intermediate read operations until the file is closed.
Essentially, Smart mode ensures the same protection as On access and modification, but consumes fewer resources.
Therefore it is recommended for most computers. The On access or On execution modes can be used on computers
where efficiency is more important than security, with the understanding that the probability of infection or virus
spreading increases.
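To make the difference between the four modes concrete, here is an added example (not Kaspersky's code) that replays a constructed trace of file operations (a file is downloaded, then copied, then run) and reports at which events each Scan mode would scan the file. Treating every operation, including close, as a trigger in On access and modification is an assumption about that mode's wording.

```python
"""Which file operations trigger a File Anti-Virus scan in each Scan mode
(added example, not Kaspersky's code). The event trace is constructed."""

MODES = ("On execution", "On access", "On access and modification", "Smart")
READ_OPS = {"open_read", "open_exec"}


def scans_for(events, mode):
    """events: list of (op, path) with op in open_read, open_write, open_exec,
    read, write, close. Returns the event indexes at which a scan happens."""
    scans = []
    open_for_write = set()              # Smart mode: scan deferred until close
    for i, (op, path) in enumerate(events):
        if mode == "On execution":
            if op == "open_exec":
                scans.append(i)
        elif mode == "On access":
            if op in READ_OPS:
                scans.append(i)
        elif mode == "On access and modification":
            scans.append(i)             # any operation on the file (assumption: close included)
        elif mode == "Smart":
            if op in READ_OPS:
                scans.append(i)         # once on open; later reads are not rescanned
            elif op == "open_write":
                open_for_write.add(path)
            elif op == "close" and path in open_for_write:
                open_for_write.discard(path)
                scans.append(i)         # after all changes have been written
        else:
            raise ValueError(f"unknown scan mode {mode!r}")
    return scans


def scan_counts(events):
    """Number of scans each mode performs on the same trace."""
    return {mode: len(scans_for(events, mode)) for mode in MODES}


# Constructed trace: download (write), copy (read), run
TRACE = [
    ("open_write", "x.exe"), ("write", "x.exe"), ("write", "x.exe"), ("close", "x.exe"),
    ("open_read", "x.exe"), ("read", "x.exe"), ("read", "x.exe"), ("close", "x.exe"),
    ("open_exec", "x.exe"),
]

if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode:28} scans at events {scans_for(TRACE, mode)}")
```

On execution never sees the download, On access catches the file only once it is read, and Smart mode scans it once when the download completes (event 3) and once more on each open, giving the same coverage as On access and modification with a third of the scans.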
The security level slider sets the following values (the Low column header did not survive extraction and is
assumed from the three-level slider):
Setting              Low                          Recommended                  High
File types           Files scanned by extension   Files scanned by format      All files
Heuristic analysis   Light scan                   Light scan                   Medium scan
Scan mode            Smart                        Smart                        Smart
Scan technologies    iSwift, iChecker             iSwift, iChecker             iSwift, iChecker
(The Protection scope and Pause task rows of the original table carried no recoverable values.)
If any setting is modified, the security level changes to Custom. To return to the Recommended level,
click the By default button.
Actions
Malware detected by File Anti-Virus should not be left unprocessed. That is why the settings that regulate File
Anti-Virus actions should be locked. The optimal choice is to disinfect and, if disinfection is impossible, delete
infected files [6]. Most malicious files cannot be disinfected, because they contain nothing but malicious code.
Before a file is disinfected or deleted, a copy of it is placed into the Backup repository or Quarantine, depending on
the verdict. That way, if it contains important information or was deleted because of a false positive, the file can be
recovered.
If the Roll back malware actions during disinfection option is enabled in the properties of the System
Watcher component, Kaspersky Endpoint Security not only deletes malicious files, but also rolls back their actions [7].
[6] The Select action automatically option is equivalent to the Disinfect. Delete if disinfection fails option.
[7] The rollback procedure is described in Chapter 4 of this Unit.
Configuring exclusions
Scan exclusions
Sometimes File Anti-Virus erroneously returns the infected verdict. Such cases are rare, and usually concern
tailor-made software. This problem is reduced by creating exclusion rules for objects.
Exclusions are configured in the General protection settings and are used by all protection components. A scan
exclusion consists of three attributes:
File or folderthe name of the file or folder to which the exclusion applies. The name of the object may
include environment variables (%systemroot%, %userprofile% and others) and also * and ? wildcard
characters
Object namethe name of the threat to be ignored (usually corresponds to a malware name), which can
also be specified using wildcard characters
Protection componentsthe list of protection components to which the rule applies
Of the three attributes, the protection components are always mandatory, together with at least one of the first
two. You can create a scan exclusion for a file or folder without specifying the threat type; then the selected
components ignore any threats in the specified file or folder. Conversely, you can create a scan exclusion for a threat
type, for example, for the UltraVNC remote administration tool, so that the selected protection components do not
respond to this threat regardless of where it is detected.
All three attributes can also be specified simultaneously. For example, the exclusion list contains a set of rules for
widespread remote administration tools: UltraVNC, RAdmin, etc. In these rules, both the threat type and the object
(typical location of the executable file) are specified. According to such an exclusion, Kaspersky Endpoint Security
would allow running a remote administration tool from the Program Files folder, but if the user runs the tool from
another folder, Kaspersky Endpoint Security would consider it a threat.
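The following is an added example, not Kaspersky's code: a small evaluator for exclusion rules with the three attributes described above (File or folder, Object name, Protection components). The rule set reproduces the remote-administration-tool case from the text (UltraVNC tolerated under Program Files, flagged from any other folder) alongside a folder-only and a threat-only rule. The paths, threat names, detections and the environment-variable mapping are constructed; matching a wildcard-free folder pattern against everything beneath it is an assumption about how such a rule is interpreted.

```python
"""Scan-exclusion rule evaluation (added example, not Kaspersky's code).
Paths, threat names and the environment mapping below are constructed."""
import fnmatch
import ntpath
import re
from dataclasses import dataclass

# Constructed stand-in for the Windows environment of the client
ENV = {"systemroot": r"C:\Windows",
       "programfiles": r"C:\Program Files",
       "userprofile": r"C:\Users\alice"}


@dataclass
class Exclusion:
    components: set                 # protection components the rule applies to (mandatory)
    path: str = None                # File or folder: %VAR%, * and ? allowed
    threat: str = None              # Object name: wildcards allowed

    def __post_init__(self):
        if self.path is None and self.threat is None:
            raise ValueError("File or folder, Object name, or both are required")
        if not self.components:
            raise ValueError("at least one protection component is required")


def expand(path: str) -> str:
    """Expand %VAR% (case-insensitively) and normalise case and separators."""
    path = re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), path)
    return ntpath.normcase(path)


def path_matches(pattern: str, path: str) -> bool:
    pattern, path = expand(pattern), expand(path)
    if fnmatch.fnmatchcase(path, pattern):
        return True
    # assumption: a folder given without wildcards covers everything beneath it
    return path.startswith(pattern.rstrip("\\") + "\\")


def is_excluded(detection: dict, rules) -> bool:
    """detection: {"component", "path", "threat"}; True if any rule suppresses it."""
    for r in rules:
        if detection["component"] not in r.components:
            continue
        if r.path and not path_matches(r.path, detection["path"]):
            continue
        if r.threat and not fnmatch.fnmatchcase(detection["threat"].lower(), r.threat.lower()):
            continue
        return True
    return False


RULES = [
    # threat + location: the tool is allowed only from its usual install folder
    Exclusion({"File Anti-Virus", "System Watcher"},
              path=r"%ProgramFiles%\UltraVNC\*",
              threat="not-a-virus:RemoteAdmin.Win32.UltraVNC*"),
    # location only: any verdict inside the build directory is ignored by File Anti-Virus
    Exclusion({"File Anti-Virus"}, path=r"%userprofile%\Build"),
    # threat only: ignored wherever Mail Anti-Virus sees it
    Exclusion({"Mail Anti-Virus"}, threat="*EICAR*"),
]

DETECTIONS = [
    {"component": "File Anti-Virus", "path": r"C:\Program Files\UltraVNC\winvnc.exe",
     "threat": "not-a-virus:RemoteAdmin.Win32.UltraVNC.a"},
    {"component": "File Anti-Virus", "path": r"C:\Temp\winvnc.exe",
     "threat": "not-a-virus:RemoteAdmin.Win32.UltraVNC.a"},
    {"component": "Web Anti-Virus", "path": r"C:\Program Files\UltraVNC\winvnc.exe",
     "threat": "not-a-virus:RemoteAdmin.Win32.UltraVNC.a"},
    {"component": "File Anti-Virus", "path": r"C:\Users\ALICE\build\out\tool.exe",
     "threat": "HEUR:Trojan.Win32.Generic"},
    {"component": "Mail Anti-Virus", "path": r"C:\mail\attach.com",
     "threat": "EICAR-Test-File"},
]


def evaluate(detections=DETECTIONS, rules=RULES):
    """One verdict per detection: True means the rule set suppresses it."""
    return [is_excluded(d, rules) for d in detections]


if __name__ == "__main__":
    for d, excluded in zip(DETECTIONS, evaluate()):
        print("excluded" if excluded else "reported ", d["component"], d["path"])
```

The second detection is the case the text describes: the same tool and the same threat name, but started from C:\Temp, so no rule matches and it is reported. The third shows that the component list is not optional: Web Anti-Virus is not in the rule, so it still reports the file.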
Trusted applications
Security level settings can be adjusted so as to achieve the optimal performance-reliability balance for an average
computer. But if the computer runs resource-consuming programs, their operation can be slowed down by the File
Anti-Virus. This is especially true for the programs that perform numerous file operations, for example, backup
copying or defragmentation. To avoid slowdowns, a number of measures can be taken.
The first thing to do is to configure an exclusion so that File Anti-Virus ignores file operations performed by
the program. When adding exclusions under Trusted applications, in the Scan exclusions for Application
window, specify the path to the program's executable file and select the Do not scan opened files action.
The path may contain environment variables and the * and ? wildcards.
If the program has many processes, and the data files are located in one directory, it might be worthwhile to exclude
this directory from the File Anti-Virus scan scope: Under Scan exclusions, add the rule, specify the necessary
directory in the File or folder parameter, do not specify any Object name, and select File Anti-Virus in the list of
components to apply the rule.
If the desired effect is not achieved by setting up exclusions, as a last resort, configure pausing File Anti-Virus while
the program runs (in the Security Level settings, on the Additional tab).
Exclusion settings should be locked. Users are often unable to properly configure their exclusions and may abuse
such a capability and considerably weaken the protection of the computer.
When a policy is applied, all local exclusions are disabled and replaced with centralized ones. In order to create
a useful set of exclusions, the administrator should find out which exclusions are required to minimize impact to
the users, and to set them up in the policy. The best way to do this is to create exclusions in the local Kaspersky
Endpoint Security interface and then import them into the policy.
Security level
Security level parameters in virus scan tasks are almost identical to the security level parameters specified for File
Anti-Virus. The differences are a couple of additional parameters in the Scan of compound files section and
the Skip files that are scanned for longer than N sec option. This timeout is necessary to avoid the task freezing
when it scans archives that criminals have deliberately corrupted for this purpose.
Virus scan tasks are also used to check archives. This is important because File Anti-Virus usually does not scan
archives. A virus scan task can check the same types of compound objects as File Anti-Virus, and two more:
  Archives
  Installation packages
  Embedded OLE objects
  Email formats
  Password-protected archives: when scanning these, Kaspersky Endpoint Security prompts the active
  user for the password to unpack the archive. Since scheduled scans usually run in off hours when there is
  no user, this option should be reserved for manual scans performed locally.
Processing of compound objects is regulated by another option that becomes available after clicking the Additional
button: Do not unpack large compound files.
The other security level parameters are identical to those of File Anti-Virus.
You can also change the scan settings using the Security level slider. In that case the following settings are
used:
Setting                                        Low                          Recommended    High
File types                                     Files scanned by format      All files      All files
Skip files that are scanned for longer than    180 sec (placement by level not recovered)
Scan archives                                  New and changed only         All            All
(two further compound-object rows followed the same New / All / All pattern; their labels were not recovered)
Heuristic analysis                             Light scan                   Medium scan    Deep scan
Scan technologies                              iChecker, iSwift at all three levels
Actions
A virus scan task can take almost the same actions as File Anti-Virus. There are still two main neutralization
options: Disinfect and Delete. We recommend using the default values.
Additionally, Virus Scan tasks include a setting that is missing from the File Anti-Virus parameters: Run Advanced
Disinfection immediately. This option is described in detail at the end of this chapter. This setting has been created
because the advanced disinfection procedure requires restarting the computer. By default, the user is prompted and
may reject it. The Run Advanced Disinfection immediately option enables the administrator to force the start of
the advanced disinfection procedure. The user will be informed of the upcoming restart and will be able to save
the data, but will not be able to cancel the procedure.
Account
By default, scan tasks are started on the client computers under the Local System account. If the scan scope includes
network drives or other objects with restricted access, the task will not be able to scan them. To solve this problem,
an account that has the necessary rights must be specified within the task properties.
Schedule
Virus scan tasks may use any regular schedule: every N minutes, every N hours, every N days, weekly, monthly.
They can also be started once: either automatically at the specified time, or manually.
In addition, special schedule types are available:
After application update: the task starts after new threat signatures are downloaded and applied. This
is convenient for scanning memory and other locations where active threats may appear.
At application start: the task starts immediately after the launch of Kaspersky Endpoint Security (or
a few minutes later). This is another opportunity to scan the most vulnerable areas of the computer.
On completing another task: a universal schedule that allows arranging tasks into a chain. From
the practical viewpoint, the best approach would be to link a virus scan to update completion, but there is
already a special schedule option for that purpose.
On virus outbreak: when the Virus outbreak event [8] is registered on the Administration Server.
There is also an option that allows running missed tasks. If a computer is turned off at the scheduled time, the task
will start as soon as the computer is switched on. If the computer is not accessible at the time of a manual task start,
it will run once the computer reconnects to the Server. Please note, there are negative aspects to running missed
tasks. If a scan task was scheduled during the weekend but was missed, it will start on Monday morning, which can
cause slowdowns for the user working with that machine.
If scan tasks are run simultaneously on many computers, numerous events are sent to the Administration Server. To
help distribute load, the task start is staggered by default: the task starts with a delay rather than exactly at the
specified time; a random delay is selected for each computer.
By default, the Administration Server automatically selects the maximal delay. To change this, clear the Define task
launch delay automatically check box and select the Randomize the task start with interval (min) check box. If
a large enough interval is specified, tasks will start at different times, and the number of simultaneous connections
on the server will be reduced.
If both check boxes are cleared, the task will start on all computers exactly at the specified time.
The Advanced window contains a few other useful settings:
- Activate computer before the task is started by the Wake On LAN function (min) - the option allows
you to schedule scan start for the night time or weekends without needing to worry whether the computer is
on. However, to use this feature, you need to enable its support in the BIOS settings of the target computers
- Turn off computer after task is complete - the option may supplement the previous one. If a scan is
scheduled for the night or a weekend, the computer can be turned off after its completion.
- Stop if the task is taking longer than (min) - the option allows guaranteed task completion before
the working day begins, so that the running scan does not interfere with the user activity
Setting        | Value
Schedule       | (not shown)
Objects        | System memory; Startup objects; Boot sectors; %systemroot%\; %systemroot%\system\;
               | %systemroot%\system32\; %systemroot%\system32\drivers\; %systemroot%\syswow64\;
               | %systemroot%\syswow64\drivers\
Security level | Recommended
Action         | (not shown)
1. On the client computer, the user is prompted to start the advanced disinfection procedure and is warned that
the computer will need to be restarted during the disinfection
2. If the user agrees, the system is switched into a special restricted operation mode: start of new programs is
blocked and registry changes are prohibited
3. The product attempts to disinfect the file. If it fails, but the file can potentially be treated, a copy of the file is
created in the same location and is disinfected
4. Memory scanning starts, to find running copies of the malware and stop them
5. The records that enable auto-start of the infected file are deleted from the registry and configuration files
6. The computer is restarted. If the file(s) have not been disinfected at step 3, when the system begins to boot,
the infected file is either replaced with its disinfected copy, or deleted (if disinfection is impossible)
The main drawback of the advanced disinfection is the necessity to restart the computer, which cannot be done
without the consent of the user. That is why the Advanced Disinfection Technology is disabled by default. When
it is enabled and needs to be applied, the user is warned of the forthcoming procedure and restart.
As we mentioned earlier, the Run Advanced Disinfection immediately option, which is located under the action
settings in virus scan tasks, is closely related to the Advanced disinfection procedure. This option is not used until
the advanced disinfection technology is enabled in the Kaspersky Endpoint Security policy. When the advanced
disinfection technology is enabled, this option in the task allows starting the advanced disinfection procedure
automatically, without the user's confirmation. That is, the described algorithm will start from step 2.
Actions
Mail Anti-Virus can take the standard actions: Disinfect and Delete against detected dangerous objects. Before
the disinfection or deletion, a copy of the object is placed in the Backup or Quarantine repository. The files deleted
by the attachment filter are also placed into the Backup repository.
If an action is performed with an e-mail message, its subject is modified. The action taken is described in
the message subject.
Security level
Protection scope
Security settings, among other options, determine the Protection scope. Mail Anti-Virus can cover either:
- Incoming and outgoing messages, or
- Incoming messages only
To ensure minimum computer protection, you can scan incoming messages only. The scan of outgoing messages
can prevent inadvertent sending of an infected file contained in an archive and save the embarrassment.
Additionally, scanning of outgoing messages can be used for blocking transfers of attachments of certain types, for
example, music or videos.
Connectivity
The Connectivity group of settings more precisely defines the protection scope:
- POP3/SMTP/NNTP/IMAP traffic - enables scanning of mail and news messages transferred over
the specified protocols
- Additional: Microsoft Office Outlook plug-in - enables scanning of objects [11] at the level of the Microsoft
Office Outlook client. In addition to the scanning of received and sent objects, the messages are scanned
when the user opens them to read
- Additional: The Bat! plug-in - enables scanning of mail messages received or sent via The Bat! [12]
The benefit of scanning at the protocol level is that it operates independently of the mail clients used. On the other
hand, the messages transferred over unsupported protocols (for example, through Microsoft Exchange or Lotus
Notes servers) will not be scanned.
Conversely, scan at the mail client level works regardless of the way the message was received. However, the list of
supported mail clients is rather limited.
If the organization strictly limits the applications used, the administrator can disable scanning for unnecessary
plug-ins or protocols. In other cases, it is recommended to leave all the settings enabled. Mail Anti-Virus decreases
consumption of resources rather than increases it: if you disable object scanning by Mail Anti-Virus, the objects will
eventually be scanned by File Anti-Virus.
[11] Not only mail messages are scanned, but also the objects of Public folders and Calendar: any objects received over MAPI from the Microsoft Exchange
repository.
[12] A mail client popular in some parts of the world. If you haven't heard of it, never mind.
Scanning methods
These settings concern scanning attached compound files.
If archives are attached, they can be unpacked and scanned. This behavior is controlled using three settings:
- Scan attached archives - this setting allows the administrator to fully disable archive scanning. As a rule,
it is better to leave this check box enabled and to scan archives on the fly using Mail Anti-Virus. It is
much easier not to allow any infected archive to penetrate into the mail database than to remove it from
the database later using an on-demand scan task
- Do not scan archives larger than NN MB - limits the volume of archives to be scanned. Malware is rarely
spread in big files. Enable this limitation to avoid waiting too long when receiving large compound files
- Do not scan archives for more than NN sec. - this option implements protection against archive bombs
whose scanning requires a very long time and a lot of resources, which slows down the computer.
Heuristic analysis
The Mail Anti-Virus uses the same heuristic analysis feature as the File Anti-Virus and Virus Scan tasks. It is
applicable only to executable files and is performed by starting these files in a special emulated environment
(sandbox), where Kaspersky Endpoint Security controls all operations. Analysis level defines how long the file
will be supervised in the emulated environment before the verdict is returned.
Attachment filter
These settings concern only attached files. The administrator can:
- Disable filtering - permits all kinds of non-malicious attachments
- Rename specified attachment types [13] - is used by default and renames attachments of executable types
(.exe, .bat, .cmd, etc.). This is a preventive measure against unknown malware. The user will not be able to
start the attached file without consciously renaming it.
This option can also be used to fight outbreaks of new viruses. If names of the attachments used by
the virus are known, they can be added to the list and then renamed so that the users are unable to open
these attachments as regular files. Renaming can reliably prevent infection. At the same time, if a harmless
attachment matches the specified mask, renaming would not cause any serious problems. The user can
consult the administrator and receive instructions on how to rename the file back
- Delete specified attachment types - it is a safe way to prevent infections, which can also be used to
prevent exchange of files of certain types: for example, music or video files
The list of filters contains the masks of frequently used file extensions. In addition to the extensions, user-defined
masks can contain parts of names. * and ? wildcard characters can be used. The added masks will go to
the beginning of the list and will be immediately enabled.
[13] Renaming is as follows: the last character of the extension is replaced with the underscore character, e.g., file.exe becomes file.ex_
Parameter          | Low                               | Recommended                       | High
Protection scope   | Incoming messages only            | Incoming and outgoing messages    | Incoming and outgoing messages
Heuristic analysis | Light scan                        | Medium scan                       | Deep scan
Attachment filter  | Rename specified attachment types | Rename specified attachment types | Rename specified attachment types
If any setting is changed, the security level switches to Custom. If later these settings are set to the values specified
in the above table, the level displayed will still remain Custom. To visibly return to the standard security levels,
click the By default button.
Configuring Exclusions
Exclusions for Mail Anti-Virus are configured similarly to File Anti-Virus: in the General Protection Settings,
Exclusions and trusted zone. In the scan exclusion settings, specify the file name only (wildcards are allowed) to
exclude all attachments with matching names from scanning. The same exclusion must be configured for File
Anti-Virus, or else the received attachments will not be saved or opened.
Actions
You can select the action to be taken against all detected dangerous objects:
- Block download [14]
- Allow download
You should select the Block download action in the policy and lock it so that the users are not able to download
hazardous objects or visit hazardous websites.
When the user attempts to open a black-listed web resource or download an infected object, a notification will be
displayed in the browser explaining that the download was blocked by Kaspersky Endpoint Security.
Security level
Web Anti-Virus behavior is regulated by only a few settings:
- Check if links are listed in the database of malicious URLs - we recommend that you do not disable this
setting. If a website was added to the list of malicious web addresses by mistake, we recommend that you
create an exception for it
- Heuristic analysis for detecting viruses - enables heuristic analysis. This is the same analysis as in
the File Anti-Virus: executable files are started in the virtual environment and their operations are
supervised. The depth of the analysis defines the monitoring time
- Check if links are listed in the database of phishing URLs - this setting is similar to the first parameter
and should also remain enabled
- Heuristic analysis for detecting phishing links - enables the use of heuristics when detecting phishing
sites. Analysis depth defines which part of the HTML code is analyzed, and which methods are used. At
the Deep scan analysis level, scanning time and thoroughness increase
- Limit web traffic caching time - sets the time limit for complete downloading of the object to be scanned
(one second). If an object does not download completely in the specified time, Web Anti-Virus will
simulate a slow connection and let out small parts while waiting for the whole object to load. If this setting is
disabled, Web Anti-Virus will wait until all objects to be scanned are downloaded. This may cause
problems with audio and video streams; those web addresses will require exceptions
Web Anti-Virus settings can be modified using the Security level switch. The table below explains how
the settings values change depending on the level selected:
Parameter                                | Low        | Recommended | High
Heuristic analysis for detecting viruses | Light scan | Medium scan | Deep scan
Scan archives                            | Disabled   | Enabled     | Enabled
Scan archives is a hidden setting. If the Security level is switched into the Low position, in addition to the visible
parameter changes, archive scanning is disabled.
The following three parameters:
[14] The Select action automatically option works the same as Block download.
Configuring exclusions
Three types of exclusions are available for Web Anti-Virus:
- Trusted URLs - are specified on a separate tab of the Security level settings (this list does not change
the Security level). The listed site addresses and the objects downloaded from them are not scanned by Web
Anti-Virus. "*" and "?" wildcards can be used in web addresses
- Scan exclusions - are configured in the General Protection Settings the same way as exclusions for Mail
Anti-Virus
- Trusted applications - just like scan exclusions, they are specified in the Exclusions and trusted zone
section of the General protection settings. An exclusion can apply either to all connections established by
a program, or only to the specified IP addresses and ports
3.4 IM Anti-Virus
IM Anti-Virus performs the same tasks as Mail Anti-Virus for instant messaging applications. Supported programs
include ICQ, MSN, AIM, Yahoo! Messenger, Jabber, Google Talk, Mail.Ru Agent, and IRC. Instant message text
is scanned for:
- Links to phishing and malicious sites
- Infected code (signature and heuristic analysis are used)
IM Anti-Virus does not scan the files sent via IM clients.
Settings
By default, IM Anti-Virus scans both incoming and outgoing messages. Outgoing messages can be excluded from
scanning, but there is nothing gained from it, as message scanning does not decrease computer performance in any
perceptible way.
Other IM Anti-Virus parameters define message scanning methods:
- Check if links are listed in the database of malicious URLs - allows blocking links to the sites known to
spread malware (like in Web Anti-Virus)
- Check if links are listed in the database of phishing URLs - that is, block links to phishing sites
- Heuristic analysis for virus source code in message text - regulates heuristic analysis use and its depth
when scanning message text for infected code
If a link to a dangerous site or infected code is detected, IM Anti-Virus replaces the text message with
the notification about the action taken (blocked link or deleted code).
By default, all IM Anti-Virus settings are required (locked). The administrator may choose to unlock them. Overall
security level will not decrease even if IM Anti-Virus is disabled because an attempt to open a link to a potentially
dangerous web resource will be blocked by Web Anti-Virus, and File Anti-Virus will not allow saving and running
malicious code.
Settings
Network Attack Blocker has a few configurable parameters. If the component is enabled, attacks are blocked
automatically.
Additionally, Kaspersky Endpoint Security can block all packets from the attacking computer for a specified time.
The Add the attacking computer to the list of blocked computers option regulates this behavior; by default, it is
enabled and blocks computers for 60 minutes. If necessary, a blocked computer can be unblocked manually, but
only in the local interface of Kaspersky Endpoint Security.
Special programs that scan network computers to detect vulnerabilities are used in some companies. Their activity
resembles network attacks, and the scanning computers may get blocked. To avoid this, add the addresses of
the scanning computers to the list of Network Attack Blocker exclusions. Attacks from these addresses will still be
blocked, but connections to these addresses will not be blocked entirely.
3.6 Firewall
The Firewall controls connections at the network and transport levels. The control tools are implemented as packet
rules. The Firewall analyzes inbound and outbound packets, compares them with the rules and takes one of the two
actions:
- Allow
- Block
From the security point of view, the Firewall performs two functions:
- Block unauthorized network connections to the computer, thus decreasing the infection probability
- Block unauthorized network activity of the programs on the client computer. This decreases the risk of
an outbreak, and also limits the actions of a user who consciously or unconsciously violates the security
policy
Settings
The decision about whether a specific packet is allowed or blocked is made based on three lists:
- The list of packet rules
- The list of applications, each with its own list of packet rules
- The list of networks
- Network adapters - the list of network adapters to which the rule applies. If a packet is received (or sent)
through an adapter that is not specified on the list, the rule will not be applied even if the other packet
attributes (address, protocol, port) match the rule conditions. If the list is empty, the rule applies to all
adapters.
To add a network adapter to the list, specify its type, and (optionally) one or a few IP / MAC addresses. Also,
specify a name for the adapter. It will be displayed on the list.
- Other
- Loopback
- Wired network (Ethernet)
- Wi-Fi network
- Tunnel
- PPP connection
- PPPoE connection
- VPN connection
- Modem connection
For example, you can easily configure a rule that will block any packets sent through Wi-Fi adapters.
- Maximum packet time to live - the packet's lifetime. Some attacks, unlike normal applications, use
packets with an enormous lifetime. To make a rule apply to packets regardless of their lifetime, type 0
- Remote addresses - the list of remote addresses. Possible values:
  - Any address
  - Subnet address - all networks that belong to one of the following categories: Trusted, Local, Public [16]
  - Addresses from the list - the list of remote DNS addresses, IP addresses and subnets to which the rule
applies. Any of them can be specified in either IPv4 or IPv6 format. Additionally, if the computer has several
IP addresses, you can specify the local addresses to which the rule applies
- Local addresses - the list of local addresses. Possible values:
  - Any address
  - Addresses from the list
- Remote ports, Local ports - a rule can be narrowed further by specifying the list or range of ports on
the local and/or remote computer
For convenience, the protocol, ports and direction can be specified by templates (for example, Any network activity,
Browsing web pages, Remote Desktop network activity, etc.)
As we mentioned earlier, a rule applies to a packet whose parameters (protocol, direction, address, etc.) fit the rule
conditions. Rule application will be registered in the Firewall log if the Log events check box is selected.
- Trusted
- Low Restricted
- High Restricted
- Untrusted
The category is selected based on the KSN information. If KSN servers cannot be contacted or the information
about the program is missing in KSN, the category is selected using a special heuristic algorithm [17].
Also, three standard network rules for applications with the following attributes are created for each running
program:
- Any network activity in Trusted networks
- Any network activity in Local networks
- Any network activity in Public networks
For programs from the Trusted and Low Restricted groups, all three rules use the Allow action by default, and for
programs from the High Restricted and Untrusted groupsthe Block action. Standard rules cannot be deleted or
modified, except for the Action attribute, which can be changed by the administrator.
Regarding the processing of network packets, even if the packet does not match any of the packet rules, there is
always an applicable rule for applications. So, regardless of the specified settings, there is always a rule used, where
the Firewall can either allow or block the packet.
[17] Application trust categories are described in detail in Unit III together with the Application Privilege Control.
Networks
To be able to conveniently configure rules for packets and applications, you can assign statuses to networks. This
allows the administrator to specify a network status instead of specifying all networks explicitly when setting up
filtering rules. A network can have the following statuses:
- Trusted
- Local
- Public
If a subnet status is specified instead of an address in a packet rule, it is checked whether the packet is related to at
least one subnet having this status. If yes, the rule is applied to the packet.
[18] Unit III explains how the information on the executable files is gathered.
The local list of networks contains the list of all network connections. Kaspersky Endpoint Security receives
information about them from the operating system. Kaspersky Security Center automatically detects the status of
these networks. If necessary, it can be modified manually, but only in the local interface of Kaspersky Endpoint
Security.
Also, the list of locally detected networks includes a special Internet network that has address 0.0.0.0/0, which
covers all addresses (includes any other network) and has a permanent status of Public network. So, any packet is
related to at least one network.
After the policy is enforced on the client computer, the list of networks specified in the policy is matched against
the list of networks detected by Kaspersky Endpoint Security locally. If a locally detected network coincides with or
is included as a subnet in a network specified in the policy, its locally detected status is ignored when processing
packets, and the status from the policy is used instead.
For example, the policy might contain a single network entry for 172.16.0.0/16 with the Local network status. And
a managed computer might have two interfaces configured to use networks 172.16.55.0/24 and 192.168.5.0/24
respectively. Let's say Kaspersky Endpoint Security automatically assigned the Public status to both these
networks. Now when the local networks are combined with the policy, the status of the 172.16.55.0/24 network
effectively becomes Local network, because there is an entry in the policy for network 172.16.0.0/16 that includes
172.16.55.0/24. On the other hand, the 192.168.5.0/24 network retains its Public status because there is no matching
entry in the policy.
In the default policy settings, there are three network entries, all of which are assigned the Local network status:
- 172.16.0.0/12
- 192.168.0.0/16
- 10.0.0.0/8
These are reasonable choices for the computers that are inside the perimeter; however, they should be reconsidered
for computers outside the perimeter, e.g., those connecting via VPN or laptop computers on a business trip.
1. The first three rules regulate the capability to send DNS requests (over TCP and UDP protocols, external
port 53) and e-mail (over TCP protocol, external ports 25, 465, 143, and 993). The By application rules
action is selected in these rules, that is, programs from the Trusted and Low Restricted groups will be
able to send DNS requests and e-mail, while the others will not
2. Rule number 4 allows any network activity within trusted networks to all programs. So, in trusted
networks, any activity is allowed by default, except for DNS and e-mail limitations for Untrusted and High
Restricted programs
3. Rule number 5 defines packet processing within the Local networks. Such packets are processed by
application rules. According to the default application rules, the programs from the Trusted and Low
Restricted groups have no limitations in local networks, while High Restricted and Untrusted have no
access
4. The rest of the rules effectively regulate program behavior in the Public networks, since all packets from
Trusted and Local networks are processed one way or another by the above rules. First, there is a group
that blocks remote desktop connections to the computer from public networks, and also blocks connections
to the local DCOM service, NetBIOS packets, access to Windows shared folders, and access to Universal
Plug & Play devices
5. The following two rules apply rules for applications to inbound TCP and UDP streams (connections).
Again, considering the default application rules, this means Trusted and Low Restricted applications can
receive incoming connections from Public networks, whereas High Restricted and Untrusted applications
cannot.
6. The remaining 5 rules block inbound diagnostic ICMP requests, while allowing ICMP packets to be sent to
test connection to remote computers
To sum it up, we can say that in Trusted networks, any activity is allowed for all programs. In Local and Public
networks, only Trusted and Low Restricted programs may exchange packets; in public networks, access to some
computer services is additionally blocked (see item 4).
Most network applications are automatically included in either Trusted or Low Restricted groups, and are allowed
to exchange data over the network.
Settings
System Watcher has a few settings which correspond to enabling or disabling the above-mentioned components:
- Enable Exploit Prevention - protects from various attacks (exploits) whose aim is to receive
administrative permissions in the system or conceal code execution. Exploits typically rely on buffer
overflows: malformed input is passed to a vulnerable program or service, which processes it in such a way that
part of the input is executed as code. Specifically, such attacks against system services running
under the local system account enable the criminals to receive administrative permissions on the computer.
Typically, malware tries to start itself under the administrator account as a result of such an attack. When
this option is enabled, start operations are monitored, and if a vulnerable program starts another
program without the user's explicit command, the start is blocked.
- Log application activity for the BSS database - this parameter regulates whether the program activity log
is saved on the hard drive. Log storing allows improved detection, as activity analysis can consider all
the program actions, including those performed before the last system start. The maximum log size is about
200 MB
- Do not monitor the activity of applications that have a digital signature - do not log events of those
programs that either have a valid digital signature or have the Trusted status in the KSN
- Roll back malware actions during disinfection - roll back actions taken by the programs deleted by File
Anti-Virus or scan tasks or quarantined by System Watcher. Rollback means rolling back the changes made
to the file system (creating, relocating, renaming files) and registry keys (the records created by the
malicious program are deleted). Also, a backup copy of some files and keys is created at the time of
the system start, which allows rolling back to this version, if a virus makes changes to these files and keys.
These special objects include hosts and boot.ini files and registry keys responsible for starting programs
and services during the system start.
This option also recovers the files encrypted by malware (so-called cryptolockers).
- Use behavior stream signatures (BSS) - detect dangerous behavior using updatable patterns of malicious
activity and take one of the following actions:
  - Skip - do nothing, only record the detection of malicious activity in the report
  - Terminate the malicious program - stop the malware and unload it from the memory
  - Move file to Quarantine - stop the program and move its executable file into the Quarantine
repository
  - Select action automatically - the same as Move file to Quarantine
Exclusions
If dangerous activity is detected in the actions of a known good program, the administrator can configure an
exclusion rule for the System Watcher. Exclusions are configured in the Exclusions and trusted zone using two
methods:
- Trusted applications - disables detecting malicious activity in the program actions
- Scan exclusions - specifies the type of activity to be allowed for the program. In this case, if dangerous
actions of another type are detected, System Watcher will react as usual. To exclude an application from the
System Watcher's scope, select the following check boxes:
  - Do not monitor application activity - not to react to the actions performed by the application
  - Do not monitor child application activity - not to react to the actions performed by the application's
child processes
The Reports window allows viewing events locally. Events are grouped by components and tasks, for example, File
Anti-Virus events are separated from Virus Scan Task or Firewall events.
A more general list of events that contains events from all computers is available on the Events tab of
the Administration Server node. Events are sorted by severity level here. Detection events are Critical, while virus
incident processing results may fall into the Warning or Info category. In order to analyze the history of object
processing, it is logical to view all types of events in chronological order within the Recent events selection.
Reports
Viruses report
The Viruses report shows statistics of processing the malware detected on the managed computers: how many
objects were treated, how many blocked (by Web Anti-Virus), how many deleted and how many still remain
unprocessed. It also shows the number of dangerous objects whose processing results are unknown. These statistics
are available for each type of malware.
The Viruses report can show which malware KES detected using KSN, and which threats were detected using
traditional tools (antimalware databases and heuristics). To be able to see this information, add the By KSN verdict
column to the Details table.
In order for the administrator to be able to properly use the report, it is vital that the information about all results of
the actions taken against malware be sent to the Administration Server. Unit IV Maintenance explains how to set up
events, reports and other reporting tools in more detail.
Anti-Virus statistics
Statistics pages present charts and tables similar to the reports. Statistics are displayed on the corresponding tab of
the Administration Server node. In the upper part of the statistics tab, there are tabs for switching between
the statistics pages. Each page consists of several information panes, which show aspects of protection status.
The detected threats are displayed on the Anti-Virus Statistics page, which by default contains 4 panes:
Virus activity history: the distribution of malware detections over time. By default, the last 24 hours are displayed. To modify this period, click the icon in the chart properties
Most frequent viruses: the chart that shows the viruses most frequently detected on client computers
Computers infected most often: the chart that shows the most often infected network computers (similarly to the Most infected computers report)
Users causing infection most often: the chart that shows the users with the most virus detections (similarly to the Users of infected computers report)
Anti-Virus Statistics also includes other information panes, which are not displayed by default, but may be added
using the page properties. The following are some notable chart panes that are available:
History of network attacks: allows quickly assessing the situation with network attacks over a period of time
Quarantine history: since there are no reports about suspicious files, this statistics pane is the only tool that allows studying the situation with suspicious objects detected in the network
Most frequent incurable viruses: shows which types of viruses cause the most problems, which is especially handy when the protection system is deployed in an infected network
Virus outbreak
In addition to threat detection events on managed computers, Kaspersky Security Center has the server-level event
Virus outbreak. This event is registered if many viruses are detected in the network over a short period of time.
The Virus outbreak event registration parameters are specified in the Administration Server properties.
A virus outbreak means that an epidemic may spread or is already sweeping through the network. To help prevent
further virus spread over the network, it might be worthwhile to temporarily tighten protection parameters, for
example, allowing network connections only to trusted programs. For this purpose it is necessary to create a policy
with strict protection parameters in advance, and designate it in the properties of the Virus outbreak event: open
the Administration Server Properties and in the Virus outbreak section, click the Configure policies to activate on
Virus outbreak event link.
In addition to policies, tasks can be started when the Virus outbreak event is registered (they have a special schedule
option On virus outbreak for this purpose). For example, a task can update anti-malware databases, and then
a chained task can scan system folders, system memory and startup objects on the managed computers.
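The outbreak logic described above, as an added example that is not part of the course or of Kaspersky Security Center: a sliding-window counter over detection events registers a Virus outbreak once a threshold number of detections falls into a short period. The event lines, the threshold and the window are constructed here; the real registration parameters live in the Administration Server properties.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample of detection events, one per line:
# "<ISO time> <host> <verdict>". Hosts and verdict names are made up.
SAMPLE_EVENTS = """\
2016-03-01T09:00:05 WS-101 Trojan.Constructed.A detected
2016-03-01T09:20:10 WS-102 Trojan.Constructed.A detected
2016-03-01T09:55:00 WS-103 Worm.Constructed.B detected
2016-03-01T10:30:00 WS-104 Worm.Constructed.B detected
2016-03-01T10:31:00 WS-105 Worm.Constructed.B detected
2016-03-01T10:32:30 WS-106 Worm.Constructed.B detected
2016-03-01T10:33:00 WS-104 Worm.Constructed.B detected
2016-03-01T10:35:00 WS-107 Worm.Constructed.B detected
2016-03-01T10:36:00 WS-108 Worm.Constructed.B detected
"""


def parse_events(text):
    """Return (timestamp, host, verdict) tuples sorted chronologically."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, host, verdict = line.split(" ", 2)
        events.append((datetime.fromisoformat(stamp), host, verdict))
    return sorted(events, key=lambda e: e[0])


def outbreak_events(events, threshold, window):
    """Register a Virus outbreak whenever `threshold` detections fall into `window`.

    A deque holds the detections seen within the last `window`; older entries
    are dropped as time moves on. Once the deque reaches `threshold`, an outbreak
    is registered and the deque is cleared so that one burst produces one event
    (an assumption of this model, not documented behaviour).
    Returns a list of (outbreak_time, sorted affected hosts).
    """
    recent = deque()
    alerts = []
    for stamp, host, _verdict in events:
        recent.append((stamp, host))
        while stamp - recent[0][0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((stamp, sorted({h for _, h in recent})))
            recent.clear()
    return alerts


def run_sample(threshold=5, window_minutes=10):
    """Run the detector over the constructed sample; times are ISO strings."""
    alerts = outbreak_events(parse_events(SAMPLE_EVENTS), threshold,
                             timedelta(minutes=window_minutes))
    return [(stamp.isoformat(), hosts) for stamp, hosts in alerts]


if __name__ == "__main__":
    for when, hosts in run_sample():
        print(f"Virus outbreak at {when}: {len(hosts)} hosts involved: {', '.join(hosts)}")
```

Three detections spread over an hour in the sample do not trigger anything; the five within six minutes do, which is the situation in which a pre-created strict policy and the On virus outbreak tasks would be activated.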
A selection is a temporary association of computers selected by an attribute. The standard selections There are
unprocessed objects and Many viruses detected, just like the other selections, are created automatically when
the Administration Server is installed.
You can take group actions on the computers joined into a selection, for example, start update and search tasks, reset
virus counters, move into a group, etc. So, selections are very useful when dealing with the computers having
a problem status.
5.4 Repositories
Local repositories
Backup
Before malicious objects are removed or disinfected, they are copied to the Backup repository. This is done as
a precaution in case a removed file needs to be restored, for example, for additional analysis.
The copies are stored in the %ProgramData%\Kaspersky Lab\KES10SP1\QB folder of Kaspersky Endpoint
Security. Copies of dangerous files are encoded, that is why when the drive is scanned by Kaspersky Endpoint
Security or any other antivirus, the malicious code is not detected in them.
The objects can be recovered or deleted from the Backup repository. Also, all objects are automatically deleted from
the repository after 30 days by default.
You can change the default store time and also set a size limit on the storage in the Reports and Storages section of
the policy. For details, see the Object storage settings section below.
Quarantine
The suspicious objects detected are quarantined. Usually these objects are malicious, but until the corresponding
records are added to the signature database, one cannot know that for sure.
Quarantine is a repository similar to the Backup repository and resides in the same folder on the hard drive.
The object storage time and repository size limit are specified for both repositories together.
The administrator can recover or delete an object stored in Quarantine, similarly to the Backup repository.
Additionally, the administrator can manually quarantine an object if it seems suspicious. This simplifies watching
over the object. It will be scanned again after every update, and if new databases help to detect malicious code in it,
the administrator will know it right away.
Unprocessed files
The objects that were detected but were not disinfected are called unprocessed. Their hazard levels vary greatly. It
can be a virus in the system memory that blocks the attempts to delete its file from the drive, or an infected file
detected by on-demand scan task in an old archive, for which the Skip action was selected.
The list of unprocessed objects is not a storage similar to the Backup repository or Quarantine. The detected
objects remain in their locations and the list displays only the information about them.
If you want to try disinfecting or deleting an unprocessed object, click Re-scan on its shortcut menu. This attempt
may succeed if the object is regarded to be an unprocessed object because the Skip action was selected for it. But if
it is a virus in the memory, chances are that neither disinfection nor removing will succeed. In this case
the administrator can open the file's location using the Open folder where file was initially located command, and
try to deal with it using special utilities.
Another available action, Delete, can be taken for the objects that cannot be processed by Kaspersky Endpoint
Security for another reason. For example, if the object is located in a network folder for which the antivirus has no
write permissions.
Centralized repositories
Management model
It would be cumbersome if unprocessed and repository objects were only available locally. On the other hand, if all
of the objects were sent to the repository on the Administration Server, it would create extra traffic and set
additional requirements for the Administration Server disk space.
Kaspersky Security Center uses another approach: only information about local repositories and unprocessed objects
is sent to the Administration Server, so that the administrator could see details about these objects in the Kaspersky
Administration Console and issue commands for processing them. The commands are sent to the related client
computer where they are executed.
Sending information about local objects is controlled by the Kaspersky Endpoint Security policy. The Reports and
Storages section allows selecting the types of information to be sent to the Administration Server along with
the parameters that limit repository size and object storage time. The area is named Inform Administration Server,
and the parameters independently enable or disable sending information on every category of objects:
Files in Quarantine
Files in Backup
Unprocessed files
In the standard policy, information sending is enabled for all objects.
Objects representation
In Kaspersky Administration Console, the information about locally stored objects is represented in the Advanced |
Repositories node. Every category of objects has the corresponding repository: Backup, Quarantine and
Unprocessed files.
The Administration Console shows more information on the objects than the local interface. With the default
settings, the following data is displayed for every object:
The description can be added in the object properties window. Also, this window compactly represents the complete
information on the object.
Processing objects
The Administration Console allows taking the same actions with objects as the local interface. The command is just
transferred to the client computer, and the current action is displayed in the corresponding column until
the command results are received.
Let us cover the actions that cannot be performed from the console. First, you cannot manually quarantine a file.
However, you can do this from the local antivirus interface.
Second, you cannot scan an individual quarantined file. You can only scan all quarantined objects on the computer.
Actually, the Scan Quarantined Files command runs the system task for scanning the quarantine storage. It is
a hidden task that also starts after updates, if the corresponding option is enabled. This task is neither visible in
the local interface, nor in Kaspersky Administration Console. Its existence is revealed only in the local reports.
Also, you cannot open the folder where an unprocessed file is located. However, some actions are available in
the console that may provide additional information on an object moved into the repository.
These actions are Go to computer and Computer properties. The former opens the group to which the computer
with the corresponding object belongs. The latter opens the properties of this computer without leaving
the repository. From the computer properties, you can open the list of latest events on this computer and have
an overview of the incident context. It is especially important for unprocessed files. If computer events show that
the Skip command was applied to the file, simply initiate the Disinfect command. On the other hand, if the events
show that disinfection and deletion have already been attempted in vain, this can likely be an active infection and
the incident needs close attention.
As far as the real-time protection status is concerned, there are two of them: Running or Stopped. In old versions of
Kaspersky Anti-Virus, there was one real-time protection task instead of a set of protection components; in addition
to the two mentioned statuses, it could have been paused; and could have had several security levels, including
custom. Kaspersky Endpoint Security 10 omitted all those features.
The Real-time protection level is different from the level set by the administrator condition is configurable.
The administrator can select the statuses to be considered as normal, and this condition will change the computer
status if its real-time protection status differs from the selected values.
The settings include three values: Stopped, Paused and Running. The Paused value can be ignored, because it is
not used in Kaspersky Endpoint Security 10.
All things considered, the only reasonable configuration for this condition is to select the Running status; and in this
case the Real-time protection level is different from the level set by the administrator condition will work
the same as the Protection is off condition. That is why only the Protection is off condition is enabled by default,
and the other condition is disabled.
If the administrator disables the Protection is off condition and enables Real-time protection level is different
from the level set by the administrator condition, he or she will be able to select the status to be given to
the computer when the condition is met: Warning or Critical. Also, the status description provided for the latter
condition contains more details.
Protection can be disabled for the following reasons:
Failure: the status description in the Protection section of computer properties is "Real-time protection status is 'Stopped' though it should be 'Running'." The administrator should employ diagnostic tools to deal with failures.
The components are stopped by the user: this means that either the computer is not controlled by the policy, or the policy settings do not require the components to start (the locks are not closed). To solve this issue, make sure that the policy is correctly configured and applied to the computer.
The components are stopped by the administrator: not a problem if planned
If the Protection is off condition is used, the same status description will be shown in all the three described cases.
In contrast, if the Real-time protection level is different from the level set by the administrator condition is
used, the status description will specify whether protection is just stopped or does not work as a result of a failure.
A group task is convenient if the Virus outbreak event is registered: it can start protection on all network
computers, in case the protection is stopped somewhere. A task for specific computers can better serve the purpose
of rectifying status. You can create a selection for the computers where Kaspersky Endpoint Security is not running,
and then a task for specific computers to start protection.
Unit III. Endpoint Control
Chapter 1. Introduction
1.1 Purpose of Control Components
In addition to anti-malware protection, Kaspersky Endpoint Security 10 contains control components that restrict
actions harmful to the computers or the company in general. Primarily, Application Control, which can be used to
prohibit computer games, movies, and other activities that have little to do with work.
Device Control enables the administrator to bring the use of various devices to conformity with the company
policy. In particular, blocking removable drives considerably impedes unauthorized data copying; the prohibition to
connect mobile phones and players helps reduce the temptation of listening and copying music; also, Wi-Fi
connections and external network adapters can be blocked.
If network connections are allowed, they can be regulated by Web Control, which allows restricting access to social
networks and non-corporate web e-mail, communications with recruiting agencies or browsing job sites.
You can find the package in the %ProgramData%\Kaspersky Lab\KES10SP1\Setup folder on the protected computers.
2.2 Settings
Application Startup Control settings are organized as follows:
Program categories: specified at the Administration Server level in the Advanced | Application management | Application categories container
The list of rules: specified at the computer group level, in the Kaspersky Endpoint Security policy
By default, there is an 'Allow all' rule that allows starting any program to any account.
Application categories
An application category is a list of conditions and exclusions that allows identifying a program or a group of
programs. The list is displayed in the Advanced | Application management | Application categories container and
is empty by default. New categories are created using a special wizard. There are three types of categories:
Filled manually: their conditions are added and changed only manually
Filled automatically from a folder: the administrator selects only the directory where executable files of programs belonging to this category are located; the Administration Server checks the contents of this directory on schedule, calculates checksums of executable files (MD5) and updates the list of the category criteria
Filled automatically from computers: the administrator selects one or several managed computers, and the Administration Server automatically includes executable files found on the computers into the category
Categories are created on the KSC Administration Server and are transferred to client computers similarly to
policies and tasks. You can monitor categories delivery to computers using the chart in the upper-right corner of
the Advanced | Application management | Application categories page.
You can create a condition based on a file certificate in a category. This capability was implemented for the Kaspersky
Critical Infrastructure Protection product, which falls out of the scope of this course. Kaspersky Endpoint Security 10 Service
Pack 1 does not support these conditions and will ignore the categories that include certificate-based conditions.
Category exclusions
If it is necessary to prohibit all programs corresponding to the specified conditions except for one, add an exclusion
to the category. Exclusions can use the same types of conditions. The programs that meet at least one exclusion
condition will be excluded from the category.
Inventory task
This task is not created automatically. Executable files are reported to the Kaspersky Security Center by Kaspersky
Endpoint Security via the Network Agent. When a file is launched, either Application Startup Control or
Application Privilege Control intercepts the file, collects its data and sends it to the Administration Server.
However, some files may start very rarely. It may take a very long time until all executable files are intercepted and
reported to the Administration Server. A faster way to detect files is by using an Inventory task.
This is a Kaspersky Endpoint Security task, which can be created for both groups and computer selections. With
standard settings, the task searches for executable files in the following directories:
%SystemRoot%
%ProgramFiles%
%ProgramFiles(x86)%
The list of folders can be modified. The information about discovered files is sent to the Administration Server and
is available in the Advanced | Application management | Executable files container.
Unlike the monitoring components, this task can detect executable files within archives and installation packages. In
the task settings, in the Properties section, click the Additional button and select the Scan archives and Scan
installation packages check boxes.
When executable files are being searched for, their checksums are calculated, which may slow down the computers.
To reduce resource consumption, you can use the option to scan only new and changed files. The information about
changes is obtained using the iSwift technology and requires almost no calculations.
Alternatively, you can schedule the task to run during nonworking time, or use the option Suspend scheduled
scanning when the screensaver is off and the computer is unlocked.
Kaspersky Endpoint Security can send information about executable files to the Administration Server. There are
settings in the Kaspersky Endpoint Security policy that control which types of data are sent and which are not. It is
critically important that informing the Administration Server about executable files is disabled by default. The
settings are located in the Reports and Storages section of the policy. As a result, all lists of executable files will be
empty. Even a successful execution of an Inventory task will not change this, unless you enable sending information
About started applications in the Kaspersky Endpoint Security policy.
To test what would happen if you disable the Allow all rule, select the Generate test verdict for the default rule
check box, but don't disable the Allow all rule just yet. This way, you will get events about the files that would be
blocked if the Allow all rule were disabled.
The list lacks the up and down buttons, because the order of rules does not matter. When a program starts on
a computer, Kaspersky Endpoint Security analyses all enabled rules together. Different rules regulate start of
different application categories; but some programs may belong to several categories at once. If there is at least one
rule according to which program start must be prohibited, it will be prohibited regardless of what the other rules say.
If a program does not belong to any category for which rules are configured and enabled, it will be processed
according to the Allow all rule (will be allowed to start). This operation mode is called default allow or black list
mode. The administrator can disable the Allow all rule and thus switch to the default deny or white list mode. In
the default deny mode, if a program is not included in an allowed category for which rules are configured and
enabled, it will be prohibited from starting. The recommendations for using the default deny mode are provided later
in this chapter.
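The rule evaluation described in this section and the category exclusions from the previous section, worked through as an added example (not the course's or Kaspersky's code): a file belongs to a category if at least one condition matches and no exclusion matches; all enabled rules are evaluated together, a single blocking rule wins, and the Allow all default rule decides between default allow and default deny. Category names, paths, MD5 values and event labels are constructed.

```python
from dataclasses import dataclass, field

# Constructed model of Application Startup Control; not Kaspersky code.


@dataclass(frozen=True)
class Executable:
    path: str
    md5: str  # lowercase hex digest; sample values below are constructed


@dataclass
class Category:
    """A list of conditions plus exclusions. A file is in the category if at
    least one condition matches it and no exclusion condition matches it."""
    name: str
    conditions: list
    exclusions: list = field(default_factory=list)

    @staticmethod
    def _matches(cond, exe):
        kind, value = cond  # ("md5", digest) or ("path_prefix", folder)
        if kind == "md5":
            return exe.md5 == value.lower()
        if kind == "path_prefix":
            return exe.path.lower().startswith(value.lower())
        raise ValueError(f"unknown condition type {kind!r}")

    def contains(self, exe):
        if not any(self._matches(c, exe) for c in self.conditions):
            return False
        return not any(self._matches(e, exe) for e in self.exclusions)


@dataclass
class Rule:
    category: Category
    action: str  # "allow" or "block"
    enabled: bool = True


def startup_verdict(exe, rules, allow_all_enabled=True, test_default_rule=False):
    """Return (decision, event) for one program start.

    All enabled rules are evaluated together; one blocking rule is enough to
    block. With the Allow all rule enabled the mode is default allow (black
    list); with it disabled, default deny (white list). test_default_rule
    models 'Generate test verdict for the default rule': the start still goes
    ahead, but the event records what default deny would have done. The event
    labels are constructed to mirror the event types the course names.
    """
    matching = [r for r in rules if r.enabled and r.category.contains(exe)]
    if any(r.action == "block" for r in matching):
        return "blocked", "Application startup prohibited"
    if any(r.action == "allow" for r in matching):
        return "allowed", "Application startup allowed"
    # No enabled rule covers this program: the default rule decides.
    if allow_all_enabled:
        if test_default_rule:
            return "allowed", "Application startup prohibited in test mode"
        return "allowed", "Application startup allowed"
    return "blocked", "Application startup prohibited"


# Constructed sample categories, rules and executables.
GAMES = Category(
    "Games",
    conditions=[("path_prefix", "C:\\Games\\")],
    exclusions=[("md5", "3e2a" * 8)],  # one tool under C:\Games\ stays out
)
GOLDEN_IMAGE = Category(
    "Golden image", conditions=[("md5", "aa11" * 8), ("md5", "bb22" * 8)]
)
RULES = [Rule(GAMES, "block"), Rule(GOLDEN_IMAGE, "allow")]

SOLITAIRE = Executable("C:\\Games\\solitaire.exe", "cc33" * 8)
BENCHMARK = Executable("C:\\Games\\tools\\bench.exe", "3e2a" * 8)  # excluded
NOTEPAD = Executable("C:\\Windows\\notepad.exe", "aa11" * 8)
UNKNOWN = Executable("C:\\Users\\u\\Downloads\\setup.exe", "dd44" * 8)
# Matches both categories: the blocking rule wins over the allowing one.
COPIED_TOOL = Executable("C:\\Games\\cmd.exe", "bb22" * 8)


def demo(allow_all_enabled=True, test_default_rule=False):
    """Evaluate every sample executable under the given default-rule settings."""
    return {
        exe.path: startup_verdict(exe, RULES, allow_all_enabled, test_default_rule)
        for exe in (SOLITAIRE, BENCHMARK, NOTEPAD, UNKNOWN, COPIED_TOOL)
    }


if __name__ == "__main__":
    for mode, kwargs in (("default allow", {}),
                         ("test verdict", {"test_default_rule": True}),
                         ("default deny", {"allow_all_enabled": False})):
        print(mode)
        for path, (decision, event) in demo(**kwargs).items():
            print(f"  {decision:7} {event:45} {path}")
```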
Events
Application Startup Control generates five types of events:
By default, all the events except for Application startup allowed are transferred to the Administration Server.
If the test mode is used for rules, it might be worthwhile to create a selection for the Application startup
prohibited in test mode or Application startup allowed in test mode events, because these events are not
included in the report about blocked starts.
Various configurations of allowing rules are possible; it will be necessary to create one or several categories for
system executable files and configure allowing rules for them using one of the following methods:
Use a reference computer with the operating system and allowed programs installed for creating
an automatically filled category
Use a directory with distributions of allowed programs for creating an automatically filled category
Use the Golden Image | Operating Systems & Utilities KL category: this category is used, for example, if you enable the standard Golden Image rule that is available in the list of rules initially, but is disabled by default
Under Windows Vista and later versions, you can allow starting all programs on behalf of the System account,
because a non-system application cannot receive system service rights in these operating systems.
For those programs for which allowing rules are configured not to be blocked after upgrades, use the Trusted
updaters standard rule. This rule exists by default in the list and cannot be deleted; but it is disabled by default.
When enabled, the programs downloaded and installed by the applications included in the Trusted updaters
category will not be blocked even if the corresponding allowing rules are not configured.
The administrator can also manually assign the Trusted updaters flag to a category in the properties of an allowing
rule.
Trusted
Low Restricted
High Restricted
Untrusted
For each category, standard activity limits are pre-defined. The administrator can change these restrictions within
the categories. Additionally, individual limitations can be configured for every program in the policy.
Application Privilege Control can be compared with the Firewall. It uses the same trust groups and similar operation
principles. If individual restrictions are specified for a specific program in the policy, they are used. If individual
restrictions are not specified, Kaspersky Endpoint Security uses KSN, heuristic algorithms and the administrator's
settings to define the program's trust group, and then applies the restrictions specified for this trust group.
It should be noted that Application Privilege Control and Firewall not only use similar operation principles, but also
are inseparably connected. If settings are specified for a program in the Firewall policy, this program will also
appear as an individual element in the Application Privilege Control policy, and vice versa.
The trust groups in Firewall and Application Privilege Control are also the same. General program trust groups are
defined in Kaspersky Endpoint Security, and each component applies its own restrictions to the programs
comprising these groups.
Automatically move to group: an alternative to using heuristics. This setting assigns one of the three trust levels (High Restricted, Low Restricted, or Untrusted) to all unknown programs without analysis
Trust applications that have a digital signature: if this parameter is enabled, programs with a valid digital signature are automatically placed in the Trusted group
The defined trust group is saved and used at each start of the program. The saved data may be revised or deleted
depending on the following settings:
Update control rules for previously unknown applications from KSN databases: the program's trust group is changed automatically if it appears in KSN
Delete rules for applications that are not started for more than 60 days: wipes out the trust group information for programs that have not been started for a long time. The lifetime is adjustable
Also note that if the administrator explicitly specifies the trust group for an executable file in the policy, the value
from the policy will be used. The trust group is defined locally only for the programs that are not explicitly specified
in the policy.
The Application Privilege Control component, which is installed on server operating systems, is responsible only for
program categorization. Access rules cannot be configured on server systems.
Read
Write
Delete
Create
Generally, the default limitations for the trust groups are as follows:
Trusted: no restrictions
Low Restricted: everything is allowed except for changing important system files (boot.ini, system.ini, autoexec.bat, executable files within the system directory, etc.)
High Restricted: only Read access is allowed to the data from the operating system directories and registry branches
Untrusted: the program is prohibited even from starting
Note: The limitations configured for a program are inherited by all its child processes, even if their executable files
are included in the Trusted group. Thus, the programs with lower trust level may not evade the prohibitions using
the privileges of programs having higher trust levels.
Printers
CD/DVD drives
Modems
Tape devices
Multifunctional devices
Smart card readers
Windows CE USB ActiveSync devices
Wi-Fi
Cameras and scanners
Portable devices (MTP)
Bluetooth
Mobile phones, tablets, players and other portable devices may be treated either as portable devices (MTP) or as
removable drives, if connected as external data carriers.
The list omits image-processing devices (in particular, scanners). These can also be prohibited, but only by blocking
their connection buses.
Kaspersky Endpoint Security allows blocking connected devices by interface type (bus):
USB
FireWire
Infra Red
Serial Port
Parallel Port
PCMCIA
The administrator can totally block, for example, all USB devices.
Note: Keyboard and mouse cannot be blocked; they are not subject to Device Control rules.
Rules for device types have a higher priority than bus rules. If the USB bus is prohibited but removable drives are allowed, a USB flash drive will work correctly.
By default, all devices work in the Depends on bus mode, and all buses are allowed.
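The precedence described above (device-type rule first, bus rule only for types left in Depends on bus mode, input devices exempt) as an added example; this is illustrative code written for this page, not the product's logic. The policy, the connection events and the Allow/Block strings are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Connection buses that Device Control can block as a whole (list above).
BUSES = {"USB", "FireWire", "Infra Red", "Serial Port", "Parallel Port", "PCMCIA"}

# Input devices are never subject to Device Control rules.
EXEMPT_TYPES = {"Keyboard", "Mouse"}

ALLOW, BLOCK, DEPENDS_ON_BUS = "Allow", "Block", "Depends on bus"


@dataclass
class DeviceControlPolicy:
    # device type -> Allow | Block | Depends on bus (the default for every type)
    device_rules: Dict[str, str] = field(default_factory=dict)
    # bus -> Allow | Block (by default every bus is allowed)
    bus_rules: Dict[str, str] = field(default_factory=dict)

    def verdict(self, device_type: str, bus: str) -> str:
        """Decide whether a device of this type connected over this bus may work."""
        if device_type in EXEMPT_TYPES:
            return ALLOW
        if bus not in BUSES:
            raise ValueError(f"unknown bus: {bus}")
        type_rule = self.device_rules.get(device_type, DEPENDS_ON_BUS)
        # The device-type rule has priority: an explicit Allow or Block for the type
        # decides even when the whole bus is prohibited.
        if type_rule in (ALLOW, BLOCK):
            return type_rule
        # Depends on bus: fall back to the bus rule, which allows when unset.
        return self.bus_rules.get(bus, ALLOW)


def classify_portable(connected_as_data_carrier: bool) -> str:
    """Phones, tablets and players count as MTP devices, or as removable drives
    when connected as external data carriers."""
    return "Removable drives" if connected_as_data_carrier else "Portable devices (MTP)"


def evaluate_connections(policy: DeviceControlPolicy,
                         events: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply the policy to constructed (device type, bus) connection events."""
    return [(dev, bus, policy.verdict(dev, bus)) for dev, bus in events]


if __name__ == "__main__":
    # Constructed policy: whole USB bus prohibited, removable drives explicitly allowed,
    # modems explicitly blocked on every bus.
    policy = DeviceControlPolicy(device_rules={"Removable drives": ALLOW, "Modems": BLOCK},
                                 bus_rules={"USB": BLOCK})
    events = [("Removable drives", "USB"), ("Printers", "USB"), ("Keyboard", "USB"),
              ("Modems", "Serial Port"), (classify_portable(False), "USB")]
    for dev, bus, result in evaluate_connections(policy, events):
        print(f"{dev:24} via {bus:12} -> {result}")
```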
2. Generates a request key for it in the Kaspersky Endpoint Security local interface
3.
4. The administrator examines the request and, in the case of an affirmative answer, creates and sends the user a special access code
5. The user activates the received code. After this, the selected device (and only that device) becomes accessible for the time span specified by the administrator. The user cannot pause temporary access to use it later, and the administrator cannot remotely revoke temporary access
It goes without saying that many users may believe that their devices are blocked by mistake, and will ask
the administrator for temporary access. To avoid numerous requests, you can disable this capability: in
the Kaspersky Endpoint Security policy, on the Device Control tab, clear the Allow request for temporary access
check box.
Adult content
Software, audio, video
Alcohol, tobacco, narcotics
Violence
Profanity, obscenity
Weapons, explosives, pyrotechnics
Gambling, lotteries, sweepstakes
Internet communication media
Electronic commerce
Job search
HTTP query redirection
Computer games
Religions, religious associations
News media
Banners
Video
Sound
Office files
Executable files
Archives
Graphic files
As far as secure connections (HTTPS) are concerned, Kaspersky Endpoint Security has no access to the traffic contents. Therefore, HTTPS traffic is filtered only by addresses: for example, if social networks are blocked, https://facebook.com will also be blocked, as this address is included in the signature databases as pertaining to social networks.
The administrator can restrict access to any category or data type, but cannot edit or add the lists of categories and
data types.
Filtering by category and data type can be combined within a rule: for example, you can block office files and
archives received by web mail.
Sites are categorized using the database of known addresses (pc*.dat files in the updates folder), and heuristic
analysis of page content (for non-secure connections only). URL reputation can also be requested from Kaspersky
Security Network.
Data types are hard-coded in Kaspersky Endpoint Security and include the following file types (category, then category contents):
Executable files:
  Win32 PE: exe, dll, ocx, scr, drv, vdx, and other extensions of Win32 PE files
  Visual Basic Script: vbs, vb
  Executable files (not PE) MS-DOS, Win-16, OS/2: exe, dll, com
  Command Line Script: cmd, bat
  Microsoft Installer Archive: msi
Video
Sound
Office files
Archives
Graphic files
Let's mention some specifics of Kaspersky Endpoint Security types and categories:
The type is defined by file format. Therefore, this does not work for secure connections; but it is possible to use the address filter to block files by extension. For example, to block .key files, specify the *.key mask
Data types inside archives are not checked: if executable files are prohibited while archives are not, archived executable files will be allowed
PDF documents are included in the Office files category. Therefore, if this category is blocked, some sites that use pdf may display incorrectly
In old versions of Kaspersky Anti-Virus (6.0.x), Anti-Banner was implemented as a separate component. In Kaspersky Endpoint Security, you can block banners with the corresponding content category in Web Control
Flash videos in SWF format can be blocked only by extension mask; usually it is *.swf
The rules may be applied depending on the account and access time.
Select categories
Select data types
Specify day and time
Select accounts
Type site address (the * wildcard is allowed)
and get the Web Control verdict with the list of rules applicable to these conditions.
For example, the administrator can check whether access to an employee's personal home mail server is blocked by the rule that blocks web mail. On the other hand, if users complain that they cannot access an allowed site, you can find out which rule causes the problem.
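An added model of the verdict check described above, covering the earlier points as well: category lookup by address works for HTTP and HTTPS alike, a data-type condition can never match over HTTPS (the type is defined by file format, so an address mask such as *.key is needed instead), and category and data type combine within one rule. This is example code written for this page, not the product's implementation; the address database, rule set, account names and rule-ordering convention are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatch
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the address database (pc*.dat files): host -> content category.
ADDRESS_DB = {
    "facebook.com": "Internet communication media",
    "webmail.example.net": "Internet communication media",
    "shop.example.com": "Electronic commerce",
}


@dataclass
class Rule:
    name: str
    action: str                                  # "Block" | "Warn" | "Allow"
    categories: Optional[Set[str]] = None        # None = any content category
    data_types: Optional[Set[str]] = None        # None = any data type
    accounts: Optional[Set[str]] = None          # None = any account
    weekdays: Optional[Set[int]] = None          # 0 = Monday ... 6 = Sunday; None = any day
    hours: Optional[range] = None                # local hours the rule is active; None = always
    address_masks: Optional[List[str]] = None    # site address masks, "*" allowed; None = any


@dataclass
class Request:
    url: str
    account: str
    when: datetime
    detected_type: Optional[str] = None   # data type from file-format analysis; None over HTTPS


def categorize(url: str) -> Optional[str]:
    """Category lookup by address only; this is all that is available for HTTPS."""
    host = (urlsplit(url).hostname or "").lower()
    for known, category in ADDRESS_DB.items():
        if host == known or host.endswith("." + known):
            return category
    return None


def rule_applies(rule: Rule, req: Request) -> bool:
    secure = urlsplit(req.url).scheme == "https"
    if rule.accounts is not None and req.account not in rule.accounts:
        return False
    if rule.weekdays is not None and req.when.weekday() not in rule.weekdays:
        return False
    if rule.hours is not None and req.when.hour not in rule.hours:
        return False
    if rule.address_masks is not None and not any(fnmatch(req.url, m) for m in rule.address_masks):
        return False
    if rule.categories is not None and categorize(req.url) not in rule.categories:
        return False
    if rule.data_types is not None:
        # Data type is defined by file format; over HTTPS the contents are not visible,
        # so a data-type condition never matches (block by address mask instead).
        if secure or req.detected_type not in rule.data_types:
            return False
    return True


def verdict(rules: List[Rule], req: Request) -> Tuple[str, List[str]]:
    """Return the action and the names of all rules applicable to these conditions.

    Assumption: rules are evaluated in list order and the first applicable one decides;
    with no applicable rule, access is allowed.
    """
    applicable = [r for r in rules if rule_applies(r, req)]
    action = applicable[0].action if applicable else "Allow"
    return action, [r.name for r in applicable]


# Constructed rule set: web-mail attachments, .key files by mask, and communication
# media during working hours.
SAMPLE_RULES = [
    Rule("Web mail attachments", "Block", categories={"Internet communication media"},
         data_types={"Office files", "Archives"}),
    Rule("Key files", "Block", address_masks=["*.key"]),
    Rule("Communication media in work hours", "Block",
         categories={"Internet communication media"}, weekdays={0, 1, 2, 3, 4}, hours=range(9, 18)),
]


def check(url: str, account: str, year: int, month: int, day: int, hour: int,
          detected_type: Optional[str] = None) -> Tuple[str, List[str]]:
    """Run the diagnostics check against SAMPLE_RULES for the given conditions."""
    return verdict(SAMPLE_RULES, Request(url, account, datetime(year, month, day, hour), detected_type))


if __name__ == "__main__":
    print(check("http://webmail.example.net/report.docx", "alice", 2024, 1, 8, 10, "Office files"))
    print(check("https://webmail.example.net/report.docx", "alice", 2024, 1, 8, 10))
    print(check("https://shop.example.com/cert.key", "alice", 2024, 1, 8, 20))
```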
Note: Notifications are displayed only for non-secure connections. If the HTTPS protocol is used to open a web site, the user will see only the browser message about the inability to display the page in both cases.
There is also a Complain link in all types of messages to disagree with the policy and request a policy change to be
able to access the blocked web site freely. Complaints are sent to the Administration Server as events and fall into
the User requests selection.
You can edit both warning and blocking notifications, as well as the complaint template: in the Kaspersky Endpoint
Security policy, switch to the Web Console section and click the Templates button.
Unit IV. Maintenance
Introduction
This unit covers the following aspects of Kaspersky Security Center 10 and Kaspersky Endpoint Security 10 operation:
Licensing and license management: most functions of the products in question are inaccessible without a license; that is why license installation is an important part of deployment. Since a license expires sooner or later, if the company decides to prolong the license, the administrator should quickly and efficiently distribute the new license to the computers
Updates: the products can operate without updates, but protection efficiency declines quickly. That is why regular updating is an important part of endpoint protection maintenance
Interaction with the user: users don't interact with Kaspersky Security Center (or even with the Network Agent), they only interact with Kaspersky Endpoint Security. Or rather, Kaspersky Endpoint Security may interact with the user. How much of Kaspersky Endpoint Security is exposed depends on the administrator-defined settings. There can be too much exposure, when users are overwhelmed with messages they don't understand. Or there can be too little interaction, when users are confused about hidden actions taken by Kaspersky Endpoint Security. That's why the various options, their values and trade-offs are worth discussing.
Out-of-office mode: when computers are outside the network, some of the protection settings need to be changed. E.g., none of the networks can be trusted; the users cannot rely upon the administrator and must depend on themselves if security incidents occur; the update settings that are optimal within the network are not optimal outside, etc. Automating the configuration change depending on the computer location is an important aspect of protection management
Backup and recovery: we need not explain why backup copying is necessary and why it is important. Deployment and setup of the protection management system is a time-consuming process. The built-in backup copying tools of Kaspersky Security Center protect your time and effort
Customizing monitoring tools: usually, the administrator cannot afford to look through events and reports in the Administration Console all day long. In practice, the administrator opens the console occasionally and for a short time. They need to quickly evaluate the network protection status and whether they need to take some actions. Customizing the presentation of the monitoring tools may increase the efficiency of the administrator's work
License prolongation
Initially, a license is purchased together with the product to entitle its use. Later, another license can be purchased to overcome one of the following license limitations:
Prolong: the most typical situation, when the company is satisfied with the product and it is necessary to renew the license to keep using it
Increase the number of computers: if the company grows and the number of computers is about to exceed the license limit
Extend functionality: if the necessity to use additional product functions has appeared in the company, for example, Encryption or automatic installation of Windows updates
KESB Core
KESB Select
KESB Advanced
Kaspersky Total Security for Business
A license bundle can be used on several different products, e.g., Kaspersky Endpoint Security 10 and Kaspersky
Security Center 10, and allows a customer to use a specific set of functions within each product.
In addition to license bundles, licenses for individual products or functional areas (such as Mobile Devices
Management) can be purchased according to the Kaspersky Targeted Security licensing schema.
Virus Scan
File Anti-Virus
Mail Anti-Virus
Web Anti-Virus
IM Anti-Virus
System Watcher
Firewall
Network Attack Blocker
Vulnerability Scan
Vulnerability Monitor
Application Privilege Control
BadUSB Attack Prevention
Select: the right to use the following functionality of Kaspersky Endpoint Security 10 on servers and workstations (considering system requirements):
Core functionality
Application Startup Control
Device Control
Web Control
Advanced: the right to use all functions of Kaspersky Endpoint Security 10 (including encryption) on servers and workstations
The Kaspersky Total Security license bundle allows a customer to use the same functions of Kaspersky Endpoint
Security 10 for Windows as KESB Advanced.
Kaspersky Endpoint Security 10 for Windows is licensed by the number of protected devices.
Vulnerability assessment and patch management (reduced functionality is available in the Core license)
Creation and deployment of operating system images
Hardware and software inventory (reduced functionality is available in the Core license)
Network access control
License monitoring for applications by other manufacturers
In the context of Kaspersky Security Center 10, the Kaspersky Total Security license bundle does not add anything
to the KESB Advanced functionality. Kaspersky Total Security additionally allows customers to use Kaspersky Lab
products for perimeter protection and collaboration products.
The Core functionality is available in Kaspersky Security Center without activation. Using the Select or Advanced features requires activating the Administration Server with a key or a code.
Kaspersky Security Center 10 is licensed by the number of managed devices.
1.3 Activation
General
A license formally allows a customer to use the product, but to actually start using it, you need to confirm this in
the product interface. This procedure is called activation.
When selling a license, the manufacturer passes a unique object to the customer: a special file or code, which
technically confirms the right to use the product.
The Kaspersky Lab products described in this course can be activated either with a file (the so-called key) or with an activation code, with the same result: the product starts performing the functions covered by the license. There are some differences in the practical use of keys and codes.
Activation key
A key file is almost self-sufficient from the activation point of view. License functionality limitations are specified
in the key file itself. The key file is digitally signed, so any attempts to modify the license parameters will be
detected.
Key activation works on computers that rarely (or never) connect to the Internet. On the other hand, changing
the license parameters (renewal, extending the number of nodes, expanding functionality) requires a new key that
has to be redeployed to all computers.
When Kaspersky Lab suspects that a license key is used improperly (is found publicly available on the Internet, or
product instances connecting to the update server are widely geographically distributed), the key is black-listed.
The black list is distributed with regular signature updates. If the product finds its activation key in the black list, it
deletes the key and requires re-activation with another key (or code).
Activation code
A code does not contain any information about the license limitations.
Kaspersky Endpoint Security activated with a code sends the code to Kaspersky Lab activation servers, where
the code is matched to the issued licenses. The activation server finds the license restrictions for the code, forms
a so-called ticket and sends this ticket back to Kaspersky Endpoint Security. A ticket contains information about
the license and allows Kaspersky Endpoint Security to function within the license limitations.
Kaspersky Endpoint Security renews its ticket once every 24 hours. Activation servers keep track of the number of issued tickets and, when the license limit is reached, stop issuing new tickets (1). This way, Kaspersky Lab ensures that keys are used properly. Any instance of Kaspersky Endpoint Security that tries to get a ticket over quota will not get it and will not protect the computer.
Starting with Kaspersky Endpoint Security 10 Service Pack 1, subscription licenses are supported. More details
about that will be given later in this chapter. With regards to keys and codes, subscription licensing is exclusively
based on codes, but not every activation code is designed for subscription licensing. The difference between
ordinary and subscription licenses is in how Kaspersky Endpoint Security and activation servers treat the code.
Activation proxy
To support activation with codes, the activation proxy service is implemented in Kaspersky Security Center. This
service redirects activation requests from the client computers running Kaspersky Endpoint Security 10 for
Windows to the Kaspersky Lab activation servers. So, if Kaspersky Security Center 10 is used for managing
protection, only the Administration Server requires access to the Internet.
(1) In fact, the threshold slightly exceeds the number of purchased licenses. This is done on purpose, to prevent maintenance issues.
By default, Kaspersky Endpoint Security 10 for Windows tries to connect to the activation servers directly.
However, if KSC Network Agent 10 is installed on the computer, the behavior of Kaspersky Endpoint Security 10
for Windows changes: Kaspersky Endpoint Security 10 first tries to send activation requests to the Administration
Server, and only if the Administration Server is inaccessible, contacts the activation servers directly.
The activation proxy server accepts Kaspersky Endpoint Security 10 for Windows connections on port 17000.
The port can be modified in the Administration Server properties.
Additional keys
When a license is soon to expire, the company can purchase a new license. The problem is how to switch from one license to another without a time gap and without reducing the effective license period of either license. You would rather not replace the old license while there are still several days left of its licensing period. However, you want to activate the new license before the old one expires.
Adding the new license as an additional one solves the problem. Additional keys and codes can be added in almost
all products by Kaspersky Lab. Once the active key expires, the product is automatically activated with
the additional key or code.
This approach guarantees smooth transition from the old key to the new one.
An alternative to installing keys or codes as additional is using the automatic license distribution feature, which will
be described later in this chapter.
License type: commercial, not for resale, trial, for beta-testing, etc.
The products covered by the license
Licensing period
Node limitation
Expiration date
The number of computers where the license is used as the main
The number of computers where the license is used as the reserve
In the properties of each key, you can find names of the hosts where the key is installed.
The key icon informs about the following:
(gray icon, no stripes): this key is used on client computers, but is not registered on the Administration Server, i.e. this key cannot be installed from the Administration Server onto other network computers or exported into a file
(colored icon, no stripes): this key is registered on the Administration Server and can be installed on other client computers, but is not marked for automatic installation
(colored icon, three green stripes): this key is registered on the Administration Server and marked for automatic installation on client computers
The information about used keys and codes represented in Kaspersky Security Center is calculated based on the data
received from the Network Agents. If a license is used on a computer that is not connected to the server, this
information will not be available in the Administration Console.
Computer statuses
If the license is about to expire or has expired on a computer, the administrator should pay attention. The computer statuses configured in the administration group properties are designed to attract the administrator's attention. Two status conditions relate to licenses:
License term expired: sets the computer status to Critical. By default, the condition is triggered in 0 days, meaning right after the license expires. It can be configured to trigger several days after the license expiration so that the license can update automatically and not waste the administrator's time
License term expires soon: sets the computer status to Warning. By default, it is displayed 7 days before the expiration, but this parameter is adjustable
When the license that activates the Administration Server is about to expire, a pop-up message is displayed to
the administrator every time the Administration Console starts. Upcoming expiration is also indicated in the
Deployment area of the Monitoring tab of the Administration Server node.
To be more precise, there can be one, but not necessarily. Subscriptions may have a time limit.
Chapter 2. Updates
2.1 Overview
Version 10 of Kaspersky Security Center and Kaspersky Endpoint Security constitutes a multifunctional program suite that solves numerous distinct types of tasks.
During its operation, much data is transferred from the Administration Server to the client computers, a large part of
which can be considered as updates. These include traditional malware signature updates, KL categories for
application startup control, module updates of Kaspersky Security Center and Kaspersky Endpoint Security,
Windows Updates, updates for 3rd-party applications, and latest information from the KSN database.
This chapter considers only some of these update types: signature updates of Kaspersky Endpoint Security, and
module updates of Kaspersky Endpoint Security and Kaspersky Security Center. Windows updates and updates of
3rd-party programs are described in course KL 009.10 Systems Management, and KSN in Unit II of this course.
In other words, this chapter is devoted to two tasks:
Download updates to the repository (Kaspersky Security Center)
Update (Kaspersky Endpoint Security)
In this chapter, the term update means updates downloaded and distributed by these two tasks.
Update types
Kaspersky Endpoint Security, which uses the majority of updates, requires two types of updates:
Signature database updates, which include malware signatures, network attack descriptions, databases of
suspicious and phishing web addresses, banner database, Anti-Spam databases, etc., are issued regularly,
hourly on average, and their installation does not require a restart. Crucial for protection, they must always
be up to date.
The major part of the database is downloaded during the first update or if updates have not been
downloaded for a long time: for example, if an employee was on vacation for a month and the computer
was powered off. Later, only the changes will be downloaded. The typical volume of an hourly update can
be from several hundreds of kilobytes to a couple of megabytes.
Usually, the computer does not need to be restarted to be able to use new signature databases. If
the necessity arises, the Restart required to complete the task event will be sent to the Server, and the user
will see the corresponding notification in the local interface. This event is not critical, that is why
the computer is not restarted automatically, and Kaspersky Endpoint Security just waits for the restart.
Module updates are updates to program modules meant to improve performance and fix the problems discovered in the product. These updates are released less frequently. In other words, these are fixes for Kaspersky Endpoint Security, Network Agent, and Administration Server program modules. Sometimes module updates can introduce changes to component behavior and even new functionality
A module update is a more risky intervention than signature updates. In some companies, any update that
involves executable code requires testing and approval. Kaspersky Endpoint Security 10 SP1 and
Kaspersky Security Center 10 SP1 support this practice by allowing the administrator to mark updates as
Approved (the options include Approved, Declined and, by default, Undefined) and to configure update
tasks to deploy only the approved updates.
Older versions of Kaspersky Endpoint Security and Kaspersky Security Center don't support this mechanism. To test module updates prior to installing them on older versions, the administrator can make separate tasks for signature updates and module updates, and run the module update task manually only after the updates have been tested and approved.
Kaspersky Endpoint Security 10 Service Pack 1 module updates can be either critical or non-critical. This classification is applied at Kaspersky Lab and reflects the update's importance for computer protection. Updates that fix severe bugs or help protect against new threats are critical.
Update management
In a centralized protection system, updates are distributed centrally.
This helps to decrease external traffic since updates are downloaded only once into the network. Also,
administrators have more control over the update process.
The simplest scenario is where updates are downloaded to the repository on the Administration Server and then
distributed to client computers. More complex scenarios, with intermediate distribution sources, are described in
course KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills.
Centralized updates in Kaspersky Security Center 10 and Kaspersky Endpoint Security 10 are based on two tasks,
one of which downloads updates to the repository, and the other which distributes them to the endpoints:
Download updates to the repository: a task of the Kaspersky Security Center Administration Server; only one task of this type can be configured on the server
Install update: a task of Kaspersky Endpoint Security; there may exist any number of such tasks, but usually one or two tasks per group are configured
Schedule
Since there can only be one such task, it is recommended to schedule it to run regularly at small intervals ranging
from 15-20 minutes to several hours. The default value is 1 hour.
Sources
The following update sources are possible:
Kaspersky Lab update servers: a list of FTP and HTTP servers officially maintained by Kaspersky Lab. These servers are located in various countries worldwide to help ensure a high reliability of the updating procedure. If the task cannot connect to a server, it will try contacting the next one in the list. The list of servers is downloaded together with the other updates
Master Administration Server: this option is used if there are several Administration Servers and they are connected in a hierarchy (described in detail in course KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills)
Local or network folder: an update source created by administrators. You may specify not only a network folder, but also an FTP or HTTP address
The task can have several different sources organized in a list. If the first source turns out to be inaccessible (3), the task will attempt to download updates from the next.
Connection parameters
You may need to specify the proxy server parameters for the update sources. All sources would share the same
proxy server. If some sources are accessed without it, enable the Do not use proxy server option in their properties.
(3) The Kaspersky Lab update servers source is considered inaccessible if none of the known servers are available.
Proxy server address, port and authentication parameters: user name and password can be specified in
the Administration Server properties, in the Advanced | Configuring Internet access section. These settings will be
used for downloading updates and for KSN requests.
Updates list
Administrators can choose the types of updates to be downloaded in the Updates content window. By default,
Kaspersky Security Center detects the required updates automatically, depending on the products installed on
the client computers, and the products for which it has installation packages. This behavior is determined by
the Autodetect updates list option.
Alternatively, administrators can manually select the updates for downloading. This may be necessary if the server
updates folder functions as an update source for both managed computers and, for example, Kaspersky Anti-Spam
for Linux Mail Servers. In this case, enable the Force downloading of the following types of updates option and
select the corresponding update types. Some update types available in this list relate to obsolete products and are not
currently used.
The simplest method is to copy a task and then modify its settings.
Schedule
The standard schedule for the Kaspersky Endpoint Security update tasks is When new updates are downloaded to
the repository. Unlike a periodical schedule when Kaspersky Endpoint Security defines the start time and starts
the task regardless of whether the Administration Server can be reached or not, the When new updates are
downloaded to the repository schedule means that the task is always started by the Administration Server
command.
The Administration Server sends a wake-up call to UDP port 15000 of all affected client computers to notify them that there are new settings for them. The port is listened to by the Network Agents, and upon receiving the call the Agents connect to the Administration Server and download whatever new settings are available. In this particular example, the Agents will receive the update task start command and pass it to Kaspersky Endpoint Security. If the wake-up call doesn't reach some computers, they will receive the command during a planned synchronization performed every 15 minutes (the period is defined in the Network Agent policy).
The When new updates are downloaded to the repository schedule guarantees that the client computers will
receive updates as soon as possible and without calling the server every now and then. Alternatively, a simple
periodical schedule can be used (for example, once an hour).
To prevent serious peak loads on the update source and the network at the moment of task start, randomization of
the task launch within a certain interval is used. E.g., if the 5-minute interval is selected, the computer will begin
the next scheduled update after a random delay ranging from 0 to 5 minutes.
By default, the Administration Server automatically defines the randomization interval depending on the number of
computers in the group. The administrator can also specify it manually.
Sources
To specify the list of sources, open the Properties section of the task properties and click the Settings button.
Updates can be retrieved from the following sources:
Kaspersky Security Center: the recommended source for all managed computers. Moreover, the most natural source for the When new updates are downloaded to the repository schedule
Kaspersky Lab update servers: the recommended source for the computers outside the corporate perimeter, or a backup source if the specified Administration Server is not accessible. However, administrators often prefer the computers to wait for the Administration Server connection rather than create extra Internet traffic
Local or network update folder: another option for backup update sources. An HTTP or FTP address may be specified instead of a network folder. For example, if there are several Administration Servers in the network (which is described in course KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills), HTTP addresses of update folders located on other servers can be used as backup sources
Updates are retrieved from the Administration Server by the Network Agents. With the update servers of Kaspersky
Lab or other FTP or HTTP locations, updates are downloaded over standard network protocols. If a proxy server is
required for accessing the source, its parameters are specified in the policy of Kaspersky Endpoint Security (in
the Advanced Settings | Application Settings section). By default, an automatically detected proxy server is used.
In the update task properties you can configure copying updates into a separate folder. This mode can be used for
creating an update source in small networks or subnets without their own Administration Server. In larger networks,
update agents are used to create intermediate update sources. Update agents are created automatically for every
group that contains more than 100 computers (for more details, refer to course KL 302.10 Kaspersky Endpoint
Security and Management: Advanced Skills.)
IV-41
Unit IV. Maintenance
IV42
KASPERSKY LAB
KL 002.10. Kaspersky Endpoint Security and Management. Fundamentals
Module updates
Signature updates are always downloaded by an update task. There is no way to disable this as there is little sense in
doing so. Module updates are more configurable.
Kaspersky Endpoint Security can do without module updates. Unless there is a critical issue that needs to be fixed,
you can keep using Kaspersky Endpoint Security without updating its modules until a new major version comes out.
Still, module updates can be useful. They can improve computer performance, increase protection efficiency and
add new functionality to the product. Often benefits outweigh the risks. And the risks can be mitigated by testing
the updates and installing only approved ones.
The possible choices regarding module updates include:
- Download updates of application modules: enabled by default. Can be disabled in groups where computers are extremely sensitive to changes, e.g., groups with important servers
- Install critical and approved updates: installs the updates marked as approved by the administrator and the updates marked as critical by Kaspersky Lab, the latter without the administrator's approval. Installing unapproved updates may be risky because unforeseen issues might arise
- Install only approved updates (the default choice)
How does the administrator approve an update? All available updates can be found in the Advanced | Application management | Software updates node. It contains a lot of updates, including Windows updates and updates to third-party applications. Use filters to find Kaspersky Lab application module updates.
To approve an update, select it in the list and scroll down the description on the right until you see the Actions area. There is the Update approved parameter there, which can be set to Undefined (default), Approved or Declined. You can find it in the update's properties too. You can also select several updates on the list and approve them all at once.
Now, why would the administrator decide to approve an update? Generally, there should be a process of installing
an update on a small number of computers (representative of the entire network) and monitoring these computers for
some time. If no problems are detected, the update gets approved and is automatically installed on other computers.
Computer statuses
If for some reason a computer uses old databases, the risk of infection increases. Moreover, if the latest databases
are missing, a virus can remain unnoticed and, for example, steal valuable data.
That is why computers with old databases receive a Warning or Critical status depending on how old their
databases are. The status criteria are configured in the group properties. By default, the Warning status is given to
the computers whose databases are 7 or more days old, and Critical is assigned after 14 days.
You can identify that the computer status changed from OK due to outdated databases by the status description in
the Protection section of computer properties, or in the panel displaying computer characteristics in the lower-right
part of the Administration Console. To view detailed information about the databases and, specifically, the last
update date, open the properties of the Kaspersky Endpoint Security program in the Applications section of
computer properties.
Global status
The Monitoring page also provides the information about the databases in use. If everything is fine, the Update
area displays the time when the latest updates were downloaded to the server repository. If there is a problem,
the light will turn yellow or red and a problem description will appear, which also acts as a link to remediation (run
a task) or troubleshooting (check a computer selection) tools.
The Databases in the repository not updated for a long time link opens the properties of the Download updates to
the repository task. The Databases are out of date: N computers link opens the selection of hosts that have
the Databases are outdated status.
The Go to Updates folder link in the Update area of the Monitoring page opens the Advanced | Repositories /
Updates node, which contains links to the settings of the default update tasks and the database version report.
If the databases became obsolete on the computer not because it was off, but because of update task errors,
the administrator would need to view update task events to find out the reason. The events sent to the Administration
Server are often insufficient for thorough analysis of the situation. The local update report of Kaspersky Endpoint
Security usually contains more events.
2.5 Rollback
Although rare, sometimes the latest updates may result in false positives. The Rollback task is designed to deal with
this. It is not created by default, but the administrator can easily create it using the task creation wizard.
The update rollback task has no settings, except for the schedule. It makes little sense to roll back updates
periodically. The rollback is typically performed when the administrator needs it, and the best schedule for such
a task is Manually.
During the rollback, the new database files are replaced with their previous version. For this purpose, the database files of the previous version are stored in a special folder locally on every computer where Kaspersky Endpoint Security is installed. When new databases are downloaded, the old rollback copy is deleted and a new one is created. Only one copy of the databases is kept for rollback: the previous one.
KSN plays an important role in decreasing the risk of false positives. Even if a file seems to be infected according to the databases, KSN's verdict has a higher priority. If KSN considers the file trusted, Kaspersky Endpoint Security ignores the false positive. Thus the introduction of Kaspersky Security Network has considerably reduced the need for running the rollback task.
To prevent users from weakening or stopping Kaspersky Endpoint Security, the administrator can configure password protection for these actions in the policy and make the settings required (locked). Although a user with administrator rights has enough power to disrupt Kaspersky Endpoint Security one way or another, the most direct attempts are blocked by Kaspersky Endpoint Security self-defense, which does not allow deleting or modifying Kaspersky Endpoint Security files and registry entries and protects its service and processes in memory. Together, password protection and self-defense can prevent most of the damage a user might try to inflict on Kaspersky Endpoint Security. Note, however, that self-defense is enabled by default, whereas password protection is not.
Another, a less evident way of disabling the protection is to uninstall the Network Agent. Some 10 to 20 minutes
after the Network Agent is removed, Kaspersky Endpoint Security will no longer be controlled by the policy and
the user will be able to change any settings. There is password protection for the Network Agents too, and it is not
enabled by default either.
To uninstall the product from the command line, the password will also be necessary.
- Restore access to data on encrypted drives: prevents the user from starting the data recovery tool. Recovering data is the administrator's job, not the user's
- View reports: prompts for a password before displaying events in the local KES interface
The advantage of password protection is that it remains active even when the policy is disabled. Once the password
protection settings are applied to Kaspersky Endpoint Security, the users will be unable to manage the product
without a valid password even if the administrator disables the policy.
- Allow local tasks to be displayed and managed (except custom scan): makes the local tasks visible and their settings and control commands available to the user. Moreover, local tasks will start running on the schedule that most of them have by default. Typically, you would not want users tinkering with task settings, but if they need to, this option gives them that power. There is no way to allow managing group task settings via the local interface.
If representation of local tasks is enabled, they will start on the specified schedule with all the negative
consequences described earlier. You cannot make local tasks displayed but started only manually. That is why local
tasks should be used only in very special cases, e.g., on roaming computers while they cannot connect to
the management system.
The Custom scan is never hidden; what you allow to be displayed are all the other local tasks in addition to the Custom scan.
Below you can find the default settings and schedules of the local tasks:

Update
  Settings: Sources: Kaspersky Lab update servers, Kaspersky Security Center; Download updates of application modules; Install critical and approved updates
  Schedule: Automatically (translates to every two hours)
Full scan
  Settings: Security level: Recommended (note 7); Select action automatically; Scan scope: System memory, Startup objects, Disk boot sectors, System Backup Storage, All hard drives, All removable drives
  Schedule: On Mondays at 7:00 PM
Critical Areas Scan
  Settings: Security level: High (note 8); Select action automatically; Scan scope: System memory, Startup objects, Disk boot sectors
  Schedule: Manually
Custom scan
  Settings: Security level: Recommended; Select action automatically; Scan scope: Not defined
  Schedule: Manually
Integrity check
  Settings: Checks integrity of Kaspersky Endpoint Security files
  Schedule: Manually
Vulnerability scan
  Settings: Vulnerability types: Microsoft, Other vendors; Scan scope: %SystemRoot%, %ProgramFiles%, %ProgramFiles(x86)%

There are also two tasks that are never visible in the local interface but can still run and can be controlled by a policy (see the Advanced Settings | Protection Settings section):
- Idle Scan: a special task that starts when the screensaver is on or the computer is locked and scans startup objects, system memory and the system partition of the hard drive. Scanning is performed at the Recommended security level. In the policy, it is controlled by the Perform idle scan check box
- Scan removable drives on connection: another special scan task. It starts when a removable drive is connected to the computer. The scan scope includes the boot sectors and the files located on the removable drive. Two scanning variants are available: Full (the same settings as in the local Full Scan task) and Quick (the same settings as in the local Critical Areas Scan task; in particular, archives and installation packages are not scanned). Scanning large drives may take a long time. To avoid lengthy delays, you can choose to scan only small removable drives. In the policy, the task is controlled by the Action on removable drive connection option, which is set to Do not scan by default but can be changed to either Full scan or Quick scan. When scanning is enabled, you can also adjust the Maximum removable drive size option

Note 7: Scan all files, including archives, installation packages and OLE objects; heuristics level: medium scan.
Note 8: Scan all files, including OLE objects and mail formats, excluding archives and packages; heuristics level: deep scan.
If the administrator believes that more or fewer notifications should be displayed to the users, they can be configured in the protection policy. In the Advanced settings | Interface section, in the Notifications area, the Settings button opens the list of events and local notification methods. For example, you can enable pop-up notifications for malware detection by File Anti-Virus.
Here you can also configure sending e-mail notifications from the client computer. Typically, it is not required,
because events are sent to the server and the server sends e-mail notification when necessary. But it makes sense for
computers out of office that cant connect to the Administration Server.
In the lower-left corner of the Notifications window, a drop-down list is located that enables the administrator to quickly revert to the default settings.
These features can be hidden using the options in the Advanced settings | Interface section:
- Display Kaspersky Endpoint Security 10 for Windows interface: when deselected, removes the icon from the notification area, all shortcuts from the Start menu, and the Kaspersky Endpoint Security entry from the list of installed applications in the Control Panel. At a cursory glance it may appear that Kaspersky Endpoint Security is not installed. However, a more attentive user will notice Kaspersky-related entries on the shortcut menu of files and folders, the folder in Program Files, and the service in the list of services. A user with local administrator rights will find even more traces. Still, self-defense and password protection safeguard Kaspersky Endpoint Security against the user
- Display Protected by Kaspersky Lab on Microsoft Windows logon screen: when this option is disabled, the sign is not displayed in the upper right corner of the logon screen in Windows XP/2003. In other versions of Windows, this sign is never displayed
The presence of Kaspersky Network Agent is less apparent, but it is listed among the other installed applications in the Control Panel. There is no way to hide this.
1. Network Agent cannot synchronize with the Administration Server three times in a row. In practice, this means that the computer is disconnected from the corporate network. By default, the synchronization period is 15 minutes; therefore, the client switches into the mobile mode 30 to 45 minutes after the connection is lost.
   In large networks or networks with unstable connections, three consecutive failures may be considered normal and switching into the mobile mode may be undesirable. In this case, it makes sense to disable automatic switching and configure connection profiles instead. This can be done in the Network | Connection section of the Network Agent policy. Connection profiles are described in detail in course KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills
2. All network adapters are disabled or disconnected on the client computer: in this case synchronization is impossible, and Kaspersky Endpoint Security immediately switches to out-of-office settings
3. According to connection profiles (see course KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills)
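Why the first condition gives a 30 to 45 minute window, and not a fixed delay, is easiest to see in a short simulation. The following Python is an added example written for this page, not code from the course or from Kaspersky Lab; it assumes that synchronization attempts are evenly spaced from the last successful one and that a successful attempt resets the failure counter, which is a simplification of the real agent.

```python
SYNC_PERIOD_MIN = 15      # default Network Agent synchronization period
FAILURES_TO_SWITCH = 3    # consecutive failed synchronizations before mobile mode

def minutes_until_mobile_mode(disconnect_at, period=SYNC_PERIOD_MIN,
                              failures_needed=FAILURES_TO_SWITCH,
                              adapters_disabled=False, auto_switch=True):
    """Minutes between losing the network and switching to the out-of-office policy.

    disconnect_at is measured from the last successful synchronization (t = 0).
    Returns 0 when all adapters are disabled (immediate switch) and None when
    automatic switching is disabled (connection profiles decide instead)."""
    if adapters_disabled:
        return 0
    if not auto_switch:
        return None
    failures = 0
    t = 0
    while True:
        t += period                 # next scheduled synchronization attempt
        if t < disconnect_at:       # network still up: success resets the counter
            failures = 0
            continue
        failures += 1
        if failures == failures_needed:
            return t - disconnect_at

def switch_delay_bounds(period=SYNC_PERIOD_MIN, failures_needed=FAILURES_TO_SWITCH):
    """Shortest and longest possible delay, found by sweeping the moment of
    disconnection across one synchronization period in whole minutes."""
    delays = [minutes_until_mobile_mode(d, period, failures_needed)
              for d in range(period + 1)]
    return min(delays), max(delays)

if __name__ == "__main__":
    for d in (0, 7, 15, 20):
        print(f"disconnected at t={d:2d} min -> mobile mode after "
              f"{minutes_until_mobile_mode(d)} min")
    print("bounds with defaults:", switch_delay_bounds())
```

A disconnection right after a successful synchronization costs the full three periods (45 minutes); one just before the next attempt costs two periods plus a moment (30 minutes). Lengthening the period or the failure count in the Network Agent policy scales both bounds accordingly.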
An out-of-office policy may be created for any group. A group may have only one policy for out-of-office
computers. That policy is propagated in exactly the same manner as an active policy. However, while an active
policy is enforced immediately, a policy for out-of-office computers starts working only when the computer meets
the specified conditions (see above).
If a child group has no out-of-office policy, it will use the out-of-office policy of its parent group. However, if
an out-of-office policy exists in both parent and child groups, they are not related in any way. Regardless of
mandatory settings in the parent group policy, they do not restrict the policy of the child group.
In other words, individual settings of an out-of-office policy are not inherited, unlike those of an active policy,
where the required settings are inherited by the policies of child groups. Out-of-office policies are inherited only
completely by those subgroups where out-of-office policy is not configured.
You can switch a policy into the Out-of-office policy status in its properties window, in the General section, Policy
status area.
Note: The Out-of-office policy status only exists in the policies of Kaspersky Endpoint Security for Windows and Kaspersky Anti-Virus for Windows Workstations. Policies of the Network Agent or, for example, Kaspersky Anti-Virus for Windows Servers Enterprise Edition do not have such an option.
Note 10: Including standalone packages, but excluding operating system image packages (these packages are described in detail in course KL 009.10 Systems Management).
However, it is risky to store backup copies on the same disk with the Administration Server, because in the event of
a hardware failure, both the current system and its backup copy might be corrupted. So, it is strongly recommended
that you store backup copies separately. The administrator can either specify a network location or use an additional
process to move backup copies to a safer place for storage.
Since a backup copy can be up to several gigabytes in size (depending on the network and the amount of stored
data), it makes sense to limit the number of stored backup copies. By default, the maximum number of backup
copies is three.
The Administration Server certificate is stored in an encrypted form for security reasons. This security measure
prevents intruders from using the certificate to gain control over the client systems. To enable certificate encryption,
you need to provide a password. By default, the password is empty.
The backup data copying task is scheduled by default to start daily at 2 a.m.; therefore, only three backup copies of
the last three days are stored.
No matter how often it is explained that creating a backup copy restarts the Administration Server and disconnects all connected consoles, somebody will be confused and ask why the Console they left connected overnight is disconnected the next morning. The reason is the default backup task, which runs every night at 2:00 AM.
To make statuses useful for diagnostics, the administrator can modify their settings to disable less important statuses
and the statuses that are not used. For example, the Windows update search has not been performed for a long
time status can be disabled if Windows updates are managed by a different department.
Generally, which statuses to disable and which to use would depend on the components installed on the computers,
and what the administrator believes to be important for network protection.
The administrator can also change the status settings. For example, the period after which databases are considered
to be obsolete can be changed. For some other statuses, their criteria can be modified. For example, the Restart is
required status has seven different conditions in its properties and the administrator can choose which reasons for
restart should trigger the status change and which can wait till the computer is restarted in due course.
The administrator can even configure different status criteria for different groups if computers in these groups serve
different purposes, encounter different threats, or have different components installed. For example, groups with
servers can use more statuses than groups with desktop computers.
By default, all groups inherit status parameters from the settings of the Managed computers node.
The administrator can disable inheritance in any group and adjust the settings.
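The database-age status described earlier in this section (Warning from 7 days, Critical from 14 by default) together with the per-group inheritance just described can be modelled in a few lines. This Python is an added example for this page, not code from the course or the product; the group tree, the stricter server thresholds and the dates are constructed for illustration.

```python
from datetime import date, timedelta

# Defaults of the Managed computers node: Warning at 7 days, Critical at 14
MANAGED_COMPUTERS_DB_CRITERIA = {"enabled": True, "warning_days": 7, "critical_days": 14}

class Group:
    """An administration group. db_criteria is None while the group inherits
    the status settings of its parent; giving it a value disables inheritance."""

    def __init__(self, name, parent=None, db_criteria=None):
        self.name = name
        self.parent = parent
        self.db_criteria = db_criteria

    def effective_db_criteria(self):
        """Walk up the tree to the nearest group with its own settings."""
        group = self
        while group is not None:
            if group.db_criteria is not None:
                return group.db_criteria
            group = group.parent
        return MANAGED_COMPUTERS_DB_CRITERIA

def database_age_status(last_update, today, criteria):
    """OK / Warning / Critical from the age of the databases, or OK when the
    administrator has disabled this status for the group."""
    if not criteria["enabled"]:
        return "OK"
    age = (today - last_update).days
    if age >= criteria["critical_days"]:
        return "Critical"
    if age >= criteria["warning_days"]:
        return "Warning"
    return "OK"

def computer_status(group, last_update, today):
    return database_age_status(last_update, today, group.effective_db_criteria())

# Constructed example tree (hypothetical group names and thresholds)
MANAGED = Group("Managed computers", db_criteria=MANAGED_COMPUTERS_DB_CRITERIA)
WORKSTATIONS = Group("Workstations", parent=MANAGED)            # inherits 7/14 days
SERVERS = Group("Servers", parent=MANAGED,                      # inheritance disabled
               db_criteria={"enabled": True, "warning_days": 2, "critical_days": 5})
DB_SERVERS = Group("Database servers", parent=SERVERS)          # inherits 2/5 from Servers
KIOSKS = Group("Kiosks", parent=MANAGED,                        # status switched off
              db_criteria={"enabled": False, "warning_days": 7, "critical_days": 14})
TODAY = date(2016, 3, 15)   # constructed reference date

def status_for_age(group, days_old, today=TODAY):
    """Status of a computer in `group` whose databases are `days_old` days old."""
    return computer_status(group, today - timedelta(days=days_old), today)

if __name__ == "__main__":
    for group in (WORKSTATIONS, SERVERS, DB_SERVERS, KIOSKS):
        print(group.name, [status_for_age(group, d) for d in (1, 3, 8, 20)])
```

The same computer age gives different statuses depending on where the host sits in the tree, which is exactly the effect of disabling inheritance in a group: the override applies to that group and everything below it that does not override again.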
Each status relates to a component or function of Kaspersky Endpoint Security or Kaspersky Security Center.
The status settings are described in detail in the respective course sections: deployment statuses in Unit I, protection
statuses in Unit II, control statuses in Unit III and some of the rest in this unit. Some statuses related to encryption
and other advanced topics are described in the respective courses.
Some of the search settings are described in more detail in the sections devoted to the respective components and
functions.
One of the most frequent search use cases is searching for a computer by its name or IP address to understand in
which group it is located and which policy is enforced there.
The search results are clickable; for example, from a computer's shortcut menu you can open its properties, protection status or events. You can also delete the computer from its group or move it into a different group, run a task on the computer, send a message to the active user, and more, all from the search window.
Standard selections
For many statuses, standard computer selections are available that display computers having this status. For
example, the There are unprocessed objects computer selection displays the computers where the There are
unprocessed objects status condition is met. When computer statuses change, the contents of computer selections
are updated.
Computer selections are not limited to statuses, though. They allow viewing computers that meet any specified
conditions. Standard selections are hard-coded selections that are initially available in the interface and can be
neither modified, nor deleted. If the administrator feels that standard selections are not enough, they can create
custom selections of their choice.
Custom selections
If you often search for computers with the same parameters, you should consider creating a selection with similar
search conditions.
Selections are located in the respective node of the console tree. In addition to standard selections, the administrator
can create various custom selections using the shortcut menu of the Computer selections node or the Advanced
button on the nodes page.
The selection scope is specified in the General section and may include all computers, managed or unassigned.
Search parameters are specified in the Conditions section. The parameters are the same as in the Search window,
however, while in the Search window you can specify only one set of parameters, in a selection you can create
several conditions with different search parameters.
For example, in the Search window you cannot specify two IP address ranges to search for computers in any of
them. Whereas in a selection, you can create two conditions for this purpose and specify different ranges in each of
them.
If several conditions are specified, a selection displays the computers that meet any of them. Search parameters
within a condition (or in the Search window), on the contrary, are superimposed. If both an IP range and a name of
an installed program are specified in a condition, only those computers will be displayed where both the program is
installed and the IP address belongs to the specified range.
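The matching rule (parameters inside a condition are ANDed, conditions inside a selection are ORed, and the Search window is a selection with a single condition) is easy to get wrong when building custom selections, so here it is spelled out in Python. This is an added example for this page, not course or product code; the inventory is a constructed sample and only a handful of the real search parameters are modelled.

```python
import ipaddress

# Constructed sample inventory for the example (hypothetical hosts)
COMPUTERS = [
    {"name": "WS-001", "ip": "10.1.0.12", "group": "Workstations",
     "programs": {"Kaspersky Endpoint Security 10 for Windows", "Microsoft Office"},
     "status": "OK"},
    {"name": "WS-002", "ip": "10.1.0.77", "group": "Workstations",
     "programs": {"Kaspersky Endpoint Security 10 for Windows"},
     "status": "Warning"},
    {"name": "SRV-01", "ip": "10.2.0.5", "group": "Servers",
     "programs": {"Kaspersky Endpoint Security 10 for Windows", "Microsoft SQL Server"},
     "status": "Critical"},
    {"name": "SRV-02", "ip": "10.2.0.9", "group": "Servers",
     "programs": {"Microsoft SQL Server"},
     "status": "OK"},
]

def parameter_matches(computer, key, value):
    """One search parameter (a subset of what the Search window offers)."""
    if key == "ip_range":
        first, last = (ipaddress.ip_address(x) for x in value)
        return first <= ipaddress.ip_address(computer["ip"]) <= last
    if key == "installed_program":
        return value in computer["programs"]
    if key == "group":
        return computer["group"] == value
    if key == "status":
        return computer["status"] == value
    raise ValueError(f"unknown search parameter: {key}")

def condition_matches(computer, condition):
    """Parameters inside one condition are ANDed (as in the Search window)."""
    return all(parameter_matches(computer, k, v) for k, v in condition.items())

def select_computers(computers, conditions):
    """Conditions of a selection are ORed: listed if any condition matches."""
    return [c["name"] for c in computers
            if any(condition_matches(c, cond) for cond in conditions)]

def search(computers, **parameters):
    """The Search window: a single set of parameters, i.e. one condition."""
    return select_computers(computers, [parameters])

if __name__ == "__main__":
    # Two IP ranges: impossible in one Search, trivial as two conditions
    print(select_computers(COMPUTERS, [{"ip_range": ("10.1.0.0", "10.1.0.255")},
                                       {"ip_range": ("10.2.0.0", "10.2.0.255")}]))
    # Range AND program: both must hold
    print(search(COMPUTERS, ip_range=("10.2.0.0", "10.2.0.255"),
                 installed_program="Kaspersky Endpoint Security 10 for Windows"))
```

A standard selection such as There are unprocessed objects is the one-condition case with a single status parameter; a custom selection for "servers without Kaspersky Endpoint Security, plus anything in Warning" needs two conditions because the two requirements must be ORed.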
The global event storage parameters are located in the Administration Server properties, in the Events storage
section. There are two parameters:
- Maximum number of events stored in the database: the default value is 400,000 (four hundred thousand) and the maximum configurable value is 100,000,000 (a hundred million). The optimal value depends on the number of managed computers and the resources available to the SQL server. Too low a limit might lead to a rapid event turnover with new events pushing out older events before the administrator has a chance to see them. Too high a limit might lead to performance issues with the SQL server. You can learn that the limit is reached and events are not saved any more from the Windows event log
- Store events after removal of computers, supplemented with the Maximum storage time (days) option: this parameter was introduced in Kaspersky Security Center 10 MR1. In previous versions of Kaspersky Security Center, if a computer was removed from the Administration Server database, all events associated with this computer were promptly removed too. This is not always a good thing, and now the administrator can keep the events for some time after computer removal. This parameter is disabled by default, which corresponds to the old Kaspersky Security Center behavior
Database maintenance
With time, the Administration Server database may slow down. In particular, the reports may be generated slowly,
and lists of events or computers may be displayed only after a noticeable pause.
To speed up the console's work with the events stored in the database, the database needs to be optimized. Before Kaspersky Security Center 10 SP2, this could only be done with the database server's own tools. Kaspersky Security Center 10 SP2 features a special task named Database maintenance, which can optimize a Microsoft SQL database of the Administration Server. The task does not support MySQL databases; if you use MySQL, optimize the database using the database server tools.
To speed up the Administration Server database, the Database maintenance task performs the following:
The task has few parameters. In addition to the schedule, there is only the Shrink database option, which decreases
the database size. The database is recommended to be optimized once a week.
You can have only one task of this type. It is created by the Quick Start wizard. By default, the task starts every
Saturday, at 1 a.m.
Event notifications
In addition to saving events to the database, you can set up event notification. This is configured in the properties of
every particular event type that you want to be notified about. Kaspersky Security Center 10 supports four
notification channels:
E-mail
SMS
Start of an executable file
SNMP
Notifications help to draw the administrator's attention to the most important events.
By default, notifications are not sent. To receive notifications, the administrator finds the necessary events and
selects the necessary delivery options in their properties.
All events are delivered using the general delivery parameters unless the administrator edits the delivery settings of
an individual event, for example, specifies another delivery address.
- Recipient's address
- SMTP server address
- SMTP server port
- Message text
These are the main parameters that are configured in the window that opens when you click the Configure notifications link on the Events page. They are sufficient if the selected SMTP server does not require authorization. The recipient address is also used as the sender address, and the subject of the sent notifications is made up of the event severity level and its type, for example, Critical event: Threats have been detected.
To view additional e-mail notification settings, click the Settings link. Then you will be able to modify:
- Message subject
- Authorization username and password
- Sender's address
When configuring the notification subject and text, you can use macros, which will be replaced by
the corresponding event attributes in the notifications:
The macros can be added using the special buttons located next to the fields where notification text and subject are
edited.
Notification limits
Some events (including important) may occur too frequently to send a notification for each of them. For example,
the Threats have been detected event during a virus outbreak may invoke tens and hundreds of notifications. To
avoid this, the administrator can limit the number of notifications: follow the General settings of selections | Configure notifications link on the Events page, and in the Notification section, click the Configure numeric notification limit link.
The limit is set up as the maximum number of notifications over a time span. As soon as the limit is reached,
notifications are suppressed until the specified period is over. If new events are received afterwards, the limit is
counted anew. The same limit is used for all notification types, but applies individually to each event type. E.g., if
notifications for the Threats have been detected event hit the limit, notifications for other event types will not be
affected.
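The limit semantics above (a count per event type over a period, suppression until the period is over, a fresh count afterwards, the same limit value for every channel) and the default subject format from the e-mail section are modelled in the following Python. It is an added example for this page, not code from the course or the product; the channels are plain callables standing in for e-mail, SMS, executable and SNMP delivery, and the limit and period values are assumptions.

```python
from collections import defaultdict

def subject_for(severity, event_type):
    """Default subject: severity level plus event type."""
    return f"{severity} event: {event_type}"

class NotificationLimiter:
    """Maximum number of notifications per event type within a period.

    The period is counted from the first notification of that event type.
    Once the limit is reached, further notifications of the type are dropped
    until the period is over; the next event after that starts a new count.
    Other event types keep their own counters."""

    def __init__(self, max_notifications, period_seconds):
        self.limit = max_notifications
        self.period = period_seconds
        self._windows = {}    # event type -> (window start, notifications sent)

    def allow(self, event_type, now):
        start, sent = self._windows.get(event_type, (None, 0))
        if start is None or now - start >= self.period:
            self._windows[event_type] = (now, 1)      # new counting period
            return True
        if sent < self.limit:
            self._windows[event_type] = (start, sent + 1)
            return True
        return False                                  # suppressed until period ends

class Notifier:
    """Fans one event out to every configured channel, subject to the limiter.
    Each channel is a callable that receives the subject (hypothetical stand-in
    for the real e-mail/SMS/executable/SNMP delivery)."""

    def __init__(self, limiter, channels):
        self.limiter = limiter
        self.channels = channels
        self.suppressed = defaultdict(int)

    def notify(self, severity, event_type, now):
        if not self.limiter.allow(event_type, now):
            self.suppressed[event_type] += 1
            return False
        subject = subject_for(severity, event_type)
        for send in self.channels:
            send(subject)
        return True

def outbreak_demo():
    """Constructed scenario: at most 3 notifications per 10 minutes per event type."""
    sent = []
    notifier = Notifier(NotificationLimiter(3, 600), [sent.append])
    results = [notifier.notify("Critical", "Threats have been detected", t)
               for t in (0, 10, 20, 30, 40)]          # 4th and 5th are suppressed
    results.append(notifier.notify("Warning", "Functional failure", 100))  # other type unaffected
    results.append(notifier.notify("Critical", "Threats have been detected", 600))  # period over
    return results, sent, dict(notifier.suppressed)

if __name__ == "__main__":
    print(outbreak_demo())
```

During an outbreak the administrator still gets the first three Threats have been detected notifications and then one more every period, while unrelated event types are delivered normally; the events themselves are all still in the database, only the notifications are throttled.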
SNMP notification
SNMP or Simple Network Management Protocol is a protocol that allows receiving standardized information about
various network devices. This protocol is used in numerous industry systems management solutions, such as
HP OpenView (HP BTO). The SNMP information can be delivered as notifications (so-called SNMP traps) or
retrieved on demand.
Kaspersky Security Center Administration Server can also be regarded as a device information about which can be
received over SNMP. The following requirements must be met for this purpose. First, the Windows component
named 'SNMP service' must be installed on the computer with the Administration Server. Second, the Kaspersky
Security Center component named 'SNMP agent' must be installed among other Administration Server components.
SNMP agent interacts with SNMP service to provide the Administration Server statistics on demand and for sending
notifications (SNMP traps). SNMP-specific parameters are configured in the properties of the SNMP service.
The settings are standard for SNMP protocol and should not be difficult for an administrator acquainted with
the protocol.
Statistics and notifications are standardized in SNMP. Special files in MIB (Management Information Base) format
are used for their interpretation. MIB files for interpreting the Administration Server notifications become available
in the SNMP subfolder of the Administration Server program files after the SNMP agent component is installed.
The administrator should take these files and import them into the SNMP console they use.
Event selections
The events stored in the Administration Server database can be viewed in the Administration Console as event
selections located on the Events tab of the Administration Server node. By default, there are seven predefined event
selections:
Recent events
Critical events
Functional failures
Warnings
Audit events
Informational events
User requests
The name of the current selection is displayed next to the Selection events text. To view another selection, click
the name of the current selection or the arrow beside it. The drop-down list of all available selections will open.
Predefined selections support some limited configuration, such as time period, but mostly their filtering parameters
are fixed. To see events with some other properties, for example, events related to license use, the administrator
should create a custom event selection. There is no special search tool for events (similar to the computer search
window), which you could use for a quick lookup.
In the selection properties, the administrator can also restrict the number of displayed events or the number of
records to search. Both options affect the time it takes the Console to display the events. The larger the database is,
the more time-consuming the process can be.
In custom selections, the administrator can filter events by the properties of the computers they originated from
(computer names, IP ranges, and management groups), by the event types and severity levels, by the product and
component name and by the time period. It is also possible to include task results in the search scope.
Alternatively (or in addition to filtering by computer or event attributes), there is a simple search field where a word
or several words can be typed. All events that contain any of the typed words 11 anywhere in their attributes (event
name, description, component name, etc.) will be displayed.
For example, if Web Control warns that visiting social networks during business hours is undesirable, but a user
opens such a site nevertheless, the corresponding notification is sent to the Administration Server. The administrator
can create a selection of such events and filter it, for example, by twitter.com.
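The filtering rules described in the preceding paragraphs (computer, IP range, group, event type, severity and period combined with AND; the search field matching any of the typed words anywhere in the event attributes), worked through in Python as an added example over constructed event records. This is not Kaspersky Security Center code; the record layout, the searchable attribute list and the function name are assumptions made for the illustration.

```python
"""Event selection filter over constructed events (added example)."""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample events resembling Administration Server event records.
EVENTS = [
    {"time": datetime(2016, 3, 1, 10, 15), "computer": "PC-01", "ip": "10.0.1.5",
     "group": "Workstations", "type": "Web Control rule triggered", "severity": "Warning",
     "product": "Kaspersky Endpoint Security", "component": "Web Control",
     "description": "Access to twitter.com blocked by rule 'Social networks'"},
    {"time": datetime(2016, 3, 1, 10, 40), "computer": "PC-02", "ip": "10.0.1.9",
     "group": "Workstations", "type": "Web Control rule triggered", "severity": "Warning",
     "product": "Kaspersky Endpoint Security", "component": "Web Control",
     "description": "Access to facebook.com blocked by rule 'Social networks'"},
    {"time": datetime(2016, 3, 1, 11, 5), "computer": "SRV-01", "ip": "10.0.2.20",
     "group": "Servers", "type": "Threats have been detected", "severity": "Critical",
     "product": "Kaspersky Endpoint Security", "component": "File Anti-Virus",
     "description": "Detected object EICAR-Test-File in C:\\temp\\eicar.com"},
    {"time": datetime(2016, 2, 20, 9, 0), "computer": "PC-01", "ip": "10.0.1.5",
     "group": "Workstations", "type": "License usage", "severity": "Info",
     "product": "Administration Server", "component": "Licensing",
     "description": "License key usage limit is about to be reached"},
]

# Attributes the free-text search looks at (assumed list for this example).
SEARCHABLE = ("type", "description", "component", "product", "computer")


def select_events(events, computers=None, ip_range=None, groups=None, types=None,
                  severities=None, period=None, words=None):
    """Return the events matching every criterion given; unset criteria are ignored.

    `words` behaves like the search field described in the text: an event matches
    if ANY of the words occurs anywhere in its searchable attributes (case-insensitive
    substring match). `period` is an inclusive (start, end) pair of datetimes.
    """
    net = ip_network(ip_range) if ip_range else None
    lowered = [w.lower() for w in (words or [])]
    selected = []
    for ev in events:
        if computers and ev["computer"] not in computers:
            continue
        if net and ip_address(ev["ip"]) not in net:
            continue
        if groups and ev["group"] not in groups:
            continue
        if types and ev["type"] not in types:
            continue
        if severities and ev["severity"] not in severities:
            continue
        if period and not (period[0] <= ev["time"] <= period[1]):
            continue
        if lowered:
            haystack = " ".join(str(ev[k]) for k in SEARCHABLE).lower()
            if not any(w in haystack for w in lowered):
                continue
        selected.append(ev)
    return selected


if __name__ == "__main__":
    # The Web Control case from the text: a selection filtered by twitter.com.
    for ev in select_events(EVENTS, words=["twitter.com"]):
        print(ev["time"], ev["computer"], ev["description"])
```

Narrowing a selection is a matter of adding criteria: the same call with `types={"Web Control rule triggered"}` and `words=["twitter.com", "facebook.com"]` returns both social-network events, while `ip_range="10.0.2.0/24"` alone returns only the server event.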
Reports
Select the Reports tab of the Administration Server node to view the list of all available report templates. They
contain the report generation parameters. To generate a report from a template, either double-click it, or select it
and click the Show report link. The report opens in a new window.
When the Administration Server is installed, there are more than 20 pre-created templates in the console, each for a
different report type. All in all, Kaspersky Security Center 10 supports 42 report types, and the administrator can
have multiple templates for the same report type if they want to, for example, templates covering different time
periods or different parts of the network. Pre-created templates are not hard-coded and can be modified or removed
as necessary.
A report consists of a header (which contains a phrase, 'Kaspersky Security Center' by default, and a picture,
the Kaspersky Lab logo by default), the report name and description, then a chart, a summary table, some statistics
and a details table. The chart usually represents the contents of the summary table.
If the summary table contains the Number of computers column (for example, the number of computers having
the Protection is off status), the figure displayed in the column is a link that takes you to the list of these computers.
Click the link to open the window where you will be able to manage these computers similarly to a selection or
search results.
Everything in the report can be configured to various extents via the template properties or the global report
parameters. Template settings include the reporting period, the computers or groups whose information is included
in the report, and the list of information fields that make up the summary and details tables. Some fields contain
insignificant information and can be deleted so as not to overload the report. For example, the Virtual server field
makes little sense in a report if virtual Administration Servers are not used in the network12.
The administrator can use information field settings in a report template to create complex filters for the events to be
included in the report. Allowed values can be specified in the field properties. For example, for the Detected object
field, you can specify the malware name. As a result, you will get a report based on the events related to
the specified malware only. Similarly, the administrator can view protection status or virus activity on the computers
with the specified version of the protection software, even if these computers belong to different groups.
In addition to filtering by field value, you can change sort order: ascending, descending, or unsorted.
Starting with version 10 Service Pack 1, you can do it in the generated report too, by clicking the column titles in the
tables. Click again to reverse the sort order.
The report header can also be modified. By default, Kaspersky Lab logo is displayed in the upper-right corner of
the report, and on the left, Kaspersky Security Center is written. If necessary, the administrator can replace the text
and the logo, for example, with the logo and name of their company. These settings are general for all reports and
are specified using the Edit report presentation settings link on the Reports page.
Reports can be saved in the following formats: HTML, XML and PDF. You can use the XML format to import
the summary or details table of a report into a spreadsheet application, for example, Microsoft Excel.
Alternatively, you can schedule the automatic generation of reports and specify their e-mail recipients or the
directory they will be stored in. The 'Deliver reports' task serves this purpose. The easiest way to create it is to run
the Deliver reports command from the context menu of the selected report.
12
The Virtual Administration Server or Virtual server terms that may be encountered in the reports should not be confused
with Administration Servers running inside a virtual machine. These two usages of the word virtual have almost nothing in
common. If your Administration Server runs in a virtual machine, it is still just a normal Administration Server, not a virtual
server. And virtual servers in the reports and other parts of the Console are something else entirely. Virtual Administration
Servers are described in course 302.10.
You can choose the report format (html, xml or pdf) in the task parameters. You can create several tasks to send
different reports to different administrators or managers. A task can send any reports configured in
the Administration Console.
Note: The Quick Start wizard automatically creates a deliver reports task for the Protection status report, if
the administrator fills in the e-mail notification parameters. Later, you can edit this task or create more of them.
Statistics
To get a general idea of the overall protection status, open the Monitoring page of the Administration Console.
Indicators are colored icons and short descriptions which provide general information: how many computers are
protected, when the updates were last downloaded, how many clients have the Critical status.
Detailed statistics are available on the Statistics tab of the Administration Server node, on the statistics pages and
panes. Usually, a pane contains a chart with a legend or a table. By default, they represent events from all managed
computers over the last 24 hours. The administrator can narrow the scope or change the period in the Properties
window, which opens with the corresponding button. A statistics page consists of several panes.
By default, Statistics includes 6 pages devoted to various aspects of the network status: Protection status,
Deployment, Update, Anti-virus statistics, General information, Updates for applications. Each page contains 3 to 4
information panes. All this can be customized: the administrator can re-arrange the panes on a page as they wish,
add more panes or more statistics pages, or remove some.
Statistics are configurable at three levels. The administrator can add, delete and move statistics pages; add, delete
and move panes on a page; and modify the settings and representation of the panes.
Overall, there are 50 types of panes grouped into six categories for the administrator to choose from.
To rearrange the pages, click the Customize view button to the right of the page tabs. The administrator can add as
many pages as they wish and name them as they wish. They can also delete the default pages, or re-order them.
The tabs are always lined up in a single row.
To modify page contents, click the button to the right of the page name in its tab. This button is displayed only
for the active page. In the page properties, you can draw up the list of the panes to be displayed and their layout on
the page: one column, two columns (the default choice), three columns, etc.
In the pane settings, depending on its type, you can modify the time interval for the displayed data and select
the computers whose data will be shown. There are only two options for the computers: either all computers, or
computers from a specified selection. You cannot specify a group of computers or draw up an arbitrary list of
computers, as in reports.
As far as the pane layout settings are concerned, you can modify the height of the panes to better fit the console
window. You can also modify the chart type, axis orientation and chart appearance (gradient, transparency).
Depending on the pane type, the following chart types can be available: Pie chart, Column chart (the columns can be
displayed either vertically or horizontally), Table, and Graph.
The information panes' capability to display the history of parameter changes over the specified period can be
useful. For example, you can view how many viruses were detected during each hour of the last day. This data may
help to select the threshold for the Virus outbreak event. Reports lack this capability.
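The hourly history the paragraph refers to, computed in Python as an added example over constructed detection timestamps (not Kaspersky Security Center code, and not its Virus outbreak logic). The bucketing is the technique the paragraph describes; the threshold suggestion is an assumed heuristic chosen for the illustration, namely a value above the busiest ordinary hour but below the observed burst, so that a burst like the one in the sample would be reported while the normal background would not.

```python
"""Hourly detection history for the last day (added example, constructed data)."""
from datetime import datetime, timedelta

# Constructed "current time" and detection timestamps: a quiet background of one
# detection every three hours, a burst between 14:00 and 15:00, and one event
# that falls outside the 24-hour window and must be ignored.
NOW = datetime(2016, 3, 2, 0, 0)
DETECTIONS = (
    [datetime(2016, 3, 1, h, 30) for h in range(0, 24, 3)]
    + [datetime(2016, 3, 1, 14, m) for m in (5, 12, 18, 25, 31, 44, 52)]
    + [datetime(2016, 2, 28, 23, 50)]
)


def hourly_history(timestamps, end, hours=24):
    """Count detections in each of the `hours` one-hour slots ending at `end`.

    Slot 0 is the oldest hour. Timestamps outside [end - hours, end) are ignored,
    mirroring a pane that shows only the selected period.
    """
    start = end - timedelta(hours=hours)
    counts = [0] * hours
    for t in timestamps:
        if start <= t < end:
            counts[int((t - start).total_seconds() // 3600)] += 1
    return counts


def suggest_threshold(counts, margin=2):
    """Assumed heuristic for a per-hour outbreak threshold (not a KSC rule).

    Treat the highest hourly count as a possible outbreak and the second-highest
    as the busiest ordinary hour; return `margin` times the latter plus one, so
    the ordinary peak stays below the threshold with some headroom.
    """
    ordered = sorted(counts, reverse=True)
    busiest_ordinary = ordered[1] if len(ordered) > 1 else ordered[0]
    return margin * busiest_ordinary + 1


if __name__ == "__main__":
    history = hourly_history(DETECTIONS, NOW)
    for hour, n in enumerate(history):
        print(f"{hour:02d}:00 {'#' * n}")
    print("suggested threshold per hour:", suggest_threshold(history))
```

With the constructed data the history shows a background of one detection every three hours and seven detections in the 14:00 hour; the suggested threshold of 3 per hour would have reported that burst without firing on the background. In practice the administrator compares several days of history before settling on a value.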
v1.0.1