KESWin 12.5 en US
Contents
Kaspersky Endpoint Security for Windows Help
What's new
Frequently asked questions
Kaspersky Endpoint Security for Windows
Distribution kit
Hardware and software requirements
Comparison of available application features depending on the type of operating system
Comparison of application functions depending on the management tools
Compatibility with other applications
Installing and removing the application
Deployment through Kaspersky Security Center
Standard installation of the application
Creating an installation package
Updating databases in the installation package
Creating a remote installation task
Installing the application locally using the Wizard
Remotely installing the application using System Center Configuration Manager
Description of setup.ini file installation settings
Change application components
Upgrading from a previous version of the application
Removing the application
Application licensing
About the End User License Agreement
About the license
About the license certificate
About subscription
About license key
About activation code
About the key file
Comparison of application functionality depending on license type for workstations
Comparison of application functionality depending on license type for servers
Activating the application
Viewing license information
Purchasing a license
Renewing subscription
Data provision
Data provision under the End User License Agreement
Data provision when using Kaspersky Security Network
Data provision when using Detection and Response solutions
Kaspersky Endpoint Detection and Response
Kaspersky Sandbox
Kaspersky Anti Targeted Attack Platform (EDR)
Compliance with European Union legislation (GDPR)
Getting started
About the Kaspersky Endpoint Security for Windows Management Plug-in
Special considerations when working with different versions of management plug-ins
Special considerations when using encrypted protocols for interacting with external services
Application interface
Application icon in the taskbar notification area
Simplified application interface
Configuring the display of the application interface
Getting started
Managing policies
Task management
Configuring local application settings
Starting and stopping Kaspersky Endpoint Security
Pausing and resuming computer protection and control
Creating and using a configuration file
Restoring the default application settings
Malware Scan
Scanning the computer
Scanning removable drives when they are connected to the computer
Background scan
Scan from context menu
Application Integrity Check
Editing the scan scope
Running a scheduled scan
Running a scan as a different user
Scan optimization
Updating databases and application software modules
Database and application module update scenarios
Updating from a server repository
Updating from a shared folder
Updating using Kaspersky Update Utility
Updating in mobile mode
Starting and stopping an update task
Starting an update task under the rights of a different user account
Selecting the update task run mode
Adding an update source
Updating application modules
Using a proxy server for updates
Last update rollback
Working with active threats
Disinfection of active threats on workstations
Disinfection of active threats on servers
Enabling or disabling Advanced Disinfection technology
Processing of active threats
Computer protection
File Threat Protection
Enabling and disabling File Threat Protection
Automatic pausing of File Threat Protection
Changing the action taken on infected files by the File Threat Protection component
Forming the protection scope of the File Threat Protection component
Using scan methods
Using scan technologies in the operation of the File Threat Protection component
Optimizing file scanning
Scanning compound files
Changing the scan mode
Web Threat Protection
Enabling and disabling Web Threat Protection
Configuring malicious web address detection methods
Anti-Phishing
Creating the list of trusted web addresses
Exporting and importing the list of trusted web addresses
Mail Threat Protection
Enabling and disabling Mail Threat Protection
Changing the action to take on infected email messages
Forming the protection scope of the Mail Threat Protection component
Scanning compound files attached to email messages
Email messages attachment filtering
Exporting and importing extensions for attachment filtering
Scanning emails in Microsoft Office Outlook
Network Threat Protection
Enabling and disabling Network Threat Protection
Blocking an attacking computer
Configuring addresses of exclusions from blocking
Exporting and importing the list of exclusions from blocking
Configuring protection against network attacks by type
Firewall
Enabling or disabling Firewall
Changing the network connection status
Managing network packet rules
Creating a network packet rule
Enabling or disabling a network packet rule
Changing the Firewall action for a network packet rule
Changing the priority of a network packet rule
Exporting and importing network packet rules
Defining network packet rules in XML
Managing application network rules
Creating an application network rule
Enabling and disabling an application network rule
Changing the Firewall action for an application network rule
Changing the priority of an application network rule
Network Monitor
BadUSB Attack Prevention
Enabling and disabling BadUSB Attack Prevention
Using On-Screen Keyboard for authorization of USB devices
AMSI Protection
Enabling and disabling the AMSI Protection
Using AMSI Protection to scan compound files
Exploit Prevention
Enabling and disabling Exploit Prevention
System processes memory protection
Behavior Detection
Enabling and disabling Behavior Detection
Selecting the action to take on detecting malware activity
Protection of shared folders against external encryption
Enabling and disabling protection of shared folders against external encryption
Selecting the action to take on detection of external encryption of shared folders
Creating an exclusion for protection of shared folders against external encryption
Configuring addresses of exclusions from protection of shared folders against external encryption
Exporting and importing a list of exclusions from protection of shared folders against external encryption
Host Intrusion Prevention
Enabling and disabling Host Intrusion Prevention
Managing application trust groups
Changing the trust group of an application
Configuring trust group rights
Selecting a trust group for applications started before Kaspersky Endpoint Security
Selecting a trust group for unknown applications
Selecting a trust group for digitally signed applications
Managing application rights
Protecting operating system resources and personal data
Deleting information about unused applications
Monitoring Host Intrusion Prevention
Protecting access to audio and video
Remediation Engine
Kaspersky Security Network
Enabling and disabling the usage of Kaspersky Security Network
Limitations of Kaspersky Private Security Network
Enabling and disabling cloud mode for protection components
KSN Proxy settings
Checking the reputation of a file in Kaspersky Security Network
Encrypted connections scan
Enabling encrypted connections scan
Installing trusted root certificates
Scanning encrypted connections with an untrusted certificate
Adding Kaspersky certificate to the own certificate store
Excluding encrypted connections from scanning
Administration Server connection protection
Wipe Data
Computer control
Web Control
Adding a web resource access rule
Filter by web resource addresses
Filter by web resource content
Testing web resource access rules
Exporting and importing Web Control rules
Exporting and importing web resource addresses of the Web Control rule
Monitoring user Internet activity
Editing templates of Web Control messages
Editing masks for web resource addresses
Device Control
Enabling and disabling Device Control
About access rules
Editing a device access rule
Editing a connection bus access rule
Managing access to mobile devices
Managing access to Bluetooth devices
Control of printing
Control of Wi-Fi connections
Monitoring usage of removable drives
Changing the caching duration
Actions with trusted devices
Adding a device to the Trusted list from the application interface
Adding a device to the Trusted list from Kaspersky Security Center
Exporting and importing the list of trusted devices
Obtaining access to a blocked device
Online mode for granting access
Offline mode for granting access
Editing templates of Device Control messages
Anti-Bridging
Enabling Anti-Bridging
Changing the status of a connection rule
Change the priority of a connection rule
Adaptive Anomaly Control
Enabling and disabling Adaptive Anomaly Control
Enabling and disabling an Adaptive Anomaly Control rule
Modifying the action taken when an Adaptive Anomaly Control rule is triggered
Creating an exclusion for an Adaptive Anomaly Control rule
Exporting and importing exclusions for Adaptive Anomaly Control rules
Applying updates for Adaptive Anomaly Control rules
Editing Adaptive Anomaly Control message templates
Viewing Adaptive Anomaly Control reports
Application Control
Application Control functionality limitations
Receiving information about the applications that are installed on users' computers
Enabling and disabling Application Control
Selecting the Application Control mode
Managing Application Control rules
Adding a trigger condition for the Application Control rule
Adding executable files from the Executable files folder to the application category
Adding event-related executable files to the application category
Adding an Application Control rule
Changing the status of an Application Control rule via Kaspersky Security Center
Exporting and importing Application Control rules
Viewing events resulting from operation of the Application Control component
Viewing a report on blocked applications
Testing Application Control rules
Enabling and disabling Application Control rule testing
Viewing a report on blocked applications in test mode
Viewing events resulting from test operation of the Application Control component
Application activity monitor
Rules for creating name masks for files or folders
Editing Application Control message templates
Best practices for implementing a list of allowed applications
Configuring allowlist mode for applications
Testing the allowlist mode
Support for allowlist mode
Network ports monitoring
Enabling monitoring of all network ports
Creating a list of monitored network ports
Creating a list of applications for which all network ports are monitored
Exporting and importing lists of monitored ports
Log Inspection
Configuring predefined rules
Adding custom rules
File Integrity Monitor
Editing the monitoring scope
Viewing system integrity information
Password protection
Enabling Password protection
Granting permissions to individual users or groups
Using a temporary password to grant permissions
Special aspects of Password protection permissions
Resetting the KLAdmin password
Trusted zone
Creating a scan exclusion
Selecting types of detectable objects
Editing the list of trusted applications
Creating a local trusted zone
Exporting and importing the trusted zone
Using trusted system certificate storage
Managing Backup
Configuring the maximum storage period for files in Backup
Configuring the maximum size of Backup
Restoring files from Backup
Deleting backup copies of files from Backup
Notification service
Configuring event log settings
Configuring the display and delivery of notifications
Configuring the display of warnings about the application status in the notification area
Messaging between users and the administrator
Managing reports
Viewing reports
Configuring the maximum report storage term
Configuring the maximum size of the report file
Saving a report to file
Clearing reports
Kaspersky Endpoint Security Self-Defense
Enabling and disabling Self-Defense
Enabling and disabling AM-PPL support
Protection of application services against external management
Supporting remote administration applications
Kaspersky Endpoint Security performance and compatibility with other applications
Enabling or disabling energy-saving mode
Enabling or disabling conceding of resources to other applications
Best practices for optimizing Kaspersky Endpoint Security performance
Data Encryption
Encryption functionality limitations
Changing the length of the encryption key (AES56 / AES256)
Kaspersky Disk Encryption
Special features of SSD drive encryption
Starting Kaspersky Disk Encryption
Creating a list of hard drives excluded from encryption
Exporting and importing a list of hard drives excluded from encryption
Enabling Single Sign-On (SSO) technology
Managing Authentication Agent accounts
Using a token and smart card with Authentication Agent
Hard drive decryption
Restoring access to a drive protected by Kaspersky Disk Encryption technology
Signing in with the Authentication Agent service account
Updating the operating system
Eliminating errors of encryption functionality update
Selecting the Authentication Agent tracing level
Editing Authentication Agent help texts
Removing leftover objects and data after testing the operation of Authentication Agent
BitLocker Management
Starting BitLocker Drive Encryption
Decrypting a hard drive protected by BitLocker
Restoring access to a drive protected by BitLocker
Pausing BitLocker protection to update software
File Level Encryption on local computer drives
Encrypting files on local computer drives
Forming encrypted file access rules for applications
Encrypting files that are created or modified by specific applications
Generating a decryption rule
Decrypting files on local computer drives
Creating encrypted packages
Restoring access to encrypted files
Restoring access to encrypted data after operating system failure
Editing templates of encrypted file access messages
Encryption of removable drives
Starting encryption of removable drives
Adding an encryption rule for removable drives
Exporting and importing a list of encryption rules for removable drives
Portable mode for accessing encrypted files on removable drives
Decryption of removable drives
Viewing data encryption details
Viewing the encryption status
Viewing encryption statistics on Kaspersky Security Center dashboards
Viewing file encryption errors on local computer drives
Viewing the data encryption report
Working with encrypted devices when there is no access to them
Recovering data by using the FDERT Restore Utility
Creating an operating system rescue disk
Detection and Response solutions
Kaspersky Endpoint Agent
Migrating the [KES+KEA] configuration to [KES+built-in agent] configuration
Policy and Task Migration for Kaspersky Endpoint Agent
Endpoint Detection and Response Agent
Installing EDR Agent
Integrating EDR Agent with MDR
Integrating EDR Agent with KATA (EDR)
Compatibility with third-party EPP applications
Managed Detection and Response
Integration of the built-in agent with MDR
KEA to KES Migration Guide for MDR
Endpoint Detection and Response
Integration of the built-in agent with EDR Optimum / EDR Expert
Scan for indicators of compromise (standard task)
Move file to Quarantine
Get file
Delete file
Process start
Terminate process
Execution prevention
Computer network isolation
Cloud Sandbox
KEA to KES Migration Guide for EDR Optimum
Kaspersky Sandbox
Integration of the built-in agent with Kaspersky Sandbox
Adding a TLS certificate
Add Kaspersky Sandbox servers
Scan for indicators of compromise (stand-alone task)
KEA to KES Migration Guide for Kaspersky Sandbox
Kaspersky Anti Targeted Attack Platform (EDR)
Integration of the built-in agent with EDR (KATA)
Configuring telemetry
EDR telemetry exclusions
KEA to KES Migration Guide for EDR (KATA)
Managing Quarantine
Configuring the maximum Quarantine size
Sending data about quarantined files to Kaspersky Security Center
Restoring files from Quarantine
KSWS to KES Migration Guide
Correspondence of KSWS and KES components
Correspondence of KSWS and KES settings
Migrating KSWS components
Migrating KSWS tasks and policies
Migrating the KSWS trusted zone
Installing KES instead of KSWS
Migrating the [KSWS+KEA] configuration to [KES+built-in agent] configuration
Making sure Kaspersky Security for Windows Server was successfully removed
Activating KES with a KSWS key
Special considerations for migrating high-load servers
Managing the application on a Core Mode server
Migrating from [KSWS+KEA] to [KES+built-in agent]
Managing the application from the command line
Setup. Installing the application
Setup /x. Removing the application
AVP commands
SCAN. Malware Scan
UPDATE. Updating databases and application software modules
ROLLBACK. Last update rollback
TRACES. Tracing
START. Start the profile
STOP. Stopping a profile
STATUS. Profile status
STATISTICS. Profile operation statistics
RESTORE. Restoring files from Backup
EXPORT. Exporting application settings
IMPORT. Importing application settings
ADDKEY. Applying a key file
LICENSE. Licensing
RENEW. Purchasing a license
PBATESTRESET. Reset the disk check results before encrypting the disk
EXIT. Exit the application
EXITPOLICY. Disabling policy
STARTPOLICY. Enabling policy
DISABLE. Disabling protection
SPYWARE. Spyware detection
KSN. Switching between KSN / KPSN
SERVERBINDINGDISABLE. Disabling the server connection protection
KESCLI commands
Scan. Malware Scan
GetScanState. Scan completion status
GetLastScanTime. Determining the scan completion time
GetThreats. Obtaining data on detected threats
UpdateDefinitions. Updating databases and application software modules
GetDefinitionState. Determining the release date and time of the databases
EnableRTP. Enabling protection
GetRealTimeProtectionState. File Threat Protection status
GetEncryptionState. Disk encryption status
Version. Identifying the application version
Detection and Response management commands
SANDBOX. Managing Kaspersky Sandbox
PREVENTION. Managing Execution prevention
ISOLATION. Managing Network isolation
RESTORE. Restoring files from Quarantine
IOCSCAN. Scan for indicators of compromise (IOC)
MDRLICENSE. MDR activation
EDRKATA. Integration with EDR (KATA)
Error codes
Appendix. Application profiles
Managing the application through the REST API
Installing the application with the REST API
Working with the API
Sources of information about the application
Contacting Technical Support
Contents and storage of trace files
Application operation tracing
Application performance tracing
Dump writing
Protecting dump files and trace files
Limitations and warnings
Glossary
Active key
Additional key
Administration group
Anti-virus databases
Archive
Authentication Agent
Certificate issuer
Database of malicious web addresses
Database of phishing web addresses
Disinfection
False alarm
Infectable file
Infected file
IOC
IOC file
License certificate
Mask
Network Agent
Normalized form of the address of a web resource
OLE object
OpenIOC
Portable File Manager
Protection scope
Scan scope
Task
Trusted Platform Module
Appendices
Appendix 1. Application settings
File Threat Protection
Web Threat Protection
Mail Threat Protection
Network Threat Protection
Firewall
BadUSB Attack Prevention
AMSI Protection
Exploit Prevention
Behavior Detection
Host Intrusion Prevention
Remediation Engine
Kaspersky Security Network
Log Inspection
Web Control
Device Control
Application Control
Adaptive Anomaly Control
File Integrity Monitor
Endpoint Sensor
Kaspersky Sandbox
Managed Detection and Response
Endpoint Detection and Response
Endpoint Detection and Response (KATA)
Full Disk Encryption
File Level Encryption
Encryption of removable drives
Templates (data encryption)
Exclusions
Application settings
Reports and storage
Network settings
Interface
Manage Settings
Updating databases and application software modules
Appendix 2. Application trust groups
Appendix 3. File extensions for quick removable drives scan
Appendix 4. File Types for the Mail Threat Protection attachment filter
Appendix 5. Network settings for interaction with external services
Appendix 6. Application events
Critical
Functional failure
Warning
Informational message
Appendix 7. Supported file extensions for Execution prevention
Appendix 8. Supported script interpreters for Execution prevention
Appendix 9. IOC scan scope in the registry (RegistryItem)
Appendix 10. IOC file requirements
Appendix 11. User accounts in application component rules
Information about third-party code
Trademark notices
Kaspersky Endpoint Security for Windows Help
A new category of web resources Generative AI Tools has been added. You can configure access to websites
from the new category using Web Control.
The option to scan traffic for MyOffice Mail and R7-Office Organizer mail clients has been added. The Mail
Threat Protection component now scans not only message attachments at download, but also sent and
received messages.
What's new
Update 12.5
Kaspersky Endpoint Security 12.5 for Windows offers the following features and improvements:
1. The option to configure telemetry exclusions has been added. Telemetry is a list of events that have occurred
on the protected computer. Telemetry data is used by Kaspersky Anti Targeted Attack Platform (EDR) to
monitor and protect the organization's IT infrastructure. Configuring telemetry exclusions helps improve
computer performance and optimize data transmission to the Telemetry server.
2. The interface of the application's trusted zone has been improved. Kaspersky Endpoint Security now hides
trusted zone objects from the user if the administrator has prohibited the user from adding their own (local)
scan exclusions and trusted applications. This prevents unauthorized access to the trusted zone by an intruder,
increasing the level of computer security.
3. The option to scan traffic for MyOffice Mail and R7-Office Organizer mail clients has been added. The Mail
Threat Protection component now scans not only message attachments at download, but also sent and
received messages.
4. A new category of web resources Generative AI Tools has been added. You can configure access to websites
from the new category using Web Control.
5. Now you can select the location of a network packet rule in the Firewall list. The location of a network packet
rule in the list determines its priority. In previous versions of the application, a new rule could only be added to
the end of the list, after which you had to manually move the rule through the list to prioritize it. Now, when
adding a rule, you can choose whether the rule should be placed at the beginning or the end of the list, or next
to the selected rule.
6. In the rules of Kaspersky Endpoint Security components, now you can select users not only from Active
Directory, but also from the list of users in Kaspersky Security Center. You can also enter local user account
data manually. This possibility has been added for the rules of the following components: Application Control,
Device Control, Web Control, Adaptive Anomaly Control and Log Inspection.
7. The network attack detection report (Network Threat Protection component) now includes a column with the
MAC address of the attacking computer. Now you can see the MAC address of the attacking computer in the
report in addition to its IP address, which is helpful for incident investigation. Reports containing the MAC
address of the attacking computer will also be available in the Kaspersky Security Center Linux console version
15.1 and higher.
8. The level of computer protection requirements has been increased. The high protection level now requires
enabling Protection of application services against external management. Check the security level indicator in
the upper part of the policy window. If you have a medium or low security level, you can enable Protection of
application services against external management in the security level indicator recommendation window.
9. Support for new events of object detection when the application is running in the Endpoint Detection and
Response Agent (EDR Agent) configuration has been added. These events were already supported in the
[KES+built-in agent] configuration.
10. When developing this version of Kaspersky Endpoint Security for Windows, we incorporated the changes
included in the following private patches: pf9640, pf9830, pf9831, pf10047, pf10351, pf12102, pf12105, pf13084,
pf13089, pf14040, pf14047, pf15026, pf15028, pf16013.
Update 12.4
Kaspersky Endpoint Security 12.4 for Windows offers the following features and improvements:
1. New functionality to protect the connection of the computer to Kaspersky Security Center has been added. The
new Administration Server connection protection task lets you set a password for connecting to a trusted server.
This means that it is not possible to reconnect the computer and run commands from another server without
this password.
2. For the Password Protection component, the ability to select users manually, and not only from Active
Directory, has been added. That is, you can manually specify a user name and password and assign access
rights to Kaspersky Endpoint Security for this account. This way, you do not need to share your KLAdmin
password with other users or create new Active Directory accounts to control access to the application.
Update 12.3
Kaspersky Endpoint Security 12.3 for Windows offers the following features and improvements:
1. Now you can install the application in the Endpoint Detection and Response Agent configuration. This
configuration allows installing the application with a set of components required by Detection and Response
solutions by Kaspersky: Kaspersky Managed Detection and Response, and Kaspersky Anti Targeted Attack
Platform (EDR). You can install the application in this con guration alongside third-party solutions (for example,
Dr.Web, Dallas Lock, ESET). This lets you use third-party infrastructure security tools alongside Detection and
Response by Kaspersky.
2. Kaspersky Endpoint Security operation with Bluetooth devices has been improved. Now you can configure
exclusions and restrict access to all Bluetooth devices except input devices (wireless keyboards, mice, etc).
3. The operation of the Application Control component with the database of executable files has been optimized.
Kaspersky Endpoint Security now automatically removes file information from the database if the file is deleted
from the computer. This keeps the database up to date and saves Kaspersky Security Center
resources.
4. The level of computer protection requirements has been increased. The high protection level now requires
enabling Password protection. Check the security level indicator in the upper part of the policy window. If
you have a medium or low protection level, you can enable Password protection in the security level indicator
recommendation window.
5. HTTPS protocol support has been added to enable the application to work with Kaspersky Security Network.
Enable HTTPS usage in the Administration Server properties in the KSN proxy server settings.
Update 12.2
Kaspersky Endpoint Security 12.2 for Windows offers the following features and improvements:
1. WPA3 protocol support has been added to control connections to Wi-Fi networks (Device Control). Now you
can select WPA3 protocol in the trusted Wi-Fi network settings and deny connection to the network using a
less secure protocol.
2. Now you can choose a protocol and ports for Network Threat Protection exclusions. In addition to
specifying IP addresses of trusted devices, you can also select a port and protocol. This lets you exclude
individual data streams and prevent network attacks from trusted IP addresses.
3. The order of update sources for the local Update task has been changed when a policy is applied to the computer. The
Kaspersky Security Center server is now used by default as the first update source instead of Kaspersky
servers. This helps save traffic when the user runs the local Update task.
Update 12.1
Kaspersky Endpoint Security 12.1 for Windows offers the following features and improvements:
1. A built-in agent for the Kaspersky Anti Targeted Attack Platform solution has been added. You no longer need
Kaspersky Endpoint Agent in order to use EDR (KATA). All functions of Kaspersky Endpoint Agent will be
performed by Kaspersky Endpoint Security. To migrate Kaspersky Endpoint Agent policies, use the Migration
Wizard. After updating the application, Kaspersky Endpoint Security switches to using the built-in agent and
removes Kaspersky Endpoint Agent. Kaspersky Endpoint Agent has been added to the list of incompatible
software. Kaspersky Endpoint Security has built-in agents for all Detection and Response solutions, therefore
installing Kaspersky Endpoint Agent to integrate with those solutions is no longer necessary.
2. Azure WVD compatibility mode is now supported. This feature allows correctly displaying the state of the
Azure virtual machine in the Kaspersky Anti Targeted Attack Platform console. Azure WVD compatibility mode
allows assigning a permanent unique Sensor ID to these virtual machines.
3. Now you can configure user access to mobile devices in iTunes or similar applications. That is, you can, for
example, allow the mobile device to be used only in iTunes and block using the mobile device as a removable
drive. The application also supports these rules for the Android Debug Bridge (ADB) application.
4. Kaspersky Security Center version 11 is no longer supported. Upgrade Kaspersky Security Center to the latest
version.
Update 12.0
Kaspersky Endpoint Security 12.0 for Windows offers the following features and improvements:
1. The operation of Kaspersky Endpoint Security on servers has been improved. Now you can migrate from
Kaspersky Security for Windows Server to Kaspersky Endpoint Security for Windows and use a single solution
to protect workstations and servers. To migrate the application settings, run the Policies and tasks batch
conversion wizard. The KSWS license key can be used to activate KES. After migrating to KES, you do not even
need to restart the server. For more information about migrating to KES, see Migration Guide.
2. The licensing of the application as part of a paid virtual machine image in Amazon Machine Image (AMI) has
been improved. There is no need to activate the application separately. In this case, Kaspersky Security Center
uses the license key for the cloud environment that is already added to the application.
For portable devices (MTP), you can configure access rules (read/write), select users or a user group that
have access to devices, or configure a device access schedule. Now you can create access rules for
portable devices in the same way as for removable drives.
Now you can configure user access to mobile devices in Android Debug Bridge (ADB) or similar applications.
That is, you can, for example, allow the mobile device to be used only in ADB and block using the mobile
device as a removable drive.
Now you can recharge a mobile device by connecting it to the computer's USB port even if access to the
mobile device is blocked.
For printers, you can now configure printing permissions for users. Kaspersky Endpoint Security supports
control over access to local and network printers. Now you can allow or block printing on local or network
printers for individual users.
WPA3 protocol support has been added to control connections to Wi-Fi networks. Now you can select to
use WPA3 protocol in the trusted Wi-Fi network settings and deny connection to the network using a less
secure protocol.
Update 11.11.0
1. Log Inspection component for servers has been added. Log Inspection monitors the integrity of the
protected environment based on the results of Windows event log analysis. When the application detects
signs of atypical behavior in the system, it informs the administrator, as this behavior may indicate an
attempted cyber attack.
2. File Integrity Monitor component for servers has been added. File Integrity Monitor detects changes to objects (files and folders) in a given monitoring area. These changes may indicate a computer security breach. When object changes are detected, the application informs the administrator.
3. The alert details interface for Kaspersky Endpoint Detection and Response Optimum (EDR Optimum) has
been improved. The elements of the threat development chain have been aligned, the links between the
processes in the chain no longer overlap. This makes it easier to analyze the evolution of the threat.
4. Application performance has been improved. For this purpose, network traffic processing by the Network Threat Protection component has been optimized.
5. The option to upgrade Kaspersky Endpoint Security without a restart has been added. This lets you ensure
uninterrupted operation of servers when upgrading the application. You can upgrade the application
without a restart starting with version 11.10.0. You can also install patches without a restart starting with
version 11.11.0.
6. The Virus Scan task has been renamed in the Kaspersky Security Center Console. This task is now called
Malware Scan.
Update 11.10.0
Kaspersky Endpoint Security 11.10.0 for Windows offers the following features and improvements:
1. Support of third-party credential providers for Single Sign-On with Kaspersky Full Disk Encryption is added. Kaspersky Endpoint Security monitors the user's password for ADSelfService Plus and updates the data for Authentication Agent if the user, for example, changes their password.
2. The option to enable display of threats detected by Cloud Sandbox technology has been added. This technology is available to users of Endpoint Detection and Response solutions (EDR Optimum or EDR Expert). Cloud Sandbox is a technology that lets you detect advanced threats on a computer. Kaspersky Endpoint Security automatically forwards detected files to Cloud Sandbox for analysis. Cloud Sandbox runs these files in an isolated environment to identify malicious activity and decides on their reputation.
3. Additional information about files has been added to alert details for EDR Optimum users. Alert details now include information about the trust group, digital signature and distribution of the file, and other information. You will also be able to jump to the detailed file description on the Kaspersky Threat Intelligence Portal (KL TIP) directly from alert details.
4. Application performance has been improved. To do this, we optimized the operation of the background
scan and added the ability to queue scan tasks if scan is already running.
Update 11.9.0
Kaspersky Endpoint Security 11.9.0 for Windows offers the following features and improvements:
1. Now you can create an Authentication Agent service account when using Kaspersky disk encryption. The
service account is necessary to gain access to the computer, for example, when the user forgets the
password. You can also use the service account as a reserve account.
2. Kaspersky Endpoint Agent distribution package is no longer part of the application distribution kit. To
support Detection and Response solutions, you can use the Kaspersky Endpoint Security built-in agent. If
necessary, you can download the Kaspersky Endpoint Agent distribution package from the Kaspersky Anti
Targeted Attack Platform distribution kit.
3. The alert details interface for Kaspersky Endpoint Detection and Response Optimum (EDR Optimum) is
improved. Threat Response features now have tooltips. A step-by-step instruction for ensuring the
security of corporate infrastructure is also displayed when indicators of compromise are detected.
4. Now you can activate Kaspersky Endpoint Security for Windows with a Kaspersky Hybrid Cloud Security
license key.
5. New events added about establishing a connection with domains that have untrusted certificates and encrypted connections scan errors.
Update 11.8.0
Kaspersky Endpoint Security 11.4.0 for Windows offers the following features and improvements:
1. New design of the application icon in the taskbar notification area. The new icon is now displayed instead of the old one. If the user is required to perform an action (for example, restart the computer after updating the application), the icon changes. If the protection components of the application are disabled or have malfunctioned, the icon changes as well. If you hover over the icon, Kaspersky Endpoint Security will display a description of the problem in computer protection.
2. Kaspersky Endpoint Agent, which is included in the distribution kit, has been updated to version 3.9.
Kaspersky Endpoint Agent 3.9 supports integration with new Kaspersky solutions. For more details about
the application, please refer to the documentation of Kaspersky solutions that support Kaspersky
Endpoint Agent.
3. Added the Not supported by license status for Kaspersky Endpoint Security components. You can view
the status of components in the component list in the main application window.
5. Drivers for Kaspersky Disk Encryption technology are now automatically added to the Windows Recovery
Environment (WinRE) when drive encryption is started. The previous version of Kaspersky Endpoint
Security added drivers when installing the application. Adding drivers to WinRE can improve the stability of
the application when restoring the operating system on computers protected by Kaspersky Disk
Encryption technology.
The Endpoint Sensor component has been removed from Kaspersky Endpoint Security. You can still configure Endpoint Sensor settings in a policy provided that Kaspersky Endpoint Security version 11.0.0 to 11.3.0 is installed on the computer.
Kaspersky Endpoint Security 11.5.0 for Windows offers the following features and improvements:
1. Support for Windows 10 20H2. For details about support for the Microsoft Windows 10 operating system, please refer to the Technical Support Knowledge Base.
2. Updated application interface. Also updated the application icon in the notification area, application notifications, and dialog boxes.
3. Improved interface of the Kaspersky Endpoint Security web plug-in for the Application Control, Device
Control, and Adaptive Anomaly Control components.
4. Added functionality for importing and exporting lists of rules and exclusions in XML format. The XML
format allows you to edit lists after they are exported. You can manage lists only in the Kaspersky Security
Center Console. The following lists are available for export/import:
Network port monitoring (lists of ports and applications monitored by Kaspersky Endpoint Security).
5. Object MD5 information was added to the threat detection report. In previous versions of the application,
Kaspersky Endpoint Security showed only the SHA256 of an object.
6. Added capability to assign the priority for device access rules in Device Control settings. Priority assignment enables more flexible configuration of user access to devices. If a user has been added to multiple groups, Kaspersky Endpoint Security regulates device access based on the rule with the highest priority. For example, you can grant read-only permissions to the Everyone group and grant read/write permissions to the administrators group. To do so, assign a priority of 0 for the administrators group and assign a priority of 1 for the Everyone group. You can configure the priority only for devices that have a file system. This includes hard drives, removable drives, floppy disks, CD/DVD drives, and portable devices (MTP).
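The priority resolution described in item 6, as an added example that is not Kaspersky code: a user who belongs to several groups gets the access of the applicable rule with the lowest priority number. The rule names, the Access values, the default-deny fallback for users matching no rule, and the tie-breaking toward the more restrictive rule are assumptions made for this illustration.

```python
"""Device Control access-rule resolution with priorities (added example)."""
from dataclasses import dataclass
from enum import Enum


class Access(Enum):
    BLOCK = "block"
    READ_ONLY = "read-only"
    READ_WRITE = "read/write"


@dataclass(frozen=True)
class AccessRule:
    group: str       # user group the rule applies to
    priority: int    # 0 = highest priority, as in the release-notes example
    access: Access   # permission granted by the rule


# Lower number = more restrictive; used only to break priority ties.
_RESTRICTIVENESS = {Access.BLOCK: 0, Access.READ_ONLY: 1, Access.READ_WRITE: 2}


def resolve_access(user_groups, rules, default=Access.BLOCK):
    """Return the effective access for a user who is in `user_groups`.

    Only rules whose group the user belongs to are considered; among those,
    the rule with the smallest priority number wins. Two applicable rules
    with the same priority are not defined by the help text, so this
    example (as an assumption) lets the more restrictive one win. With no
    applicable rule the assumed default of BLOCK applies.
    """
    applicable = [r for r in rules if r.group in user_groups]
    if not applicable:
        return default
    winner = min(applicable,
                 key=lambda r: (r.priority, _RESTRICTIVENESS[r.access]))
    return winner.access


# Constructed rule set reproducing the release-notes example: Everyone may
# read (priority 1), administrators may read and write (priority 0).
EXAMPLE_RULES = (
    AccessRule(group="Everyone", priority=1, access=Access.READ_ONLY),
    AccessRule(group="administrators", priority=0, access=Access.READ_WRITE),
)


def effective_access_for(user_groups):
    """Resolve a user's access against the constructed example rule set."""
    return resolve_access(frozenset(user_groups), EXAMPLE_RULES)


if __name__ == "__main__":
    for groups in (["Everyone"], ["Everyone", "administrators"], []):
        print(groups, "->", effective_access_for(groups).value)
```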
Cost-Aware Networking. Kaspersky Endpoint Security limits its own network traffic if the Internet connection is limited (for example, through a mobile connection).
Manage Kaspersky Endpoint Security settings via trusted remote administration applications (such as TeamViewer, LogMeIn Pro and Remotely Anywhere). You can use remote administration applications to start Kaspersky Endpoint Security and manage settings in the application interface.
Manage the settings for scanning secure traffic in Firefox and Thunderbird. You can select the certificate storage that will be used by Mozilla: the Windows certificate storage or the Mozilla certificate storage. This functionality is available only for computers that do not have an applied policy. If a policy is being applied to a computer, Kaspersky Endpoint Security automatically enables use of the Windows certificate storage in Firefox and Thunderbird.
8. Added capability to configure the secure traffic scan mode: always scan traffic even if protection components are disabled, or scan traffic when requested by protection components.
9. Revised procedure for deleting information from reports. A user can only delete all reports. In previous versions of the application, a user could select specific application components whose information would be deleted from reports.
10. Revised procedure for importing a configuration file containing Kaspersky Endpoint Security settings, and revised procedure for restoring application settings. Prior to importing or restoring, Kaspersky Endpoint Security shows only a warning. In previous versions of the application, you could view the values of the new settings before they were applied.
11. Simplified procedure for restoring access to a drive that was encrypted by BitLocker. After completing the access recovery procedure, Kaspersky Endpoint Security prompts the user to set a new password or PIN code. After setting a new password, BitLocker will encrypt the drive. In the previous version of the application, the user had to manually reset the password in the BitLocker settings.
12. Users now have the capability to create their own local trusted zone for a specific computer. This way, users can create their own local lists of exclusions and trusted applications in addition to the general trusted zone in a policy. An administrator can allow or block the use of local exclusions or local trusted applications. An administrator can use Kaspersky Security Center to view, add, edit, or delete list items in the computer properties.
13. Added capability to enter comments in the properties of trusted applications. Comments help simplify
searches and sorting of trusted applications.
There is now the capability to configure the settings of the Mail Threat Protection extension for Outlook.
Kaspersky Endpoint Security 11.6.0 for Windows offers the following features and improvements:
1. Support for Windows 10 21H1. For details about support for the Microsoft Windows 10 operating system, please refer to the Technical Support Knowledge Base.
2. The Managed Detection and Response component was added. This component facilitates interaction with the solution known as Kaspersky Managed Detection and Response. Kaspersky Managed Detection and Response (MDR) provides round-the-clock protection from a growing number of threats capable of bypassing automated protection mechanisms for organizations that have a difficult time finding highly qualified experts or have limited internal resources. For detailed information about how the solution works, please refer to the Kaspersky Managed Detection and Response Help.
3. Kaspersky Endpoint Agent, which is included in the distribution kit, has been updated to version 3.10.
Kaspersky Endpoint Agent 3.10 provides new features, resolves some previous issues, and has improved
stability. For more details about the application, please refer to the documentation of Kaspersky solutions
that support Kaspersky Endpoint Agent.
4. It now provides the capability to manage protection against attacks such as Network Flooding and Port
Scanning in Network Threat Protection settings.
5. Added new method of creating network rules for Firewall. You can add packet rules and application rules
for connections that are displayed in the Network Monitor window. However, network rule connection
settings will be con gured automatically.
6. Network Monitor interface is now improved. Added information about network activity: the ID of the process that initiated the network activity; the network type (local network or the Internet); and local ports. By default, the information about network type is hidden.
7. There is now the capability to automatically create Authentication Agent accounts for new Windows
users. The Agent allows a user to complete authentication for access to drives that were encrypted using
Kaspersky Disk Encryption technology, and to load the operating system. The application checks
information about Windows user accounts on the computer. If Kaspersky Endpoint Security detects a
Windows user account that has no Authentication Agent account, the application will create a new
account for accessing encrypted drives. This means that you do not need to manually add Authentication
Agent accounts for computers with already encrypted drives.
8. There is now the capability to monitor the disk encryption process in the application interface on users'
computers (Kaspersky Disk Encryption and BitLocker). You can run the Encryption Monitor tool from the
main application window.
Kaspersky Endpoint Security for Windows 11.7.0 offers the following new features and improvements:
A built-in agent for integration with Kaspersky Sandbox was added. The Kaspersky Sandbox solution detects and automatically blocks advanced threats on computers. Kaspersky Sandbox analyzes object behavior to detect malicious activity and activity characteristic of targeted attacks on the IT infrastructure of the organization. Kaspersky Sandbox analyzes and scans objects on special servers with deployed virtual images of Microsoft Windows operating systems (Kaspersky Sandbox servers). For details about the solution, refer to the Kaspersky Sandbox Help.
You no longer need Kaspersky Endpoint Agent in order to use Kaspersky Sandbox. All functions of Kaspersky Endpoint Agent will be performed by Kaspersky Endpoint Security. To migrate Kaspersky Endpoint Agent policies, use the Migration Wizard. You need Kaspersky Security Center 13.2 for all of the functions of Kaspersky Sandbox to work. For details about migrating from Kaspersky Endpoint Agent to Kaspersky Endpoint Security for Windows, please refer to the application help.
Added the built-in agent to support the operation of the Kaspersky Endpoint Detection and Response Optimum solution. Kaspersky Endpoint Detection and Response Optimum is a solution for protecting the organization's IT infrastructure from advanced cyber threats. The functionality of the solution combines automatic detection of threats with the ability to react to these threats to counteract advanced attacks including new exploits, ransomware, fileless attacks, as well as methods using legitimate system tools. For more information about the solution, refer to the Kaspersky Endpoint Detection and Response Optimum Help.
You no longer need Kaspersky Endpoint Agent in order to use Kaspersky Endpoint Detection and Response. All functions of Kaspersky Endpoint Agent will be performed by Kaspersky Endpoint Security. To migrate Kaspersky Endpoint Agent policies and tasks, use the Migration Wizard. To use all the functions, Kaspersky Endpoint Detection and Response Optimum requires Kaspersky Security Center 13.2. For details about migrating from Kaspersky Endpoint Agent to Kaspersky Endpoint Security for Windows, please refer to the application help.
4. The Migration Wizard for Kaspersky Endpoint Agent policies and tasks was added. The Migration Wizard
creates new merged policies and tasks for Kaspersky Endpoint Security for Windows. The wizard allows
switching Detection and Response solutions from Kaspersky Endpoint Agent to Kaspersky Endpoint
Security. Detection and Response solutions include Kaspersky Sandbox, Kaspersky Endpoint Detection
and Response Optimum (EDR Optimum), and Kaspersky Managed Detection and Response (MDR).
5. Kaspersky Endpoint Agent, which is included in the distribution kit, is updated to version 3.11.
When upgrading Kaspersky Endpoint Security, the application detects the version and designated purpose
of Kaspersky Endpoint Agent. If Kaspersky Endpoint Agent is designated for the operation of Kaspersky
Sandbox, Kaspersky Managed Detection and Response (MDR) and Kaspersky Endpoint Detection and
Response Optimum (EDR Optimum), Kaspersky Endpoint Security switches the operation of these
solutions to the application’s built-in agent. For Kaspersky Sandbox and EDR Optimum, the application
automatically uninstalls Kaspersky Endpoint Agent. For MDR, you can uninstall Kaspersky Endpoint Agent
manually. If the application is designated for the operation of Kaspersky Endpoint Detection and Response
Expert (EDR Expert), Kaspersky Endpoint Security upgrades the version of Kaspersky Endpoint Agent. For
more details about the application, please refer to the documentation of Kaspersky solutions that support
Kaspersky Endpoint Agent.
Enhanced PIN can now be used with BitLocker Drive Encryption. Enhanced PIN allows using other
characters in addition to numerical characters: uppercase and lowercase Latin letters, special
characters, and spaces.
A feature to disable BitLocker authentication for upgrading the operating system or installing update packages was added. Installing updates may require restarting the computer multiple times. To install updates correctly, you can temporarily turn off BitLocker authentication and re-enable the authentication after installing updates.
Now you can set an expiration time for BitLocker encryption password or PIN. When the password or
PIN expires, Kaspersky Endpoint Security prompts the user for a new password.
7. Now you can configure the maximum number of keyboard authorization attempts for BadUSB Attack Prevention. When the configured number of failed attempts to enter the authorization code is reached, the USB device is temporarily locked.
Now you can configure a range of IP addresses for Firewall packet rules. You can enter a range of addresses in IPv4 or IPv6 format. For example, 192.168.1.1-192.168.1.100 or 12:34::2-12:34::99.
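The "first-last" range notation shown above, handled by an added example that is not Kaspersky code: it parses a range in either IPv4 or IPv6 form, rejects malformed entries (mixed address families, reversed ranges, DNS names), and tests whether an address falls inside, which is useful for sanity-checking a packet rule before it is deployed. The validation rules and helper names are assumptions for this example.

```python
"""Parsing the IP address range notation of Firewall packet rules (added example)."""
import ipaddress


def parse_ip_range(text):
    """Return (first, last) address objects for "a-b" or a single address.

    Raises ValueError for mixed IPv4/IPv6 ranges, reversed ranges, or input
    that is not an IP address (for example a DNS name). IPv6 literals never
    contain "-", so splitting on the first "-" is safe for both families.
    """
    text = text.strip()
    if "-" in text:
        first_s, last_s = (part.strip() for part in text.split("-", 1))
    else:
        first_s = last_s = text
    try:
        first = ipaddress.ip_address(first_s)
        last = ipaddress.ip_address(last_s)
    except ValueError as exc:
        raise ValueError(f"not an IP address range: {text!r}") from exc
    if first.version != last.version:
        raise ValueError(f"mixed IPv4/IPv6 range: {text!r}")
    if first > last:
        raise ValueError(f"range start is after its end: {text!r}")
    return first, last


def is_valid_ip_range(text):
    """True if `text` is a well-formed single-family, ordered range."""
    try:
        parse_ip_range(text)
    except ValueError:
        return False
    return True


def address_in_range(addr_text, range_text):
    """True if addr_text lies within range_text (inclusive, same family)."""
    first, last = parse_ip_range(range_text)
    addr = ipaddress.ip_address(addr_text)
    return addr.version == first.version and first <= addr <= last


def range_size(range_text):
    """Number of addresses a range covers; large values deserve a second look."""
    first, last = parse_ip_range(range_text)
    return int(last) - int(first) + 1


if __name__ == "__main__":
    # Constructed inputs: the two ranges quoted in the release notes.
    for rng in ("192.168.1.1-192.168.1.100", "12:34::2-12:34::99"):
        print(rng, "covers", range_size(rng), "addresses")
    print(address_in_range("192.168.1.50", "192.168.1.1-192.168.1.100"))
```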
Now you can enter DNS names for Firewall packet rules instead of IP addresses. You should use DNS
names only for LAN computers or internal services. Interaction with cloud services (such as Microsoft
Azure) and other Internet resources should be handled by the Web Control component.
9. Web Control rule search improved. To search a web resource access rule, in addition to the name of the
rule, you can use the URL of the website, a username, a content category, or a data type.
The Virus Scan task in idle mode was improved. If you have rebooted the computer during the scan,
Kaspersky Endpoint Security automatically runs the task, continuing from the point where the scan was
interrupted.
The Virus Scan task was optimized. By default, Kaspersky Endpoint Security runs the scan only when the computer is idle. You can configure when the computer scan is run in task properties.
11. Now you can restrict user access to data provided by the Application Activity Monitor. Application Activity
Monitor is a tool designed for viewing information about the activity of applications on a user's computer in
real time. The administrator can hide the Application Activity Monitor from the user in application policy
properties.
12. Improved the security of managing the application through the REST API. Now Kaspersky Endpoint Security validates the signature of requests sent via the REST API. To manage the program, you need to install a request identification certificate.
Kaspersky Endpoint Security 11.8.0 for Windows offers the following features and improvements:
1. Added the built-in agent to support the operation of the Kaspersky Endpoint Detection and Response Expert solution. Kaspersky Endpoint Detection and Response Expert is a solution for protecting the corporate IT infrastructure from advanced cyber threats. The functionality of the solution combines automatic detection of threats with the ability to react to these threats to counteract advanced attacks including new exploits, ransomware, fileless attacks, as well as methods using legitimate system tools. EDR Expert offers more threat monitoring and response functionality than EDR Optimum. For more information about the solution, refer to the Kaspersky Endpoint Detection and Response Expert Help.
2. Network Monitor interface is now improved. The Network Monitor now shows the UDP protocol in addition
to TCP.
3. The Virus Scan task was improved. If you have rebooted the computer during the scan, Kaspersky
Endpoint Security automatically runs the task, continuing from the point where the scan was interrupted.
4. Now you can set a limit for task execution time. You can limit the execution time for Virus Scan and IOC Scan tasks. After the specified amount of time, Kaspersky Endpoint Security stops the task. To reduce the Virus Scan task execution time, you can, for example, configure the scan scope or optimize the scan.
5. Limitations of server platforms are lifted for the application installed on Windows 10 Enterprise multi-
session. Kaspersky Endpoint Security now considers Windows 10 Enterprise multi-session a workstation
operating system, not a server operating system. Correspondingly, server platform limitations no longer
apply to the application on Windows 10 Enterprise multi-session. The application also uses a workstation
license key for activation instead of a server license key.
GENERAL
On what computers can Kaspersky Endpoint Security operate?
What has changed since the last version?
With which other Kaspersky applications can Kaspersky Endpoint Security operate?
How can I conserve computer resources during operation of Kaspersky Endpoint Security?
DEPLOYMENT
How do I install Kaspersky Endpoint Security to all computers of an organization?
Which installation settings can be configured in the command line?
How do I remotely uninstall Kaspersky Endpoint Security?
UPDATE
What methods are available to update the databases?
What should I do if problems arise after an update?
How do I update databases outside of the corporate network?
Is it possible to use a proxy server for updates?
SECURITY
How does Kaspersky Endpoint Security scan email?
How do I exclude a trusted file from scans?
How do I protect a computer against viruses from flash drives?
How can I run a malware scan that is hidden from the user?
INTERNET
Does Kaspersky Endpoint Security scan encrypted connections (HTTPS)?
How do I allow users to connect only to trusted Wi-Fi networks?
How do I block social networks?
APPLICATIONS
How do I find out which applications are installed on a user's computer (inventory)?
How do I prevent computer games from running?
How do I verify that Application Control has been correctly configured?
How do I add an application to the trusted list?
DEVICES
How do I block the use of flash drives?
How do I add a device to the trusted list?
Is it possible to obtain access to a blocked device?
ENCRYPTION
Under which conditions is encryption impossible?
How do I use a password to restrict access to an archive?
Is it possible to use smart cards and tokens with encryption?
Is it possible to gain access to encrypted data if there is no connection with Kaspersky Security Center?
What should I do if the computer operating system fails but data remains encrypted?
SUPPORT
Where is the report file stored?
Kaspersky Endpoint Security for Windows
Kaspersky Endpoint Security for Windows (hereinafter also referred to as Kaspersky Endpoint Security) provides
comprehensive computer protection against various types of threats, network and phishing attacks.
The application is not intended to be used in technological processes that involve automated control systems. To protect devices in such systems, it is recommended to use the Kaspersky Industrial CyberSecurity for Nodes application.
Selection tree
Each type of threat is handled by a dedicated component. Components can be enabled or disabled independently, and their settings can be configured.
Section: Essential Threat Protection
File Threat Protection
The File Threat Protection component lets you prevent infection of the file system of the computer. By default, the File Threat Protection component permanently resides in the computer's RAM. The component scans files on all drives of the computer, as well as on connected drives. The component provides computer protection with the help of anti-virus databases, the Kaspersky Security Network cloud service, and heuristic analysis.
Mail Threat Protection
Mail Threat Protection can scan both incoming and outgoing messages. The application supports POP3, SMTP, IMAP, and NNTP in the following mail clients:
Mozilla Thunderbird
Windows Mail
To scan traffic in the Mozilla Thunderbird, MyOffice Mail and R7-Office Organizer mail clients, you need to add the Kaspersky certificate to the certificate store and select the mail client's own certificate store.
Mail Threat Protection does not support other protocols and mail clients.
Mail Threat Protection may not always be able to gain protocol-level access to messages (for example, when using the Microsoft Exchange solution). For this reason, Mail Threat Protection includes an extension for Microsoft Office Outlook. The extension allows scanning messages at the level of the mail client. The Mail Threat Protection extension supports operations with Outlook 2010, 2013, 2016, and 2019.
Firewall
The Firewall blocks unauthorized connections to the computer while working on the Internet or local network. The Firewall also controls the network activity of applications on the computer. This allows you to protect your corporate LAN from identity theft and other attacks. The component provides computer protection with the help of anti-virus databases, the Kaspersky Security Network cloud service, and predefined network rules.
BadUSB Attack Prevention
The BadUSB Attack Prevention component prevents infected USB devices emulating a
keyboard from connecting to the computer.
AMSI Protection
AMSI Protection component is intended to support Antimalware Scan Interface from
Microsoft. The Antimalware Scan Interface (AMSI) allows third-party applications with AMSI
support to send objects (for example, PowerShell scripts) to Kaspersky Endpoint Security for
an additional scan and then receive the results from scanning these objects.
Kaspersky Endpoint Security rolls back the last update of databases and modules. This lets
you roll back the databases and application modules to their previous versions when
necessary, for example, when the new database version contains an invalid signature that
causes Kaspersky Endpoint Security to block a safe application.
Integrity check
Kaspersky Endpoint Security checks the application modules in the application installation folder for corruption or modifications. If an application module has an incorrect digital signature, the module is considered corrupt.
The component allows protecting data on removable drives. You can use Full Disk Encryption
(FDE) or File Level Encryption (FLE).
Built-in agent for managing the Endpoint Detection and Response component that is part of the Kaspersky Anti Targeted Attack Platform solution. Kaspersky Anti Targeted Attack Platform is a solution designed for timely detection of sophisticated threats such as targeted attacks, advanced persistent threats (APT), zero-day attacks, and others. Kaspersky Anti Targeted Attack Platform includes two functional blocks: Kaspersky Anti Targeted Attack (hereinafter also referred to as "KATA") and Kaspersky Endpoint Detection and Response (hereinafter also referred to as "EDR (KATA)"). You can purchase EDR (KATA) separately. For details about the solution, please refer to the Kaspersky Anti Targeted Attack Platform Help.
Kaspersky Sandbox
Built-in agent for the Kaspersky Sandbox solution. The Kaspersky Sandbox solution detects and automatically blocks advanced threats on computers. Kaspersky Sandbox analyzes object behavior to detect malicious activity and activity characteristic of targeted attacks on the IT infrastructure of the organization. Kaspersky Sandbox analyzes and scans objects on special servers with deployed virtual images of Microsoft Windows operating systems (Kaspersky Sandbox servers). For details about the solution, refer to the Kaspersky Sandbox Help.
Managed Detection and Response
Built-in agent to support the operation of the Kaspersky Managed Detection and Response solution. The Kaspersky Managed Detection and Response (MDR) solution automatically detects and analyzes security incidents in your infrastructure. To do so, MDR uses telemetry data received from endpoints and machine learning. MDR sends incident data to Kaspersky experts. The experts can then process the incident and, for example, add a new entry to Anti-Virus databases. Alternatively, the experts can issue recommendations on processing the incident and, for example, suggest isolating the computer from the network. For detailed information about how the solution works, please refer to the Kaspersky Managed Detection and Response Help.
Distribution kit
The distribution kit includes the following distribution packages:
setup_kes.exe: Files that are required for installing the application using any of the available methods.
kes_win.kud: File for creating installation packages for Kaspersky Endpoint Security.
klcfginst.msi: Installation package for the application management plug-in in the Kaspersky Security Center Administration Console.
ksn_<language_ID>.txt: File where you can read through the terms of participation in Kaspersky Security Network.
license.txt: File where you can read through the End User License Agreement and the Privacy Policy.
installer.ini: File that contains the internal settings of the distribution kit.
keswin_web_plugin.zip: Archive containing the files required for installing the application web plug-in in the Kaspersky Security Center Web Console.
It is not recommended to change the values of these settings. If you want to change installation options, use the setup.ini file.
CPU:
Workstation: 1 GHz;
RAM:
Server: 2 GB;
Server to install the application with a built-in agent for Kaspersky Anti Targeted Attack Platform (EDR): 8 GB.
Workstations
Windows 10 Home / Pro / Pro for Workstations / Education / Enterprise / Enterprise multi-session;
Kaspersky Endpoint Security cannot be installed on Microsoft Windows 7 without installed operating system
updates: KB4490628 (March 12, 2019) and KB4474419 (September 23, 2019).
For details about support for the Microsoft Windows 10 operating system, please refer to the Technical Support Knowledge Base.
For details about support for the Microsoft Windows 11 operating system, please refer to the Technical Support Knowledge Base.
Servers
Kaspersky Endpoint Security supports core components of the application on computers running the Windows operating system for servers. You can use Kaspersky Endpoint Security for Windows instead of Kaspersky Security for Windows Server on servers and clusters of your organization (Cluster Mode). The application also supports Core Mode (see known issues).
Microsoft Small Business Server 2011 Standard (64-bit) is supported only if Service Pack 1 for Microsoft
Windows Server 2008 R2 is installed.
Windows MultiPoint Server 2011 (64-bit);
Windows Server 2008 R2 Foundation / Standard / Enterprise / Datacenter Service Pack 1 or later;
Windows Server 2012 Foundation / Essentials / Standard / Datacenter (including Core Mode);
Windows Server 2012 R2 Foundation / Essentials / Standard / Datacenter (including Core Mode);
Windows Server 2022 Standard / Datacenter / Datacenter: Azure Edition (including Core Mode).
Kaspersky Endpoint Security cannot be installed on Microsoft Windows Server 2008 R2 without installed
operating system updates: KB4490628 (March 12, 2019) and KB4474419 (September 23, 2019).
For details about support for the Microsoft Windows Server 2016 and Microsoft Windows Server 2019 operating systems, please refer to the Technical Support Knowledge Base.
For details about support for the Microsoft Windows Server 2022 operating system, please refer to the Technical Support Knowledge Base.
Virtual platforms
Citrix Hypervisor 8.2 (Cumulative Update 1).
Terminal servers
Kaspersky Endpoint Security supports operation with the following versions of Kaspersky Security Center:
Feature Workstation Server Core Mode server
Behavior Detection
Exploit Prevention
Remediation Engine
Firewall
AMSI Protection
Security Controls
Log Inspection – –
Application Control
Device Control
Web Control –
Cloud Discovery – –
Data Encryption
Kaspersky Sandbox
You can manage the application using the following consoles of Kaspersky Security Center:
Administration Console. Microsoft Management Console (MMC) snap-in installed on the administrator's
workstation.
Web Console. Component of Kaspersky Security Center that is installed on the Administration Server. You can
work in the Web Console through a browser on any computer that has access to the Administration Server.
You can also manage the application by using the Kaspersky Security Center Cloud Console. The Kaspersky
Security Center Cloud Console is the cloud version of Kaspersky Security Center. This means that the
Administration Server and other components of Kaspersky Security Center are installed in the cloud infrastructure
of Kaspersky. For details on managing the application using the Kaspersky Security Center Cloud Console, refer to
the Kaspersky Security Center Cloud Console Help.
Behavior Detection
Exploit Prevention
Remediation Engine
Firewall
AMSI Protection
Security Controls
Log Inspection
Application Control
Device Control
Web Control
Cloud Discovery – –
Data Encryption
Kaspersky Sandbox – –
Tasks
Add key
Inventory
Update
Update rollback
Malware Scan
Wipe data
Get file (EDR) –
Delete file (EDR) –
Kaspersky Anti-Virus.
Kaspersky Free.
Endpoint Sensor as part of the Kaspersky Anti Targeted Attack Platform and Kaspersky Endpoint Detection
and Response solutions.
Kaspersky Endpoint Agent as part of the Detection and Response solutions from Kaspersky.
Kaspersky is switching all Detection and Response to working with the Kaspersky Endpoint Security built-in
agent instead of Kaspersky Endpoint Agent. Starting with version 12.1, the application supports all
Detection and Response solutions.
Starting with Kaspersky Endpoint Security 12.0, you can migrate from Kaspersky Security for Windows
Server to Kaspersky Endpoint Security for Windows and use the same solution for protecting workstations
and servers.
If Kaspersky applications from this list are installed on the computer, Kaspersky Endpoint Security removes these
applications. Please wait for this process to finish before continuing installation of Kaspersky Endpoint Security.
If Kaspersky Endpoint Security detects incompatible software on the computer, installation of the application will
not continue. To continue the installation, you need to remove the incompatible software. However, if the vendor of
third-party software has indicated in their documentation that their software is compatible with Endpoint
Protection Platforms (EPP), you can install Kaspersky Endpoint Security to a computer containing an application
from this vendor. For example, the Endpoint Detection and Response (EDR) solution provider may declare their
compatibility with third-party EPP systems. If this is the case, you need to start the installation of Kaspersky
Endpoint Security without running an incompatible software check. To do so, pass the following parameters to the
installer:
SKIPPRODUCTCHECK=1. Disables the check for incompatible software. The list of incompatible software is
available in the incompatible.txt file that is included in the distribution kit. If no value is set for this parameter and
incompatible software is detected, the installation of Kaspersky Endpoint Security will be terminated.
CLEANERSIGNCHECK=0. Disables digital signature verification of detected incompatible software. If this
parameter is not set, verification of digital signatures is disabled when deploying the application via Kaspersky
Security Center. When the application is installed locally, digital signature verification is enabled by default.
You can pass parameters in the command line when locally installing the application.
Example:
C:\KES\setup_kes.exe /pEULA=1 /pPRIVACYPOLICY=1 /pKSN=0 /pSKIPPRODUCTCHECK=1 /pSKIPPRODUCTUNINSTALL=1 /pCLEANERSIGNCHECK=0 /s
To remotely install Kaspersky Endpoint Security, you need to add the appropriate parameters to the installation
package generation file named kes_win.kud in [Setup] (see below). The kes_win.kud file is included in the
distribution kit.
kes_win.kud
[Setup]
UseWrapper=1
ExecutableRelPath=EXEC
Params=/s /pAKINSTALL=1 /pEULA=1 /pPRIVACYPOLICY=1 /pKSN=0 /pSKIPPRODUCTCHECK=1 /pSKIPPRODUCTUNINSTALL=1 /pCLEANERSIGNCHECK=0
Executable=setup_kes.exe
RebootDelegated = 1
RebootAllowed=1
ConfigFile=installer.ini
RelPathsToExclude=klcfginst.msi
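A pre-deployment review of the [Setup] parameters above, as an added example that is not Kaspersky's code: it parses the Params line of a kes_win.kud descriptor, reports which installer checks the package switches off, and applies the rule that CLEANERSIGNCHECK, when absent, defaults to off for a Kaspersky Security Center deployment and on for a local installation. The sample descriptor is constructed from the page's own example.

```python
"""Review the installer parameters in a kes_win.kud [Setup] section.

Added example for this Help page; it is not Kaspersky's code, and the
sample descriptor below is constructed from the page's own example.
"""
import configparser
import re

# Parameter values that switch off an installer safety check, as the
# Help describes them.
WEAKENING_VALUES = {
    "SKIPPRODUCTCHECK": "1",   # skips the incompatible-software check
    "CLEANERSIGNCHECK": "0",   # skips signature verification of detected software
}

# /pNAME=VALUE installer properties; anything else on the line is a switch.
_PROP_RE = re.compile(r"^/p([A-Za-z0-9_]+)=(.*)$")


def parse_setup_section(kud_text):
    """Return the [Setup] section of a .kud descriptor as a dict (key case kept)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep 'Params', 'RebootAllowed', ... as written
    cp.read_string(kud_text)
    return dict(cp["Setup"])


def parse_params(params):
    """Split a Params line into /pNAME=VALUE properties and plain switches."""
    props, switches = {}, []
    for token in params.split():
        m = _PROP_RE.match(token)
        if m:
            props[m.group(1).upper()] = m.group(2)
        else:
            switches.append(token.lower())
    return props, switches


def effective_sign_check(props, remote):
    """Whether signatures of detected incompatible software will be verified.

    Per the Help: an explicit CLEANERSIGNCHECK value wins; if it is absent,
    verification is off for a Kaspersky Security Center deployment and on
    for a local installation.
    """
    if "CLEANERSIGNCHECK" in props:
        return props["CLEANERSIGNCHECK"] != "0"
    return not remote


def review_package(kud_text, remote=True):
    """Summarise what the package does to the installer's own checks."""
    setup = parse_setup_section(kud_text)
    props, switches = parse_params(setup.get("Params", ""))
    weakened = [k for k, bad in WEAKENING_VALUES.items() if props.get(k) == bad]
    return {
        "executable": setup.get("Executable"),
        "silent": "/s" in switches,
        "eula_accepted": props.get("EULA") == "1",
        "ksn_enabled": props.get("KSN") == "1",
        "signature_check": effective_sign_check(props, remote),
        "weakened_checks": weakened,
        "properties": props,
    }


# Constructed sample: the [Setup] section the Help shows for skipping the
# incompatible-software check (Params is a single line in the real file).
SAMPLE_KUD = """\
[Setup]
UseWrapper=1
ExecutableRelPath=EXEC
Params=/s /pAKINSTALL=1 /pEULA=1 /pPRIVACYPOLICY=1 /pKSN=0 /pSKIPPRODUCTCHECK=1 /pSKIPPRODUCTUNINSTALL=1 /pCLEANERSIGNCHECK=0
Executable=setup_kes.exe
RebootDelegated = 1
RebootAllowed=1
ConfigFile=installer.ini
RelPathsToExclude=klcfginst.msi
"""

if __name__ == "__main__":
    report = review_package(SAMPLE_KUD)
    for key, value in report.items():
        print(f"{key}: {value}")
    if report["weakened_checks"]:
        print("WARNING: package disables installer checks:",
              ", ".join(report["weakened_checks"]))
```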
Installing and removing the application
Kaspersky Endpoint Security can be installed on a computer in the following ways:
remotely through the Microsoft Windows Group Policy Management Editor (for more details, visit the Microsoft
Technical Support website).
You can configure the application installation settings in several ways. If you simultaneously use multiple methods
for configuring the settings, Kaspersky Endpoint Security applies the settings with the highest priority. Kaspersky
Endpoint Security uses the following order of priorities:
We recommend closing all running applications before starting the installation of Kaspersky Endpoint Security
(including remote installation).
When installing, updating or uninstalling Kaspersky Endpoint Security, errors may occur. For more information
about solving these errors, please refer to the Technical Support Knowledge Base.
Kaspersky Security Center also supports other methods of installing Kaspersky Endpoint Security, such as
deployment within an operating system image. For details about other deployment methods, refer to Kaspersky
Security Center Help.
2. Creating the Install application remotely task of the Kaspersky Security Center Administration Server.
How to run the Protection Deployment Wizard in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
This will start the Protection Deployment Wizard. Follow the instructions of the Wizard.
TCP ports 139 and 445, and UDP ports 137 and 138 must be opened on a client computer.
Select Kaspersky Endpoint Security installation package from the list. If the list does not contain the
installation package for Kaspersky Endpoint Security, you can create the package in the Wizard.
You can configure the installation package settings in Kaspersky Security Center. For example, you can select
the application components that will be installed to a computer.
Network Agent will also be installed together with Kaspersky Endpoint Security. Network Agent facilitates
interaction between the Administration Server and a client computer. If Network Agent is already installed on
the computer, it is not installed again.
Select the computers for installing Kaspersky Endpoint Security. The following options are available:
Assign the task to an administration group. In this case, the task is assigned to computers included in a
previously created administration group.
Select computers detected by the Administration Server in the network: unassigned devices. Network
Agent is not installed on unassigned devices. In this case, the task is assigned to specific devices. The
specific devices can include devices in administration groups as well as unassigned devices.
Specify device addresses manually, or import addresses from a list. You can specify NetBIOS names, IP
addresses, and IP subnets of devices to which you want to assign the task.
Using Network Agent. If Network Agent has not been installed on the computer, first Network Agent
will be installed using the tools of the operating system. Then Kaspersky Endpoint Security is installed
by the tools of Network Agent.
Using operating system resources through distribution points. The installation package is delivered
to client computers using operating system resources via distribution points. You can select this option
if there is at least one distribution point in the network. For more details about distribution points, refer
to the Kaspersky Security Center Help.
Using operating system resources through Administration Server. Files will be delivered to client
computers by using operating system resources through the Administration Server. You can select this
option if Network Agent is not installed on the client computer, but the client computer is in the same
network as the Administration Server.
Behavior for devices managed through other Administration Servers. Select the Kaspersky Endpoint
Security installation method. If the network has more than one Administration Server installed, these
Administration Servers may see the same client computers. This may cause, for example, an application to
be installed remotely on the same client computer several times through different Administration Servers,
or other conflicts.
Do not re-install application if it is already installed. Clear this check box if you want to install an earlier
version of the application, for example.
Assign Network Agent installation in Active Directory group policies. Manually installing Network Agent
using Active Directory resources. To install Network Agent, the remote installation task must be run with
domain administrator privileges.
Add a key to the installation package for activating the application. This step is optional. If the Administration
Server contains a license key with automatic distribution functionality, the key will be automatically added
later. You can also activate the application later by using the Add key task.
Select the action to be performed if a computer restart is required. Restart is not required when installing
Kaspersky Endpoint Security. Restart is required only if you have to remove incompatible applications prior to
installation. Restart may also be required when updating the application version.
Carefully read the list of incompatible applications and allow removal of these applications. If incompatible
applications are installed on the computer, installation of Kaspersky Endpoint Security ends with an error.
Select the account for installing Network Agent using the tools of the operating system. In this case,
administrator rights are required for computer access. You can add multiple accounts. If an account does not
have sufficient rights, the Installation Wizard uses the next account. If you install Kaspersky Endpoint Security
using Network Agent tools, you do not have to select an account.
Exit the Wizard. If necessary, select the Run the task after the wizard finishes check box. You can monitor
the progress of the task in the task properties.
How to start the Protection Deployment Wizard in the Web Console and Cloud Console
In the main window of the Web Console, select Discovery & Deployment → Deployment & Assignment →
Protection Deployment Wizard.
This will start the Protection Deployment Wizard. Follow the instructions of the Wizard.
TCP ports 139 and 445, and UDP ports 137 and 138 must be opened on a client computer.
Select Kaspersky Endpoint Security installation package from the list. If the list does not contain the
installation package for Kaspersky Endpoint Security, you can create the package in the Wizard. To create the
installation package, you do not need to search for the distribution package and save it to computer memory.
In Kaspersky Security Center, you can view the list of distribution packages residing on Kaspersky servers, and
the installation package is created automatically. Kaspersky updates the list after the release of new versions
of applications.
You can configure the installation package settings in Kaspersky Security Center. For example, you can select
the application components that will be installed to a computer.
Add a key to the installation package for activating the application. This step is optional. If the Administration
Server contains a license key with automatic distribution functionality, the key will be automatically added
later. You can also activate the application later by using the Add key task.
Select the version of Network Agent that will be installed together with Kaspersky Endpoint Security. Network
Agent facilitates interaction between the Administration Server and a client computer. If Network Agent is
already installed on the computer, it is not installed again.
Select the computers for installing Kaspersky Endpoint Security. The following options are available:
Assign the task to an administration group. In this case, the task is assigned to computers included in a
previously created administration group.
Select computers detected by the Administration Server in the network: unassigned devices. Network
Agent is not installed on unassigned devices. In this case, the task is assigned to specific devices. The
specific devices can include devices in administration groups as well as unassigned devices.
Specify device addresses manually, or import addresses from a list. You can specify NetBIOS names, IP
addresses, and IP subnets of devices to which you want to assign the task.
Force installation package download. Select the method of application installation:
Using Network Agent. If Network Agent has not been installed on the computer, first Network Agent
will be installed using the tools of the operating system. Then Kaspersky Endpoint Security is installed
by the tools of Network Agent.
Using operating system resources through distribution points. The installation package is delivered
to client computers using operating system resources via distribution points. You can select this option
if there is at least one distribution point in the network. For more details about distribution points, refer
to the Kaspersky Security Center Help.
Using operating system resources through Administration Server. Files will be delivered to client
computers by using operating system resources through the Administration Server. You can select this
option if Network Agent is not installed on the client computer, but the client computer is in the same
network as the Administration Server.
Do not re-install application if it is already installed. Clear this check box if you want to install an earlier
version of the application, for example.
Assign package installation in Active Directory group policies. Kaspersky Endpoint Security is installed
by means of Network Agent or manually by means of Active Directory. To install Network Agent, the remote
installation task must be run with domain administrator privileges.
Select the action to be performed if a computer restart is required. Restart is not required when installing
Kaspersky Endpoint Security. Restart is required only if you have to remove incompatible applications prior to
installation. Restart may also be required when updating the application version.
Carefully read the list of incompatible applications and allow removal of these applications. If incompatible
applications are installed on the computer, installation of Kaspersky Endpoint Security ends with an error.
Select the administration group to which the computers will be moved after Network Agent is installed.
Computers need to be moved to an administration group so that policies and group tasks can be applied. If a
computer is already in any administration group, the computer will not be moved. If you do not select an
administration group, computers will be added to the Unassigned devices group.
Select the account for installing Network Agent using the tools of the operating system. In this case,
administrator rights are required for computer access. You can add multiple accounts. If an account does not
have sufficient rights, the Installation Wizard uses the next account. If you install Kaspersky Endpoint Security
using Network Agent tools, you do not have to select an account.
Exit the Wizard. If necessary, select the Run the task after the wizard finishes check box. You can monitor
the progress of the task in the task properties.
1. In the Administration Console, go to the folder Administration Server → Advanced → Remote
installation → Installation packages.
This opens a list of installation packages that have been downloaded to Kaspersky Security Center.
The New Package Wizard starts. Follow the instructions of the Wizard.
Enter the name of the installation package, for example, Kaspersky Endpoint Security for Windows 12.5.
Click the Browse button and select the kes_win.kud file that is included in the distribution kit.
If required, update the anti-virus databases in the installation package by using the Copy updates from
repository to installation package check box.
Read and accept the terms of the End User License Agreement and Privacy Policy.
The installation package will be created and added to Kaspersky Security Center. Using the installation
package, you can install Kaspersky Endpoint Security on corporate network computers or update the
application version. In the installation package settings, you can also select the application components and
configure the application installation settings (see the table below). The installation package contains anti-
virus databases from the Administration Server repository. You can update the databases in the installation
package to reduce traffic consumption when updating the databases after installing Kaspersky Endpoint
Security.
How to create an installation package in the Web Console and Cloud Console
1. In the main window of the Web Console, select Discovery & deployment → Deployment & assignment →
Installation packages.
This opens a list of installation packages that have been downloaded to Kaspersky Security Center.
The New Package Wizard starts. Follow the instructions of the Wizard.
The Wizard will create an installation package from the distribution package residing on Kaspersky servers. The
list is updated automatically as new versions of applications are released. It is recommended to select this
option for installation of Kaspersky Endpoint Security.
Types of installation packages
Select the Kaspersky Endpoint Security for Windows installation package. The installation package creation
process starts. During creation of the installation package, you must accept the terms of the End User
License Agreement and Privacy Policy.
The installation package will be created and added to Kaspersky Security Center. Using the installation
package, you can install Kaspersky Endpoint Security on corporate network computers or update the
application version. In the installation package settings, you can also select the application components and
configure the application installation settings (see the table below). The installation package contains anti-
virus databases from the Administration Server repository. You can update the databases in the installation
package to reduce traffic consumption when updating the databases after installing Kaspersky Endpoint
Security.
Components included in the installation package
Installation settings of the installation package
Section Description
Protection components. In this section, you can select the application components that will be available. You can
change the set of application components at a later time by using the Change application components task.
The set of available components depends on the configuration of the application:
Full functionality
The default configuration. This configuration lets you use all components of the application,
including components that provide support for Detection and Response solutions. This
configuration is used for comprehensive protection of the computer from a variety of
threats, network attacks, and fraud. You can select the components that you want to install
at the next step of the Setup Wizard.
The BadUSB Attack Prevention component, Detection and Response component, and data
encryption components are not installed by default. These components can be added in the
installation package settings.
If you need to install Detection and Response components, Kaspersky Endpoint Security
supports the following configurations:
Endpoint Detection and Response (KATA) only
Kaspersky Endpoint Security verifies the selection of components before installing the
application. If the selected configuration of Detection and Response components is not
supported, Kaspersky Endpoint Security cannot be installed.
License key. In this section, you can activate the application. To activate the application, you must select
a license key. Before you do that, you must add the key to the Administration Server. For
more details about adding keys to the Kaspersky Security Center Administration Server,
please refer to Kaspersky Security Center Help.
Incompatible applications. Carefully read the list of incompatible applications and allow removal of these applications.
If incompatible applications are installed on the computer, installation of Kaspersky
Endpoint Security ends with an error.
Installation settings. Add the path to the file avp.com to the system variable %PATH%. You can add the
installation path to the %PATH% variable for convenient use of the command line interface.
Protect the installation process. Installation protection includes protection against
replacement of the distribution package with malicious applications, blocking access to the
installation folder of Kaspersky Endpoint Security, and blocking access to the system
registry section containing application keys. However, if the application cannot be installed
(for example, when performing remote installation with the help of Windows Remote
Desktop), you are advised to disable protection of the installation process.
Ensure compatibility with Citrix PVS. You can enable support of Citrix Provisioning
Services to install Kaspersky Endpoint Security to a virtual machine.
Use Azure WVD compatibility mode. This feature allows correctly displaying the state of
the Azure virtual machine in the Kaspersky Anti Targeted Attack Platform console. To
monitor the performance of the computer, Kaspersky Endpoint Security sends telemetry to
KATA servers. Telemetry includes an ID of the computer (Sensor ID). Azure WVD
compatibility mode allows assigning a permanent unique Sensor ID to these virtual
machines. If the compatibility mode is turned off, the Sensor ID can change after the
computer is restarted because of how Azure virtual machines work. This can cause
duplicates of virtual machines to appear on the console.
Path to application installation folder. You can change the installation path of Kaspersky
Endpoint Security on a client computer. By default, the application is installed in the
%ProgramFiles%\Kaspersky Lab\KES folder.
Configuration file. You can upload a file that defines the settings of Kaspersky Endpoint
Security. You can create a configuration file in the local interface of the application.
Updating databases in the installation package
The installation package contains anti-virus databases from the Administration Server repository that are up to
date when the installation package is created. After creating the installation package, you can update the anti-
virus databases in the installation package. This lets you reduce traffic consumption when updating anti-virus
databases after installing Kaspersky Endpoint Security.
To update the anti-virus databases in the Administration Server repository, use the Download updates to the
Administration Server repository task of the Administration Server. For more information about updating the anti-
virus databases in the Administration Server repository, please refer to the Kaspersky Security Center Help.
You can update the databases in the installation package only in the Administration Console and Kaspersky
Security Center Web Console. It is not possible to update the databases in the installation package in the
Kaspersky Security Center Cloud Console.
How to update the anti-virus databases in the installation package through the Administration Console (MMC)
2. In the console tree, select the Advanced → Remote installation → Installation packages folder.
This opens a list of installation packages that have been downloaded to Kaspersky Security Center.
As a result, the anti-virus databases in the installation package will be updated from the Administration
Server repository. The bases.cab file that is included in the distribution kit will be replaced by the bases
folder. The update package files will be inside the folder.
How to update anti-virus databases in an installation package through the Web Console
1. In the main window of the Web Console, select Discovery & deployment → Deployment & assignment →
Installation packages.
This opens a list of installation packages downloaded to Web Console.
2. Click on the name of the Kaspersky Endpoint Security installation package in which you want to update the
anti-virus databases.
The installation package properties window opens.
As a result, the anti-virus databases in the installation package will be updated from the Administration
Server repository. The bases.cab file that is included in the distribution kit will be replaced by the bases
folder. The update package files will be inside the folder.
Creating a remote installation task
The Install application remotely task is designed for remote installation of Kaspersky Endpoint Security. The Install
application remotely task allows you to deploy the installation package of the application to all computers in the
organization. Before deploying the installation package, you can update the anti-virus databases inside the
package and select the available application components in the properties of the installation package.
1. Open the Kaspersky Security Center Administration Console.
Select Kaspersky Endpoint Security installation package from the list. If the list does not contain the
installation package for Kaspersky Endpoint Security, you can create the package in the Wizard.
You can configure the installation package settings in Kaspersky Security Center. For example, you can select
the application components that will be installed to a computer.
Network Agent will also be installed together with Kaspersky Endpoint Security. Network Agent facilitates
interaction between the Administration Server and a client computer. If Network Agent is already installed on
the computer, it is not installed again.
Step 3. Additional
Select the Network Agent installation package. The selected version of Network Agent will be installed
together with Kaspersky Endpoint Security.
Step 4. Settings
Using Network Agent. If Network Agent has not been installed on the computer, first Network Agent
will be installed using the tools of the operating system. Then Kaspersky Endpoint Security is installed
by the tools of Network Agent.
Using operating system resources through distribution points. The installation package is delivered
to client computers using operating system resources via distribution points. You can select this option
if there is at least one distribution point in the network. For more details about distribution points, refer
to the Kaspersky Security Center Help.
Using operating system resources through Administration Server. Files will be delivered to client
computers by using operating system resources through the Administration Server. You can select this
option if Network Agent is not installed on the client computer, but the client computer is in the same
network as the Administration Server.
Behavior for devices managed through other Administration Servers. Select the Kaspersky Endpoint
Security installation method. If the network has more than one Administration Server installed, these
Administration Servers may see the same client computers. This may cause, for example, an application to
be installed remotely on the same client computer several times through different Administration Servers,
or other conflicts.
Do not re-install application if it is already installed. Clear this check box if you want to install an earlier
version of the application, for example.
Select the action to be performed if a computer restart is required. Restart is not required when installing
Kaspersky Endpoint Security. Restart is required only if you have to remove incompatible applications prior to
installation. Restart may also be required when updating the application version.
Select the computers for installing Kaspersky Endpoint Security. The following options are available:
Assign the task to an administration group. In this case, the task is assigned to computers included in a
previously created administration group.
Select computers detected by the Administration Server in the network: unassigned devices. Network
Agent is not installed on unassigned devices. In this case, the task is assigned to specific devices. The
specific devices can include devices in administration groups as well as unassigned devices.
Specify device addresses manually, or import addresses from a list. You can specify NetBIOS names, IP
addresses, and IP subnets of devices to which you want to assign the task.
Select the account for installing Network Agent using the tools of the operating system. In this case,
administrator rights are required for computer access. You can add multiple accounts. If an account does not
have sufficient rights, the Installation Wizard uses the next account. If you install Kaspersky Endpoint Security
using Network Agent tools, you do not have to select an account.
Configure a schedule for starting a task, for example, manually or when the computer is idle.
Enter a name for the task, for example, Install Kaspersky Endpoint Security for Windows 12.5.
Exit the Wizard. If necessary, select the Run the task after the wizard finishes check box. You can monitor
the progress of the task in the task properties. The application will be installed in silent mode. After installation,
the icon will be added to the notification area of the user's computer. If the icon looks like this, make sure
that you activated the application.
How to create a remote installation task in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Tasks.
The list of tasks opens.
2. Click Add.
3. In the Task name field, enter a brief description, such as Installation of Kaspersky Endpoint Security for
Managers.
4. In the Select devices to which the task will be assigned block, select the task scope.
At this step, select the computers on which Kaspersky Endpoint Security will be installed according to the
selected task scope option.
1. Select the Kaspersky Endpoint Security for Windows (12.5) installation package.
3. In the Force installation package download block, select the application installation method:
Using Network Agent. If Network Agent has not been installed on the computer, first Network Agent
will be installed using the tools of the operating system. Then Kaspersky Endpoint Security is installed
by the tools of Network Agent.
Using operating system resources through distribution points. The installation package is delivered
to client computers using operating system resources via distribution points. You can select this option
if there is at least one distribution point in the network. For more details about distribution points, refer
to the Kaspersky Security Center Help.
Using operating system resources through Administration Server. Files will be delivered to client
computers by using operating system resources through the Administration Server. You can select this
option if Network Agent is not installed on the client computer, but the client computer is in the same
network as the Administration Server.
4. In the Maximum number of concurrent downloads field, set a limit on the number of installation package
download requests sent to the Administration Server. A limit on the number of requests will help prevent
the network from being overloaded.
5. In the Maximum number of installation attempts eld, set a limit on the number of attempts to install the
application. If installation of Kaspersky Endpoint Security ends with an error, the task will automatically
start the installation again.
6. If necessary, clear the Do not re-install application if it is already installed check box. It allows, for
example, to install one of the previous versions of the application.
7. If necessary, clear the Verify operating system type before downloading check box. This lets you avoid
downloading an application distribution package if the operating system of the computer does not meet
the software requirements. If you are sure that the operating system of the computer meets the software
requirements, you can skip this veri cation.
8. If necessary, select the Assign package installation in Active Directory group policies check box.
Kaspersky Endpoint Security is installed by means of Network Agent or manually by means of Active
Directory. To install Network Agent, the remote installation task must be run with domain administrator
privileges.
9. If necessary, select the Prompt users to close running applications check box. Installation of Kaspersky
Endpoint Security takes up computer resources. For the convenience of the user, the Application
Installation Wizard prompts you to close running applications before starting the installation. This helps
prevent disruptions in the operation of other applications and prevents possible malfunctions of the
computer.
10. In the Behavior for devices managed through other Administration Servers block, select the Kaspersky
Endpoint Security installation method. If the network has more than one Administration Server installed,
these Administration Servers may see the same client computers. This may cause, for example, an
application to be installed remotely on the same client computer several times through different
Administration Servers, or other conflicts.
Select the account for installing Network Agent using the tools of the operating system. In this case,
administrator rights are required for computer access. You can add multiple accounts. If an account does not
have sufficient rights, the Installation Wizard uses the next account. If you install Kaspersky Endpoint Security
using Network Agent tools, you do not have to select an account.
Finish the wizard by clicking the Finish button. A new task will be displayed in the list of tasks. To run a task,
select the check box opposite the task and click the Start button. The application will be installed in silent
mode. After installation, the icon will be added to the notification area of the user's computer. If the icon
looks like this [icon image], make sure that you activated the application.
To install the application or upgrade the application from a previous version using the Setup Wizard:
2. Run setup_kes.exe.
Before installing Kaspersky Endpoint Security on a computer or upgrading it from a previous version, the following
conditions are checked:
Presence of installed incompatible software (the list of incompatible software is available in the incompatible.txt
file that is included in the distribution kit).
Whether or not the user has the rights to install the software product.
If any one of the previous requirements is not met, a relevant notification is displayed on the screen. For example, a
notification about incompatible software (see the figure below).
If the computer meets the listed requirements, the Setup Wizard searches for Kaspersky applications that could
lead to conflicts when running at the same time as the application being installed. If such applications are found,
you are prompted to remove them manually.
If the detected applications include previous versions of Kaspersky Endpoint Security, all data that can be
migrated (such as activation data and application settings) is retained and used during installation of Kaspersky
Endpoint Security 12.5 for Windows, and the previous version of the application is automatically removed. This
applies to the following application versions:
Kaspersky Endpoint Security 12.0 for Windows (build 12.0.0.465).
Full functionality. The default configuration. This configuration lets you use all components of the application,
including components that provide support for Detection and Response solutions. This configuration is used for
comprehensive protection of the computer from a variety of threats, network attacks, and fraud. You can select
the components that you want to install at the next step of the Setup Wizard.
Endpoint Detection and Response Agent. In this configuration, you can only install the components that provide
support for Detection and Response solutions: Endpoint Detection and Response (KATA) or Managed Detection
and Response. This configuration is needed if a third-party Endpoint Protection Platform (EPP) is deployed in your
organization alongside a Kaspersky Detection and Response solution. This makes Kaspersky Endpoint Security in
the Endpoint Detection and Response Agent configuration compatible with third-party EPP applications.
During the installation process, you can select the components of Kaspersky Endpoint Security that you want to
install (see the figure below). The File Threat Protection component is a mandatory component that must be
installed. You cannot cancel its installation.
Selecting application components to install
By default, all application components are selected for installation except the following components:
You can change the available application components after the application is installed. To do so, you need to run
the Setup Wizard again and choose to change the available components.
If you need to install Detection and Response components, Kaspersky Endpoint Security supports the following
configurations:
Kaspersky Endpoint Security verifies the selection of components before installing the application. If the selected
configuration of Detection and Response components is not supported, Kaspersky Endpoint Security cannot be
installed.
Advanced settings
Advanced application installation settings
Protect the application installation process. Installation protection includes protection against replacement of
the distribution package with malicious applications, blocking access to the installation folder of Kaspersky
Endpoint Security, and blocking access to the system registry section containing application keys. However, if the
application cannot be installed (for example, when performing remote installation with the help of Windows Remote
Desktop), you are advised to disable protection of the installation process.
Ensure compatibility with Citrix PVS. You can enable support of Citrix Provisioning Services to install Kaspersky
Endpoint Security to a virtual machine.
Add the path to the file avp.com to the system variable %PATH%. You can add the installation path to the
%PATH% variable for convenient use of the command line interface.
These instructions apply to System Center Configuration Manager 2012 R2.
2. In the right part of the console, in the App management block, select Packages.
3. In the upper part of the console in the control panel, click the Create package button.
This starts the New Package and Application Wizard.
In the Source folder field, specify the path to the folder containing the distribution package of
Kaspersky Endpoint Security.
b. In the Application type section, select the Standard program option.
In the Name field, enter the unique name for the installation package (for example, the application name
including the version).
In the Command line field, specify the Kaspersky Endpoint Security installation options from the
command line.
Click the Browse button to specify the path to the executable file of the application.
Make sure that the Run mode list has the Run with administrative rights item selected.
Select the Run another program first check box if you want a different application to be started before
installing Kaspersky Endpoint Security.
Select the application from the Application drop-down list or specify the path to the executable file of
this application by clicking the Browse button.
Select the This program can run only on specified platforms option in the Platform requirements
block if you want the application to be installed only in the specified operating systems.
In the list below, select the check boxes opposite the operating systems in which Kaspersky Endpoint
Security will be installed.
e. In the Summary section, check all entered values of the settings and click Next.
The created installation package will appear in the Packages section in the list of available installation packages.
In the Software field, enter the unique name of the installation package or select the installation package
from the list by clicking the Browse button.
In the Collection field, enter the name of the collection of computers on which the application will be
installed, or select the collection by clicking the Browse button.
b. In the Contains section, add distribution points (for more detailed information, please refer to the help
documentation for System Center Configuration Manager).
c. If required, specify the values of other settings in the Deployment Wizard. These settings are optional for
remote installation of Kaspersky Endpoint Security.
d. In the Summary section, check all entered values of the settings and click Next.
After the Deployment Wizard finishes, a task will be created for remote installation of Kaspersky Endpoint
Security.
Description of setup.ini file installation settings
The setup.ini file is used when installing the application from the command line or when using the Group Policy
Editor of Microsoft Windows. To apply settings from the setup.ini file, place this file into the folder containing the
Kaspersky Endpoint Security distribution package.
[Components] – selection of application components to be installed. If none of the components are specified,
all components that are available for the operating system are installed. File Threat Protection is a mandatory
component and is installed on the computer regardless of which settings are indicated in this section. The
Managed Detection and Response component is also absent from this block. To install this component, you
must activate Managed Detection and Response in the Kaspersky Security Center Console.
[Tasks] – selection of tasks to be included in the list of Kaspersky Endpoint Security tasks. If no task is
specified, all tasks are included in the task list of Kaspersky Endpoint Security.
The alternatives to the value 1 are the values yes, on, enable, and enabled.
The alternatives to the value 0 are the values no, off, disable, and disabled.
KSN Agreement or refusal to participate in Kaspersky Security N
(KSN). If no value is set for this parameter, Kaspersky Endpo
Security will prompt to confirm your consent or refusal to p
in KSN when Kaspersky Endpoint Security is first started. A
values:
1 – agreement to participate in KSN.
Login Set the user name for accessing the features and settings
Kaspersky Endpoint Security (the Password protection com
The user name is set together with the Password and
PasswordArea parameters. The user name KLAdmin is use
default.
For example,
PasswordArea=SET;PasswordArea=UNINST;PasswordA
0 – protection of the Kaspersky Endpoint Security proc
using AM-PPL technology is disabled.
RESTAPI Managing the application through the REST API. To manage
application through the REST API, you must specify the use
(RESTAPI_User parameter).
Available values:
1 – management via REST API is allowed.
RESTAPI_User User name of the Windows domain account used for manag
application through the REST API. Management of the appl
through the REST API is available only to this user. Enter the
name in the format <DOMAIN>\<UserName> (for example,
RESTAPI_User=COMPANY\Administrator). You can selec
user to work with the REST API.
Adding a user name is a prerequisite for managing the appli
through the REST API.
RESTAPI_Port Port used for managing the application through the REST A
6782 is used by default. Make sure that the port is free.
Firewall Firewall.
WebControl Web Control.
SB Kaspersky Sandbox.
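The setup.ini rules given above (the accepted spellings for 1 and 0, the [Components] switches such as Firewall, WebControl and SB, RESTAPI requiring RESTAPI_User in <DOMAIN>\<UserName> form, RESTAPI_Port defaulting to 6782, Login being set together with Password, and KSN prompting at first start when unset) can be checked before a package is pushed out. The following checker is an added example for this Help page and is not Kaspersky code; the [Setup] section name for the non-component parameters, the sample files and the password value in them are assumptions constructed for the example.

```python
"""Pre-deployment check of a Kaspersky Endpoint Security setup.ini.

Added example, not Kaspersky code. The [Setup] section name for the
non-component parameters is an assumption; the sample INI texts below
are constructed for this example.
"""
import configparser
import re

# Value spellings the Help lists as equivalent to 1 and to 0.
TRUE_VALUES = {"1", "yes", "on", "enable", "enabled"}
FALSE_VALUES = {"0", "no", "off", "disable", "disabled"}
DEFAULT_RESTAPI_PORT = 6782  # default port named in the Help
# <DOMAIN>\<UserName>: exactly one backslash, no whitespace on either side.
DOMAIN_USER_RE = re.compile(r"^[^\\\s]+\\[^\\\s]+$")


def parse_bool(value):
    """Map any accepted spelling to True/False; None for anything else."""
    v = value.strip().lower()
    if v in TRUE_VALUES:
        return True
    if v in FALSE_VALUES:
        return False
    return None


def load_ini(text):
    """Parse INI text keeping key case (KSN, RESTAPI_User) and backslashes."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def validate_setup_ini(text):
    """Return {'errors': [...], 'warnings': [...]} for the given setup.ini text."""
    cp = load_ini(text)
    errors, warnings = [], []

    # [Components]: every switch must use one of the accepted spellings.
    if cp.has_section("Components"):
        for key, val in cp.items("Components"):
            if parse_bool(val) is None:
                errors.append(f"[Components] {key}={val!r}: not an accepted 1/0 spelling")

    # [Setup] (assumed section name) holds the remaining parameters.
    setup = cp["Setup"] if cp.has_section("Setup") else {}

    # KSN unset means the user is prompted at first start.
    if "KSN" not in setup:
        warnings.append("KSN not set: the user will be prompted at first start")

    # Login is set together with Password (and PasswordArea).
    if "Login" in setup and not setup.get("Password"):
        warnings.append("Login is set but Password is empty or missing")

    restapi = parse_bool(setup.get("RESTAPI", "0"))
    if restapi is None:
        errors.append(f"RESTAPI={setup['RESTAPI']!r}: not an accepted 1/0 spelling")
    elif restapi:
        user = setup.get("RESTAPI_User", "")
        if not user:
            errors.append("RESTAPI enabled but RESTAPI_User is missing (required)")
        elif not DOMAIN_USER_RE.match(user):
            errors.append(f"RESTAPI_User={user!r}: expected <DOMAIN>\\<UserName>")
        port_raw = setup.get("RESTAPI_Port", str(DEFAULT_RESTAPI_PORT))
        if not (port_raw.isdigit() and 1 <= int(port_raw) <= 65535):
            errors.append(f"RESTAPI_Port={port_raw!r}: not a valid TCP port")

    return {"errors": errors, "warnings": warnings}


# Constructed sample: a consistent setup.ini (password is a placeholder).
GOOD_INI = """[Components]
Firewall=yes
WebControl=enabled
SB=off

[Setup]
KSN=1
Login=KLAdmin
Password=ExamplePlaceholder
RESTAPI=enable
RESTAPI_User=COMPANY\\Administrator
RESTAPI_Port=6782
"""

# Constructed sample: bad switch value, REST API without user, bad port,
# Login without Password, KSN unset.
BAD_INI = """[Components]
Firewall=1
SB=maybe

[Setup]
Login=KLAdmin
RESTAPI=on
RESTAPI_Port=70000
"""

if __name__ == "__main__":
    for name, text in (("GOOD_INI", GOOD_INI), ("BAD_INI", BAD_INI)):
        report = validate_setup_ini(text)
        print(name, "errors:", report["errors"], "warnings:", report["warnings"])
```

Run it against the setup.ini you intend to drop into the distribution folder; a non-empty error list means the file would either be rejected or silently install something other than intended (for example, REST API management enabled with no account that is allowed to use it).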
Please take into account the following special considerations when changing the application components:
On computers running Windows Server, you cannot install all components of Kaspersky Endpoint Security (for
example, the Adaptive Anomaly Control component is not available).
If the hard drives on your computer are protected by Full Disk Encryption (FDE), you cannot remove the Full
Disk Encryption component. To remove the Full Disk Encryption component, decrypt all the hard drives of the
computer.
If the computer has encrypted files (FLE) or the user uses encrypted removable drives (FDE or FLE), it will be
impossible to access the files and removable drives after the Data Encryption components are removed. You
can access the files and removable drives by reinstalling the Data Encryption components.
1. Open the Kaspersky Security Center Administration Console.
Select Kaspersky Endpoint Security for Windows (12.5) → Select components to install.
Full functionality. The default configuration. This configuration lets you use all components of the
application, including components that provide support for Detection and Response solutions. This
configuration is used for comprehensive protection of the computer from a variety of threats, network
attacks, and fraud. You can select the components that you want to install at the next step of the Setup
Wizard.
Endpoint Detection and Response Agent. In this configuration, you can only install the components that
provide support for Detection and Response solutions: Endpoint Detection and Response (KATA) or
Managed Detection and Response. This configuration is needed if a third-party Endpoint Protection
Platform (EPP) is deployed in your organization alongside a Kaspersky Detection and Response solution.
This makes Kaspersky Endpoint Security in the Endpoint Detection and Response Agent configuration
compatible with third-party EPP applications.
Select the application components that will be available on the user's computer.
Configure the advanced settings for the task (see the table below).
Select the computers on which the task will be performed. The following options are available:
Assign the task to an administration group. In this case, the task is assigned to computers included in a
previously created administration group.
Select computers detected by the Administration Server in the network: unassigned devices. The specific
devices can include devices in administration groups as well as unassigned devices.
Specify device addresses manually, or import addresses from a list. You can specify NetBIOS names, IP
addresses, and IP subnets of devices to which you want to assign the task.
Configure a schedule for starting a task, for example, manually or when the computer is idle.
Step 5. Defining the task name
Enter a name for the task, for example, Add the Application Control component.
Exit the Wizard. If necessary, select the Run the task after the wizard finishes check box. You can monitor
the progress of the task in the task properties.
As a result, the set of Kaspersky Endpoint Security components on users' computers will be changed in silent
mode. The settings of available components will be displayed in the local interface of the application. The
components that were not included in the application are disabled, and the settings of these components are
not available.
How to add or remove application components in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Tasks.
The list of tasks opens.
2. Click Add.
1. In the Application drop-down list, select Kaspersky Endpoint Security for Windows (12.5).
3. In the Task name field, enter a brief description, for example, Add the Application Control component.
4. In the Select devices to which the task will be assigned block, select the task scope.
Select the computers on which the task will be performed. For example, select a separate administration
group or build a selection.
Select the Open task details when creation is complete check box and finish the wizard.
In the task properties, select the Application settings tab. Next, select the configuration of the application:
Full functionality. The default configuration. This configuration lets you use all components of the
application, including components that provide support for Detection and Response solutions. This
configuration is used for comprehensive protection of the computer from a variety of threats, network
attacks, and fraud. You can select the components that you want to install at the next step of the Setup
Wizard.
Endpoint Detection and Response Agent. In this configuration, you can only install the components that
provide support for Detection and Response solutions: Endpoint Detection and Response (KATA) or
Managed Detection and Response. This configuration is needed if a third-party Endpoint Protection
Platform (EPP) is deployed in your organization alongside a Kaspersky Detection and Response solution.
This makes Kaspersky Endpoint Security in the Endpoint Detection and Response Agent configuration
compatible with third-party EPP applications.
Select the application components that will be available on the user's computer.
Configure the advanced settings for the task (see the table below).
As a result, the set of Kaspersky Endpoint Security components on users' computers will be changed in silent
mode. The settings of available components will be displayed in the local interface of the application. The
components that were not included in the application are disabled, and the settings of these components are
not available.
When installing, updating or uninstalling Kaspersky Endpoint Security, errors may occur. For more information
about solving these errors, please refer to the Technical Support Knowledge Base.
Parameter: Use Azure WVD compatibility mode
Description: This feature allows correctly displaying the state of the Azure virtual machine in the Kaspersky Anti
Targeted Attack Platform console. To monitor the performance of the computer, Kaspersky Endpoint Security
sends telemetry to KATA servers. Telemetry includes an ID of the computer (Sensor ID). Azure WVD
compatibility mode allows assigning a permanent unique Sensor ID to these virtual machines. If the compatibility
mode is turned off, the Sensor ID can change after the computer is restarted because of how Azure virtual
machines work. This can cause duplicates of virtual machines to appear on the console.
Parameter: Use the password to uninstall Kaspersky Endpoint Agent and Kaspersky Security for Windows Server
Description: Administrators typically enable Password protection in settings of these tasks to restrict access to
Kaspersky Endpoint Agent (KEA) and Kaspersky Security for Windows Server (KSWS). That is, if you are migrating
from the [KES+KEA] configuration to [KES+built-in agent], or if you are migrating from KSWS to KES, you must
enter a password to remove these applications.
The localization of the new version of Kaspersky Endpoint Security must match the localization of the installed
version of the application. If localizations of the applications do not match, the application upgrade will
complete with an error.
Before updating, Kaspersky Endpoint Security blocks the Full Disk Encryption functionality. If Full Disk
Encryption could not be locked, the upgrade installation will not start. After updating the application, the Full
Disk Encryption functionality will be restored.
Kaspersky Endpoint Security supports updates for the following versions of the application:
Kaspersky Endpoint Security 11.10.0 for Windows (build 11.10.0.399).
When installing, updating or uninstalling Kaspersky Endpoint Security, errors may occur. For more information
about solving these errors, please refer to the Technical Support Knowledge Base.
Kaspersky Endpoint Security can be updated on the computer in the following ways:
remotely through the Microsoft Windows Group Policy Management Editor (for more details, visit the Microsoft
Technical Support website).
If the application that is deployed in the corporate network features a set of components other than the default
set, updating the application through the Administration Console (MMC) is different from updating the application
through the Web Console and Cloud Console. When you update Kaspersky Endpoint Security, consider the
following:
Kaspersky Security Center Web Console or Kaspersky Security Center Cloud Console.
If you created an installation package for the new version of the application with the default set of
components, then the set of components on a user's computer will not be changed. To use Kaspersky Endpoint
Security with the default set of components, you need to open the installation package properties, change the
set of components, then revert to the original set of components and save the changes.
Upgrading the application without a restart provides uninterrupted server operation when the application version
is updated.
You can upgrade the application without a restart starting with version 11.10.0. To upgrade an earlier version of
the application, you must restart the computer.
You can install patches without a restart starting with version 11.11.0. To install patches for earlier versions of the
application, a computer restart may be required.
Upgrading the application without a restart is not available on computers with enabled data encryption
(Kaspersky encryption (FDE), BitLocker, File Level Encryption (FLE)). To upgrade the application on computers
with enabled data encryption, the computer must be restarted.
After changing application components or repairing the application, you must restart the computer.
How to select the application upgrade mode in the Administration Console (MMC)
3. Select the necessary policy and double-click to open the policy properties.
5. In the Advanced settings block, select or clear the Install application updates without restart check box
to configure the application upgrade mode.
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Advanced settings block, select or clear the Install application updates without restart check box
to configure the application upgrade mode.
1. In the main application window, click the button.
3. In the General block, select or clear the Install updates without computer restart check box to configure
the application upgrade mode.
As a result, after upgrading the application without a restart, two versions of the application will be installed on the
computer. The installer installs the new version of the application to separate subfolders in the Program Files and
Program Data folders. The installer also creates a separate registry key for the new version of the application. You
do not have to manually remove the previous version of the application. The previous version will be removed
automatically when the computer is restarted.
You can check the Kaspersky Endpoint Security upgrade using the Kaspersky application version report in the
Kaspersky Security Center console.
Removing Kaspersky Endpoint Security leaves the computer and user data unprotected against threats.
When installing, updating or uninstalling Kaspersky Endpoint Security, errors may occur. For more information
about solving these errors, please refer to the Technical Support Knowledge Base.
You can remotely uninstall the application by using the Uninstall application remotely task. When performing the
task, Kaspersky Endpoint Security downloads the application uninstall utility to the user's computer. After
completing uninstallation of the application, the utility will be automatically removed.
1. Open the Kaspersky Security Center Administration Console.
Select Kaspersky Security Center Administration Server → Advanced → Uninstall application remotely.
Force download of the uninstallation utility. Select the utility delivery method:
Using Network Agent. If Network Agent has not been installed on the computer, first Network Agent
will be installed using the tools of the operating system. Kaspersky Endpoint Security is then uninstalled
by the tools of Network Agent.
Using operating system resources through Administration Server. The utility will be delivered to
client computers by using operating system resources through the Administration Server. You can
select this option if Network Agent is not installed on the client computer, but the client computer is in
the same network as the Administration Server.
Using operating system resources through distribution points. The utility is delivered to client
computers using operating system resources via distribution points. You can select this option if there
is at least one distribution point in the network. For more details about distribution points, refer to the
Kaspersky Security Center Help.
Verify operating system type before downloading. If necessary, clear this check box. This lets you avoid
downloading the uninstall utility if the operating system of the computer does not meet the software
requirements. If you are sure that the operating system of the computer meets the software requirements,
you can skip this verification.
2. Click the Edit button.
After uninstalling the application, a restart is required. Select the action that will be performed to restart the
computer.
Select the computers on which the task will be performed. The following options are available:
Assign the task to an administration group. In this case, the task is assigned to computers included in a
previously created administration group.
Select computers detected by the Administration Server in the network: unassigned devices. The specific
devices can include devices in administration groups as well as unassigned devices.
Specify device addresses manually, or import addresses from a list. You can specify NetBIOS names, IP
addresses, and IP subnets of devices to which you want to assign the task.
Select the account for installing Network Agent using the tools of the operating system. In this case,
administrator rights are required for computer access. You can add multiple accounts. If an account does not
have sufficient rights, the Installation Wizard uses the next account. If you uninstall Kaspersky Endpoint
Security using Network Agent tools, you do not have to select an account.
Configure a schedule for starting a task, for example, manually or when the computer is idle.
Enter a name for the task, such as Remove Kaspersky Endpoint Security 12.5.
Exit the Wizard. If necessary, select the Run the task after the wizard finishes check box. You can monitor
the progress of the task in the task properties.
How to remove the application through the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Tasks.
The list of tasks opens.
2. Click Add.
3. In the Task name field, enter a brief description, for example, Uninstall Kaspersky Endpoint Security from
Technical Support computers.
4. In the Select devices to which the task will be assigned block, select the task scope.
Select the computers on which the task will be performed. For example, select a separate administration
group or build a selection.
3. Force download of the uninstallation utility. Select the utility delivery method:
Using Network Agent. If Network Agent has not been installed on the computer, first Network Agent
will be installed using the tools of the operating system. Kaspersky Endpoint Security is then uninstalled
by the tools of Network Agent.
Using operating system resources through Administration Server. The utility will be delivered to
client computers by using operating system resources through the Administration Server. You can
select this option if Network Agent is not installed on the client computer, but the client computer is in
the same network as the Administration Server.
Using operating system resources through distribution points. The utility is delivered to client
computers using operating system resources via distribution points. You can select this option if there
is at least one distribution point in the network. For more details about distribution points, refer to the
Kaspersky Security Center Help.
4. In the Maximum number of concurrent downloads field, set a limit on the number of requests sent to the
Administration Server to download the application uninstall utility. A limit on the number of requests will
help prevent the network from being overloaded.
5. In the Maximum number of uninstallation attempts field, set a limit on the number of attempts to uninstall
the application. If uninstallation of Kaspersky Endpoint Security ends with an error, the task will
automatically start the uninstallation again.
6. If necessary, clear the Verify operating system type before downloading check box. This lets you avoid
downloading the uninstall utility if the operating system of the computer does not meet the software
requirements. If you are sure that the operating system of the computer meets the software requirements,
you can skip this verification.
Select the account for installing Network Agent using the tools of the operating system. In this case,
administrator rights are required for computer access. You can add multiple accounts. If an account does not
have sufficient rights, the Installation Wizard uses the next account. If you uninstall Kaspersky Endpoint
Security using Network Agent tools, you do not have to select an account.
Finish the wizard by clicking the Finish button. A new task will be displayed in the list of tasks.
To run a task, select the check box opposite the task and click the Start button. The application will be
uninstalled in silent mode. After uninstallation is complete, Kaspersky Endpoint Security shows a prompt to
restart the computer.
If the application uninstallation operation is password protected, enter the KLAdmin account password in
the properties of the Uninstall application remotely task. Without the password, the task will not be
performed.
To use the KLAdmin account password in the Uninstall application remotely task:
Restart the computer to complete the uninstallation. To do so, Network Agent displays a pop-up window.
You can remotely uninstall the application using a Microsoft Windows group policy. To uninstall the application, you
need to open the Group Policy Management Console (gpmc.msc) and use the Group Policy Editor to create an
application removal task (for more details, please visit the Microsoft Technical Support website).
If the application uninstallation operation is password protected, you need to do the following:
Example:
msiexec.exe /x{6BB76C8F-365E-4345-83ED-6D7AD612AF76} KLLOGIN=KLAdmin KLPASSWD=!Password1 /qn
2. Create a new Microsoft Windows policy for the computers in the Group Policy Management Console
(gpmc.msc).
3. Use the new policy to run the created BAT file on the computers.
You can remove the application locally using the Setup Wizard. Kaspersky Endpoint Security is removed using the
normal method for a Windows operating system, which is through the Control Panel. The Setup Wizard starts.
Follow the instructions on the screen.
You can specify which of the data that is used by the application you want to save for future use, during the next
installation of the application (such as when upgrading to a newer version of the application). If you do not specify
any data, the application will be completely removed (see the figure below).
Saving data after removal
Activation data, which lets you avoid having to activate the application again. Kaspersky Endpoint Security
automatically adds a license key if the license term has not expired prior to installation.
Backup files – files that are scanned by the application and placed in Backup.
Backup files that are saved after removal of the application can be accessed only from the same version
of the application that was used to save those files.
If you plan to use Backup objects after removal of the application, you must restore those objects before
removing the application. However, Kaspersky experts do not recommend restoring objects from Backup
because this may harm the computer.
Operational settings of the application – values of application settings that are selected during application
configuration.
Local storage of encryption keys – data that provides access to files and drives that were encrypted before
removal of the application. To ensure access to encrypted files and drives, make sure that you selected data
encryption functionality when reinstalling Kaspersky Endpoint Security. No further action is required for access
to previously encrypted files and drives.
You can also delete the application locally using the command line.
Application licensing
This section provides information about general concepts related to Kaspersky Endpoint Security licensing.
We recommend carefully reading the terms of the License Agreement before using the application.
You can view the terms of the License Agreement in the following ways:
By reading the license.txt file. This document is included in the application distribution kit and is also located in
the application installation folder %ProgramFiles(x86)%\Kaspersky Lab\KES\Doc\<locale>\KES.
By confirming that you agree with the End User License Agreement when installing the application, you signify your
acceptance of the terms of the End User License Agreement. If you do not accept the terms of the End User
License Agreement, you must abort the installation.
The license entitles you to use the application in accordance with the terms of the End User License Agreement,
and to receive technical support. The list of available features and application usage term depend on the type of
license under which the application was activated.
Commercial – a paid license that is provided when you purchase Kaspersky Endpoint Security.
Application functionality available under the commercial license depends on the choice of product. The
selected product is indicated in the License Certificate. Information on available products may be found on the
Kaspersky website.
When the commercial license expires, key features of the application become disabled. To continue using the
application, you must renew your commercial license. If you are not planning to renew your license, you must
remove the application from your computer.
Limitation on the number of licensed units (for example, the number of devices on which the application can be
used under the license).
License type.
About subscription
A subscription for Kaspersky Endpoint Security is a purchase order for the application with specific parameters
(such as the subscription expiry date and number of devices protected). You can order a subscription for
Kaspersky Endpoint Security from your service provider (such as your ISP). A subscription can be renewed
manually or automatically, or you may cancel your subscription. You can manage your subscription on the website
of the service provider.
Subscription can be limited (for one year, for example) or unlimited (without an expiry date). To keep Kaspersky
Endpoint Security working after the limited subscription term expires, you need to renew your subscription.
Unlimited subscription is renewed automatically if the vendor's services have been prepaid on time.
When a limited subscription expires, you may be provided a subscription renewal grace period during which the
application continues to function. The availability and duration of such a grace period is decided by the service
provider.
To use Kaspersky Endpoint Security under a subscription, you need to apply the activation code received from the
service provider. After the activation code is applied, the active key is added. The active key determines the license
for using the application under the subscription. You cannot activate the application under the subscription using a
key file. The service provider can only provide an activation code. It is not possible to add a reserve key under a
subscription.
Activation codes purchased under subscription may not be used to activate previous versions of Kaspersky
Endpoint Security.
A license certificate is not provided for a key that is added under a subscription.
You can add a license key to the application by either applying a key file or entering an activation code.
The key can be blocked by Kaspersky if the terms of the End User License Agreement are violated. If the key has
been blocked, you need to add a different key to continue using the application.
An active key is a key that is currently used by the application. A trial or commercial license key can be added as
the active key. The application cannot have more than one active key.
A reserve key is a key that entitles the user to use the application, but is not currently in use. At the expiry of the
active key, a reserve key automatically becomes active. A reserve key can be added only if the active key is
available.
A key for a trial license can be added only as an active key. It cannot be added as the reserve key. A trial license
key cannot replace the active key to a commercial license.
If a key is added to the list of prohibited keys, the application functionality defined by the license used to activate
the application remains available for eight days. The application notifies the user that the key has been added to
the list of prohibited keys. After eight days, application functionality becomes limited to the functionality level that
is available after license expiry. You can use protection and control components and run a scan using the
application databases that were installed before the license expired. The application also continues to encrypt files
that had been modified and encrypted before license expiration, but does not encrypt new files. Use of Kaspersky
Security Network is not available.
To activate the application with an activation code, Internet access is required to connect to Kaspersky activation
servers.
When the application is activated using an activation code, the active key is added. A reserve key can be added
only by using an activation code and cannot be added using a key file.
If an activation code is lost after activating the application, you can restore the activation code. You may need an
activation code, for example, to register a Kaspersky CompanyAccount. If the activation code was lost after the
application activation, contact the Kaspersky partner from whom you purchased the license.
You receive a key file at the email address that you provided when you purchased Kaspersky Endpoint Security or
ordered the trial version of Kaspersky Endpoint Security.
You do not need to connect to Kaspersky activation servers in order to activate the application with a key file.
You can recover a key file if it has been accidentally deleted. You may need a key file to register a Kaspersky
CompanyAccount, for example.
Obtain a key file on the Kaspersky website based on your existing activation code.
When the application is activated using a key file, an active key is added. A reserve key can be added only by using
a key file and cannot be added using an activation code.
Comparison of application functionality depending on license type for workstations (the extracted table lost its license-type columns and availability marks; only the feature rows are recoverable):
Advanced Threat Protection: Kaspersky Security Network, Behavior Detection, Exploit Prevention, Host Intrusion Prevention, Remediation Engine.
Essential Threat Protection: File Threat Protection, Web Threat Protection, Mail Threat Protection, Firewall, Network Threat Protection, BadUSB Attack Prevention, AMSI Protection.
Security Controls: Log Inspection, Application Control, Device Control, Web Control, Adaptive Anomaly Control, File Integrity Monitor.
Data Encryption: Kaspersky Disk Encryption, BitLocker Drive Encryption, File Level Encryption, Encryption of removable drives.
Detection and Response: Endpoint Detection and Response Optimum, Endpoint Detection and Response Expert, Kaspersky Sandbox (Kaspersky Sandbox license must be purchased separately).
Comparison of application functionality depending on license type for servers (same table layout; license-type columns and availability marks not recoverable):
Advanced Threat Protection: Kaspersky Security Network, Behavior Detection, Exploit Prevention, Host Intrusion Prevention, Remediation Engine.
Essential Threat Protection: File Threat Protection, Web Threat Protection, Mail Threat Protection, Firewall, Network Threat Protection, BadUSB Attack Prevention, AMSI Protection.
Security Controls: Log Inspection, Application Control, Device Control, Web Control, Adaptive Anomaly Control, File Integrity Monitor.
Data Encryption: Kaspersky Disk Encryption, BitLocker Drive Encryption, File Level Encryption, Encryption of removable drives.
Detection and Response: Endpoint Detection and Response Optimum, Endpoint Detection and Response Expert, Kaspersky Sandbox (Kaspersky Sandbox license must be purchased separately).
Locally from the application interface, by using the Activation Wizard. You can add both the active key and the
reserve key in this way.
By distributing a key stored on the Kaspersky Security Center Administration Server to the computers.
This method lets you automatically add a key to computers that are already connected to Kaspersky
Security Center, and to new computers. To use this method, you need to first add the key to the Kaspersky
Security Center Administration Server. For more details about adding keys to the Kaspersky Security
Center Administration Server, please refer to Kaspersky Security Center Help.
The activation code purchased under subscription is distributed in the first place.
It may take some time for the application to be activated with an activation code (during either remote or
non-interactive installation) due to load distribution across activation servers of Kaspersky. If you need to
activate the application right away, you may interrupt the ongoing activation process and start activation
using the Activation Wizard.
1. Open the Kaspersky Security Center Administration Console.
For more details about adding keys to the Kaspersky Security Center repository, please refer to the Kaspersky
Security Center Help.
Select the computers on which the task will be performed. The following options are available:
Assign the task to an administration group. In this case, the task is assigned to computers included in a
previously created administration group.
Select computers detected by the Administration Server in the network: unassigned devices. The specific
devices can include devices in administration groups as well as unassigned devices.
Specify device addresses manually, or import addresses from a list. You can specify NetBIOS names, IP
addresses, and IP subnets of devices to which you want to assign the task.
Configure a schedule for starting a task, for example, manually or when the computer is idle.
Enter a name for the task, such as Activate Kaspersky Endpoint Security for Windows.
Exit the Wizard. If necessary, select the Run the task after the wizard finishes check box. You can monitor
the progress of the task in the task properties. As a result, Kaspersky Endpoint Security will be activated on
users' computers in silent mode.
How to activate the application in the Web Console and Cloud Console
2. Click Add.
1. In the Application drop-down list, select Kaspersky Endpoint Security for Windows (12.5).
3. In the Task name field, enter a brief description, such as Activation of Kaspersky Endpoint Security for
Windows.
4. In the Select devices to which the task will be assigned block, select the task scope. Go to the next step.
Select the computers on which the task will be performed. The following options are available:
Assign the task to an administration group. In this case, the task is assigned to computers included in a
previously created administration group.
Select computers detected by the Administration Server in the network: unassigned devices. The specific
devices can include devices in administration groups as well as unassigned devices.
Specify device addresses manually, or import addresses from a list. You can specify NetBIOS names, IP
addresses, and IP subnets of devices to which you want to assign the task.
Select the license that you want to use to activate the application. Go to the next step.
Finish the wizard by clicking the Finish button. A new task will be displayed in the list of tasks. To run a task,
select the check box opposite the task and click the Start button. As a result, Kaspersky Endpoint Security
will be activated on users' computers in silent mode.
1. In the main application window, go to the License section.
In the properties of the Add key task, you can add a reserve key to the computer. A reserve key becomes active
when the active key expires or is deleted. The availability of a reserve key lets you avoid application functionality
limitations when a license expires.
How to automatically add a license key to computers through the Administration Console (MMC)
1. In the Administration Console, go to the folder Kaspersky Licenses.
A list of license keys opens.
3. In the General section, select the Automatically distribute license key to managed devices check box.
As a result, the key will be automatically distributed to the appropriate computers. During automatic
distribution of a key as an active or a reserve key, the licensing limit on the number of computers (set in the
key properties) is taken into account. If the licensing limit is reached, distribution of this key to computers
ceases automatically. You can view the number of computers to which the key has been added and other
data in the key properties in the Devices section.
How to automatically add a license key to computers through the Web Console and Cloud Console
1. In the main window of the Web Console, select Operations → Licensing → Kaspersky licenses.
A list of license keys opens.
3. On the General tab, enable the Automatically distribute license key to managed devices toggle switch.
As a result, the key will be automatically distributed to the appropriate computers. During automatic
distribution of a key as an active or a reserve key, the licensing limit on the number of computers (set in the
key properties) is taken into account. If the licensing limit is reached, distribution of this key to computers
ceases automatically. You can view the number of computers to which the key has been added and other
data in the key properties on the Devices tab.
If you are activating the application with an activation code, you need internet access to connect to Kaspersky
activation servers. If you are activating the application with a key file, internet access is not necessary. If the
computers are in an isolated network segment without internet access, to activate the application with a code, you
must allow using the Kaspersky Security Center Administration Server as a proxy server. That is, the application
can gain access to the activation servers through the Administration Server that has internet access.
How to allow using the Administration Server as a proxy server for activating the application in the Administration
Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
5. Select the Use Kaspersky Security Center as proxy server for activation check box.
How to allow using the Administration Server as a proxy server for activating the application in the Web Console
and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. Select the Use Kaspersky Security Center as proxy server for activation check box.
If you cannot activate the application with an activation code, you can try obtaining a key file through the Kaspersky
service and then activate the application again using a different method.
View the Key usage report for the organization's infrastructure (Monitoring & reporting → Reports).
View the statuses of computers on the Managed devices → Devices tab. If the application is not activated,
the computer will have the Application is not activated status.
Specifics of activating the application as a part of Kaspersky Security Center Cloud Console
A trial version is provided for Kaspersky Security Center Cloud Console. The trial version is a special version of
Kaspersky Security Center Cloud Console designed to familiarize a user with the features of the application. In this
version, you can perform actions in a workspace for a period of 30 days. All managed applications are automatically
run under a trial license for Kaspersky Security Center Cloud Console, including Kaspersky Endpoint Security.
However, you cannot activate Kaspersky Endpoint Security using its own trial license when the trial license for
Kaspersky Security Center Cloud Console expires. For detailed information about Kaspersky Security Center
licensing, please refer to the Kaspersky Security Center Cloud Console Help.
The trial version of Kaspersky Security Center Cloud Console does not allow you to subsequently switch to a
commercial version. Any trial workspace will be automatically deleted with all its contents after the 30-day
period expires.
In the main application window, go to the License section (see the figure below).
Licensing window
Key status. Several keys can be stored on a computer. There are two types of keys: active and reserve. The
application cannot have more than one active key. A reserve key can become active only after the active key
expires or after the active key is deleted by clicking Delete.
License type. The following types of licenses are available: trial and commercial.
Functionality. Application features that are available under your license. Features may include Protection,
Security Controls, Data Encryption, and others. The list of available features is also provided in the License
Certificate.
Additional information about the license. Start date and end date of the license term (only for the active key),
remaining duration of the license term.
License expiration time is displayed according to the time zone configured in the operating system.
Key. A key is a unique alphanumeric sequence that is generated from an activation code or a key file.
Buy license / Renew license. Opens the Kaspersky online store website, where you can purchase or renew a
license. To do so, please enter your company information and pay for the order.
Activate the application using a new license. Starts the Application Activation Wizard. In this Wizard you can
add a key using an activation code or a key file. The Application Activation Wizard allows you to add an active
key and only one reserve key.
Purchasing a license
You may purchase a license after installing the application. On purchasing a license, you receive an activation code
or a key file for activating the application.
To purchase a license:
If no keys have been added or a key for trial license has been added, click the Buy license button.
If the key for a commercial license is added, click the Renew license button.
A window will open with the website of the Kaspersky online store, where you can purchase a license.
Renewing subscription
When you use the application under subscription, Kaspersky Endpoint Security automatically contacts the
activation server at specific intervals until your subscription expires.
If you use the application under unlimited subscription, Kaspersky Endpoint Security automatically checks the
activation server for renewed keys in background mode. If a key is available on the activation server, the application
adds it by replacing the previous key. In this way, unlimited subscription for Kaspersky Endpoint Security is renewed
without user involvement.
If you are using the application under a limited subscription, on the expiration date of the subscription (or on the
expiration date of the subscription renewal grace period), Kaspersky Endpoint Security notifies you about this and
stops attempting to renew the subscription automatically. In this case, Kaspersky Endpoint Security behaves in the
same way as it does when a commercial license for the application expires: the application operates without
updates and the Kaspersky Security Network is unavailable.
To visit the website of the service provider from the application interface:
You can update subscription status manually. This may be required if the subscription has been renewed after
the grace period and the application has not updated the subscription status automatically.
Renewing subscription
Data provision
ID of the computer and ID of the specific Kaspersky Endpoint Security installation on the computer;
type, version and bit rate of the operating system, and name of the virtual environment (if Kaspersky Endpoint
Security is installed in a virtual environment);
IDs of Kaspersky Endpoint Security components that are active when the information is transmitted.
Kaspersky may also use this information to generate statistics on the dissemination and use of Kaspersky
software.
By using an activation code, you agree to automatically transmit the data listed above. If you do not agree to
transmit this information to Kaspersky, you should use a key file to activate Kaspersky Endpoint Security.
By accepting the terms of the End User License Agreement, you agree to automatically transmit the following
information:
active key;
key creation date;
hash of the detected file with a threat, and the name of this threat according to the Kaspersky
classification;
number of days that have elapsed since the key was added;
active key;
application type;
Received information is protected by Kaspersky in accordance with the law and the requirements and applicable
regulations of Kaspersky. Data is transmitted over encrypted communication channels.
Read the End User License Agreement and visit the Kaspersky website to learn more about how we receive,
process, store, and destroy information about application usage after you accept the End User License
Agreement and consent to the Kaspersky Security Network Statement. The license.txt and ksn_<language ID>.txt
files contain the text of the End User License Agreement and Kaspersky Security Network Statement and are
included in the application distribution kit.
Use of KSN under license on no more than 4 computers
By accepting the Kaspersky Security Network Statement, you agree to automatically transmit the following
information:
information about KSN configuration updates: identifier of the active configuration, identifier of the
configuration received, error code of the configuration update;
information about files and URL addresses to be scanned: checksums of the scanned file (MD5, SHA2-256,
SHA1) and file patterns (MD5), the size of the pattern, type of the detected threat and its name according to
Rightholder's classification, identifier for the anti-virus databases, URL address for which the reputation is
being requested, as well as the referrer URL address, the connection's protocol identifier and the number of the
port being used;
information about digital certificates being used needed to verify their authenticity: the checksums (SHA256)
of the certificate used to sign the scanned object and the certificate's public key;
IDs of the anti-virus databases and of the records in these anti-virus databases;
Information about activation of the Software on the Computer: signed header of the ticket from the activation
service (identifier of the regional activation center, checksum of the activation code, checksum of the ticket,
ticket creation date, unique identifier of the ticket, ticket version, license status, start/end date and time of
ticket validity, unique identifier of the license, license version), identifier of the certificate used to sign the ticket
header, checksum (MD5) of the key file;
Information about the Rightholder's Software: full version, type, version of the protocol used to connect to
Kaspersky services.
By accepting the Kaspersky Security Network Statement, you agree to automatically transmit the following
information:
If the Kaspersky Security Network check box is selected and the Enable extended KSN mode check box is
cleared, the application sends the following information:
information about KSN configuration updates: identifier of the active configuration, identifier of the
configuration received, error code of the configuration update;
information about files and URL addresses to be scanned: checksums of the scanned file (MD5, SHA2-256,
SHA1) and file patterns (MD5), the size of the pattern, type of the detected threat and its name according to
Rightholder's classification, identifier for the anti-virus databases, URL address for which the reputation is
being requested, as well as the referrer URL address, the connection's protocol identifier and the number of the
port being used;
information about digital certificates being used needed to verify their authenticity: the checksums (SHA256)
of the certificate used to sign the scanned object and the certificate's public key;
IDs of the anti-virus databases and of the records in these anti-virus databases;
Information about activation of the Software on the Computer: signed header of the ticket from the activation
service (identifier of the regional activation center, checksum of the activation code, checksum of the ticket,
ticket creation date, unique identifier of the ticket, ticket version, license status, start/end date and time of
ticket validity, unique identifier of the license, license version), identifier of the certificate used to sign the ticket
header, checksum (MD5) of the key file;
Information about the Rightholder's Software: full version, type, version of the protocol used to connect to
Kaspersky services.
If the Enable extended KSN mode check box is selected in addition to the Kaspersky Security Network check
box, the application sends the following information in addition to the information listed above:
information about the results of categorization of the requested web-resources, which contains the processed
URL and IP address of the host, the version of the Software's component that performed the categorization,
the method of categorization and set of the categories defined for the web-resource;
information about the software installed on the Computer: names of the software applications and software
vendors, registry keys and their values, information about files of the installed software components
(checksums (MD5, SHA2-256, SHA1), name, path to the file on the Computer, size, version and the digital
signature);
information about the state of anti-virus protection of the Computer: the versions and the release timestamps
of the anti-virus databases being used, the ID of the task and the ID of Software that performs scanning;
information about files being downloaded by the End User: the URL and IP addresses of the download and the
download pages, download protocol identifier and connection port number, the status of the URLs as malicious
or not, file's attributes, size and checksums (MD5, SHA2-256, SHA1), information about the process that
downloaded the file (checksums (MD5, SHA2-256, SHA1), creation/build date and time, autoplay status,
attributes, names of packers, information about signatures, executable file flag, format identifier, and entropy),
file name and its path on the Computer, the file's digital signature and timestamp of its generation, the URL
address where detection occurred, the script's number on the page that appears to be suspicious or harmful,
information about HTTP requests generated and the response to them;
information about the running applications and their modules: data about processes running on the system
(process ID (PID), process name, information about the account the process was started from, the application
and command that started the process, the sign of trusted program or process, the full path to the process's
files and their checksums (MD5, SHA2-256, SHA1), and the starting command line, level of the process's
integrity, a description of the product that the process belongs to (the name of the product and information
about the publisher), as well as digital certificates being used and information needed to verify their
authenticity or information about the absence of a file's digital signature), and information about the modules
loaded into the processes (their names, sizes, types, creation dates, attributes, checksums (MD5, SHA2-256,
SHA1), the paths to them on the Computer), PE-file header information, names of packers (if the file was
packed);
information about all potentially malicious objects and activities: name of the detected object and full path to
the object on the computer, checksums of processed files (MD5, SHA2-256, SHA1), detection date and time,
names and sizes of infected files and paths to them, path template code, executable file flag, indicator of
whether the object is a container, names of the packer (if the file was packed), file type code, file format ID, list
of actions performed by malware and the decision made by the software and user in response to them, IDs of
the anti-virus databases and of the records in these anti-virus databases that were used to make the decision,
indicator of a potentially malicious object, the name of the detected threat according to the Rightholder's
classification, the level of danger, the detection status and detection method, reason for inclusion into the
analyzed context and sequence number of the file in the context, checksums (MD5, SHA2-256, SHA1), the name
and attributes of the executable file of the application through which the infected message or link was
transmitted, depersonalized IP addresses (IPv4 and IPv6) of the host of the blocked object, file entropy, file
autorun indicator, time when the file was first detected in the system, the number of times the file has been run
since the last statistics were sent, information about the name, checksums (MD5, SHA2-256, SHA1) and size of
the mail client through which the malicious object was received, ID of the software task that performed the
scan, indicator of whether the file reputation or signature was checked, file processing result, checksum (MD5)
of the pattern collected for the object, the size of the pattern in bytes, and the technical specifications of the
applied detection technologies;
information about scanned objects: the assigned trust group to which and/or from which the file has been
placed, the reason the file was placed in that category, category identifier, information about the source of the
categories and the version of the category database, the file's trusted certificate flag, name of the file's vendor,
file version, name and version of the software application which includes the file;
information about vulnerabilities detected: the vulnerability ID in the database of vulnerabilities, the vulnerability
danger class;
information about emulation of the executable file: file size and its checksums (MD5, SHA2-256, SHA1), the
version of the emulation component, emulation depth, an array of properties of logical blocks and functions
within logical blocks obtained during the emulation, data from the executable file's PE headers;
the IP addresses of the attacking computer (IPv4 and IPv6), the number of the port on the Computer that the
network attack is directed at, identifier of the protocol of the IP packet containing the attack, the attack's
target (organization name, website), flag for the reaction to the attack, the attack's weight, trust level;
information about attacks associated with spoofed network resources, the DNS and IP addresses (IPv4 and
IPv6) of visited websites;
DNS and IP addresses (IPv4 or IPv6) of the requested web resource, information about the file and web client
accessing the web resource, the name, size and checksums (MD5, SHA2-256, SHA1) of the file, full path to the
file and path template code, the result of checking its digital signature, and its status in KSN;
information about rollback of malware actions: data on the file whose activity was rolled back (name of the file,
full path to the file, its size and checksums (MD5, SHA2-256, SHA1)), data on successful and unsuccessful
actions to delete, rename and copy files and restore the values in the registry (names of registry keys and their
values), and information about system files modified by malware, before and after rollback;
Information about the exclusions set for the Adaptive Anomaly Control component: the ID and status of the
rule that was triggered, the action performed by the Software when the rule was triggered, the type of user
account under which the process or the thread performs suspicious activity, information about the process
that performed or was subject to the suspicious activity (script ID or process file name, full path to the process
file, path template code, checksums (MD5, SHA2-256, SHA1) of the process file); information about the object
that performed the suspicious actions and about the object that was subject to the suspicious actions
(registry key name or file name, full path to the file, path template code, and checksums (MD5, SHA2-256, SHA1)
of the file);
information about loaded software modules: name, size and checksums (MD5, SHA2-256, SHA1) of the module
file, full path to it and the path template code, digital signature settings of the module file, date and time of
signature creation, name of the subject and organization that signed the module file, ID of the process in which
the module was loaded, name of the module supplier, and the sequence number of the module in the loading
queue;
information about the quality of Software interaction with the KSN services: start and end date and time of the
period when the statistics were generated, information about the quality of requests and connection to each
of the KSN services used (KSN service ID, number of successful requests, number of requests with responses
from cache, number of unsuccessful requests (network problems, KSN being disabled in the Software settings,
incorrect routing), time spread of the successful requests, time spread of the cancelled requests, time spread
of the requests with exceeded time limit, number of connections to KSN taken from cache, number of
successful connections to KSN, number of unsuccessful connections to KSN, number of successful
transactions, number of unsuccessful transactions, time spread of the successful connections to KSN, time
spread of the unsuccessful connections to KSN, time spread of the successful transactions, time spread of the
unsuccessful transactions);
113
if a potentially malicious object is detected, information is provided about data in the processes' memory:
elements of the system object hierarchy (ObjectManager), data in UEFI BIOS memory, names of registry keys
and their values;
information about events in the system logs: the event's timestamp, the name of the log in which the event
was found, type and category of the event, name of the event's source and the event's description;
information about network connections: version and checksums (MD5, SHA2-256, SHA1) of the file from which
the process was started that opened the port, the path to the process's file and its digital signature, local and
remote IP addresses, numbers of local and remote connection ports, connection state, timestamp of the port's
opening;
information about the date of Software installation and activation on the Computer: the ID of the partner that
sold the license, the serial number of the license, the signed header of the ticket from the activation service
(the ID of a regional activation center, the checksum of the activation code, the checksum of the ticket, the
ticket creation date, the unique ID of the ticket, the ticket version, the license status, the ticket start/end date
and time, the unique ID of the license, the license version), the ID of the certificate used to sign the ticket
header, the checksum (MD5) of the key file, the unique ID of Software installation on the Computer, the type
and ID of the application that gets updated, the ID of the update task;
information about the set of all installed updates, and the set of most recently installed/removed updates, the
type of event that caused the update information to be sent, duration since the installation of last update,
information about any currently installed anti-virus databases;
information about software operation on the computer: data on CPU usage, data on memory usage (Private
Bytes, Non-Paged Pool, Paged Pool), number of active threads in the software process and pending threads,
and the duration of software operation prior to the error;
number of software dumps and system dumps (BSOD) since the Software was installed and since the time of
the last update, the identifier and version of the Software module that crashed, the memory stack in the
Software's process, and information about the anti-virus databases at the time of the crash;
data on the system dump (BSOD): a flag indicating the occurrence of the BSOD on the Computer, the name of
the driver that caused the BSOD, the address and memory stack in the driver, a flag indicating the duration of
the OS session before the BSOD occurred, memory stack of driver that crashed, type of stored memory dump,
flag for the OS session before BSOD lasted more than 10 minutes, unique identifier of the dump, timestamp of
the BSOD;
information about errors or performance problems that occurred during operation of the Software
components: the status ID of the Software, error type, code and cause as well as the time when the error
occurred, the IDs of the component, module and process of the product in which the error occurred, the ID of
the task or update category during which the error occurred, logs of drivers used by the Software (error code,
module name, name of the source file and the line where the error occurred);
information about updates of anti-virus databases and Software components: the name, date and time of
index files downloaded during the last update and being downloaded during the current update;
information about abnormal termination of the Software operation: the creation timestamp of the dump, its
type, the type of event that caused the abnormal termination of the Software operation (unexpected power-off,
third-party application crash), date and time of the unexpected power-off;
information about the compatibility of Software drivers with hardware and Software: information about OS
properties that restrict the functionality of Software components (Secure Boot, KPTI, WHQL Enforce,
BitLocker, Case Sensitivity), type of download Software installed (UEFI, BIOS), Trusted Platform Module (TPM)
identifier, TPM specification version, information about the CPU installed on the Computer, operating mode
and parameters of Code Integrity and Device Guard, operating mode of drivers and reason for use of the
current mode, version of Software drivers, software and hardware virtualization support status of the
Computer;
information about third-party applications that caused the error: their name, version and localization, the error
code and information about the error from the system log of applications, the address of the error and memory
stack of the third-party application, a flag indicating the occurrence of the error in the Software component,
the length of time the third-party application was in operation before the error occurred, checksums (MD5,
SHA2-256, SHA1) of the application process image, in which the error occurred, path to the application process
image and template code of the path, information from the system log with a description of the error
associated with the application, information about the application module, in which an error occurred
(exception identifier, crash memory address as an offset in the application module, name and version of the
module, identifier of the application crash in the Rightholder's plug-in and memory stack of the crash, duration
of the application session before crash);
version of the Software updater component, number of crashes of the updater component while running
update tasks over the lifetime of the component, ID of the update task type, number of failed attempts of the
updater component to complete update tasks;
information about the operation of the Software system monitoring components: full versions of the
components, date and time when the components were started, code of the event that overflowed the event
queue and number of such events, the total number of queue overflow events, information about the file of the
process of the initiator of the event (file name and its path on the Computer, template code of the file path,
checksums (MD5, SHA2-256, SHA1) of the process associated with the file, file version), identifier of the event
interception that occurred, the full version of the interception filter, identifier of the type of the intercepted
event, size of the event queue and the number of events between the first event in the queue and the current
event, number of overdue events in the queue, information about the file of the process of the initiator of the
current event (file name and its path on the Computer, template code of the file path, checksums (MD5, SHA2-
256, SHA1) of the process associated with the file), duration of the event processing, maximum duration of the
event processing, probability of sending statistics, information about OS events for which the processing time
limit was exceeded (date and time of the event, number of repeated initializations of anti-virus databases, date
and time of the last repeated initialization of anti-virus databases after their update, event processing delay
time for each system monitoring component, number of queued events, number of processed events, number
of delayed events of the current type, total delay time for the events of the current type, total delay time for all
events);
information from the Windows event tracing tool (Event Tracing for Windows, ETW) in the event of Software
performance problems, suppliers of SysConfig / SysConfigEx / WinSATAssessment events from Microsoft:
information about the Computer (model, manufacturer, form factor of the housing, version), information about
Windows performance metrics (WinSAT assessments, Windows performance index), domain name, information
about physical and logical processors (number of physical and logical processors, manufacturer, model,
stepping level, number of cores, clock frequency, CPUID, cache characteristics, logic processor characteristics,
indicators of supported modes and instructions), information about RAM modules (type, form factor,
manufacturer, model, capacity, granularity of memory allocation), information about network interfaces (IP and
MAC addresses, name, description, configuration of network interfaces, breakdown of number and size of
network packages by type, speed of network exchange, breakdown of number of network errors by type),
configuration of IDE controller, IP addresses of DNS servers, information about the video card (model,
description, manufacturer, compatibility, video memory capacity, screen permission, number of bits per pixel,
BIOS version), information about plug-and-play devices (name, description, device identifier [PnP, ACPI]),
information about disks and storage devices (number of disks or flash drives, manufacturer, model, disk
capacity, number of cylinders, number of tracks per cylinder, number of sectors per track, sector capacity,
cache characteristics, sequential number, number of partitions, configuration of SCSI controller), information
about logical disks (sequential number, partition capacity, volume capacity, volume letter, partition type, file
system type, number of clusters, cluster size, number of sectors per cluster, number of empty and occupied
clusters, letter of bootable volume, offset address of partition in relation to the start of the disk), information
about BIOS motherboard (manufacturer, release date, version), information about motherboard (manufacturer,
model, type), information about physical memory (shared and free capacity), information about operating
system services (name, description, status, tag, information about processes [name and PID]), energy
consumption parameters for the Computer, configuration of interrupt controller, path to Windows system
folders (Windows and System32), information about the OS (version, build, release date, name, type, installation
date), size of page file, information about monitors (number, manufacturer, screen permission, resolution
capacity, type), information about video card driver (manufacturer, release date, version);
information from ETW, suppliers of EventTrace / EventMetadata events from Microsoft: information on the
sequence of system events (type, time, date, time zone), metadata about the file with tracing results (name,
structure, tracing parameters, breakdown of number of trace operations by type), information about the OS
(name, type, version, build, release date, start time);
information from ETW, suppliers of Process / Microsoft Windows Kernel Process / Microsoft Windows Kernel
Processor Power events from Microsoft: information about started and completed processes (name, PID, start
parameters, command line, return code, power management parameters, start and completion time, access
token type, SID, SessionID, number of descriptors installed), information about changes in thread priorities (TID,
priority, time), information about disk operations of the process (type, time, capacity, number), history of
changes to the structure and capacity of usable memory processes;
information from ETW, suppliers of StackWalk / PerfInfo events from Microsoft: information about
performance counters (performance of individual code sections, sequence of function calls, PID, TID, addresses
and attributes of ISRs and DPCs);
information from ETW, suppliers of FileIo / DiskIo / Image / Windows Kernel Disk events from Microsoft:
information on file and disk operations (type, capacity, start time, completion time, duration, completion status,
PID, TID, driver function call addresses, I/O Request Packet (IRP), Windows file object attributes), information
about files involved in file and disk operations (name, version, size, full path, attributes, offset, image checksum,
open and access options);
information from ETW, supplier of PageFault events from Microsoft: information on memory page access errors
(address, time, capacity, PID, TID, attributes of Windows file object, memory allocation parameters);
information from ETW, supplier of Thread events from Microsoft: information on thread creation/completion,
information on threads started (PID, TID, size of stack, priorities and allocation of CPU resources, I/O resources,
memory pages between threads, stack address, address of init function, address of Thread Environment Block
(TEB), Windows service tag);
information from ETW, supplier of Microsoft Windows Kernel Memory events from Microsoft: information about
memory management operations (completion status, time, quantity, PID), memory allocation structure (type,
capacity, SessionID, PID);
information about Software operation in the event of performance problems: Software installation identifier,
type and value of drop in performance, information about the sequence of events within the Software (time,
time zone, type, completion status, Software component identifier, Software operating scenario identifier, TID,
PID, function call addresses), information about network connections to be checked (URL, direction of the
connection, size of network package), information about PDB files (name, identifier, image size of executable
file), information about files to be checked (name, full path, checksum), Software performance monitoring
parameters;
information about the last unsuccessful OS restart: the number of unsuccessful restarts since OS installation,
data on the system dump (code and parameters of an error, name, version and checksum (CRC32) of the
module that caused an error in the OS operation, error address as an offset in the module, checksums (MD5,
SHA2-256, SHA1) of the system dump);
information to verify authenticity of digital certificates being used to sign files: the certificate's fingerprint, the
checksum algorithm, the certificate's public key and serial number, the name of the issuer of the certificate, the
result of certificate validation and the certificate's database identifier;
information about the process executing the attack on the Software's self-defense: the name and size of the
process file, its checksums (MD5, SHA2-256, SHA1), the full path to the process file and the template code of
the file path, the creation/build timestamps, executable file flag, attributes of the process file, information
about the certificate used to sign the process file, code of the account used to launch the process, ID of
operations performed to access the process, type of resource with which the operation is performed (process,
file, registry object, FindWindow search function), name of resource with which the operation is performed, flag
indicating success of the operation, the status of the file of the process and its signature according to the KSN;
information about the Rightholder's Software: full version, type, localization and operation state of Software
used, versions of the installed Software components and their operation state, information about the installed
Software updates, the value of the TARGET filter, the version of the protocol used to connect to the
Rightholder's services;
information about hardware installed on the Computer: type, name, model name, firmware version, parameters
of built-in and connected devices, the unique identifier of the Computer with the installed Software;
information about the versions of the operating system and installed updates, the word size, edition and
parameters of the OS run mode, version and checksums (MD5, SHA2-256, SHA1) of the OS kernel file, and OS
startup date and time;
the name, size and version of the file being sent, its description and checksums (MD5, SHA2-256, SHA1), file
format identifier, the name of the file's vendor, the name of the product to which the file belongs, full path to
the file on the Computer, template code of the path, the creation and modification timestamps of the file;
start and end date/time of the validity period of the certificate (if the file has a digital signature), the date
and the time of the signature, the name of the issuer of the certificate, information about the certificate
holder, the fingerprint, the certificate's public key and appropriate algorithms, and the certificate's serial
number;
checksums (MD5, SHA2-256, SHA1) of the name of the Computer on which the process is running;
identifier for the anti-virus databases, name of the detected threat according to the Rightholder's
classification;
data about the installed license, its identifier, type and expiration date;
names and paths of the files that were accessed by the process;
names of registry keys and their values that were accessed by the process;
URL and IP addresses that were accessed by the process;
The specific set of data depends on the solution within which Kaspersky Endpoint Security is used.
All data that the application stores locally on the computer is deleted from the computer when Kaspersky
Endpoint Security is uninstalled.
Kaspersky Endpoint Security automatically submits data on the IOC Scan task execution results to Kaspersky
Security Center.
The data in the IOC Scan task execution results may contain the following information:
Log name
Event time
File size
Remote IP address and port to which connection was established during scan
Process name
Process arguments
Service name
Service description
Service status
Volume name
Volume letter
Volume type
Registry setting
System (environment)
Name and version of the operating system that is installed on the computer
Browser name
Browser version
Full path to the file of the process that made the HTTP request
Windows identifier (PID) of the process that made the HTTP request
Information about the HTTP user agent (the application that made the HTTP request)
Data for creating a threat development chain is stored for seven days by default. The data is automatically sent to
Kaspersky Security Center.
Data for creating a threat development chain may contain the following information:
Detection name
Scan mode
Reason why execution of actions on the object failed
Membership of the user account that started the process in the privileged local and domain groups
Web address of the processed object download (only for files on disk)
Name of the application that downloaded the file
MD5 and SHA256 hashes of the application that last modified the file
Date and time when the processed object was first started
Identifier of the process into which the malicious code was embedded
Kaspersky Sandbox
All data that the application stores locally on the computer is deleted from the computer when Kaspersky
Endpoint Security is uninstalled.
Service data
Kaspersky Endpoint Security stores the following data processed during automatic response:
Processed files and data entered by the user during configuration of the built-in agent of Kaspersky Endpoint
Security:
Quarantined files
Public key of the certificate used for integration with Kaspersky Sandbox
ID of the user session in the operating system where the object scan task was created
System identifier (SID) of the operating system user whose account was used to create the task
Information about the tasks for which the built-in agent of Kaspersky Endpoint Security is awaiting scan results
from Kaspersky Sandbox:
ID of the user session in the operating system where the object scan task was created
System identifier (SID) of the operating system user whose account was used to create the task
Processing errors
Data in requests to Kaspersky Sandbox
The following data from requests from the built-in agent of Kaspersky Endpoint Security to Kaspersky Sandbox is
stored locally on the computer:
Kaspersky Endpoint Security automatically submits data on the IOC Scan task execution results to Kaspersky
Security Center.
The data in the IOC Scan task execution results may contain the following information:
Log name
Event time
File size
Remote IP address and port to which connection was established during scan
Process name
Process arguments
Path to the process file
Service name
Service description
Service status
Volume name
Volume letter
Volume type
Registry setting
System (environment)
Name and version of the operating system that is installed on the computer
Browser name
Browser version
URL from the HTTP request
Full path to the file of the process that made the HTTP request
Windows identifier (PID) of the process that made the HTTP request
Information about the HTTP user agent (the application that made the HTTP request)
All data that the application stores locally on the computer is deleted from the computer when Kaspersky
Endpoint Security is uninstalled.
Service data
The built-in agent of Kaspersky Endpoint Security stores the following data locally:
Processed files and data entered by the user during configuration of the built-in agent of Kaspersky Endpoint
Security:
Quarantined files
Public key of the certificate used for integration with Central Node
License data
Data in requests to KATA (EDR)
When integrating with Kaspersky Anti Targeted Attack Platform, the following data is stored locally on the
computer:
Data from the built-in agent of Kaspersky Endpoint Security requests to the Central Node component:
In synchronization requests:
Unique ID
Computer name
Computer IP address
Name and version of the operating system that is installed on the computer
Basic part of the web address of the server with the Central Node component installed
Host IP address
Host IP address
Information about the objects detected during an IOC scan or YARA scan
Task completion time
Information about the objects submitted to the server, quarantined objects, and objects restored from
quarantine: paths to objects, MD5 and SHA256 hashes, identifiers of quarantined objects
Information about the processes started or stopped on a computer at the server's request: PID and
UniquePID, error code, MD5 and SHA256 hashes of the objects
Information about the services started or stopped on a computer at the server's request: service name,
startup type, error code, MD5 and SHA256 hashes of file images of the services
Information about the objects for which a memory dump was made for a YARA scan (paths, dump file
identifier)
Telemetry packets
Process ID
Login session ID
Data on files:
File path
File name
File size
File attributes
File description
Company name
Registry key (for autorun points)
Data in errors that occur when information about objects was retrieved:
Full name of the object that was processed when an error occurred
Error code
Telemetry data:
Host IP address
Data from requests of the Central Node component to the built-in agent of Kaspersky Endpoint Security:
Task settings:
Task type
Names and passwords of the accounts under which the tasks can be run
Versions of settings
IOC files
Service name
Folders for which the results of the Get forensic task must be received
Masks of the object names and extensions for the Get forensic task
Network isolation settings:
Types of settings
Versions of settings
Lists of network isolation exclusions and exclusion settings: traffic direction, IP addresses, ports, protocols,
and full paths to executable files
Types of settings
Versions of settings
Lists of execution prevention rules and rule settings: paths to objects, types of objects, MD5 and SHA256
hashes of objects
Module names
User names
The built-in agent of Kaspersky Endpoint Security automatically transfers YARA scan results to Kaspersky Anti
Targeted Attack Platform to build a threat development chain.
The data is temporarily stored locally in the queue for sending task execution results to the Kaspersky Anti
Targeted Attack Platform server. The data is deleted from the temporary storage once it has been sent.
File path
File size
Process name
Process arguments
Dump writing.
Irrespective of the data classification and territory from which the data is received, Kaspersky adheres to high
standards for data security and employs various legal, organizational and technical measures to protect the data
of users, to guarantee data security and confidentiality, and also to ensure the fulfillment of users' rights as
guaranteed by applicable legislation. The text of the Privacy Policy is included in the application distribution kit and
is available on the Kaspersky website.
Prior to using Kaspersky Endpoint Security, please carefully read the description of transmitted data in the End
User License Agreement and Kaspersky Security Network Statement. If specific data transmitted from Kaspersky
Endpoint Security under any of the described scenarios may be classified as personal data according to your local
legislation or standard, you must ensure that such data is processed legally and obtain the consent of end users
for the collection and transmission of such data.
Read the End User License Agreement and visit the Kaspersky website to learn more about how we receive,
process, store, and destroy information about application usage after you accept the End User License
Agreement and consent to the Kaspersky Security Network Statement. The license.txt and ksn_<language ID>.txt
files contain the text of the End User License Agreement and Kaspersky Security Network Statement and are
included in the application distribution kit.
If you do not want to transmit data to Kaspersky, you can disable data provision.
Using Kaspersky Security Network
By using Kaspersky Security Network, you agree to automatically provide the data listed in the Kaspersky Security
Network Statement. If you do not agree to provide this data to Kaspersky, use Kaspersky Private Security Network
(KPSN) or disable the use of KSN. For more details about KPSN, please refer to the documentation on Kaspersky
Private Security Network.
By using an activation code, you agree to automatically provide the data listed in the End User License Agreement.
If you do not agree to provide this data to Kaspersky, use a key file to activate Kaspersky Endpoint Security.
By using Kaspersky servers, you agree to automatically provide the data listed in the End User License Agreement.
Kaspersky requires this information to verify that Kaspersky Endpoint Security is being legitimately used. If you do
not agree to provide this information to Kaspersky, use Kaspersky Security Center for database updates or
Kaspersky Update Utility.
By using links in the application interface, you agree to automatically provide the data listed in the End User
License Agreement. The precise list of data transmitted in each specific link depends on where the link is located in
the application interface and which problem it aims to resolve. If you do not agree to provide this data to
Kaspersky, use the simplified application interface or hide the application interface.
Dump writing
If you have enabled dump writing, Kaspersky Endpoint Security will create a dump file that will contain all memory
data from application processes at the moment when this dump file was created.
Getting started
After installing Kaspersky Endpoint Security, you can manage the application using the following interfaces:
Kaspersky Security Center lets you remotely install and uninstall, start and stop Kaspersky Endpoint Security,
con gure application settings, change the set of available application components, add keys, and start and stop
update and scan tasks.
The application can be managed via Kaspersky Security Center using the Kaspersky Endpoint Security
Management Plug-in.
For more details on managing the application through Kaspersky Security Center, refer to the Kaspersky Security
Center Help .
Kaspersky Security Center Web Console and Kaspersky Security Center Cloud Console
Kaspersky Security Center Web Console (hereinafter also referred to as Web Console) is a web application
intended for centrally performing the main tasks to manage and maintain the security system of an organization's
network. Web Console is a Kaspersky Security Center component that provides a user interface. For detailed
information about Kaspersky Security Center Web Console, please refer to the Kaspersky Security Center Help .
Kaspersky Security Center Cloud Console (hereinafter also referred to as the "Cloud Console") is a cloud-based
solution for protecting and managing an organization's network. For detailed information about Kaspersky Security
Center Cloud Console, please refer to the Kaspersky Security Center Cloud Console Help .
Management of Kaspersky Endpoint Security through the Web Console, Cloud Console, and Kaspersky Security
Center Administration Console all provide di erent management capabilities. The available components and tasks
also vary for the di erent Consoles.
133
The Kaspersky Endpoint Security for Windows Management Plug-in enables interaction between Kaspersky
Endpoint Security and Kaspersky Security Center. The Management Plug-in lets you manage Kaspersky Endpoint
Security by using policies, tasks, and local application settings. Interaction with Kaspersky Security Center Web
Console is provided by the web plug-in.
The version of the Management Plug-in may differ from the version of Kaspersky Endpoint Security installed on the client computer. If the installed Management Plug-in is older than Kaspersky Endpoint Security and lacks some of its functions, the settings of those functions are not governed by the Management Plug-in at all: they are not set by policy, and the user can modify them in the local interface of Kaspersky Endpoint Security. If those settings must stay under central control, keep the Management Plug-in version at or above the application version.
The web plug-in is not installed by default in Kaspersky Security Center Web Console. In contrast to the
Management Plug-in for the Kaspersky Security Center Administration Console, which is installed on the
administrator workstation, the web plug-in must be installed on a computer that has Kaspersky Security Center
Web Console installed. The functionality of the web plug-in is available to all administrators that have access to
Web Console in a browser. You can view the list of installed web plug-ins in Web Console interface: Console
settings → Web plug-ins. For more details about the compatibility of web plug-in versions and Web Console,
refer to the Kaspersky Security Center Help.
Install web plug-in using Quick Start Wizard of Kaspersky Security Center Web Console.
Web Console automatically prompts you to run the Quick Start Wizard when connecting Web Console to the Administration Server for the first time. You can also run the Quick Start Wizard in the Web Console interface (Discovery & Deployment → Deployment & Assignment → Quick Start Wizard). The Quick Start Wizard can also check if the installed web plug-ins are up to date and download the necessary updates. For more details on the Quick Start Wizard for Kaspersky Security Center Web Console, please refer to the Kaspersky Security Center Help.
Install web plug-in from the list of available distribution packages in Web Console.
To install the web plug-in, select the distribution package of the Kaspersky Endpoint Security web plug-in in the
Web Console interface: Console settings → Web plug-ins. The list of available distribution packages is
updated automatically after new versions of Kaspersky applications are released.
Download the distribution package to the Web Console from an external source.
To install the web plug-in, add the ZIP-archive of the distribution package for the Kaspersky Endpoint Security
web plug-in in the Web Console interface: Console settings → Web plug-ins. The distribution package of the
web plug-in can be downloaded on the Kaspersky website, for example.
To update the Kaspersky Endpoint Security for Windows Management Plug-in, download the latest version of the
plug-in (included in distribution kit) and run the plug-in installation wizard.
If a new version of the web plug-in becomes available, Web Console will display the notification Updates are available for utilized plug-ins. You can proceed to update the web plug-in version from this Web Console notification. You can also manually check for new web plug-in updates in the Web Console interface (Console settings → Web plug-ins). The previous version of the web plug-in will be automatically removed during the update.
When the web plug-in is updated, already existing items (for example, policies or tasks) are saved. The new
settings of items implementing new functions of Kaspersky Endpoint Security will appear in existing items and
will have the default values.
Update the web plug-in in the list of web plug-ins in online mode.
To update the web plug-in, you must select the distribution package of the Kaspersky Endpoint Security web
plug-in in the Web Console interface (Console settings → Web plug-ins). Web Console checks for available
updates on Kaspersky servers and downloads the relevant updates.
If any item is opened (such as a policy or task), the web plug-in checks its compatibility information. If the version of the web plug-in is equal to or later than the version specified in the compatibility information, you can change the settings of this item. Otherwise, you cannot use the web plug-in to change the settings of the selected item. It is recommended to update the web plug-in.
If any item is opened (such as a policy or task), the Management Plug-in checks its compatibility information. If the version of the Management Plug-in is equal to or later than the version specified in the compatibility information, you can change the settings of this item. Otherwise, you cannot use the Management Plug-in to change the settings of the selected item. It is recommended to upgrade the Management Plug-in.
If the Kaspersky Endpoint Security Management Plug-in is installed in the Administration Console, please consider
the following when installing a new version of the Management Plug-in:
The previous version of the Kaspersky Endpoint Security Management Plug-in will be removed.
The new version of the Kaspersky Endpoint Security Management Plug-in supports management of the
previous version of Kaspersky Endpoint Security for Windows on users' computers.
You can use the new version of the Management Plug-in to change the settings in policies, tasks, and other
items created by the previous version of the Management Plug-in.
For new settings, the new version of the Management Plug-in assigns the default values when a policy, policy profile, or task is saved for the first time.
After the Management Plug-in is upgraded, it is recommended to check and save the values of the new settings in policies and policy profiles. If you do not do this, the new groups of Kaspersky Endpoint Security settings on the user's computer take the default values and remain editable by the user (the open-lock attribute), so nothing enforces them. It is recommended to check the settings starting with policies and policy profiles at the top level of the hierarchy. It is also recommended to use a user account that has access rights to all functional areas of Kaspersky Security Center.
To learn about the new capabilities of the application, please refer to the Release Notes or the application
help.
If a new parameter has been added to a group of settings in the new version of the Management Plug-in, the previously defined state of the open/closed lock attribute for this group of settings is not changed.
Encryption. The contents of messages are confidential and are not disclosed to third-party users.
Integrity. The message recipient is certain that the message contents have not been modified since the message was forwarded by the sender.
Authentication. The recipient is certain that communication is established only with a trusted Kaspersky server.
Kaspersky Endpoint Security uses public key certificates for server authentication. A public key infrastructure (PKI) is required for working with certificates, and a Certificate Authority is part of a PKI. Kaspersky operates its own Certificate Authority because Kaspersky services are highly technical, non-public endpoints rather than public websites. As a result, if root certificates of Thawte, VeriSign, GlobalTrust or other public authorities are revoked, the Kaspersky PKI remains operational without disruption.
Environments with an HTTPS Inspection tool in the path (MITM software or hardware that terminates TLS, parses HTTPS traffic and re-signs the server certificate with its own CA) are treated as unsafe by Kaspersky Endpoint Security. Errors may be encountered when working with Kaspersky services, for example errors regarding the use of self-signed certificates. These errors occur because the HTTPS Inspection tool in your environment does not recognize the Kaspersky PKI, so the certificate chain the application receives is not the one it expects. To rectify these problems, configure exclusions in the inspection tool so that traffic to Kaspersky external services bypasses inspection.
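To tell whether an HTTPS Inspection tool sits between a client and a Kaspersky service, compare the certificate the client actually receives with what Windows makes of its chain. The following PowerShell diagnostic is an added example, not code from Kaspersky or from this help. The host name placeholder and the issuer pattern Kaspersky are assumptions: replace them with the service address taken from your own connection logs and with the issuer you observe from a network that has no inspection.

```powershell
# Added example (not Kaspersky code): show who issued the certificate that
# this endpoint receives from a TLS server, and whether Windows trusts it.
# An HTTPS Inspection proxy re-signs the server certificate with its own CA,
# so the issuer changes and, if that CA is not in the local store, the chain
# fails with UntrustedRoot (the "self-signed certificate" error in the text).
function Get-PresentedTlsCertificate {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int] $Port = 443
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        # Accept any certificate during the handshake: the goal is to capture
        # the presented leaf even when the chain does not validate.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Server)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        # Build the chain against this machine's trust store, so the verdict
        # matches what other Windows software on the host would see.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $null = $chain.Build($leaf)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        [pscustomobject]@{
            Server      = $Server
            Subject     = $leaf.Subject
            Issuer      = $leaf.Issuer
            Root        = $root.Subject
            ChainStatus = (($chain.ChainStatus | ForEach-Object Status) -join ', ')
            Thumbprint  = $leaf.Thumbprint
        }
    }
    finally {
        $tcp.Dispose()
    }
}

# Classify the result. $ExpectedIssuerPattern is an ASSUMPTION: record the
# issuer you see from a network without inspection and use that string here.
function Test-HttpsInspection {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [string] $ExpectedIssuerPattern = 'Kaspersky'
    )
    $cert = Get-PresentedTlsCertificate -Server $Server
    $cert | Add-Member -NotePropertyName LikelyInspected -NotePropertyValue ($cert.Issuer -notmatch $ExpectedIssuerPattern)
    $cert | Add-Member -NotePropertyName ChainTrusted    -NotePropertyValue ($cert.ChainStatus -eq '')
    $cert
}

# Usage: the host below is a PLACEHOLDER, not a name from the help, and will
# not resolve; substitute the Kaspersky service host from your connection logs.
Test-HttpsInspection -Server 'kaspersky-service.example' | Format-List
```

Read the output as two independent signals. LikelyInspected = True with ChainTrusted = True means an inspection CA that the host already trusts is re-signing the traffic, which still breaks the application's own expectation of the Kaspersky PKI. LikelyInspected = True with a ChainStatus such as UntrustedRoot is the self-signed-certificate error described above. Either way the fix is an exclusion on the inspecting device, not a trust change on the endpoint.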
Application interface
Main application window
Monitoring
Reports. View events that occurred during operation of the application, individual
components and tasks.
Backup. View a list of saved copies of infected files that the application has deleted.
Network Monitor. View information about network activity of the computer in real time.
Encryption Monitor. Monitors the disk encryption or decryption process in real time.
Encryption Monitor is available if the Kaspersky Disk Encryption component or BitLocker
Drive Encryption component is installed.
Security. Operating status of installed components. You can also proceed to configuring components or viewing reports.
Update. Manage Kaspersky Endpoint Security update tasks. You can update anti-virus databases and application modules and roll back the last update. An administrator can hide the section from the user or restrict task management.
Tasks. Manage Kaspersky Endpoint Security scan tasks. You can run a malware scan and application integrity check. An administrator can hide tasks from a user or restrict management of tasks.
License. Application licensing. You can purchase a license, activate the application or renew a subscription. You can also view information about the current license.
Configure application settings. An administrator can prohibit changes to settings in Kaspersky Security Center.
Information about the application: current version of Kaspersky Endpoint Security, database release date, key, and other information. You can also proceed to Kaspersky information resources that provide useful information, recommendations, and answers to frequently asked questions on how to purchase, install, and use the application.
Messages containing information about available updates and requests for access to encrypted files and devices.
If the application icon in the taskbar notification area is hidden, the administrator has disabled the display of the application interface in the policy.
It acts as a shortcut to the context menu and main window of the application.
The following application icon statuses are provided for displaying application operating information:
The icon signifies that critically important protection components of the application are enabled. Kaspersky Endpoint Security will display a warning if the user is required to perform an action, for example, restart the computer after updating the application.
The icon signifies that critically important protection components of the application are disabled or have malfunctioned. Protection components may malfunction, for example, if the license has expired or as a result of an application error. Kaspersky Endpoint Security will display a warning with a description of the problem in computer protection.
The context menu of the application icon contains the following items:
Kaspersky Endpoint Security for Windows. Opens the main application window. In this window, you can adjust
the operation of application components and tasks, and view the statistics of processed les and detected
threats.
Pause protection / Resume protection. Pauses the operation of all protection and control components that are not locked (closed-lock attribute) in the policy. Prior to performing this operation, it is recommended to disable the Kaspersky Security Center policy.
Prior to pausing the operation of protection and control components, the application requests the password for accessing Kaspersky Endpoint Security (account password or temporary password). You can then select the pause period: for a specific amount of time, until a restart, or until the user requests a resume.
This context menu item is available only if Password Protection is enabled. To resume the operation of protection and control components, click Resume protection in the context menu of the application.
Pausing the operation of protection and control components does not affect the performance of update and malware scan tasks. The application also continues using Kaspersky Security Network.
Disable policy / Enable policy. Disables the Kaspersky Security Center policy on the computer. All Kaspersky Endpoint Security settings then become available for configuration, including settings that have a closed lock in the policy. When the policy is disabled, the application requests the password for accessing Kaspersky Endpoint Security (account password or temporary password). This context menu item is available only if Password Protection is enabled. To enable the policy again, select Enable policy in the context menu of the application.
Support. This opens a window containing the information necessary for contacting Kaspersky Technical
Support.
Exit. This item quits Kaspersky Endpoint Security. Clicking this context menu item causes the application to be
unloaded from the computer RAM.
Disable policy / Enable policy. Disables the Kaspersky Security Center policy on the computer. All Kaspersky Endpoint Security settings then become available for configuration, including settings that have a closed lock in the policy. When the policy is disabled, the application requests the password for accessing Kaspersky Endpoint Security (account password or temporary password). This context menu item is available only if Password Protection is enabled. To enable the policy again, select Enable policy in the context menu of the application.
Rollback of databases to their previous version.
Full Scan.
Custom Scan.
Update.
Support. This opens a window containing the information necessary for contacting Kaspersky Technical
Support.
Exit. This item quits Kaspersky Endpoint Security. Clicking this context menu item causes the application to be
unloaded from the computer RAM.
Context menu of the application icon when displaying the simpli ed interface
Display simplified interface. On a client computer, the main application window is inaccessible, and only the icon in the Windows notification area is available. In the context menu of the icon, the user can perform a limited number of operations with Kaspersky Endpoint Security. Kaspersky Endpoint Security also displays notifications above the application icon.
Display user interface. On a client computer, the main window of Kaspersky Endpoint Security and the icon in the Windows notification area are available. In the context menu of the icon, the user can perform operations with Kaspersky Endpoint Security. Kaspersky Endpoint Security also displays notifications above the application icon.
Do not display. On a client computer, no signs of Kaspersky Endpoint Security operation are displayed. The icon in the Windows notification area and notifications are not available.
How to configure the application interface display mode in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
Select the Display user interface check box if you want the following interface elements to be
displayed on the client computer:
Kaspersky Endpoint Security icon in the Microsoft Windows taskbar notification area
If this check box is selected, the user can view and, depending on the available rights, change
application settings from the application interface.
Clear the Display user interface check box if you want to hide all signs of Kaspersky Endpoint Security
on the client computer.
6. In the Interaction with user block, select the Display simplified interface check box if you want the simplified application interface to be displayed on a client computer that has Kaspersky Endpoint Security installed.
How to configure the application interface display mode in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Interaction with user block, configure how the application interface will be displayed:
With simplified interface. On a client computer, the main application window is inaccessible, and only the icon in the Windows notification area is available. In the context menu of the icon, the user can perform a limited number of operations with Kaspersky Endpoint Security. Kaspersky Endpoint Security also displays notifications above the application icon.
With full interface. On a client computer, the main window of Kaspersky Endpoint Security and the icon in the Windows notification area are available. In the context menu of the icon, the user can perform operations with Kaspersky Endpoint Security. Kaspersky Endpoint Security also displays notifications above the application icon.
No interface. On a client computer, no signs of Kaspersky Endpoint Security operation are displayed. The icon in the Windows notification area and notifications are not available.
Getting started
After deploying the application on client computers, to work with Kaspersky Endpoint Security from Kaspersky
Security Center Web Console you need to perform the following actions:
1. Open the Kaspersky Security Center Administration Console.
Create the list of objects that Kaspersky Endpoint Security will scan while performing a scan task.
Disinfect, delete if disinfection fails. If this option is selected, the application automatically attempts to disinfect all infected files that are detected. If disinfection fails, the application deletes the files.
Disinfect, inform if disinfection fails. If this option is selected, Kaspersky Endpoint Security automatically attempts to disinfect all infected files that are detected. If disinfection is not possible, Kaspersky Endpoint Security adds the information about the infected files that are detected to the list of active threats.
Inform. If this option is selected, Kaspersky Endpoint Security adds the information about infected files to the list of active threats on detection of these files.
Run Advanced Disinfection immediately. If the check box is selected, Kaspersky Endpoint Security uses
the Advanced Disinfection technology to treat active threats during the scan.
Advanced disinfection technology is aimed at purging the operating system of malicious applications that
have already started their processes in RAM and that prevent Kaspersky Endpoint Security from removing
them by using other methods. The threat is neutralized as a result. While Advanced Disinfection is in
progress, you are advised to refrain from starting new processes or editing the operating system registry.
The advanced disinfection technology uses considerable operating system resources, which may slow
down other applications. After the advanced disinfection is complete, Kaspersky Endpoint Security will
restart the computer without asking the user for con rmation.
Configure the task run mode using the Run only when the computer is idle check box. This check box enables or disables the function that suspends the Malware Scan task when computer resources are limited because the computer is in use. When it is selected, Kaspersky Endpoint Security pauses the Malware Scan task while the screensaver is off and the computer is unlocked, and runs it only while the computer is idle.
Select the computers on which the task will be performed. The following options are available:
Assign the task to an administration group. In this case, the task is assigned to computers included in a
previously created administration group.
Select computers detected by the Administration Server in the network: unassigned devices. The specific devices can include devices in administration groups as well as unassigned devices.
Specify device addresses manually, or import addresses from a list. You can specify NetBIOS names, IP addresses, and IP subnets of devices to which you want to assign the task.
Select an account to run the Malware Scan task. By default, Kaspersky Endpoint Security starts the task with the rights of a local user account. If the scan scope includes network drives or other objects with restricted access, select a user account with sufficient access rights.
Configure a schedule for starting the task, for example, manually or after anti-virus databases are downloaded to the repository.
Enter a name for the task, for example, Daily full scan.
Exit the Wizard. If necessary, select the Run the task after the wizard finishes check box. You can monitor the progress of the task in the task properties. As a result, the Malware Scan task will be executed on the user computers in accordance with the specified schedule.
1. In the main window of the Web Console, select Devices → Tasks.
The list of tasks opens.
2. Click Add.
The Task Wizard starts.
a. In the Application drop-down list, select Kaspersky Endpoint Security for Windows (12.5).
c. In the Task name field, enter a brief description, for example, Weekly scan.
d. In the Select devices to which the task will be assigned block, select the task scope.
4. Select devices according to the selected task scope option. Go to the next step.
5. Select an account to run the task. By default, Kaspersky Endpoint Security starts the task with the rights
of a local user account.
9. Click Start.
You can monitor the status of the task, and the number of devices on which the task was completed
successfully or completed with an error.
As a result, the Malware Scan task will be executed on the user computers in accordance with the specified schedule.
Managing policies
A policy is a collection of application settings that are defined for an administration group. You can configure multiple policies with different values for one application. An application can run under different settings for different administration groups. Each administration group can have its own policy for an application.
Policy settings are sent to client computers by Network Agent during synchronization. By default, the Administration Server triggers synchronization immediately after policy settings are changed; UDP port 15000 on the client computer is used for this, so that port must be reachable from the Administration Server. Independently of that, the Administration Server performs synchronization every 15 minutes by default. If synchronization fails after policy settings were changed, the next synchronization attempt will be performed according to the configured schedule.
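When a changed policy does not show up on a computer until much later, the usual cause is that the immediate synchronization could not reach UDP port 15000 on the client and the change waited for the scheduled run. The following PowerShell check is an added example, not a Kaspersky tool: the port number is the one stated above, while the expectation that the Network Agent process is the owner of the binding is an assumption to confirm on your own hosts. It does not evaluate every firewall rule dimension (profile, program, remote address), only protocol and local port.

```powershell
# Added example (not Kaspersky code): check that the client-side policy
# synchronization port is bound and allowed through Windows Defender Firewall.
# The port number (UDP 15000) comes from the help; that the Network Agent
# process owns it is an ASSUMPTION to confirm on your own hosts.
function Test-PolicySyncPort {
    param([int] $Port = 15000)

    # Which process, if any, has the UDP port open? Without a binding the
    # Administration Server's change notification cannot reach this computer,
    # and the changed policy waits for the next scheduled synchronization.
    $endpoints = @(Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue)
    $owner = $null
    if ($endpoints.Count -gt 0) {
        $owner = Get-Process -Id $endpoints[0].OwningProcess -ErrorAction SilentlyContinue
    }

    # Is there an enabled inbound Allow rule whose port filter covers the port?
    # Port filters may hold 'Any', a single port or an array of ports; ranges
    # such as '15000-15010' are not expanded here and need a manual look.
    # Other rule filters (profile, program, remote address) are not evaluated.
    $allowRules = @(
        Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
            Where-Object {
                $pf = $_ | Get-NetFirewallPortFilter
                $ports = @($pf.LocalPort)
                ($pf.Protocol -in @('UDP', 'Any')) -and
                (($ports -contains 'Any') -or ($ports -contains "$Port"))
            }
    )

    [pscustomobject]@{
        Port            = $Port
        Bound           = ($endpoints.Count -gt 0)
        OwningProcess   = $(if ($owner) { "$($owner.ProcessName) (PID $($owner.Id))" } else { $null })
        LocalAddresses  = (($endpoints | ForEach-Object LocalAddress) -join ', ')
        FirewallAllowed = ($allowRules.Count -gt 0)
        AllowingRules   = (($allowRules | ForEach-Object DisplayName) -join '; ')
    }
}

# A healthy host reports Bound = True and FirewallAllowed = True. Bound = False
# means nothing listens on the port; FirewallAllowed = False means pushes from
# the Administration Server are dropped and only the periodic schedule applies.
Test-PolicySyncPort | Format-List
```

Run it in an elevated session on the managed computer; Get-NetFirewallRule and Get-NetUDPEndpoint both come with the built-in NetSecurity and NetTCPIP modules, so nothing needs to be installed.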
You can create an unlimited number of inactive policies. An inactive policy does not affect application settings on computers in the network. Inactive policies are intended as preparations for emergency situations, such as a virus attack. If there is an attack via flash drives, you can activate a policy that blocks access to flash drives. In this case, the active policy automatically becomes inactive.
An out-of-office policy is activated when a computer leaves the organization network perimeter.
Settings inheritance
Policies, like administration groups, are arranged in a hierarchy. By default, a child policy inherits settings from the parent policy. A child policy is a policy for nested hierarchy levels, that is, a policy for nested administration groups and secondary Administration Servers. You can disable the inheritance of settings from the parent policy.
Each policy setting has a lock attribute, which indicates whether the setting can be modified in child policies or in the local application settings: a closed lock means the value is enforced and cannot be changed below, an open lock means it can. The lock attribute is applicable only if inheritance of parent policy settings is enabled for the child policy. Out-of-office policies do not affect other policies through the hierarchy of administration groups.
Settings inheritance
The rights to access policy settings (read, write, execute) are specified for each user who has access to the Kaspersky Security Center Administration Server and separately for each functional scope of Kaspersky Endpoint Security. To configure access rights to policy settings, go to the Security section of the properties window of Kaspersky Security Center Administration Server (by default, this section is hidden in the console interface).
Creating a policy
1. Open the Kaspersky Security Center Administration Console.
2. In the Managed devices folder in the Administration Console tree, select the folder with the name of the
administration group to which the relevant client computers belong.
1. In the main window of the Web Console, select Devices → Policies & Profiles.
4. Please read and accept the terms of the Kaspersky Security Network (KSN) Statement and click Next.
Active. After the next synchronization, the policy will be used as the active policy on the computer.
Inactive. Backup policy. If necessary, an inactive policy can be switched to active status.
Out-of-office. The policy is activated when a computer leaves the organization network perimeter.
Inherit settings from parent policy. If this toggle button is switched on, the policy setting values are inherited from the top-level policy. Policy settings cannot be edited if the closed lock is set for them in the parent policy.
Force inheritance of settings in child policies. If the toggle button is on, the values of the policy settings are propagated to the child policies. In the properties of the child policy, the Inherit settings from parent policy toggle button will be automatically switched on and cannot be switched off. Child policy settings are inherited from the parent policy, except for the settings marked with the open lock. Child policy settings cannot be edited if the closed lock is set for them in the parent policy.
6. On the Application settings tab, you can con gure the Kaspersky Endpoint Security policy settings.
As a result, Kaspersky Endpoint Security settings will be configured on client computers during the next synchronization. You can view information about the policy that is being applied to the computer in the Kaspersky Endpoint Security interface by clicking the policy button on the main screen (for example, the policy name). To do so, in the settings of the Network Agent policy, you need to enable the receipt of extended policy data. For more details about a Network Agent policy, please refer to the Kaspersky Security Center Help.
The security level indicator is displayed in the upper part of the properties window. The indicator can take one of
the following values:
High protection level. The indicator takes this value and turns green if all components from the following
categories are enabled:
Behavior Detection.
Exploit Prevention.
Remediation Engine.
Password protection.
Medium protection level. The indicator takes this value and turns yellow if one of the important components is
disabled.
Low protection level. The indicator takes this value and turns red in one of the following cases:
If the indicator has the Medium protection level or Low protection level value, a link that opens the Component
selection window appears to the right of the indicator. In this window, you can enable any of the recommended
protection components.
Security level indicator of the policy
Task management
You can create the following types of tasks to administer Kaspersky Endpoint Security through Kaspersky Security
Center:
Local tasks that are con gured for an individual client computer.
Group tasks that are con gured for client computers within administration groups.
You can create any number of group tasks, tasks for a selection of computers, or local tasks. For more details about working with administration groups and selections of computers, please refer to the Kaspersky Security Center Help.
Malware Scan. Kaspersky Endpoint Security scans the computer areas specified in the task settings for viruses and other threats. The Malware Scan task is required for the operation of Kaspersky Endpoint Security and is created during the Quick Start Wizard. It is recommended to schedule the task to run at least once a week.
Add key. Kaspersky Endpoint Security adds a key for activating applications, including an additional key. Before
running the task, make sure that the number of computers, on which the task is to be executed, does not
exceed the number of computers allowed by the license.
Change application components. Kaspersky Endpoint Security installs or removes components on client computers according to the list of components specified in the task settings. The File Threat Protection component cannot be removed. The optimal set of Kaspersky Endpoint Security components helps to conserve computer resources.
Inventory. Kaspersky Endpoint Security receives information about all application executable les that are
stored on computers. The Inventory task is performed by the Application Control component. If the
Application Control component is not installed, the task will end with an error.
Update. Kaspersky Endpoint Security updates databases and application modules. The Update task is required for the operation of Kaspersky Endpoint Security and is created during the Quick Start Wizard. It is recommended to configure a schedule that runs the task at least once per day.
Wipe data. Kaspersky Endpoint Security deletes files and folders from users' computers immediately or if there is no connection with Kaspersky Security Center for a long time.
Update rollback. Kaspersky Endpoint Security rolls back the last update of databases and application modules. This may be necessary if, for example, new databases contain incorrect data that could cause Kaspersky Endpoint Security to block a safe application.
Application Integrity Check. Kaspersky Endpoint Security analyzes application files, checks files for corruption or modifications, and verifies the digital signatures of application files.
Manage Authentication Agent accounts. Kaspersky Endpoint Security configures the Authentication Agent account settings. An Authentication Agent is needed for working with encrypted drives. Before the operating system is loaded, the user needs to complete authentication with the Agent.
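The Application Integrity Check task verifies the digital signatures of the application's own files. An administrator who wants an independent spot check of the same property, Authenticode signatures on the installed binaries, can do it from PowerShell. The block below is an added example, not a Kaspersky tool and not a substitute for the task, which knows the full expected file set. Both parameters are assumptions: the installation folder must be adjusted to where Kaspersky Endpoint Security is installed on your hosts, and the signer pattern should be replaced with the certificate subject you observe on a known-good installation.

```powershell
# Added example (not Kaspersky code): report executable files under an
# installation folder whose Authenticode signature is missing, invalid, or
# from an unexpected signer. A quick tamper spot check; it does not replace
# the Application Integrity Check task. Both parameters are ASSUMPTIONS.
function Test-InstallFolderSignatures {
    param(
        [string] $Path = "${env:ProgramFiles(x86)}\Kaspersky Lab",   # assumed location
        [string] $ExpectedSignerPattern = 'Kaspersky'                 # assumed signer
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Installation folder not found: $Path"
    }

    Get-ChildItem -LiteralPath $Path -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Get-AuthenticodeSignature validates the embedded signature against
            # the local trust store; Status is Valid only if the hash matches and
            # the signer chains to a trusted root.
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                File    = $_.FullName
                Status  = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer  = $signer
                Suspect = ($sig.Status -ne 'Valid') -or ($signer -notmatch $ExpectedSignerPattern)
            }
        }
}

# Show only the files that need attention; an empty result is the good case.
Test-InstallFolderSignatures | Where-Object Suspect | Format-Table -AutoSize File, Status, Signer
```

A HashMismatch on a file that is otherwise signed by the expected subject is the case worth escalating: it means the file on disk no longer matches what was signed, which is exactly what the integrity task is meant to surface.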
1. In the main window of the Web Console, select Devices → Tasks.
The list of tasks opens.
2. Click Add.
The Task Wizard starts.
a. In the Application drop-down list, select Kaspersky Endpoint Security for Windows (12.5).
b. In the Task type drop-down list, select the task that you want to run on user computers.
d. In the Select devices to which the task will be assigned block, select the task scope.
4. Select devices according to the selected task scope option. Go to the next step.
5. Select an account to run the task. By default, Kaspersky Endpoint Security starts the task with the rights
of a local user account.
A new task will be displayed in the list of tasks. The task will have the default settings. To configure the task settings, you need to go to the task properties. To run a task, you need to select the check box opposite the task and click the Start button. After the task has started, you can pause the task and resume it later.
In the list of tasks, you can monitor the task results, which include the task status and the statistics for task performance on computers. You can also create a selection of events to monitor the completion of tasks (Monitoring & reporting → Event selections). For more details on event selection, refer to the Kaspersky Security Center Help. Task execution results are also saved locally in the Windows event log and in Kaspersky Endpoint Security reports.
The rights to access Kaspersky Endpoint Security tasks (read, write, execute) are defined for each user who has access to Kaspersky Security Center Administration Server, through the settings of access to functional areas of Kaspersky Endpoint Security. To configure access to the functional areas of Kaspersky Endpoint Security, go to the Security section of the properties window of Kaspersky Security Center Administration Server. For more details on task management through Kaspersky Security Center, please refer to the Kaspersky Security Center Help.
You can configure users' rights to access tasks using a policy (task management mode). For example, you can hide group tasks in the Kaspersky Endpoint Security interface.
How to configure the task management mode in the Kaspersky Endpoint Security interface through the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
5. Configure the task management mode (see the table below).
How to configure the task management mode in the Kaspersky Endpoint Security interface through the Web Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. Configure the task management mode (see the table below).
Parameter Description
Allow use of local tasks. If the check box is selected, local tasks are displayed in the Kaspersky Endpoint Security local interface. When there are no additional policy restrictions, the user can configure and run tasks. However, configuring the task run schedule remains unavailable to the user; the user can run tasks only manually. If the check box is cleared, use of local tasks is stopped: local tasks do not run according to schedule, and tasks cannot be started or configured in the local interface of Kaspersky Endpoint Security or from the command line. A user can still start a scan of a file or folder by selecting the Scan for viruses option in the context menu of the file or folder; that scan is started with the default settings of the custom scan task.
Allow group tasks to be displayed. If the check box is selected, group tasks are displayed in the Kaspersky Endpoint Security local interface, and the user can view the list of all tasks in the application interface. If the check box is cleared, Kaspersky Endpoint Security displays an empty task list.
Allow management of group tasks. If the check box is selected, users can start and stop group tasks specified in Kaspersky Security Center, either in the application interface or in the simplified application interface. If the check box is cleared, group tasks run only when Kaspersky Endpoint Security starts scheduled tasks automatically or when the administrator starts them manually in Kaspersky Security Center.
Configuring local application settings
In Kaspersky Security Center, you can configure Kaspersky Endpoint Security settings on a particular computer.
These are the local application settings. Some settings may be inaccessible for editing: they are locked by the
lock attribute in the policy properties.
How to configure the local application settings in the Administration Console (MMC)
2. In the Managed devices folder in the Administration Console tree, open the folder with the name of the
administration group to which the relevant client computers belong.
6. In the list of Kaspersky applications installed on the computer, select Kaspersky Endpoint Security for
Windows and double-click to open the application properties.
7. In the General Settings section, configure Kaspersky Endpoint Security as well as Reports and Storage.
The other sections of the Kaspersky Endpoint Security for Windows application settings window are
standard for Kaspersky Security Center. A description of these sections is provided in the Kaspersky
Security Center Help.
If an application is subject to a policy that prohibits changes to specific settings, you will not be able to
edit them while configuring application settings in the General settings section.
How to configure the local application settings in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Managed devices.
2. Select the computer for which you want to configure local application settings.
This opens the computer properties.
Local application settings are the same as policy settings, except for encryption settings.
Downloading Kaspersky Endpoint Security anti-virus databases after the operating system starts can take up
to two minutes, depending on the capabilities of the computer. During this time, the level of computer
protection is reduced. Downloading anti-virus databases when Kaspersky Endpoint Security is started on an
already running operating system does not reduce the level of computer protection.
How to configure the startup of Kaspersky Endpoint Security in the Administration Console (MMC)
3. Select the necessary policy and double-click to open the policy properties.
5. Use the Start the application on computer startup (recommended) check box to configure the
application startup.
How to configure the startup of Kaspersky Endpoint Security in the Web Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. Use the Start the application on computer startup (recommended) check box to configure the
application startup.
How to configure the startup of Kaspersky Endpoint Security in the application interface
1. In the main application window, click the button.
3. Use the Start the application on computer startup (recommended) check box to configure the
application startup.
Kaspersky experts recommend against manually stopping Kaspersky Endpoint Security because doing so
exposes the computer and your personal data to threats. If necessary, you can pause computer protection for
as long as you need to, without stopping the application.
You can monitor the application status by using the Protection Status widget.
How to start or stop Kaspersky Endpoint Security in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
2. In the Managed devices folder in the Administration Console tree, open the folder with the name of the
administration group to which the relevant client computers belong.
6. In the list of Kaspersky applications installed on the computer, select Kaspersky Endpoint Security for
Windows and double-click to open the application properties.
8. Do the following:
To start the application, click the button to the right of the list of Kaspersky applications.
To stop the application, click the button to the right of the list of Kaspersky applications.
1. In the main window of the Web Console, select Devices → Managed devices.
2. Click the name of the computer on which you want to start or stop Kaspersky Endpoint Security.
The computer properties window opens.
4. Select the check box opposite Kaspersky Endpoint Security for Windows.
How to start or stop Kaspersky Endpoint Security from the command line
1. Run the command line interpreter (cmd.exe) as an administrator.
3. To start the application from the command line, enter klpsm.exe start_avp_service.
4. To stop the application from the command line, enter klpsm.exe stop_avp_service.
Stopping the application from the command line is possible only if external management of system services is
enabled.
The application status is displayed using the application icon in the taskbar notification area.
The icon signifies that computer protection and control are paused.
The icon signifies that computer protection and control are enabled.
Pausing or resuming computer protection and control does not affect scan or update tasks.
If any network connections are already established when you pause or resume computer protection and control, a
notification about the termination of these network connections is displayed.
1. Right-click to bring up the context menu of the application icon that is in the taskbar notification area.
2. In the context menu, select Pause protection (see the figure below).
This context menu item is available if Password Protection is enabled.
Pause for <time period> – computer protection and control will resume after the amount of time that is
specified in the drop-down list below.
Pause until application restart – computer protection and control will resume after you restart the
application or restart the operating system. Automatic startup of the application must be enabled to use
this option.
Pause – computer protection and control will resume when you decide to re-enable them.
Kaspersky Endpoint Security will pause the operation of all protection and control components that are not
marked by a lock ( ) in the policy. Prior to performing this operation, it is recommended to disable the Kaspersky
Security Center policy.
1. Right-click to bring up the context menu of the application icon that is in the taskbar noti cation area.
You can resume computer protection and control at any time, regardless of the computer protection and
control pause option that you selected previously.
Perform local installation of Kaspersky Endpoint Security via the command line with predefined settings.
To do so, you must save the configuration file in the same folder where the distribution package is located.
Perform remote installation of Kaspersky Endpoint Security via Kaspersky Security Center with predefined
settings.
Migrate Kaspersky Endpoint Security settings from one computer to another (see the instructions below).
3. Click Export.
4. In the window that opens, specify the path where you want to save the configuration file, and enter its name.
To use the configuration file for local or remote installation of Kaspersky Endpoint Security, you must name
it install.cfg.
3. Click Import.
4. In the window that opens, enter the path to the configuration file.
All values of Kaspersky Endpoint Security settings will be set according to the selected configuration file.
To restore the default application settings:
3. Click Restore.
Malware Scan
Malware scan is vital to computer security. Regularly run malware scans to rule out the possibility of spreading
malware that is undetected by protection components due to a low security level setting or for other reasons.
Kaspersky Endpoint Security does not scan files whose contents are located in OneDrive cloud storage, and
creates log entries stating that these files have not been scanned.
Full Scan
A thorough scan of the entire computer. Kaspersky Endpoint Security scans the following objects:
Kernel memory;
Boot sectors;
Kaspersky experts recommend that you do not change the scan scope of the Full Scan task.
To conserve computer resources, it is recommended to use a background scan task instead of a full scan task.
This will not affect the security level of the computer.
Critical Areas Scan
By default, Kaspersky Endpoint Security scans the kernel memory, running processes, and disk boot sectors.
Kaspersky experts recommend that you do not change the scan scope of the Critical Areas Scan task.
Custom Scan
Kaspersky Endpoint Security scans the objects that are selected by the user. You can scan any object from the
following list:
System memory
Hard, removable, and network drives
Any selected file
Background Scan
Background Scan is a scan mode of Kaspersky Endpoint Security that does not display notifications for the user.
Background scan requires fewer computer resources than other types of scans (such as a full scan). In this mode,
Kaspersky Endpoint Security scans startup objects, the boot sector, system memory, and the system partition.
Kaspersky Endpoint Security checks the application modules for corruption or modifications.
Kaspersky Endpoint Security has the following standard tasks predefined: Full Scan, Critical Areas Scan, Custom
Scan. If your organization has the Kaspersky Security Center administration system deployed, you can create a
Malware Scan task and configure the scan. The Background Scan task is also available in Kaspersky Security
Center. The background scan cannot be configured.
3. Select the scan task and double-click to open the task properties.
If necessary, create the Malware Scan task.
Kaspersky Endpoint Security will start scanning the computer. If the user has interrupted the execution of
the task (for example, by powering off the computer), Kaspersky Endpoint Security automatically runs the
task again, continuing from the point where the scan was interrupted.
How to run a scan task in the Web Console and Cloud Console
Kaspersky Endpoint Security will start scanning the computer. If the user has interrupted the execution of
the task (for example, by powering off the computer), Kaspersky Endpoint Security automatically runs the
task again, continuing from the point where the scan was interrupted.
Kaspersky Endpoint Security will start scanning the computer. The application shows the scan progress,
the number of scanned files, and the scan time remaining. You can stop the task at any time by clicking the
Stop button. If the scan task is not displayed, the administrator has prohibited the use of local tasks in
the policy.
As a result, Kaspersky Endpoint Security scans the computer and, if a threat is detected, executes the action
configured in the application settings. Typically the application attempts to disinfect infected files. As a result,
infected files can receive the following statuses:
Postponed. The infected file could not be disinfected. The application deletes the infected file after computer
restart.
Logged. The infected file could not be disinfected. The application adds information about detected infected
files to the list of active threats.
Write not supported or Write error. The infected file could not be disinfected. The application has no write
access.
Already processed. The application detected an infected file earlier. The application disinfects or deletes the
infected file after computer restart.
Scan settings
Parameter / Description

Security level
  Kaspersky Endpoint Security can use different groups of settings for running a scan. These groups of settings stored in the application are called security levels:
  - High. Kaspersky Endpoint Security scans all types of files. When scanning compound files, the application also scans mail-format files.
  - Recommended. Kaspersky Endpoint Security scans only the specified file formats on all hard drives, network drives, and removable storage media of the computer, and also embedded OLE objects. The application does not scan archives or installation packages.
  - Low. Kaspersky Endpoint Security scans only new or modified files with the specified extensions on all hard drives, removable drives, and network drives of the computer. The application does not scan compound files.
  You can select one of the preset security levels or manually configure security level settings. If you change the security level settings, you can always revert to the recommended security level settings.

Action on threat detection
  - Disinfect, delete if disinfection fails. If this option is selected, the application automatically attempts to disinfect all infected files that are detected. If disinfection fails, the application deletes the files.
  - Disinfect, block if disinfection fails. If this option is selected, Kaspersky Endpoint Security automatically attempts to disinfect all infected files that are detected. If disinfection is not possible, Kaspersky Endpoint Security adds information about the detected infected files to the list of active threats.
  - Inform. If this option is selected, Kaspersky Endpoint Security adds information about infected files to the list of active threats on detection of these files.
  On detection of infected files that are part of a Windows Store application, Kaspersky Endpoint Security attempts to delete the file.

Run Advanced Disinfection immediately (available only in the Kaspersky Security Center Console)
  Advanced Disinfection during a virus scan task on a computer is performed only if the Advanced Disinfection feature is enabled in the properties of the policy applied to this computer.
  If the check box is selected, Kaspersky Endpoint Security disinfects the active infection immediately after it is detected during the execution of the virus scan task. After the active infection is disinfected, Kaspersky Endpoint Security reboots the computer without prompting the user.
  If the check box is cleared, Kaspersky Endpoint Security does not disinfect the active infection immediately after it is detected during the execution of the virus scan task. Kaspersky Endpoint Security generates active infection events in local application reports and on the Kaspersky Security Center side. The active infection can be disinfected when the virus scan task is run again with the Advanced Disinfection feature turned on. In this way, the system administrator can choose the appropriate time to perform Advanced Disinfection and subsequently reboot the computers automatically.

Scan scope
  List of objects that Kaspersky Endpoint Security scans while performing a scan task. Objects within the scan scope can include the kernel memory, running processes, boot sectors, system backup storage, mail databases, hard drives, removable drives or network drives, folders or files.

Scan schedule
  - Manually. Run mode in which you start the scan manually at a time that is convenient for you.
  - By schedule. In this scan task run mode, the application starts the scan task in accordance with the schedule that you create. If this scan task run mode is selected, you can also start the scan task manually.

Postpone running after application startup for N minutes
  Postponed start of the scan task after application startup. At operating system startup, many processes are running, therefore it is advantageous to postpone running the scan task instead of running it immediately after Kaspersky Endpoint Security startup.

Run skipped tasks
  If the check box is selected, Kaspersky Endpoint Security starts the skipped task as soon as it becomes possible. The task may be skipped, for example, if the computer was off at the scheduled task start time. When the application gets an opportunity to execute missed tasks, it runs the tasks randomly within a certain time interval to distribute the load on the computer.
  If the check box is cleared, Kaspersky Endpoint Security does not run skipped tasks. Instead, it carries out the next task in accordance with the current schedule.

Run only when the computer is idle
  Postponed start of the scan task when computer resources are busy. Kaspersky Endpoint Security starts the scan task if the computer is locked or if the screen saver is on. If you have interrupted the execution of the task, for example by unlocking the computer, Kaspersky Endpoint Security automatically runs the task again, continuing from the point where it was interrupted.

Run scan as
  By default, the scan task runs under the account of the user who is logged in to the operating system. The scan scope may include network drives or other objects that require special rights to access. You can specify a user that has the required rights in the application settings and run the scan task under this user's account.

File types
  - All files. If this setting is enabled, Kaspersky Endpoint Security checks all files without exception (all formats and extensions).
  - Files scanned by format. If this setting is enabled, the application scans infectable files only. Before scanning a file for malicious code, the internal header of the file is analyzed to determine the format of the file (for example, .txt, .doc, or .exe). The scan also looks for files with particular file extensions.
  - Files scanned by extension. If this setting is enabled, the application scans infectable files only. The file format is then determined based on the file's extension.
  By default, Kaspersky Endpoint Security scans files by their format. Scanning files by extension is less safe because a malicious file can have an extension that is not on the list of potentially infectable extensions (for example, .123).

Scan only new and modified files
  Scans only new files and those files that have been modified since the last time they were scanned. This helps reduce the duration of a scan. This mode applies both to simple and to compound files.

Skip file that is scanned for longer than N seconds
  Sets a time limit for scanning a single object. After the specified amount of time, the application stops scanning the file. This helps reduce the duration of a scan.

Do not run multiple scan tasks at the same time
  Postponed start of scan tasks if a scan is already running. Kaspersky Endpoint Security enqueues new scan tasks while the current scan continues. This helps optimize the load on the computer. For example, assume that the application has started a Full Scan task according to the schedule. If a user attempts to start a quick scan from the application interface, Kaspersky Endpoint Security enqueues this quick scan task and automatically starts it after the Full Scan task is finished.
  However, Kaspersky Endpoint Security immediately starts a new scan task even if one of the following scan tasks is already running:
  - Scan of removable drives on connection.
  - Critical Areas Scan that was started upon detection of an Indicator of Compromise (IoC).
  If this check box is cleared, Kaspersky Endpoint Security lets you run multiple scan tasks at the same time. Running multiple scan tasks requires more computer resources.

Scan archives
  Scanning ZIP, GZIP, BZIP, RAR, TAR, ARJ, CAB, LHA, JAR, ICE, and other archives. The application scans archives not only by extension, but also by format. When checking archives, the application performs recursive unpacking. This allows detecting threats inside multi-level archives (archive within an archive).

Scan files in Microsoft Office formats
  Scans Microsoft Office files (DOC, DOCX, XLS, PPT and other Microsoft extensions). Office format files include OLE objects as well. Kaspersky Endpoint Security scans office format files that are smaller than 1 MB regardless of whether the check box is selected.

Scan email format files
  Scanning email format files and the email database. The application scans PST and OST files used by the MS Outlook and Windows Mail clients as well as EML files.
  Kaspersky Endpoint Security does not support the 64-bit version of the MS Outlook email client. This means that Kaspersky Endpoint Security does not scan MS Outlook files (PST and OST files) if a 64-bit version of MS Outlook is installed on the computer, even if mail is included in the scan scope.
  If the check box is selected, Kaspersky Endpoint Security splits the mail-format file into its components (header, body, attachments) and scans them for threats.
  If the check box is cleared, Kaspersky Endpoint Security scans the mail-format file as a single file.

Scan password-protected archives
  If the check box is selected, the application scans password-protected archives. Before files in an archive can be scanned, you are prompted to enter the password.
  If the check box is cleared, the application skips scanning of password-protected archives.

Do not unpack large compound files
  If this check box is selected, the application does not scan compound files if their size exceeds the specified value.
  If this check box is cleared, the application scans compound files of all sizes.
  The application scans large files that are extracted from archives regardless of whether the check box is selected.

Machine learning and signature analysis
  The machine learning and signature analysis method uses the Kaspersky Endpoint Security databases that contain descriptions of known threats and ways to neutralize them. Protection that uses this method provides the minimum acceptable security level.
  Based on the recommendations of Kaspersky experts, machine learning and signature analysis is always enabled.

Heuristic Analysis
  The technology was developed for detecting threats that cannot be detected by using the current version of Kaspersky application databases. It detects files that may be infected with an unknown virus or a new variety of a known virus.
  When scanning files for malicious code, the heuristic analyzer executes instructions in the executable files. The number of instructions that are executed by the heuristic analyzer depends on the level that is specified for the heuristic analyzer. The heuristic analysis level ensures a balance between the thoroughness of searching for new threats, the load on the resources of the operating system, and the duration of heuristic analysis.

iSwift Technology (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)
  This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scans by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date when the file was last scanned, and any modifications to the scan settings. The iSwift technology is an advancement of the iChecker technology for the NTFS file system.

iChecker Technology (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)
  This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scans by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date when the file was last scanned, and any modifications to the scan settings. There are limitations to iChecker Technology: it does not work with large files and applies only to files with a structure that the application recognizes (for example, EXE, DLL, LNK, TTF, INF, SYS, COM, CHM, ZIP, and RAR).
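The two points in the table that matter most for a practitioner are the difference between "Files scanned by format" and "Files scanned by extension" (why a PE image renamed to .123 is missed by an extension list but caught by a header check), and the invalidation rules behind iChecker/iSwift (a file is skipped only while the databases, the file itself and the scan settings are all unchanged since its last clean scan). The following added example, written for this page and not Kaspersky's own code, models both. The magic-number table, the extension list, the size limit and the sample files are constructed for illustration and are not Kaspersky's actual lists.

```python
"""Added example, not Kaspersky code: header-based versus extension-based file typing,
and an iChecker-style scan cache with the invalidation rules described in the table.
MAGIC, INFECTABLE_*, MAX_CACHED_SIZE and the sample files are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date
import hashlib

# Constructed table of leading bytes -> format name.
MAGIC = [
    (b"MZ", "exe"),                                   # PE images: EXE, DLL, SYS
    (b"PK\x03\x04", "zip"),                           # ZIP containers: ZIP, JAR, DOCX, XLSX
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),     # OLE compound: legacy DOC, XLS, PPT, MSI
    (b"%PDF-", "pdf"),
    (b"Rar!\x1a\x07", "rar"),
]
INFECTABLE_FORMATS = {"exe", "zip", "ole", "pdf", "rar"}
INFECTABLE_EXTENSIONS = {"exe", "dll", "sys", "com", "doc", "xls", "ppt", "zip", "jar", "rar", "pdf"}
MAX_CACHED_SIZE = 64 * 1024 * 1024   # hypothetical limit: larger files are never cached


def format_of(data: bytes) -> str:
    """Classify a file by its internal header; the file name plays no part."""
    for magic, fmt in MAGIC:
        if data.startswith(magic):
            return fmt
    return "unknown"


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def infectable_by_extension(name: str) -> bool:
    """'Files scanned by extension': the decision rests on the name alone."""
    return extension_of(name) in INFECTABLE_EXTENSIONS


def infectable_by_format(name: str, data: bytes) -> bool:
    """'Files scanned by format': header first, extension list as a fallback."""
    return format_of(data) in INFECTABLE_FORMATS or infectable_by_extension(name)


@dataclass
class ScanCache:
    """Remembers files found clean so they can be skipped next time, and forgets the
    verdict when the file, the databases or the scan settings change."""
    db_release: date                       # release date of the databases in use
    settings_hash: str                     # digest of the scan settings in force
    entries: dict = field(default_factory=dict)   # path -> (content digest, scan date, settings)

    @staticmethod
    def cacheable(data: bytes) -> bool:
        # The iChecker limitations from the table: no large files, recognized formats only.
        return len(data) <= MAX_CACHED_SIZE and format_of(data) != "unknown"

    def needs_scan(self, path: str, data: bytes) -> bool:
        if not self.cacheable(data):
            return True
        rec = self.entries.get(path)
        if rec is None:
            return True                                  # never scanned clean
        digest, scanned_on, settings = rec
        if digest != hashlib.sha256(data).hexdigest():
            return True                                  # file modified since last scan
        if settings != self.settings_hash:
            return True                                  # scan settings changed
        if self.db_release > scanned_on:
            return True                                  # newer databases may know new threats
        return False

    def record_clean(self, path: str, data: bytes, scanned_on: date) -> None:
        if self.cacheable(data):
            self.entries[path] = (hashlib.sha256(data).hexdigest(), scanned_on, self.settings_hash)


def demo() -> dict:
    """The .123 case from the table, followed by each cache invalidation rule."""
    pe_renamed = b"MZ\x90\x00" + b"\x00" * 60          # constructed: PE header under a .123 name
    name = "quarterly.123"
    result = {
        "by_extension": infectable_by_extension(name),          # False: .123 is not on the list
        "by_format": infectable_by_format(name, pe_renamed),    # True: the header says PE
    }
    cache = ScanCache(db_release=date(2024, 5, 1), settings_hash="settings-v1")
    result["first_scan"] = cache.needs_scan(name, pe_renamed)                      # True
    cache.record_clean(name, pe_renamed, scanned_on=date(2024, 5, 2))
    result["unchanged"] = cache.needs_scan(name, pe_renamed)                       # False
    cache.db_release = date(2024, 5, 3)
    result["after_db_update"] = cache.needs_scan(name, pe_renamed)                 # True
    cache.record_clean(name, pe_renamed, scanned_on=date(2024, 5, 3))
    result["after_modification"] = cache.needs_scan(name, pe_renamed + b"\x01")    # True
    result["plain_text_never_cached"] = cache.needs_scan("notes.txt", b"hello")    # True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The cache keys on a content digest rather than a modification time so that a file rewritten with its timestamp restored is still rescanned; the page says only that the last-scan date and the database release date are compared, so the digest is an implementation choice of this example.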
How to configure running the Removable drives scan in the Administration Console (MMC)
3. Select the necessary policy and double-click to open the policy properties.
5. In the Action on a removable drive connection drop-down list, select Detailed Scan or Quick Scan.
6. Configure advanced options for Removable drives scan (see table below).
How to configure running the Removable drives scan in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Action on a removable drive connection drop-down list, select Detailed Scan or Quick Scan.
6. Configure advanced options for Removable drives scan (see table below).
How to configure running the Removable drives scan in the application interface
3. Use the Removable Drives Scan toggle to enable or disable scans of removable drives upon connection to
the computer.
4. Configure advanced options for Removable drives scan (see table below).
As a result, Kaspersky Endpoint Security runs a Removable drives scan for removable drives that are not
larger than the specified maximum size. If the Removable Drives Scan task is not displayed, the
administrator has prohibited the use of local tasks in the policy.
Parameter / Description

Action on a removable drive connection
  - Detailed Scan. If this item is selected, when a removable drive is connected, Kaspersky Endpoint Security scans all files on the removable drive, including files nested in compound objects, archives, distribution packages, and files in office formats. Kaspersky Endpoint Security does not scan files in mail formats or password-protected archives.
  - Quick Scan. If this option is selected, after a removable drive is connected Kaspersky Endpoint Security scans only files of specific formats that are most vulnerable to infection, and does not unpack compound objects.

Maximum removable drive size
  If this check box is selected, Kaspersky Endpoint Security performs the action selected in the Action on a removable drive connection drop-down list on removable drives with a size not exceeding the specified maximum drive size.
  If the check box is cleared, Kaspersky Endpoint Security performs the action selected in the Action on a removable drive connection drop-down list on removable drives of any size.

Show scan progress
  If the check box is selected, Kaspersky Endpoint Security displays the progress of the removable drives scan in a separate window and in the Tasks section.
  If the check box is cleared, Kaspersky Endpoint Security performs the removable drives scan in the background.

Block the stopping of the scan task
  If this check box is selected, then for the removable drives scan task in the local interface of Kaspersky Endpoint Security, the Stop button in the Tasks section and the Stop button in the removable drives scan window are not available.
Background scan
Background Scan is a scan mode of Kaspersky Endpoint Security that does not display notifications for the user.
Background scan requires fewer computer resources than other types of scans (such as a full scan). In this mode,
Kaspersky Endpoint Security scans startup objects, the boot sector, system memory, and the system partition.
To conserve computer resources, it is recommended to use a background scan task instead of a full scan task. This
will not affect the security level of the computer, because these tasks have the same scan scope. To optimize the
load on the computer, the application does not run a Full Scan task and a Background Scan task at the same time.
If you have already run a Full Scan task, Kaspersky Endpoint Security will not start a Background Scan task for
seven days after the Full Scan task is completed.
When the computer has been idle for five minutes or more (the computer is locked or the screensaver is on).
Background scan when the computer is idle is interrupted when any of the following conditions are true:
If the background scan has not been run for more than ten days, the scan is not interrupted.
When performing a background scan, Kaspersky Endpoint Security does not scan files whose contents are
located in OneDrive cloud storage.
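The queueing rules stated for "Do not run multiple scan tasks at the same time", the random spread for "Run skipped tasks", and the seven-day rule between a Full Scan and a Background Scan above interact, and it is easier to see how once they are written down as one scheduler. The following added example, written for this page and not Kaspersky's own code, models exactly those rules: a new scan waits while another scan runs, except that a running Removable drives scan or IoC-triggered Critical Areas Scan does not block it; a Background Scan is not started within seven days of a finished Full Scan; and a missed scheduled task gets a random start offset. Task names, the spread window and the timeline are constructed; the page does not say whether a Removable drives scan itself waits behind a running Full Scan, and the example assumes it does not.

```python
"""Added example, not Kaspersky code: a model of the scan-task queueing rules from the
Scan settings table and the Background scan section. NON_BLOCKING, FULL_SCAN_COOLDOWN,
the task names and the timeline in demo() are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional
import random

NON_BLOCKING = {"Removable drives scan", "Critical Areas Scan (IoC)"}   # do not hold up other scans
FULL_SCAN_COOLDOWN = timedelta(days=7)    # no Background Scan this soon after a finished Full Scan


@dataclass
class ScanScheduler:
    single_scan: bool = True              # the check box: True = enqueue instead of running in parallel
    running: List[str] = field(default_factory=list)
    queue: List[str] = field(default_factory=list)
    last_full_scan_done: Optional[datetime] = None

    def _blocked(self) -> bool:
        """A new task is blocked only by a running task that is not in the non-blocking set."""
        return self.single_scan and any(t not in NON_BLOCKING for t in self.running)

    def request(self, task: str, now: datetime) -> str:
        """Returns 'started', 'queued' or 'suppressed'."""
        if (task == "Background Scan" and self.last_full_scan_done is not None
                and now - self.last_full_scan_done < FULL_SCAN_COOLDOWN):
            return "suppressed"
        # Assumption: a non-blocking task also starts at once itself; the page only says
        # that it does not block others while it is running.
        if task in NON_BLOCKING or not self._blocked():
            self.running.append(task)
            return "started"
        self.queue.append(task)
        return "queued"

    def finish(self, task: str, now: datetime) -> List[str]:
        """Mark a task finished and start whatever the queue now allows; returns what started."""
        self.running.remove(task)
        if task == "Full Scan":
            self.last_full_scan_done = now
        started = []
        while self.queue and not self._blocked():
            nxt = self.queue.pop(0)
            self.running.append(nxt)
            started.append(nxt)
        return started


def skipped_task_start(scheduled: datetime, now: datetime, spread: timedelta,
                       rng: random.Random) -> datetime:
    """'Run skipped tasks': a missed task starts at a random point within the spread window
    after the opportunity arises, so a fleet does not start all at once; a task that was
    not missed keeps its slot."""
    if now <= scheduled:
        return scheduled
    return now + timedelta(seconds=rng.uniform(0, spread.total_seconds()))


def demo() -> dict:
    t0 = datetime(2024, 5, 6, 9, 0)
    out = {}
    s = ScanScheduler()
    out["full"] = s.request("Full Scan", t0)                                          # started
    out["critical_during_full"] = s.request("Critical Areas Scan", t0 + timedelta(minutes=5))  # queued
    out["after_full"] = s.finish("Full Scan", t0 + timedelta(hours=2))                # ['Critical Areas Scan']
    s.finish("Critical Areas Scan", t0 + timedelta(hours=3))
    out["bg_next_day"] = s.request("Background Scan", t0 + timedelta(days=1))         # suppressed
    out["bg_after_week"] = s.request("Background Scan", t0 + timedelta(days=8))       # started
    s2 = ScanScheduler()
    s2.request("Removable drives scan", t0)
    out["full_during_removable"] = s2.request("Full Scan", t0)                        # started
    s3 = ScanScheduler(single_scan=False)
    s3.request("Full Scan", t0)
    out["parallel_allowed"] = s3.request("Critical Areas Scan", t0)                   # started
    late = skipped_task_start(t0 - timedelta(hours=1), t0, timedelta(minutes=60), random.Random(7))
    out["skipped_delay_min"] = (late - t0).total_seconds() / 60                       # within [0, 60]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```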
How to enable background scanning in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
5. Use the Enable Background Scan check box to enable or disable background scanning.
How to enable background scanning in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. Use the Enable Background Scan check box to enable or disable background scanning.
If the Background scan is not displayed, the administrator has prohibited the use of local tasks in the
policy.
When performing a scan from the context menu, Kaspersky Endpoint Security does not scan files whose
contents are located in OneDrive cloud storage.
How to configure Scan from Context Menu in the Administration Console (MMC)
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Local Tasks → Scan from Context Menu.
5. Configure Scan from Context Menu (see the table below).
How to configure Scan from Context Menu in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. Configure Scan from Context Menu (see the table below).
How to configure Scan from Context Menu in the application interface
1. In the main application window, go to the Tasks section.
3. Configure Scan from Context Menu (see the table below).
If the Scan from Context Menu task is not displayed, the administrator has prohibited the use of
local tasks in the policy.
Parameter Description
Security Kaspersky Endpoint Security can use di erent groups of settings for running a scan. These
level groups of settings that are stored in the application are called security levels:
High. Kaspersky Endpoint Security scans all types of les. When scanning compound les,
the application also scans mail-format les.
Recommended. Kaspersky Endpoint Security scans only the speci ed le formats on all
hard drives, network drives, and removable storage media of the computer, and also
embedded OLE objects. The application does not scan archives or installation packages.
Low. Kaspersky Endpoint Security scans only new or modi ed les with the speci ed
extensions on all hard drives, removable drives, and network drives of the computer. The
application does not scan compound les.
Action on Disinfect, delete if disinfection fails. If this option is selected, the application automatically
threat attempts to disinfect all infected les that are detected. If disinfection fails, the application
detection deletes the les.
Disinfect, block if disinfection fails. If this option is selected, Kaspersky Endpoint Security
automatically attempts to disinfect all infected les that are detected. If disinfection is not
possible, Kaspersky Endpoint Security adds the information about the infected les that are
detected to the list of active threats.
Inform. If this option is selected, Kaspersky Endpoint Security adds the information about
infected les to the list of active threats on detection of these les.
File types
All les. If this setting is enabled, Kaspersky Endpoint Security checks all les without
exception (all formats and extensions).
Files scanned by format. If this setting is enabled, the application scans infectable les
only. Before scanning a le for malicious code, the internal header of the le is analyzed to
determine the format of the le (for example, .txt, .doc, or .exe). The scan also looks for les
with particular le extensions.
Files scanned by extension. If this setting is enabled, the application scans infectable les
only. The le format is then determined based on the le's extension.
174
By default, Kaspersky Endpoint Security scans les by their format. Scanning les by
extension is less safe because a malicious le can have an extension that is not on the list of
potentially infectable (for example, .123).
Scan only new and modified files:
Scans only new files and those files that have been modified since the last time they were scanned. This helps reduce the duration of a scan. This mode applies both to simple and to compound files.
Skip file that is scanned for longer than N seconds:
This sets a time limit for scanning a single object. After the specified amount of time, the application stops scanning a file. This helps reduce the duration of a scan.
Scan archives:
Scanning ZIP, GZIP, BZIP, RAR, TAR, ARJ, CAB, LHA, JAR, ICE, and other archives. The application scans archives not only by extension, but also by format. When checking archives, the application performs a recursive unpacking. This makes it possible to detect threats inside multi-level archives (archive within an archive).
Scan files in Microsoft Office formats:
Scans Microsoft Office files (DOC, DOCX, XLS, PPT and other Microsoft extensions). Office format files include OLE objects as well. Kaspersky Endpoint Security scans office format files that are smaller than 1 MB, regardless of whether the check box is selected or not.
Scan email format files:
Scanning email format files and the email database. The application scans PST and OST files used by MS Outlook and Windows Mail mail clients as well as EML files.
Kaspersky Endpoint Security does not support the 64-bit version of MS Outlook email client. This means that Kaspersky Endpoint Security does not scan MS Outlook files (PST and OST files) if a 64-bit version of MS Outlook is installed on the computer, even if mail is included in the scan scope.
If the check box is selected, Kaspersky Endpoint Security splits the mail-format file into its components (header, body, attachments) and scans them for threats.
If this check box is cleared, Kaspersky Endpoint Security scans the mail-format file as a single file.
Scan password-protected archives:
If the check box is selected, the application scans password-protected archives. Before files in an archive can be scanned, you are prompted to enter the password.
If the check box is cleared, the application skips scanning of password-protected archives.
Do not unpack large compound files:
If this check box is selected, the application does not scan compound files if their size exceeds the specified value.
If this check box is cleared, the application scans compound files of all sizes.
The application scans large files that are extracted from archives regardless of whether the check box is selected or not.
Machine learning and signature analysis:
The machine learning and signature analysis method uses the Kaspersky Endpoint Security databases that contain descriptions of known threats and ways to neutralize them. Protection that uses this method provides the minimum acceptable security level.
Based on the recommendations of Kaspersky experts, machine learning and signature analysis is always enabled.
Heuristic Analysis:
The technology was developed for detecting threats that cannot be detected by using the current version of Kaspersky application databases. It detects files that may be infected with an unknown virus or a new variety of a known virus.
When scanning files for malicious code, the heuristic analyzer executes instructions in the executable files. The number of instructions that are executed by the heuristic analyzer depends on the level that is specified for the heuristic analyzer. The heuristic analysis level ensures a balance between the thoroughness of searching for new threats, the load on the resources of the operating system, and the duration of heuristic analysis.
iSwift Technology:
This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scans by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date when the file was last scanned, and any modifications to the scan settings. The iSwift technology is an advancement of the iChecker technology for the NTFS file system.
iChecker Technology:
This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scans by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date when the file was last scanned, and any modifications to the scan settings. There are limitations to iChecker Technology: it does not work with large files and applies only to files with a structure that the application recognizes (for example, EXE, DLL, LNK, TTF, INF, SYS, COM, CHM, ZIP, and RAR).
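The File types row above says that scanning by format reads the file's internal header, while scanning by extension trusts the name alone, and that a malicious file can carry an extension such as .123 that is on no list. The following is an added example, not Kaspersky code, that shows the difference on constructed sample files; the signature table, the "infectable" format and extension lists and the mode names are this example's own assumptions.

```python
"""Added example (not Kaspersky code): file-type selection by format
versus by extension.

'format' mode reads the file's own header to decide what it is and also
honours an extension list; 'extension' mode trusts the name alone.  The
signature table, the extension list and the sample files are constructed
for illustration and are not the product's lists.
"""
from typing import Optional

# Constructed subset of header signatures: (magic bytes, format name).
MAGIC_SIGNATURES = [
    (b"MZ", "pe"),                                   # EXE/DLL/SYS/SCR
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),                          # ZIP, also DOCX/JAR
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),    # legacy DOC/XLS/PPT
    (b"Rar!\x1a\x07", "rar"),
    (b"%PDF", "pdf"),
]

# Illustrative "potentially infectable" lists (assumptions).
INFECTABLE_FORMATS = {"pe", "elf", "zip", "ole", "rar", "pdf"}
INFECTABLE_EXTENSIONS = {"exe", "dll", "sys", "scr", "com", "zip", "rar",
                         "doc", "docx", "xls", "pdf", "jar"}


def format_by_header(data: bytes) -> Optional[str]:
    """Return the format whose magic bytes open the file, or None."""
    for magic, name in MAGIC_SIGNATURES:
        if data.startswith(magic):
            return name
    return None


def extension_of(name: str) -> str:
    """Lower-cased extension without the dot, or '' if there is none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def should_scan(name: str, data: bytes, mode: str) -> bool:
    """Decide whether a file is selected for scanning under the given mode.

    mode is 'all', 'format' or 'extension', mirroring the three File
    types options in the table.
    """
    if mode == "all":
        return True
    by_ext = extension_of(name) in INFECTABLE_EXTENSIONS
    if mode == "extension":
        return by_ext
    if mode == "format":
        # Header decides first; the extension list is consulted as well.
        return format_by_header(data) in INFECTABLE_FORMATS or by_ext
    raise ValueError(f"unknown mode: {mode}")


def compare_modes(name: str, data: bytes) -> dict:
    """Per mode, whether the file would be scanned."""
    return {m: should_scan(name, data, m)
            for m in ("all", "format", "extension")}


# Constructed sample files: a PE executable renamed to an unlisted
# extension (the .123 case from the text), and a genuine text note.
RENAMED_EXECUTABLE = ("invoice.123", b"MZ\x90\x00" + b"\x00" * 60)
PLAIN_NOTE = ("notes.txt", b"Meeting at 10:00\n")

if __name__ == "__main__":
    for name, data in (RENAMED_EXECUTABLE, PLAIN_NOTE):
        print(name, compare_modes(name, data))
```

The renamed executable is selected in format mode because its header is still that of a PE file, but is skipped in extension mode because .123 is on no list; the text note is skipped in both modes and scanned only under All files.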
You can create the Integrity check task both in the Kaspersky Security Center Web Console and in the
Administration Console. It is not possible to create a task in the Kaspersky Security Center Cloud Console.
A malicious object modified files of Kaspersky Endpoint Security. In this case, perform the procedure for restoring Kaspersky Endpoint Security using the tools of the operating system. After restoration, run a full scan of the computer and repeat the integrity check.
The digital signature expired. In this case, update Kaspersky Endpoint Security.
How to run an application integrity check through the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
Select Kaspersky Endpoint Security for Windows (12.5) → Application Integrity Check.
Select the computers on which the task will be performed. The following options are available:
Assign the task to an administration group. In this case, the task is assigned to computers included in a
previously created administration group.
Select computers detected by the Administration Server in the network: unassigned devices. The specific devices can include devices in administration groups as well as unassigned devices.
Specify device addresses manually, or import addresses from a list. You can specify NetBIOS names, IP
addresses, and IP subnets of devices to which you want to assign the task.
Configure a schedule for starting a task, for example, manually or when a virus outbreak is detected.
Enter a name for the task, for example, Integrity check after the computer was infected.
Exit the Wizard. If necessary, select the Run the task after the wizard finishes check box. You can monitor the progress of the task in the task properties. As a result, Kaspersky Endpoint Security will check the integrity of the application. You can also configure an application integrity check schedule in the task properties (see the table below).
1. In the main window of the Web Console, select Devices → Tasks.
The list of tasks opens.
2. Click Add.
The Task Wizard starts.
a. In the Application drop-down list, select Kaspersky Endpoint Security for Windows (12.5).
c. In the Task name field, enter a brief description, for example, Check the integrity of the application after a computer infection.
d. In the Select devices to which the task will be assigned block, select the task scope.
4. Select devices according to the selected task scope option. Go to the next step.
5. Select an account to run the task. By default, Kaspersky Endpoint Security starts the task with the rights
of a local user account.
As a result, Kaspersky Endpoint Security will check the integrity of the application. You can also configure an application integrity check schedule in the task properties (see the table below).
2. This opens the task list; select the Application Integrity Check task and click Run.
As a result, Kaspersky Endpoint Security will check the integrity of the application. You can also configure an application integrity check schedule in the task properties (see the table below). If the Application Integrity Check task is not displayed, it means the administrator has prohibited the use of local tasks in the policy.
Parameter Description
Scan schedule:
Manually. Run mode in which you can start the scan manually at a time when it is convenient for you.
By schedule. In this scan task run mode, the application starts the scan task in accordance with the schedule that you create. If this scan task run mode is selected, you can also start the scan task manually.
Run skipped tasks:
If the check box is selected, Kaspersky Endpoint Security starts the skipped task as soon as it becomes possible. The task may be skipped, for example, if the computer was off at the scheduled task start time. When the application gets an opportunity to execute missed tasks, it runs the tasks randomly within a certain time interval to distribute the load on the computer.
If the check box is cleared, Kaspersky Endpoint Security does not run skipped tasks. Instead, it carries out the next task in accordance with the current schedule.
Run only when the computer is idle:
Postponed start of the scan task when computer resources are busy. Kaspersky Endpoint Security starts the scan task if the computer is locked or if the screen saver is on. If you have interrupted the execution of the task, for example by unlocking the computer, Kaspersky Endpoint Security automatically runs the task, continuing from the point where it was interrupted.
To edit the scan scope, we recommend using the Custom Scan task. Kaspersky experts recommend that you
do not change the scan scope of the Full Scan and Critical Areas Scan tasks.
Kaspersky Endpoint Security has the following predefined objects as part of the scan scope:
My email.
Files relevant to the Outlook mail client: data files (PST), offline data files (OST).
System memory.
Startup Objects.
Memory occupied by processes and application executable les that are run at system startup.
System Backup.
Contents of the System Volume Information folder.
We recommend creating a separate scan task for scanning network drives or shared folders. In the settings of the Malware Scan task, specify a user that has write access to this drive; this is necessary to mitigate detected threats. If the server where the network drive is located has its own security tools, do not run the scan task for that drive. In this way, you can avoid checking objects twice and improve the performance of the server.
To exclude folders or files from the scan scope, add the folder or file to the trusted zone.
How to edit a scan scope in the Administration Console (MMC)
3. Select the scan task and double-click to open the task properties.
If necessary, create the Malware Scan task.
6. In the window that opens, select the objects that you want to add to the scan scope or exclude from it.
a. Click Add.
The * (asterisk) character, which takes the place of any set of characters, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive, but not in subfolders.
Two consecutive * characters take the place of any set of characters (including an empty set) in the file or folder name, including the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files with the TXT extension located in folders nested within the Folder, except the Folder itself. The mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
The ? (question mark) character, which takes the place of any single character, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have the TXT extension and a name consisting of three characters.
You can use masks anywhere in a file or folder path. For example, if you want the scan scope to include the Downloads folder for all user accounts on the computer, enter the C:\Users\*\Downloads\ mask.
You can exclude an object from scans without deleting it from the list of objects in the scan scope. To do
so, clear the check box next to the object.
How to edit a scan scope in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Tasks.
The list of tasks opens.
4. In the Scan scope section, select the objects that you want to add to the scan scope or exclude from it.
b. In the File or folder name or mask field, enter the path to the folder or file.
Use masks:
The * (asterisk) character, which takes the place of any set of characters, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive, but not in subfolders.
Two consecutive * characters take the place of any set of characters (including an empty set) in the file or folder name, including the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files with the TXT extension located in folders nested within the Folder, except the Folder itself. The mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
The ? (question mark) character, which takes the place of any single character, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have the TXT extension and a name consisting of three characters.
You can use masks anywhere in a file or folder path. For example, if you want the scan scope to include the Downloads folder for all user accounts on the computer, enter the C:\Users\*\Downloads\ mask.
You can exclude an object from scans without deleting it from the list of objects in the scan scope. To do
so, set the toggle switch next to it to the off position.
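The mask rules described in both procedures above (a single * stops at a path delimiter, ** crosses delimiters, ? stands for one character, and ** directly under the drive root is invalid) are easy to get wrong when building a scan scope, so here is an added example, not Kaspersky code, that re-implements the documented meaning of the three wildcards and checks every mask quoted in the text against constructed sample paths. Two details are this example's assumptions rather than statements from the text: matching is case-insensitive, and a mask ending in a path delimiter selects the folder together with everything beneath it.

```python
"""Added example (not Kaspersky code): a matcher for the scan-scope mask
rules documented above ('*', '**', '?').  Case-insensitive comparison and
the 'trailing delimiter means the whole subtree' rule are assumptions.
"""
import re

_NOT_DELIM = r"[^\\/]"  # any single character except the path delimiters


class InvalidMask(ValueError):
    """Raised for masks the rules declare invalid, e.g. C:\\**\\*.txt."""


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """Translate a file/folder mask into an anchored regular expression."""
    # '**' directly under the drive root lacks the required nesting level.
    if re.match(r"^[A-Za-z]:[\\/]\*\*", mask):
        raise InvalidMask(f"{mask!r}: '**' must follow at least one folder")
    parts = []
    i = 0
    while i < len(mask):
        if mask.startswith("**", i):
            parts.append(".*")               # any characters, delimiters too
            i += 2
        elif mask[i] == "*":
            parts.append(_NOT_DELIM + "*")   # any run, no delimiters
            i += 1
        elif mask[i] == "?":
            parts.append(_NOT_DELIM)         # exactly one, not a delimiter
            i += 1
        else:
            parts.append(re.escape(mask[i]))
            i += 1
    pattern = "".join(parts)
    if mask.endswith(("\\", "/")):
        pattern += ".*"  # assumption: folder mask covers its whole subtree
    return re.compile("^" + pattern + "$", re.IGNORECASE)


def matches(mask: str, path: str) -> bool:
    """True if `path` falls under `mask`."""
    return mask_to_regex(mask).match(path) is not None


def select(mask: str, paths):
    """Return the subset of `paths` the mask selects, preserving order."""
    rx = mask_to_regex(mask)
    return [p for p in paths if rx.match(p)]


# Constructed sample paths used to exercise the documented examples.
SAMPLE_PATHS = [
    "C:\\a.txt",
    "C:\\Folder\\abc.txt",
    "C:\\Folder\\abcd.txt",
    "C:\\Folder\\Sub\\abc.txt",
    "C:\\Folder\\Sub\\Deep\\note.txt",
    "C:\\Users\\alice\\Downloads\\setup.exe",
    "C:\\Users\\alice\\Documents\\plan.docx",
]

if __name__ == "__main__":
    for m in ("C:\\*\\*.txt", "C:\\Folder\\**\\*.txt",
              "C:\\Folder\\???.txt", "C:\\Users\\*\\Downloads\\"):
        print(m, "->", select(m, SAMPLE_PATHS))
    try:
        mask_to_regex("C:\\**\\*.txt")
    except InvalidMask as err:
        print("rejected:", err)
```

Running it reproduces the text's claims: C:\*\*.txt selects files one folder below the drive root and nothing deeper, C:\Folder\**\*.txt selects files under Folder's subfolders but not in Folder itself, C:\Folder\???.txt selects only three-character names, and C:\**\*.txt is rejected.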
1. In the main application window, go to the Tasks section.
2. This opens the task list; select the Custom Scan task and click Select.
You can also edit the scan scope for other tasks. Kaspersky experts recommend that you do not change
the scan scope of the Full Scan and Critical Areas Scan tasks.
3. In the window that opens, select the objects that you want to add to the scan scope.
If the scan task is not displayed, it means the administrator has prohibited the use of local tasks in the policy.
If configuring an optimum scan schedule proves impossible, Kaspersky Endpoint Security lets you run a computer scan when the following special conditions are met:
Wake-on-LAN.
Kaspersky Endpoint Security runs a computer scan on schedule even if the computer is powered off. To do so, the application uses the Wake-on-LAN feature of the operating system. The Wake-on-LAN feature allows remotely powering on the computer by sending a special signal over the local network. To use this feature, you must enable Wake-on-LAN in BIOS settings.
You can configure running the scan using Wake-on-LAN only for the Malware Scan task in Kaspersky Security Center. You cannot enable Wake-on-LAN for scanning the computer in the application interface.
How to configure the scan schedule in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the scan task and double-click to open the task properties.
If necessary, create the Malware Scan task.
6. Depending on the selected frequency, configure advanced settings that specify the task run schedule (see the table below).
How to configure the scan schedule in the Web Console and Cloud Console
5. Depending on the selected frequency, configure advanced settings that specify the task run schedule (see the table below).
You can configure the scan schedule only if a policy is not applied to the computer. For computers under policy, you can configure the Malware Scan task schedule in Kaspersky Security Center.
4. In the window that opens, configure the scan task run schedule.
5. Depending on the selected frequency, configure advanced settings that specify the task run schedule (see the table below).
Parameter Description
Scan schedule:
Manually. Run mode in which you can start the scan manually at a time when it is convenient for you.
By schedule. In this scan task run mode, the application starts the scan task in accordance with the schedule that you create. If this scan task run mode is selected, you can also start the scan task manually.
Postpone running after application startup for N minutes:
Postponed start of the scan task after application startup. At operating system startup, many processes are running, therefore it is advantageous to postpone running the scan task instead of running it immediately after Kaspersky Endpoint Security startup.
Run skipped tasks:
If the check box is selected, Kaspersky Endpoint Security starts the skipped task as soon as it becomes possible. The task may be skipped, for example, if the computer was off at the scheduled task start time. When the application gets an opportunity to execute missed tasks, it runs the tasks randomly within a certain time interval to distribute the load on the computer.
If the check box is cleared, Kaspersky Endpoint Security does not run skipped tasks. Instead, it carries out the next task in accordance with the current schedule.
Run only when the computer is idle:
Postponed start of the scan task when computer resources are busy. Kaspersky Endpoint Security starts the scan task if the computer is locked or if the screen saver is on. If you have interrupted the execution of the task, for example by unlocking the computer, Kaspersky Endpoint Security automatically runs the task, continuing from the point where it was interrupted.
Use automatically randomized delay for task starts (available only in the Kaspersky Security Center Console):
If the check box is selected, the task is not run strictly on schedule, but randomly within a certain interval, that is, the start times of the task are spread out. Randomized start times help avoid a great number of computers simultaneously accessing the Administration Server when the task is run on schedule.
The range of randomized start times is automatically calculated when the task is created, depending on the number of computers that have the task assigned. Subsequently, the task is always run at its calculated start time. However, whenever task settings are modified or the task is run manually, the calculated start time changes.
If the check box is cleared, the task is run exactly at the scheduled time.
Stop task if it has been running longer than N (min) (available only in the Kaspersky Security Center Console):
Limiting the task execution time. After the specified amount of time, Kaspersky Endpoint Security stops the task. The task is not marked as completed. Next time Kaspersky Endpoint Security runs the task, it will be run from the beginning and on schedule.
To reduce the task execution time, you can, for example, configure the scan scope or optimize the scan.
Activate the device before the task is started through Wake-on-LAN (min) (available only in the Kaspersky Security Center Console):
If the check box is selected, the operating system of the computer is given a specified lead time to complete startup before the task is run. The default lead time is 5 minutes.
Select the check box if you want to run the task on all computers including powered off computers.
Full Scan.
Custom Scan.
You cannot configure user rights to run a Removable drives scan, a Background scan, or an Integrity check.
1. Open the Kaspersky Security Center Administration Console.
2. In the Managed devices folder in the Administration Console tree, open the folder with the name of the
administration group to which the relevant client computers belong.
4. Select the scan task and double-click to open the task properties.
6. Enter the account credentials of the user whose rights you want to use to run a scan task.
5. Enter the account credentials of the user whose rights you want to use to run a scan task.
4. In the window that opens, enter the account credentials of the user whose rights you want to use to run a
scan task.
If the scan task is not displayed, it means the administrator has prohibited the use of local tasks in the policy.
Scan optimization
You can optimize file scanning: reduce scan time and increase the operating speed of Kaspersky Endpoint Security. This can be achieved by scanning only new files and those files that have been modified since the previous scan. This mode applies both to simple and to compound files. You can also set a limit for scanning a single file. When the specified time interval expires, Kaspersky Endpoint Security excludes the file from the current scan (except archives and objects that include several files).
A common technique of concealing viruses and other malware is to implant them in compound files, such as archives or databases. To detect viruses and other malware that are hidden in this way, the compound file must be unpacked, which may slow down scanning. You can limit the types of compound files to be scanned and thereby speed up scanning.
You can also enable the iChecker and iSwift technologies. The iChecker and iSwift technologies optimize the speed of scanning files, by excluding files that have not been modified since the most recent scan.
1. Open the Kaspersky Security Center Administration Console.
3. Select the scan task and double-click to open the task properties.
If necessary, create the Malware Scan task.
Scan only new and modified files. Scans only new files and those files that have been modified since the last time they were scanned. This helps reduce the duration of a scan. This mode applies both to simple and to compound files.
You can also configure scanning new files by type. For example, you can scan all distribution packages and scan only new archives and office format files.
Skip files that are scanned for longer than N sec. This sets a time limit for scanning a single object. After the specified amount of time, the application stops scanning a file. This helps reduce the duration of a scan.
Do not run multiple scan tasks at the same time. Postponed start of scan tasks if a scan is already running. Kaspersky Endpoint Security will enqueue new scan tasks if the current scan continues. This helps optimize the load on the computer. For example, let's assume that the application has started a Full Scan task according to the schedule. If a user attempts to start a quick scan from the application interface, Kaspersky Endpoint Security will enqueue this quick scan task and then automatically start this task after the Full Scan task is finished.
7. Click Additional.
This opens the compound files scanning settings window.
8. In the Size limit block, select the Do not unpack large compound files check box. This sets a time limit for scanning a single object. After the specified amount of time, the application stops scanning a file. This helps reduce the duration of a scan.
Kaspersky Endpoint Security scans large files that are extracted from archives, regardless of whether the Do not unpack large compound files check box is selected.
9. Click OK.
11. In the Scan technologies block, select the check boxes next to the names of technologies that you want to use during a scan:
iSwift Technology. This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scans by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date when the file was last scanned, and any modifications to the scan settings. The iSwift technology is an advancement of the iChecker technology for the NTFS file system.
iChecker Technology. This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scans by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date when the file was last scanned, and any modifications to the scan settings. There are limitations to iChecker Technology: it does not work with large files and applies only to files with a structure that the application recognizes (for example, EXE, DLL, LNK, TTF, INF, SYS, COM, CHM, ZIP, and RAR).
4. In the Action on threat detection block, select the Scan only new and modified files check box. Scans only new files and those files that have been modified since the last time they were scanned. This helps reduce the duration of a scan. This mode applies both to simple and to compound files.
You can also configure scanning new files by type. For example, you can scan all distribution packages and scan only new archives and office format files.
5. In the Optimization block, select the Do not unpack large compound files check box. This sets a time limit for scanning a single object. After the specified amount of time, the application stops scanning a file. This helps reduce the duration of a scan.
Kaspersky Endpoint Security scans large files that are extracted from archives, regardless of whether the Do not unpack large compound files check box is selected.
6. Select the Do not run multiple scan tasks at the same time check box. Postponed start of scan tasks if a scan is already running. Kaspersky Endpoint Security will enqueue new scan tasks if the current scan continues. This helps optimize the load on the computer. For example, let's assume that the application has started a Full Scan task according to the schedule. If a user attempts to start a quick scan from the application interface, Kaspersky Endpoint Security will enqueue this quick scan task and then automatically start this task after the Full Scan task is finished.
7. In the Advanced settings block, select the Skip file that is scanned for longer than N sec check box. This sets a time limit for scanning a single object. After the specified amount of time, the application stops scanning a file. This helps reduce the duration of a scan.
1. In the main application window, go to the Tasks section.
Scan only new and modified files. Scans only new files and those files that have been modified since the last time they were scanned. This helps reduce the duration of a scan. This mode applies both to simple and to compound files.
You can also configure scanning new files by type. For example, you can scan all distribution packages and scan only new archives and office format files.
Skip file that is scanned for longer than N seconds. This sets a time limit for scanning a single object. After the specified amount of time, the application stops scanning a file. This helps reduce the duration of a scan.
Do not run multiple scan tasks at the same time. Postponed start of scan tasks if a scan is already running. Kaspersky Endpoint Security will enqueue new scan tasks if the current scan continues. This helps optimize the load on the computer. For example, let's assume that the application has started a Full Scan task according to the schedule. If a user attempts to start a quick scan from the application interface, Kaspersky Endpoint Security will enqueue this quick scan task and then automatically start this task after the Full Scan task is finished.
5. In the Size limit block, select the Do not unpack large compound files check box. This sets a time limit for scanning a single object. After the specified amount of time, the application stops scanning a file. This helps reduce the duration of a scan.
Kaspersky Endpoint Security scans large files that are extracted from archives, regardless of whether the Do not unpack large compound files check box is selected.
6. In the Scan technologies block, select the check boxes next to the names of technologies that you want to use during a scan:
iSwift Technology. This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scans by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date when the file was last scanned, and any modifications to the scan settings. The iSwift technology is an advancement of the iChecker technology for the NTFS file system.
iChecker Technology. This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scans by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date when the file was last scanned, and any modifications to the scan settings. There are limitations to iChecker Technology: it does not work with large files and applies only to files with a structure that the application recognizes (for example, EXE, DLL, LNK, TTF, INF, SYS, COM, CHM, ZIP, and RAR).
If the scan task is not displayed, it means the administrator has prohibited the use of local tasks in the policy.
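The Scan optimization section and its procedures describe two related ideas: scanning only new and modified files, and the iChecker/iSwift rule that a file may be skipped only while three things hold, namely the file is unchanged since its last scan, that scan used the current database release, and the scan settings have not changed since. The following is an added example, not Kaspersky code and not the product's algorithm, that shows the bookkeeping such a decision needs; the record layout, the decision order and the sample files and database stamps are constructed.

```python
"""Added example (not Kaspersky code): the bookkeeping behind
'Scan only new and modified files' and the iChecker/iSwift skip rule.

A file is skipped only when it is unchanged since its last scan, that
scan used the current databases, and the scan settings have not changed.
The three inputs come from the text; the data structure and decision
order are this example's own.  Sample files and stamps are constructed.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FileState:
    """What the file system reports about a file, without reading it."""
    mtime: float
    size: int


@dataclass
class ScanRecord:
    """Outcome of the last scan of one file and the context it ran in."""
    state: FileState
    db_release: str        # database release stamp in force at that scan
    settings_digest: str   # digest of the scan settings at that scan
    verdict: str


def settings_digest(settings: dict) -> str:
    """Stable digest so that any settings change invalidates the cache."""
    canon = json.dumps(settings, sort_keys=True).encode()
    return hashlib.sha256(canon).hexdigest()


class ScanCache:
    def __init__(self, db_release: str, settings: dict):
        self.db_release = db_release
        self.settings_digest = settings_digest(settings)
        self._records: Dict[str, ScanRecord] = {}

    def needs_scan(self, path: str, state: FileState) -> bool:
        rec = self._records.get(path)
        if rec is None:
            return True                        # never scanned
        if rec.state != state:
            return True                        # modified since last scan
        if rec.db_release != self.db_release:
            return True                        # newer databases may detect more
        if rec.settings_digest != self.settings_digest:
            return True                        # settings changed (e.g. archives on)
        return False

    def record(self, path: str, state: FileState, verdict: str) -> None:
        self._records[path] = ScanRecord(state, self.db_release,
                                         self.settings_digest, verdict)

    def update_databases(self, new_release: str) -> None:
        self.db_release = new_release

    def change_settings(self, settings: dict) -> None:
        self.settings_digest = settings_digest(settings)


def run_scan(cache: ScanCache, files: Dict[str, FileState]) -> Tuple[int, int]:
    """Scan every file the cache says needs it; return (scanned, skipped)."""
    scanned = skipped = 0
    for path, state in files.items():
        if cache.needs_scan(path, state):
            cache.record(path, state, "clean")  # stand-in for the real engine
            scanned += 1
        else:
            skipped += 1
    return scanned, skipped


def demo() -> List[Tuple[int, int]]:
    """Four passes over constructed files; returns each pass's counts."""
    files = {
        "C:\\Work\\report.docx": FileState(1_700_000_000.0, 40_960),
        "C:\\Work\\tool.exe":    FileState(1_700_000_100.0, 512_000),
        "C:\\Work\\notes.txt":   FileState(1_700_000_200.0, 1_024),
    }
    cache = ScanCache("db-2024-01-01", {"scan_archives": False})
    results = [run_scan(cache, files)]               # first pass: all scanned
    results.append(run_scan(cache, files))           # nothing changed: all skipped
    files["C:\\Work\\tool.exe"] = FileState(1_700_000_300.0, 512_512)
    results.append(run_scan(cache, files))           # one modified file rescanned
    cache.update_databases("db-2024-01-02")
    results.append(run_scan(cache, files))           # new databases: all rescanned
    return results


if __name__ == "__main__":
    for n, counts in enumerate(demo(), 1):
        print(f"pass {n}: scanned={counts[0]} skipped={counts[1]}")
```

The sequence of passes shows why a database update costs a full rescan even when no file changed, and why turning on an option such as archive scanning must invalidate earlier verdicts: a file that was "clean" under the old settings was never examined the way the new settings require.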
Updating databases and application software modules
Updating the databases and application modules of Kaspersky Endpoint Security ensures up-to-date protection on your computer. New viruses and other types of malware appear worldwide on a daily basis. Kaspersky Endpoint Security databases contain information about threats and ways of neutralizing them. To detect threats quickly, you are urged to regularly update the databases and application modules.
Regular updates require a license in effect. If there is no current license, you will be able to perform an update only once.
Your computer must be connected to the Internet to successfully download the update package from Kaspersky update servers. By default, the Internet connection settings are determined automatically. If you are using a proxy server, you need to configure the proxy server settings.
Updates are downloaded over the HTTPS protocol. They may also be downloaded over the HTTP protocol when it is impossible to download updates over the HTTPS protocol.
While performing an update, the following objects are downloaded and installed on your computer:
Kaspersky Endpoint Security databases. Computer protection is provided using databases that contain signatures of viruses and other threats and information on ways to neutralize them. Protection components use this information when searching for and neutralizing infected files on your computer. The databases are constantly updated with records of new threats and methods for counteracting them. Therefore, we recommend that you update the databases regularly.
In addition to the Kaspersky Endpoint Security databases, the network drivers that enable the application's components to intercept network traffic are updated.
Application modules. In addition to the databases of Kaspersky Endpoint Security, you can also update the application modules. Updating the application modules fixes vulnerabilities in Kaspersky Endpoint Security, adds new functions, or enhances existing functions.
While updating, the application modules and databases on your computer are compared against the up-to-date version at the update source. If your current databases and application modules differ from their respective up-to-date versions, the missing portion of the updates is installed on your computer.
If the databases are obsolete, the update package may be large, which may cause additional Internet traffic (up to several dozen MB).
Information about the current state of the Kaspersky Endpoint Security databases is displayed in the main application window or the tooltip that you see when you hover the cursor over the icon of the application in the notification area.
Information on update results and on all events that occur during the performance of the update task is logged in the Kaspersky Endpoint Security report.
Updating the databases and application modules of Kaspersky Endpoint Security ensures up-to-date protection
on your computer. New viruses and other types of malware appear worldwide on a daily basis. Kaspersky Endpoint
Security databases contain information about threats and ways of neutralizing them. To detect threats quickly, you
are urged to regularly update the databases and application modules.
Anti-virus databases. Anti-virus databases include databases of malware signatures, description of network
attacks, databases of malicious and phishing web addresses, databases of banners, spam databases, and other
data.
Application modules. Module updates are intended for eliminating vulnerabilities in the application and to
improve computer protection methods. Module updates may change the behavior of application components
and add new capabilities.
Kaspersky Endpoint Security supports the following scenarios for updating databases and application modules:
Centralized update.
Centralized update reduces external Internet tra ic, and provides for convenient monitoring of the update.
Centralized update consists of the following steps:
Using Kaspersky Endpoint Security Update task. The task is intended for one of the computers in the
local company network.
Using the Kaspersky Update Utility. For detailed information about using Kaspersky Update Utility, refer to
the Kaspersky Knowledge Base.
Updating from a server repository
For Kaspersky Security Center, the default list of update sources contains the Kaspersky Security Center
Administration Server and Kaspersky update servers. For the Kaspersky Security Center Cloud Console, the
default list of update sources contains distribution points and Kaspersky update servers. For more details about
distribution points, refer to the Kaspersky Security Center Cloud Console Help. You can add other update
sources to the list. You can specify HTTP/FTP servers and shared folders as update sources. If an update cannot
be performed from an update source, Kaspersky Endpoint Security switches over to the next one.
Updates are downloaded from Kaspersky update servers or from other FTP or HTTP servers over standard
network protocols. If connection to a proxy server is required for accessing the update source, specify the proxy
server settings in Kaspersky Endpoint Security policy settings.
Configuring database and application module updates from a server repository consists of the following steps:
1. Configure download of an update package to the Administration Server repository (the Download updates to
the Administration Server repository task).
The Download updates to the Administration Server repository task is created automatically by the
Administration Server quick start wizard, and this task may only have one single instance. By default, Kaspersky
Security Center copies the update package to folder \\<server name>\KLSHARE\Updates. For more
information about downloading updates to the Administration Server repository, please refer to the Kaspersky
Security Center Help.
2. Configure database and application module updates from the specified server repository to the remaining
computers on the organization's LAN (Update task).
How to configure Kaspersky Endpoint Security update from the specified server storage in the Administration
Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
In the console tree, select Tasks.
4. In the Update settings for local mode block, click the Settings button.
5. In the list of update sources, make sure that the update from the Kaspersky Security Center source is
enabled. Additionally, the Kaspersky Security Center source must have the highest priority.
b. In the Update sources field, specify the address of the FTP or HTTP server, network folder or local
folder where Kaspersky Security Center will copy the update package received from Kaspersky
servers.
The address of the update source must match the address you specified in the Folder for
storing updates field when you configured download of updates to the server storage (the
Download updates to the Administration Server repository task).
c. Click OK.
You can exclude the update source without removing it from the list of update sources. To do so, clear
the check box next to the object.
Sources of update
7. Configure the priorities of update sources by using the Up and Down buttons.
If an update cannot be performed from the first update source, Kaspersky Endpoint Security
automatically switches over to the next source.
8. In the task properties window, select the Schedule section and configure the task run mode.
How to configure Kaspersky Endpoint Security update from the specified server storage in the Web Console
1. In the main window of the Web Console, select Devices → Tasks.
The list of tasks opens.
4. In the list of update sources, make sure that the update from the Kaspersky Security Center source is
enabled. Additionally, the Kaspersky Security Center source must have the highest priority.
b. In the Web address or path to a local or network folder field, specify the address of the FTP or
HTTP server, network folder or local folder where Kaspersky Security Center will copy the update
package received from Kaspersky servers.
The address of the update source must match the address you specified in the Folder for
storing updates field when you configured download of updates to the server storage (the
Download updates to the Administration Server repository task).
c. Click OK.
You can exclude the update source without removing it from the list of update sources. To do so, set
the toggle switch next to it to the off position.
Sources of update
6. Configure the priorities of update sources by using the Up and Down buttons.
If an update cannot be performed from the first update source, Kaspersky Endpoint Security
automatically switches over to the next source.
7. In the task properties window, select the Schedule section and configure the task run mode.
How to configure Kaspersky Endpoint Security update from the specified server storage in the application
interface
You cannot configure the Update group task in the application interface. Only a local update task,
Update of databases and application modules, is available to the user. If the Update of databases and
application modules task is not displayed, it means the administrator has prohibited the use of local
tasks in the policy.
2. This opens the task list; select the Update of databases and application modules task and click .
The task properties window opens.
4. In the list of update sources, make sure that the update from the Kaspersky Security Center source is
enabled. Additionally, the Kaspersky Security Center source must have the highest priority.
Sources of update
a. Specify the address of the FTP or HTTP server, network folder or local folder where Kaspersky
Security Center will copy the update package received from Kaspersky update servers.
The address of the update source must match the address you specified in the Folder for
storing updates field when you configured download of updates to the server storage (the
Download updates to the Administration Server repository task).
b. Click Select.
You can exclude the update source without removing it from the list of update sources. To do so, set
the toggle switch next to it to the off position.
6. Configure the priorities of update sources by using the Up and Down buttons.
If an update cannot be performed from the first update source, Kaspersky Endpoint Security
automatically switches over to the next source.
If a computer is managed by Kaspersky Security Center, it is not possible to configure the run
mode for the Update of databases and application modules task. You can only run the task
manually.
Updating from a server repository
The version and localization of the Kaspersky Endpoint Security application that copies the update package
to a shared folder must match the version and localization of the application that updates databases from the
shared folder. If versions or localizations of the applications do not match, the database update may end with
an error.
Configuring database and application module updates from a shared folder consists of the following steps:
1. Configuring database and application module updates from a server repository.
2. Enabling the copying of an update package to a shared folder on one of the computers on the local area
network.
How to enable copying of the update package to the shared folder in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
The Update task must be assigned for one computer that will serve as the source of updates.
5. In the Update settings for local mode block, click the Settings button.
8. In the Folder path field, enter the UNC path to the shared folder (for example, \\<server name>\KLSHARE\Updates).
If the field is left blank, Kaspersky Endpoint Security will copy the update package to the folder
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP12\Update distribution\.
How to enable copying of the update package to the shared folder in Web Console and Cloud Console
The Update task must be assigned for one computer that will serve as the source of updates.
3. The Update task is created automatically by the Administration Server quick start wizard. To create the
Update task, install the Kaspersky Endpoint Security for Windows Management Plug-in while running
the Wizard.
7. In the Path field, enter the UNC path to the shared folder (for example, \\<server name>\KLSHARE\Updates).
If the field is left blank, Kaspersky Endpoint Security will copy the update package to the folder
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP12\Update distribution\.
How to enable copying of the update package to the shared folder in the application interface
1. In the main application window, go to the Update section.
2. This opens the task list; select the Update of databases and application modules task and click .
The task properties window opens.
3. In the Distributing updates block, select the Copy updates to folder check box.
4. Enter the UNC path to the shared folder (for example, \\<server name>\KLSHARE\Updates).
Save your changes.
3. Configure database and application module updates from the specified shared folder to the remaining
computers on the organization's LAN.
How to configure updates from the shared folder in the Administration Console (MMC)
1. In the main window of the Web Console, select Devices → Tasks.
The list of tasks opens.
2. Click Add.
The Task Wizard starts.
a. In the Application drop-down list, select Kaspersky Endpoint Security for Windows (12.5).
Add a new update source: a shared folder. The source address must match the address that you previously
specified in the Folder path field when you configured copying of the update package to the shared folder.
Configure the priorities of update sources by using the Up and Down buttons.
Select the computers on which the task will be performed. The following options are available:
Assign the task to an administration group. In this case, the task is assigned to computers included in a
previously created administration group.
Select computers detected by the Administration Server in the network: unassigned devices. The
specific devices can include devices in administration groups as well as unassigned devices.
Specify device addresses manually, or import addresses from a list. You can specify NetBIOS names, IP
addresses, and IP subnets of devices to which you want to assign the task.
The Update task must be assigned to the computers of the organization's LAN, except the computer
that serves as the update source.
Step 4. Selecting the account to run the task
Select an account to run the Update task. By default, Kaspersky Endpoint Security starts the task with the
rights of a local user account.
Configure a schedule for starting a task, for example, manually or after anti-virus databases are
downloaded to the repository.
Enter the name of the task, for example, Updating from a shared folder.
Exit the Wizard. If necessary, select the Run the task after the wizard finishes check box. You can monitor
the progress of the task in the task properties. As a result, the update task will be executed on users’
computers according to the specified schedule.
How to configure updates from the shared folder in Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Tasks.
The list of tasks opens.
2. Click Add.
The Task Wizard starts.
a. In the Application drop-down list, select Kaspersky Endpoint Security for Windows (12.5).
c. In the Task name field, enter a brief description, for example, Updating from a shared folder.
d. In the Select devices to which the task will be assigned block, select the task scope.
The Update task must be assigned to the computers of the organization's LAN, except the
computer that serves as the update source.
4. Select devices according to the selected task scope option and go to the next step.
9. In the Web address or path to a local or network folder field, enter the path to the shared folder.
The source address must match the address that you previously specified in the Path field when
you configured copying of the update package to the shared folder (see the instructions above).
11. Configure the priorities of update sources by using the Up and Down buttons.
How to configure updates from the shared folder in the application interface
1. In the main application window, go to the Update section.
2. This opens the task list; select the Update of databases and application modules task and click .
The task properties window opens.
5. In the window that opens, enter the path to the shared folder.
The source address must match the address that you previously specified when you configured
copying of the update package to the shared folder (see the instructions above).
6. Click Select.
7. Configure the priorities of update sources by using the Up and Down buttons.
If an update cannot be performed from the first update source, Kaspersky Endpoint Security
automatically switches over to the next source.
Updating from a shared folder
The version and localization of the Kaspersky Endpoint Security application that copies the update package
to a shared folder must match the version and localization of the application that updates databases from the
shared folder. If versions or localizations of the applications do not match, the database update may end with
an error.
Configuring database and application module updates from a shared folder consists of the following steps:
1. Configuring database and application module updates from a server repository.
2. Install the Kaspersky Update Utility on one of the computers of the organization's LAN.
3. Configure copying of the update package to the shared folder in the Kaspersky Update Utility settings.
You can download the Kaspersky Update Utility distribution package from the Kaspersky Technical Support
website. After installing the utility, select the update source (for example, the Administration Server
repository) and the shared folder to which the Kaspersky Update Utility will copy update packages. For detailed
information about using Kaspersky Update Utility, refer to the Kaspersky Knowledge Base.
4. Configure database and application module updates from the specified shared folder to the remaining
computers on the organization's LAN.
How to configure updates from the shared folder in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
5. In the Update settings for local mode block, click the Settings button.
7. In the Source field, enter the UNC path to the shared folder (for example, \\<server name>\KLSHARE\Updates).
The source address must match the address indicated in the Kaspersky Update Utility settings.
8. Click OK.
9. Configure the priorities of update sources by using the Up and Down buttons.
If an update cannot be performed from the first update source, Kaspersky Endpoint Security
automatically switches over to the next source.
How to configure updates from the shared folder in Web Console and Cloud Console
5. In the Web address or path to a local or network folder field, enter the UNC path to the shared folder
(for example, \\<server name>\KLSHARE\Updates).
The source address must match the address indicated in the Kaspersky Update Utility settings.
6. Click OK.
7. Configure the priorities of update sources by using the Up and Down buttons.
If an update cannot be performed from the first update source, Kaspersky Endpoint Security
automatically switches over to the next source.
How to configure updates from the shared folder in the application interface
You cannot configure the Update group task in the application interface. Only a local update task,
Update of databases and application modules, is available to the user. If the Update of databases and
application modules task is not displayed, it means the administrator has prohibited the use of local
tasks in the policy.
2. This opens the task list; select the Update of databases and application modules task and click .
The task properties window opens.
Sources of update
5. Enter the UNC path to the shared folder (for example, \\<server name>\KLSHARE\Updates).
The source address must match the address indicated in the Kaspersky Update Utility settings.
6. Click Select.
7. Configure the priorities of update sources by using the Up and Down buttons.
If an update cannot be performed from the first update source, Kaspersky Endpoint Security
automatically switches over to the next source.
Updating in mobile mode
Mobile mode is the mode of Kaspersky Endpoint Security operation, when a computer leaves the organization
network perimeter (offline computer). For more details about working with offline computers and out-of-office
users, refer to the Kaspersky Security Center Help.
An offline computer outside of the organization's network cannot connect to the Administration Server to update
databases and application modules. By default, only Kaspersky update servers are used as update source for
updating databases and application modules in mobile mode. The use of a proxy server to connect to the Internet
is determined by a special out-of-office policy. The out-of-office policy must be created separately. When
Kaspersky Endpoint Security is switched to mobile mode, the update task is started every two hours.
How to configure the update settings for mobile mode in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
5. In the Update settings for mobile mode block, click the Settings button.
6. Configure the sources of updates. The sources of updates can be Kaspersky update servers, other FTP
and HTTP servers, local folders, or network folders.
How to configure the update settings for mobile mode in Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Tasks.
The list of tasks opens.
4. Configure the sources of updates. The sources of updates can be Kaspersky update servers, other FTP
and HTTP servers, local folders, or network folders.
As a result, the databases and application modules will be updated on user computers when they switch to mobile
mode.
2. In the Update of databases and application modules tile, click the Update button if you want to start the
update task.
Kaspersky Endpoint Security will start updating the application modules and databases. The application will
display the task progress, the size of the downloaded files, and the update source. You can stop the task at any
time by clicking the Stop update button.
To start or stop the update task when the simplified application interface is displayed:
1. Right-click to bring up the context menu of the application icon that is in the taskbar notification area.
2. In the Tasks drop-down list in the context menu, do one of the following:
2. This opens the task list; select the Update of databases and application modules task and click .
The task properties window opens.
5. Enter the account credentials of a user with the necessary permissions to access the update source.
2. This opens the task list; select the Update of databases and application modules task and click .
The task properties window opens.
4. In the window that opens, select the update task run mode:
If you want Kaspersky Endpoint Security to run the update task depending on whether or not an update
package is available from the update source, select Automatically. The frequency of checks by Kaspersky
Endpoint Security for update packages increases during virus outbreaks and is less at other times.
If you want to configure a schedule for running the update task, select other options. Configure the
advanced settings for starting the update task:
In the Postpone running after application startup for N minutes field, enter the time interval by which
you want to postpone the start of the update task after the startup of Kaspersky Endpoint Security.
Select the Run scheduled scan on the next day if computer is turned off if you want Kaspersky
Endpoint Security to run missed update tasks at the first opportunity. When the application gets an
opportunity to execute missed tasks, it runs the tasks randomly within a certain time interval to distribute
the load on the computer.
Update sources include the Kaspersky Security Center server, Kaspersky update servers, and network or local
folders.
The default list of update sources includes Kaspersky Security Center and Kaspersky update servers. You can add
other update sources to the list. You can specify HTTP/FTP servers and shared folders as update sources.
Kaspersky Endpoint Security does not support updates from HTTPS servers unless they are Kaspersky's
update servers.
If several resources are selected as update sources, Kaspersky Endpoint Security tries to connect to them one
after another, starting from the top of the list, and performs the update task by retrieving the update package
from the first available source.
By default, Kaspersky Endpoint Security uses the Kaspersky Security Center server as the first update source.
This helps conserve traffic when updating. If a policy is not applied to the computer, Kaspersky servers are
selected as the first update source in the settings of the Update local task because the application may not have
access to the Kaspersky Security Center server.
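The priority-ordered source list with its top-to-bottom fallback described here, the HTTPS restriction, and the rule from the shared-folder procedures above that the consuming computers' source address must match the folder the update package is copied to, modeled as an added Python example. This is not Kaspersky's code and does not talk to Kaspersky Endpoint Security; it checks a planned source list offline, and the mirror and file server host names in it are constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional
from urllib.parse import urlparse

# The two built-in entries of the update source list, named as in the help text.
KSC_SOURCE = "Kaspersky Security Center"
KASPERSKY_SOURCE = "Kaspersky update servers"

# \\server\share[\folder...]: the UNC form the help text shows for network folders.
_UNC_RE = re.compile(r'^\\\\[^\\/:*?"<>|]+\\[^\\/:*?"<>|]+(?:\\[^\\/:*?"<>|]*)*$')
# C:\folder...: a local folder.
_LOCAL_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class UpdateSource:
    address: str          # built-in name, HTTP/FTP URL, UNC path or local folder
    enabled: bool = True  # cleared check box / toggle off: kept in the list but skipped


def classify(address: str) -> str:
    """Sort an address into the source kinds the help text distinguishes."""
    if address == KSC_SOURCE:
        return "ksc"
    if address == KASPERSKY_SOURCE:
        return "kaspersky"
    if _UNC_RE.match(address):
        return "unc"
    if _LOCAL_RE.match(address):
        return "local"
    scheme = urlparse(address).scheme.lower()
    if scheme in ("http", "ftp", "https"):
        return scheme
    return "unknown"


def validate(sources: List[UpdateSource]) -> List[str]:
    """Problems a reviewer would flag before the list is saved into the Update task."""
    problems = []
    for i, src in enumerate(sources, start=1):
        kind = classify(src.address)
        if kind == "https":
            problems.append(f"source {i} ({src.address}): HTTPS is only supported "
                            "for Kaspersky's own update servers")
        elif kind == "unknown":
            problems.append(f"source {i} ({src.address}): not an HTTP/FTP URL, "
                            "UNC path or local folder")
    enabled = [s for s in sources if s.enabled]
    if not enabled:
        problems.append("every update source is excluded; the task cannot update")
    elif any(s.address == KSC_SOURCE for s in enabled) and enabled[0].address != KSC_SOURCE:
        # The server-repository procedures expect Kaspersky Security Center on top.
        problems.append("Kaspersky Security Center is enabled but does not have the "
                        "highest priority")
    return problems


def _normalize_path(path: str) -> str:
    # Windows paths compare case-insensitively; a trailing backslash is not significant.
    return path.rstrip("\\").lower()


def shared_folder_matches(copy_to_path: str, consumer_source: str) -> bool:
    """The folder the distributing computer copies into must be the folder the
    remaining computers read from (the 'address must match' rule in the help text)."""
    return _normalize_path(copy_to_path) == _normalize_path(consumer_source)


def select_source(sources: List[UpdateSource],
                  reachable: Callable[[str], bool]) -> Optional[str]:
    """Walk the list top to bottom and return the first enabled, usable source that
    answers, which is the fallback behaviour the help text describes."""
    for src in sources:
        if not src.enabled or classify(src.address) in ("https", "unknown"):
            continue
        if reachable(src.address):
            return src.address
    return None


if __name__ == "__main__":
    # Constructed sample list; the host names are made up for this example.
    planned = [
        UpdateSource(KSC_SOURCE),
        UpdateSource("https://mirror.example.internal/updates"),
        UpdateSource("\\\\fileserver\\KLSHARE\\Updates"),
        UpdateSource(KASPERSKY_SOURCE),
    ]
    for problem in validate(planned):
        print("WARNING:", problem)
    # Simulate an endpoint that cannot reach the Administration Server.
    print("would update from:", select_source(planned, lambda a: a != KSC_SOURCE))
```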
1. Open the Kaspersky Security Center Administration Console.
In the console tree, select Tasks.
3. The Update task is created automatically by the Administration Server quick start wizard. To create the
Update task, install the Kaspersky Endpoint Security for Windows Management Plug-in while running the
Wizard.
5. In the Update settings for local mode block, click the Settings button.
Sources of update
7. In the Update sources field, specify the address of the FTP or HTTP server, network folder or local folder
that contains the update package.
The following path format is used for update source:
You can exclude the update source without removing it from the list of update sources. To do so, clear the
check box next to the object.
8. Click OK.
9. Configure the priorities of update sources by using the Up and Down buttons.
If an update cannot be performed from the first update source, Kaspersky Endpoint Security automatically
switches over to the next source.
10. If necessary, add an update source for mobile mode. Mobile mode is the mode of Kaspersky Endpoint
Security operation, when a computer leaves the organization network perimeter (offline computer).
1. In the main window of the Web Console, select Devices → Tasks.
The list of tasks opens.
3. The Update task is created automatically by the Administration Server quick start wizard. To create the
Update task, install the Kaspersky Endpoint Security for Windows Management Plug-in while running the
Wizard.
Sources of update
6. In the window that opens, specify the address of the FTP or HTTP server, network folder or local folder
that contains the update package.
The following path format is used for update source:
For a network folder, enter the UNC path.
For example, \\Server\Share\Update distribution.
You can exclude the update source without removing it from the list of update sources. To do so, set the
toggle switch next to it to the off position.
7. Click OK.
8. Configure the priorities of update sources by using the Up and Down buttons.
If an update cannot be performed from the first update source, Kaspersky Endpoint Security automatically
switches over to the next source.
9. If necessary, add an update source for mobile mode. Mobile mode is the mode of Kaspersky Endpoint
Security operation, when a computer leaves the organization network perimeter (offline computer).
1. In the main application window, go to the Update section.
2. This opens the task list; select the Update of databases and application modules task and click .
The task properties window opens.
Sources of update
5. In the window that opens, specify the address of the FTP or HTTP server, network folder or local folder
that contains the update package.
The following path format is used for update source:
6. Click Select.
7. Configure the priorities of update sources by using the Up and Down buttons.
After installing an application update, you may be required to restart your computer.
2. This opens the task list; select the Update of databases and application modules task and click .
The task properties window opens.
3. In the Downloading and installing updates of application modules block, select the Download updates of
application modules check box.
Install critical and approved updates. If this option is selected, when application module updates are
available Kaspersky Endpoint Security installs critical updates automatically and all other application module
updates only after their installation is approved locally via the application interface or on the side of
Kaspersky Security Center.
Install only approved updates. If this option is selected, when application module updates are available
Kaspersky Endpoint Security installs them only after their installation is approved locally via the application
interface or on the side of Kaspersky Security Center. This option is selected by default.
4. Configure the proxy server connection settings: proxy server address, port, and authentication settings (user
name and password).
1. In the main window of the Web Console, select Devices → Policies & profiles.
Kaspersky Endpoint Security for Windows network settings.
5. In the Proxy server settings block, select Bypass proxy server for local addresses.
Application network settings
3. In the Proxy server block, click the Proxy server settings link.
4. In the window that opens, select one of the following options for determining the proxy server address:
5. If you want to enable authentication on the proxy server, select the Use proxy server authentication check
box and provide your user account credentials.
6. If you want to disable proxy server use when updating databases and application modules from a shared folder,
select the Bypass proxy server for local addresses check box.
As a result, Kaspersky Endpoint Security will use the proxy server to download application module and database
updates. Kaspersky Endpoint Security will also use the proxy server to access KSN servers and Kaspersky
activation servers. If authentication is required on the proxy server but the user account credentials were not
provided or are incorrect, Kaspersky Endpoint Security will prompt you for the user name and password.
Each time that a user starts the update process, Kaspersky Endpoint Security creates a backup copy of the
current databases and application modules. This lets you roll back the databases and application modules to their
previous versions when necessary. Rolling back the last update is useful, for example, when the new database
version contains an invalid signature that causes Kaspersky Endpoint Security to block a safe application.
Local update tasks
2. In the Rollback of databases to their previous version tile, click the Roll back button.
Kaspersky Endpoint Security will start rolling back the last database update. The application will display the
rollback progress, the size of the downloaded files, and the update source. You can stop the task at any time by
clicking the Stop update button.
To start or stop a rollback task when the simplified application interface is displayed:
1. Right-click to bring up the context menu of the application icon that is in the taskbar notification area.
2. In the Tasks drop-down list in the context menu, do one of the following:
Working with active threats
Kaspersky Endpoint Security logs information about files that it has not processed for some reason. This
information is recorded in the form of events in the list of active threats (see the figure below). To work with active
threats, Kaspersky Endpoint Security uses the Advanced Disinfection technology. Advanced Disinfection works
differently for workstations and servers. You can configure advanced disinfection in Malware Scan task settings
and in application settings.
Advanced Disinfection during a virus scan task on a computer is performed only if the Advanced Disinfection
feature is enabled in the properties of the policy applied to this computer.
Notification about active threat
If Kaspersky Endpoint Security is installed on a computer running Windows for Servers, Kaspersky Endpoint
Security does not show the notification. Therefore, the user cannot select an action to disinfect an active
threat. To disinfect a threat, you need to enable Advanced Disinfection technology in application settings and
enable immediate Advanced Disinfection in Malware Scan task settings. Then you need to start a Malware
Scan task.
Advanced Disinfection works differently for workstations and servers. To use the technology on servers, you
must enable immediate advanced disinfection in the properties of the Malware Scan task. This prerequisite is
not necessary to use the technology on workstations.
How to enable or disable the Advanced Disinfection technology in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
5. In the General block, select or clear the Enable Advanced Disinfection technology check box to enable or
disable Advanced Disinfection technology.
How to enable or disable the Advanced Disinfection technology in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the General block, select or clear the Enable Advanced Disinfection technology check box to enable or
disable Advanced Disinfection technology.
How to enable or disable the Advanced Disinfection technology in the application interface
1. In the main application window, click the button.
3. In the General block, select or clear the Use Advanced Disinfection technology (requires considerable
computer resources) check box to enable or disable Advanced Disinfection technology.
As a result, the user cannot use most operating system features while Advanced Disinfection is in progress. When
the disinfection is complete, the computer will be rebooted.
Kaspersky Endpoint Security moves the file to the list of active threats if, for any reason, Kaspersky Endpoint
Security failed to perform an action on this file according to the specified application settings while scanning the
computer for viruses and other threats.
The scanned file is unavailable (for example, it is located on a network drive or on a removable drive without
write privileges).
In the Malware Scan task settings, the action on threat detection is set to Inform. Then, when the infected file
notification was displayed on the screen, the user selected Ignore.
If there are any unprocessed threats, Kaspersky Endpoint Security changes the icon to . In the main application
window, the threat notification is displayed (see the figure below). In the Kaspersky Security Center console, the
status of the computer is changed to Critical – .
Disinfect. If this option is selected, the application automatically attempts to disinfect all infected files
that are detected. If disinfection fails, the application deletes the files.
Delete.
1. In the main window of the Web Console, select Operations → Repositories → Active threats.
The list of active threats opens.
Disinfect. If this option is selected, the application automatically attempts to disinfect all infected files
that are detected. If disinfection fails, the application deletes the files.
Delete.
1. In the main application window, in the Monitoring section, click the Protection is at risk tile.
The list of active threats opens.
Resolve. If this option is selected, the application automatically attempts to disinfect all infected files
that are detected. If disinfection fails, the application deletes the files.
Add to exclusions. If this action is selected, Kaspersky Endpoint Security suggests adding the file to
the list of scan exclusions. Settings of the exclusion are configured automatically. If adding an exclusion
is not available, it means that the administrator has disabled adding exclusions in policy settings.
Ignore. If this option is selected, Kaspersky Endpoint Security deletes the entry from the list of active
threats. If there are no active threats remaining on the list, the computer status will be changed to OK. If
the object is detected again, Kaspersky Endpoint Security will add a new entry to the list of active
threats.
Open containing folder. If this option is selected, Kaspersky Endpoint Security opens the folder
containing the object in the file manager. You can then manually delete the object or move the object to
a folder that is not within the protection scope.
Learn more. If this option is selected, Kaspersky Endpoint Security opens the Kaspersky Virus
Encyclopedia website.
Computer protection
The component scans the files accessed by the user or application. If a malicious file is detected, Kaspersky
Endpoint Security blocks the file operation. The application then disinfects or deletes the malicious file, depending
on the settings of the File Threat Protection component.
When attempting to access a file whose contents are stored in the OneDrive cloud, Kaspersky Endpoint
Security downloads and scans the file contents.
How to enable or disable the File Threat Protection component in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Essential Threat Protection → File Threat Protection.
5. Use the File Threat Protection check box to enable or disable the component.
6. If you enabled the component, do one of the following in the Security level block:
If you want to apply one of the preset security levels, select it with the slider:
High. When this file security level is selected, the File Threat Protection component takes the
strictest control of all files that are opened, saved, and started. The File Threat Protection
component scans all file types on all hard drives, removable drives, and network drives of the
computer. It also scans archives, installation packages, and embedded OLE objects.
Recommended. This file security level is recommended by Kaspersky Lab experts. The File Threat
Protection component scans only the specified file formats on all hard drives, removable drives, and
network drives of the computer, and embedded OLE objects. The File Threat Protection component
does not scan archives or installation packages.
Low. The settings of this file security level ensure maximum scanning speed. The File Threat
Protection component scans only files with specified extensions on all hard drives, removable drives,
and network drives of the computer. The File Threat Protection component does not scan
compound files.
If you want to configure a custom security level, click the Settings button and define your own
component settings.
You can restore the values of preset security levels by clicking the By default button.
7. In the Action on threat detection block, select the action that Kaspersky Endpoint Security performs on
malicious objects:
Disinfect, delete if disinfection fails. If this option is selected, the application automatically attempts
to disinfect all infected files that are detected. If disinfection fails, the application deletes the files.
Disinfect, block if disinfection fails. If this option is selected, Kaspersky Endpoint Security
automatically attempts to disinfect all infected files that are detected. If disinfection is not possible,
Kaspersky Endpoint Security adds the information about the infected files that are detected to the list
of active threats.
Block. If this option is selected, the File Threat Protection component automatically blocks all infected
files without attempting to disinfect them.
Inform. If this option is selected, Kaspersky Endpoint Security adds the information about infected files
to the list of active threats on detection of these files.
Before attempting to disinfect or delete an infected file, the application creates a backup copy of the
file in case you need to restore the file or if it can be disinfected in the future.
1. In the main window of the Web Console, select Devices → Policies & pro les.
5. Use the File Threat Protection toggle to enable or disable the component.
b. This opens a window; in that window, select the objects that you want to add to the protection scope.
Use masks:
The * (asterisk) character, which takes the place of any set of characters, except the \ and /
characters (delimiters of the names of files and folders in paths to files and folders). For example,
the mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the
C: drive, but not in subfolders.
Two consecutive * characters take the place of any set of characters (including an empty set) in
the file or folder name, including the \ and / characters (delimiters of the names of files and folders
in paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to
files with the TXT extension located in folders nested within the Folder, except the Folder itself.
The mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
The ? (question mark) character, which takes the place of any single character, except the \ and /
characters (delimiters of the names of files and folders in paths to files and folders). For example,
the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder
that have the TXT extension and a name consisting of three characters.
You can use masks anywhere in a file or folder path. For example, if you want the scan scope to include
the Downloads folder for all user accounts on the computer, enter the C:\Users\*\Downloads\
mask.
You can exclude an object from protection without removing it from the list of objects in the protection
scope. To do so, set the toggle switch next to it to the off position.
7. In the Action on threat detection block, select the action that Kaspersky Endpoint Security performs on
malicious objects:
Disinfect, delete if disinfection fails. If this option is selected, the application automatically attempts
to disinfect all infected files that are detected. If disinfection fails, the application deletes the files.
Disinfect, block if disinfection fails. If this option is selected, Kaspersky Endpoint Security
automatically attempts to disinfect all infected files that are detected. If disinfection is not possible,
Kaspersky Endpoint Security adds the information about the infected files that are detected to the list
of active threats.
Block. If this option is selected, the File Threat Protection component automatically blocks all infected
files without attempting to disinfect them.
Inform. If this option is selected, Kaspersky Endpoint Security adds the information about infected files
to the list of active threats on detection of these files.
Before attempting to disinfect or delete an infected file, the application creates a backup copy of the
file in case you need to restore the file or if it can be disinfected in the future.
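The mask rules given in the protection-scope step above (* within one path component, ** across components, ? for a single character, and the requirement that ** sit below at least one folder) are easy to misread when building a scope, so here is an added Python example, not Kaspersky code, that translates a mask into an anchored regular expression and checks it against concrete paths. Its reading of the rules is its own. Two points it assumes rather than takes from the text are that matching is case-insensitive, as Windows paths are, and that a mask ending in a delimiter, such as C:\Users\*\Downloads\, covers everything beneath that folder.

```python
import re

# Regex fragments for the mask wildcards. KES treats \ and / alike as delimiters.
_NOT_SEP = r"[^\\/]"          # one character that is not a path delimiter
_SEP = r"[\\/]"               # one path delimiter
_DRIVE = re.compile(r"^[A-Za-z]:$")


def is_valid_mask(mask: str) -> bool:
    """The one validity rule the text states: ** must sit below at least one
    folder, so C:\\Folder\\**\\*.txt is valid and C:\\**\\*.txt is not."""
    if "**" not in mask:
        return True
    before = mask.split("**", 1)[0].rstrip("\\/")
    parts = [p for p in re.split(_SEP, before) if p]
    if parts and _DRIVE.match(parts[0]):
        parts = parts[1:]                       # the drive letter is not a nesting level
    return len(parts) >= 1


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """Translate a KES-style path mask into an anchored regular expression."""
    if not is_valid_mask(mask):
        raise ValueError(f"invalid mask, ** needs at least one nesting level: {mask}")
    out = []
    i = 0
    while i < len(mask):
        if mask.startswith("**", i):
            out.append(".*")                    # any characters, delimiters included, may be empty
            i += 2
        elif mask[i] == "*":
            out.append(_NOT_SEP + "*")          # any characters inside one path component
            i += 1
        elif mask[i] == "?":
            out.append(_NOT_SEP)                # exactly one non-delimiter character
            i += 1
        elif mask[i] in "\\/":
            out.append(_SEP)
            i += 1
        else:
            out.append(re.escape(mask[i]))      # literal character
            i += 1
    # Assumption of this example: a mask ending in a delimiter names a folder
    # and covers everything beneath it (the C:\Users\*\Downloads\ case).
    if mask.endswith(("\\", "/")):
        out.append(".*")
    # Assumption of this example: Windows paths are compared case-insensitively.
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def matches(mask: str, path: str) -> bool:
    """True if the path falls under the mask."""
    return mask_to_regex(mask).match(path) is not None


if __name__ == "__main__":
    # Constructed sample paths checked against the masks from the text.
    checks = [
        ("C:\\*\\*.txt", "C:\\Docs\\notes.txt"),            # True: one folder deep
        ("C:\\*\\*.txt", "C:\\Docs\\Sub\\notes.txt"),       # False: * does not cross a delimiter
        ("C:\\Folder\\**\\*.txt", "C:\\Folder\\a\\b.txt"),  # True: nested under Folder
        ("C:\\Folder\\**\\*.txt", "C:\\Folder\\b.txt"),     # False: Folder itself is excluded
        ("C:\\Folder\\???.txt", "C:\\Folder\\abc.txt"),     # True: three-character name
        ("C:\\Users\\*\\Downloads\\", "C:\\Users\\alice\\Downloads\\setup.exe"),  # True
    ]
    for mask, path in checks:
        print(f"{mask:28} {path:44} {matches(mask, path)}")
    print("C:\\**\\*.txt valid?", is_valid_mask("C:\\**\\*.txt"))   # False
```

The translator is strict about the two cases the text calls out: C:\*\*.txt does not reach C:\notes.txt (a delimiter must follow the first *), and C:\Folder\**\*.txt does not reach a file directly in Folder, because the delimiter written after ** still has to be present in the path.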
How to enable or disable the File Threat Protection component in the application interface
1. In the main application window, click the button.
2. In the application settings window, select Essential Threat Protection → File Threat Protection.
3. Use the File Threat Protection toggle to enable or disable the component.
4. If you enabled the component, do one of the following in the Security level block:
If you want to apply one of the preset security levels, select it with the slider:
High. When this file security level is selected, the File Threat Protection component takes the
strictest control of all files that are opened, saved, and started. The File Threat Protection
component scans all file types on all hard drives, removable drives, and network drives of the
computer. It also scans archives, installation packages, and embedded OLE objects.
Recommended. This file security level is recommended by Kaspersky Lab experts. The File Threat
Protection component scans only the specified file formats on all hard drives, removable drives, and
network drives of the computer, and embedded OLE objects. The File Threat Protection component
does not scan archives or installation packages.
Low. The settings of this file security level ensure maximum scanning speed. The File Threat
Protection component scans only files with specified extensions on all hard drives, removable drives,
and network drives of the computer. The File Threat Protection component does not scan
compound files.
If you want to configure a custom security level, click the Advanced Settings button and define your
own component settings.
You can restore the values of preset security levels by clicking the Restore recommended security
level button.
5. In the Action on threat detection block, select the action that Kaspersky Endpoint Security performs on
malicious objects:
Disinfect, delete if disinfection fails. If this option is selected, the application automatically attempts
to disinfect all infected files that are detected. If disinfection fails, the application deletes the files.
Disinfect, block if disinfection fails. If this option is selected, Kaspersky Endpoint Security
automatically attempts to disinfect all infected files that are detected. If disinfection is not possible,
Kaspersky Endpoint Security adds the information about the infected files that are detected to the list
of active threats.
Block. If this option is selected, the File Threat Protection component automatically blocks all infected
files without attempting to disinfect them.
Inform. If this option is selected, Kaspersky Endpoint Security adds the information about infected files
to the list of active threats on detection of these files.
Before attempting to disinfect or delete an infected file, the application creates a backup copy of the
file in case you need to restore the file or if it can be disinfected in the future.
File Threat Protection settings recommended by Kaspersky experts (recommended security level)
Parameter: File types
Value: Files scanned by format
Description: If this setting is enabled, the application scans infectable files only. Before scanning a file for malicious code, the internal header of the file is analyzed to determine the format of the file (for example, .txt, .doc, or .exe). The scan also looks for files with particular file extensions.

Parameter: Heuristic Analysis
Value: Light scan
Description: The technology was developed for detecting threats that cannot be detected by using the current version of Kaspersky application databases. It detects files that may be infected with an unknown virus or a new variety of a known virus. When scanning files for malicious code, the heuristic analyzer executes instructions in the executable files. The number of instructions that are executed by the heuristic analyzer depends on the level that is specified for the heuristic analyzer. The heuristic analysis level ensures a balance between the thoroughness of searching for new threats, the load on the resources of the operating system, and the duration of heuristic analysis.

Parameter: Scan only new and modified files
Value: On
Description: Scans only new files and those files that have been modified since the last time they were scanned. This helps reduce the duration of a scan. This mode applies both to simple and to compound files.

Parameter: Use iSwift technology
Value: On
Description: This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scans by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date when the file was last scanned, and any modifications to the scan settings. The iSwift technology is an advancement of the iChecker technology for the NTFS file system.

Parameter: Use iChecker technology
Value: On
Description: This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scans by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date when the file was last scanned, and any modifications to the scan settings. There are limitations to iChecker Technology: it does not work with large files and applies only to files with a structure that the application recognizes (for example, EXE, DLL, LNK, TTF, INF, SYS, COM, CHM, ZIP, and RAR).

Parameter: Scan files in Microsoft Office formats
Value: On
Description: Scans Microsoft Office files (DOC, DOCX, XLS, PPT and other Microsoft extensions). Office format files include OLE objects as well. Kaspersky Endpoint Security scans office format files that are smaller than 1 MB, regardless of whether the check box is selected or not.

Parameter: Scan mode
Value: Smart mode
Description: In this mode, File Threat Protection scans an object based on an analysis of actions taken on the object. For example, when working with a Microsoft Office document, Kaspersky Endpoint Security scans the file when it is first opened and last closed. Intermediate operations that overwrite the file do not cause it to be scanned.

Parameter: Action on threat detection
Value: Disinfect, delete if disinfection fails
Description: If this option is selected, the application automatically attempts to disinfect all infected files that are detected. If disinfection fails, the application deletes the files.
You can configure File Threat Protection to automatically pause at a specified time or when working with specific
applications.
File Threat Protection should be paused only as a last resort when it conflicts with some applications. If any
conflicts arise while a component is running, you are advised to contact Kaspersky Technical Support. The
support experts will help you set up the File Threat Protection component to run simultaneously with other
applications on your computer.
2. In the application settings window, select Essential Threat Protection → File Threat Protection.
4. In the Pause File Threat Protection block, click the Pause File Threat Protection link.
5. In the window that opens, configure the settings for pausing File Threat Protection:
b. Create a list of applications whose operation should cause File Threat Protection to pause its activities.
Changing the action taken on infected files by the File Threat Protection
component
By default, the File Threat Protection component automatically tries to disinfect all infected files that are
detected. If disinfection fails, the File Threat Protection component deletes these files.
To change the action taken on infected files by the File Threat Protection component:
2. In the application settings window, select Essential Threat Protection → File Threat Protection.
Disinfect, delete if disinfection fails. If this option is selected, the application automatically attempts to
disinfect all infected files that are detected. If disinfection fails, the application deletes the files.
Disinfect, block if disinfection fails. If this option is selected, Kaspersky Endpoint Security automatically
attempts to disinfect all infected files that are detected. If disinfection is not possible, Kaspersky Endpoint
Security adds the information about the infected files that are detected to the list of active threats.
Block. If this option is selected, the File Threat Protection component automatically blocks all infected files
without attempting to disinfect them.
Before attempting to disinfect or delete an infected file, the application creates a backup copy of the file
in case you need to restore the file or if it can be disinfected in the future.
1. There is a low probability of introducing malicious code into files of certain formats and its subsequent
activation (for example, TXT format). At the same time, there are file formats that contain executable code
(such as .exe, .dll). The executable code may also be contained in files of formats that are not intended for this
purpose (for example, the DOC format). The risk of intrusion and activation of malicious code in such files is
high.
2. An intruder may send a virus or another malicious application to your computer in an executable file that has
been renamed with the .txt extension. If you select scanning of files by extension, the application skips this file
during scanning. If scanning of files by format is selected, Kaspersky Endpoint Security analyzes the file header
regardless of its extension. If this analysis reveals that the file has the format of an executable file (for example,
EXE), the application scans it.
2. In the application settings window, select Essential Threat Protection → File Threat Protection.
4. In the File types block, specify the type of files that you want the File Threat Protection component to scan:
All files. If this setting is enabled, Kaspersky Endpoint Security checks all files without exception (all formats
and extensions).
Files scanned by format. If this setting is enabled, the application scans infectable files only. Before
scanning a file for malicious code, the internal header of the file is analyzed to determine the format of the
file (for example, .txt, .doc, or .exe). The scan also looks for files with particular file extensions.
Files scanned by extension. If this setting is enabled, the application scans infectable files only. The file
format is then determined based on the file's extension.
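To make the difference between the three File types settings concrete, here is an added Python example; it is not Kaspersky code, and its signature table and the set of formats it treats as infectable are illustrative choices rather than the application's own lists. It classifies a file by extension and, separately, by header, then decides whether the file would be scanned under each setting. The constructed sample set includes the case described above: a PE executable renamed to .txt, which the extension-based setting skips and the format-based setting scans. The PE check follows the DOS header's e_lfanew pointer rather than trusting the two "MZ" bytes alone, so a text file that merely starts with "MZ" is not misclassified.

```python
# Header signatures used by this example. They are well-known magic numbers,
# not Kaspersky's detection list, and deliberately short.
_SIGNATURES = [
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "OLE"),   # legacy Office (.doc/.xls/.ppt) and other OLE2 files
    (b"PK\x03\x04", "ZIP"),                        # ZIP, including OOXML (.docx/.xlsx) and JAR
    (b"Rar!\x1A\x07", "RAR"),
    (b"%PDF-", "PDF"),
]

# Extension table for the by-extension setting (illustrative, not the product's list).
_EXT_TO_FORMAT = {
    "exe": "EXE", "dll": "EXE", "sys": "EXE", "scr": "EXE", "com": "EXE",
    "doc": "OLE", "xls": "OLE", "ppt": "OLE",
    "docx": "ZIP", "xlsx": "ZIP", "zip": "ZIP", "jar": "ZIP",
    "rar": "RAR", "pdf": "PDF", "txt": "TEXT",
}

# Formats this example treats as able to carry malicious code. Plain text is the
# text's own example of a low-risk format; anything unrecognised is scanned anyway.
_INFECTABLE = {"EXE", "OLE", "ZIP", "RAR", "PDF", "UNKNOWN"}
_TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def _is_pe(data: bytes) -> bool:
    """PE check: 'MZ' DOS header whose e_lfanew field (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def format_from_header(data: bytes) -> str:
    """Classify by content, the way the 'Files scanned by format' setting does."""
    if _is_pe(data):
        return "EXE"
    for magic, fmt in _SIGNATURES:
        if data.startswith(magic):
            return fmt
    if data and all(b in _TEXT_BYTES for b in data[:512]):
        return "TEXT"
    return "UNKNOWN"


def format_from_extension(name: str) -> str:
    """Classify by name only, the way the 'Files scanned by extension' setting does."""
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    return _EXT_TO_FORMAT.get(ext, "UNKNOWN")


def should_scan(name: str, data: bytes, mode: str) -> bool:
    """Decide whether a file is scanned under the 'all', 'format' or 'extension' setting."""
    if mode == "all":
        return True
    if mode == "format":
        return format_from_header(data) in _INFECTABLE
    if mode == "extension":
        return format_from_extension(name) in _INFECTABLE
    raise ValueError(f"unknown file-types mode: {mode}")


def _minimal_pe_header() -> bytes:
    """Constructed sample: a DOS header whose e_lfanew points at a PE signature.
    Enough for the format check; it is not a loadable binary."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)             # 0x40-byte DOS header
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")      # e_lfanew -> right after the header
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


# Constructed sample files (name, content) covering the cases the text describes.
SAMPLES = {
    "notes.txt": b"Quarterly figures are attached.\r\n",
    "invoice.txt": _minimal_pe_header(),                     # executable renamed to .txt
    "report.doc": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\0" * 24,
    "mz-notes.txt": b"MZ is the DOS header magic.\n",        # text that merely starts with MZ
}


def decisions(mode: str) -> dict:
    """Scan decision for every sample under one File types setting."""
    return {name: should_scan(name, data, mode) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for mode in ("all", "extension", "format"):
        print(mode, decisions(mode))
```

Under the extension setting invoice.txt is never opened, because its name says TEXT; under the format setting the header says EXE and the file is scanned. Which setting to choose is a trade-off the text already states: by-format costs a header read per file, by-extension is faster but trusts the name an attacker controls.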
6. In the window that opens, select the objects that you want to add to the protection scope or exclude from it.
You cannot remove or edit objects that are included in the default protection scope.
a. Click Add.
The folder tree opens.
You can exclude an object from scans without deleting it from the list of objects in the scan scope. To do so,
clear the check box next to the object.
To increase the effectiveness of protection, you can use heuristic analysis. When scanning files for malicious code,
the heuristic analyzer executes instructions in the executable files. The number of instructions that are executed
by the heuristic analyzer depends on the level that is specified for the heuristic analyzer. The heuristic analysis level
ensures a balance between the thoroughness of searching for new threats, the load on the resources of the
operating system, and the duration of heuristic analysis.
To configure the use of heuristic analysis in the operation of the File Threat Protection component:
2. In the application settings window, select Essential Threat Protection → File Threat Protection.
4. If you want the application to use heuristic analysis for protection against file threats, select the Heuristic
Analysis check box in the Scan methods block. Then use the slider to set the heuristic analysis level: Light
scan, Medium scan or Deep scan.
2. In the application settings window, select Essential Threat Protection → File Threat Protection.
4. In the Scan technologies block, select the check boxes next to the names of technologies that you want to use
for file threat protection:
Use iSwift technology. This technology allows increasing scan speed by excluding certain files from
scanning. Files are excluded from scans by using a special algorithm that takes into account the release date
of Kaspersky Endpoint Security databases, the date when the file was last scanned, and any modifications
to the scan settings. The iSwift technology is an advancement of the iChecker technology for the NTFS file
system.
Use iChecker technology. This technology allows increasing scan speed by excluding certain files from
scanning. Files are excluded from scans by using a special algorithm that takes into account the release date
of Kaspersky Endpoint Security databases, the date when the file was last scanned, and any modifications
to the scan settings. There are limitations to iChecker Technology: it does not work with large files and
applies only to files with a structure that the application recognizes (for example, EXE, DLL, LNK, TTF, INF,
SYS, COM, CHM, ZIP, and RAR).
Optimizing file scanning
You can optimize the file scanning that is performed by the File Threat Protection component by reducing the scan
time and increasing the operating speed of Kaspersky Endpoint Security. This can be achieved by scanning only
new files and those files that have been modified since the previous scan. This mode applies both to simple and to
compound files.
You can also enable the use of the iChecker and iSwift technologies that optimize the speed of file scanning by
excluding files that have not been modified since the most recent scan.
To optimize file scanning:
2. In the application settings window, select Essential Threat Protection → File Threat Protection.
4. In the Optimization block, select the Scan only new and modified files check box.
The method used to process an infected compound file (disinfection or deletion) depends on the type of file.
The File Threat Protection component disinfects compound files in the ZIP, GZIP, BZIP, RAR, TAR, ARJ, CAB,
LHA, JAR and ICE formats and deletes files in all other formats (except mail databases).
2. In the application settings window, select Essential Threat Protection → File Threat Protection.
4. In the Scan of compound files block, specify the types of compound files that you want to scan: archives,
distribution package, or files in office formats.
5. If scanning only new and modified files is disabled, configure the settings for scanning each type of compound
file: scan all files of this type or only new files.
If scanning only new and modified files is enabled, Kaspersky Endpoint Security scans only new and modified
files of all types of compound files.
Kaspersky Endpoint Security scans large files that are extracted from archives, regardless of whether
the Do not unpack large compound files check box is selected.
Scan mode refers to the condition that triggers file scanning by the File Threat Protection component. By default,
Kaspersky Endpoint Security scans files in smart mode. In this file scan mode, the File Threat Protection
component decides whether or not to scan files after analyzing operations that are performed with the file by the
user, by an application on behalf of the user (under the account that was used to log in or a different user
account), or by the operating system. For example, when working with a Microsoft Office Word document,
Kaspersky Endpoint Security scans the file when it is first opened and last closed. Intermediate operations that
overwrite the file do not cause it to be scanned.
2. In the application settings window, select Essential Threat Protection → File Threat Protection.
Smart mode. In this mode, File Threat Protection scans an object based on an analysis of actions taken on
the object. For example, when working with a Microsoft Office document, Kaspersky Endpoint Security
scans the file when it is first opened and last closed. Intermediate operations that overwrite the file do not
cause it to be scanned.
On access and modification. In this mode, File Threat Protection scans objects whenever there is an
attempt to open or modify them.
On access. In this mode, File Threat Protection scans objects only upon an attempt to open them.
On execution. In this mode, File Threat Protection only scans objects upon an attempt to run them.
Kaspersky Endpoint Security scans HTTP, HTTPS and FTP traffic. Kaspersky Endpoint Security scans URLs and
IP addresses. You can specify the ports that Kaspersky Endpoint Security will monitor, or select all ports.
For HTTPS traffic monitoring, you need to enable encrypted connections scan.
When a user tries to open a malicious or phishing website, Kaspersky Endpoint Security will block access and show
a warning (see the figure below).
Website access denied message
You can select or con gure the security level only in Administration Console (MMC) or the local interface of
the application. You cannot select or con gure the security level in Web Console or Cloud Console.
How to enable or disable the Web Threat Protection component in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Essential Threat Protection → Web Threat Protection.
5. Use the Web Threat Protection check box to enable or disable the component.
6. If you enabled the component, do one of the following in the Security level block:
If you want to apply one of the preset security levels, select it with the slider:
High. The security level under which the Web Threat Protection component performs maximum
scanning of web traffic that the computer receives over the HTTP and FTP protocols. Web Threat
Protection performs detailed scanning of all web traffic objects by using the full set of application
databases, and performs the deepest possible heuristic analysis.
Recommended. The security level that provides the optimal balance between the performance of
Kaspersky Endpoint Security and the security of web traffic. The Web Threat Protection
component performs heuristic analysis at the medium scan level. This web traffic security level is
recommended by Kaspersky specialists. The values of settings for the recommended security level
are provided in the table below.
Low. The settings of this web traffic security level ensure the maximum web traffic scanning speed.
The Web Threat Protection component performs heuristic analysis at the light scan level.
If you want to configure a custom security level, click the Settings button and define your own
component settings.
You can restore the values of preset security levels by clicking the By default button.
7. In the Action on threat detection block, select the action that Kaspersky Endpoint Security performs on
malicious web traffic objects:
Block. If this option is selected and an infected object is detected in web traffic, the Web Threat
Protection component blocks access to the object and displays a message in the browser.
Inform. If this option is selected and an infected object is detected in web traffic, Kaspersky Endpoint
Security allows this object to be downloaded to the computer but adds information about the infected
object to the list of active threats.
How to enable or disable the Web Threat Protection component in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & pro les.
5. Use the Web Threat Protection toggle to enable or disable the component.
6. In the Action on threat detection block, select the action that Kaspersky Endpoint Security performs on
malicious web traffic objects:
Block. If this option is selected and an infected object is detected in web traffic, the Web Threat
Protection component blocks access to the object and displays a message in the browser.
Inform. If this option is selected and an infected object is detected in web traffic, Kaspersky Endpoint
Security allows this object to be downloaded to the computer but adds information about the infected
object to the list of active threats.
1. In the main application window, click the button.
2. In the application settings window, select Essential Threat Protection → Web Threat Protection.
3. Use the Web Threat Protection toggle to enable or disable the component.
4. If you enabled the component, do one of the following in the Security level block:
If you want to apply one of the preset security levels, select it with the slider:
High. The security level under which the Web Threat Protection component performs maximum
scanning of web traffic that the computer receives over the HTTP and FTP protocols. Web Threat
Protection performs detailed scanning of all web traffic objects by using the full set of application
databases, and performs the deepest possible heuristic analysis.
Recommended. The security level that provides the optimal balance between the performance of
Kaspersky Endpoint Security and the security of web traffic. The Web Threat Protection
component performs heuristic analysis at the medium scan level. This web traffic security level is
recommended by Kaspersky specialists. The values of settings for the recommended security level
are provided in the table below.
Low. The settings of this web traffic security level ensure the maximum web traffic scanning speed.
The Web Threat Protection component performs heuristic analysis at the light scan level.
If you want to configure a custom security level, click the Advanced Settings button and define your
own component settings.
You can restore the values of preset security levels by clicking the Restore recommended security
level button.
5. In the Action on threat detection block, select the action that Kaspersky Endpoint Security performs on
malicious web traffic objects:
Block. If this option is selected and an infected object is detected in web traffic, the Web Threat
Protection component blocks access to the object and displays a message in the browser.
Inform. If this option is selected and an infected object is detected in web traffic, Kaspersky Endpoint
Security allows this object to be downloaded to the computer but adds information about the infected
object to the list of active threats.
Web Threat Protection settings recommended by Kaspersky experts (recommended security level)
Parameter: Check the web address against the database of malicious web addresses
Value: On
Description: Scanning the links to determine whether they are included in the database of malicious web addresses allows you to track websites that have been added to the denylist. The database of malicious web addresses is maintained by Kaspersky, included in the application installation package, and updated during Kaspersky Endpoint Security database updates.

Parameter: Check the web address against the database of phishing web addresses
Value: On
Description: The database of phishing web addresses includes the web addresses of currently known websites that are used to launch phishing attacks. Kaspersky supplements this database of phishing links with addresses obtained from the international organization known as the Anti-Phishing Working Group. The database of phishing addresses is included in the application installation package and supplemented with Kaspersky Endpoint Security database updates.

Parameter: Use Heuristic Analysis (Web Threat Protection)
Value: Medium scan
Description: The technology was developed for detecting threats that cannot be detected by using the current version of Kaspersky application databases. It detects files that may be infected with an unknown virus or a new variety of a known virus. When web traffic is scanned for viruses and other applications that present a threat, the heuristic analyzer performs instructions in the executable files. The number of instructions that are executed by the heuristic analyzer depends on the level that is specified for the heuristic analyzer. The heuristic analysis level ensures a balance between the thoroughness of searching for new threats, the load on the resources of the operating system, and the duration of heuristic analysis.

Parameter: Use Heuristic Analysis (Anti-Phishing)
Value: On
Description: The technology was developed for detecting threats that cannot be detected by using the current version of Kaspersky application databases. It detects files that may be infected with an unknown virus or a new variety of a known virus.

Parameter: Action on threat detection
Value: Block
Description: If this option is selected and an infected object is detected in web traffic, the Web Threat Protection component blocks access to the object and displays a message in the browser.
You can select malicious web address detection methods only in Administration Console (MMC) or the local
interface of the application. You cannot select malicious web address detection methods in Web Console or
Cloud Console. The default option is checking web addresses against the database of malicious addresses
with heuristic analysis (medium scan).
Scanning the links to determine whether they are included in the database of malicious web addresses allows you to track websites that have been added to the denylist. The database of malicious web addresses is maintained by Kaspersky, included in the application installation package, and updated during Kaspersky Endpoint Security database updates.
Kaspersky Endpoint Security scans all links to determine if they are listed in databases of malicious web addresses. The application's secure connection scan settings do not affect the link scanning functionality. In other words, if encrypted connections scan is disabled, Kaspersky Endpoint Security checks links against databases of malicious web addresses even if network traffic is transmitted over an encrypted connection.
How to enable or disable the checking of web addresses against the database of malicious web addresses using
the Administration Console (MMC)
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Essential Threat Protection → Web Threat Protection.
6. In the window that opens, in the Scan methods block, select or clear the Check the web address against
the database of malicious web addresses check box to enable or disable the checking of addresses
against the database of malicious web addresses.
How to enable or disable the checking of addresses against the malicious address database in the application
interface
2. In the application settings window, select Essential Threat Protection → Web Threat Protection.
4. In the Scan methods block, select or clear the Check the web address against the database of
malicious web addresses check box to enable or disable the checking of addresses against the database
of malicious web addresses.
Heuristic analysis
During heuristic analysis, Kaspersky Endpoint Security analyzes the activity of applications in the operating system.
Heuristic analysis can detect threats for which there are currently no records in the Kaspersky Endpoint Security
databases.
When web traffic is scanned for viruses and other applications that present a threat, the heuristic analyzer performs instructions in the executable files. The number of instructions that are executed by the heuristic analyzer depends on the level that is specified for the heuristic analyzer. The heuristic analysis level ensures a balance between the thoroughness of searching for new threats, the load on the resources of the operating system, and the duration of heuristic analysis.
How to enable or disable the use of heuristic analysis in the Administration Console (MMC)
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Essential Threat Protection → Web Threat Protection.
6. In the Scan methods block, select the Use Heuristic Analysis check box if you want the application to use heuristic analysis when scanning web traffic for viruses and other malware.
7. Use the slider to set the heuristic analysis level: light scan, medium scan or deep scan.
When web traffic is scanned for viruses and other applications that present a threat, the heuristic analyzer performs instructions in the executable files. The number of instructions that are executed by the heuristic analyzer depends on the level that is specified for the heuristic analyzer. The heuristic analysis level ensures a balance between the thoroughness of searching for new threats, the load on the resources of the operating system, and the duration of heuristic analysis.
How to enable or disable the use of heuristic analysis in the application interface
2. In the application settings window, select Essential Threat Protection → Web Threat Protection.
4. In the Scan methods block, select the Use Heuristic Analysis check box if you want the application to use heuristic analysis when scanning web traffic for viruses and other malware.
When web traffic is scanned for viruses and other applications that present a threat, the heuristic analyzer performs instructions in the executable files. The number of instructions that are executed by the heuristic analyzer depends on the level that is specified for the heuristic analyzer. The heuristic analysis level ensures a balance between the thoroughness of searching for new threats, the load on the resources of the operating system, and the duration of heuristic analysis.
Anti-Phishing
Web Threat Protection checks links to see if they belong to phishing web addresses. This helps prevent phishing attacks. A phishing attack can be disguised, for example, as an email message supposedly from your bank with a link to the official website of the bank. By clicking the link, you go to an exact copy of the bank's website and can even see its real web address in the browser, even though you are on a counterfeit site. From this point forward, all of your actions on the site are tracked and can be used to steal your money.
Because links to phishing websites may be received not only in an email message but also from other sources such as messengers, the Web Threat Protection component monitors attempts to access a phishing website at the web traffic scan level and blocks access to such websites. Lists of phishing URLs are included with the Kaspersky Endpoint Security distribution kit.
You can configure Anti-Phishing only in Administration Console (MMC) or the local interface of the application. You cannot configure Anti-Phishing in Web Console or Cloud Console. By default, Anti-Phishing with heuristic analysis is enabled.
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Essential Threat Protection → Web Threat Protection.
6. In the window that opens, in the Anti-Phishing settings block, select or clear the Check the web address
against the database of phishing web addresses check box to enable or disable Anti-Phishing.
The database of phishing web addresses includes the web addresses of currently known websites that are
used to launch phishing attacks. Kaspersky supplements this database of phishing links with addresses
obtained from the international organization known as the Anti-Phishing Working Group. The database of
phishing addresses is included in the application installation package and supplemented with Kaspersky
Endpoint Security database updates.
7. Select the Use Heuristic Analysis check box if you want the application to use heuristic analysis when
scanning web pages for phishing links.
During heuristic analysis, Kaspersky Endpoint Security analyzes the activity of applications in the operating
system. Heuristic analysis can detect threats for which there are currently no records in the Kaspersky
Endpoint Security databases.
To scan links, in addition to anti-virus database and heuristic analysis, you can use Kaspersky Security
Network reputation databases.
1. In the main application window, click the button.
2. In the application settings window, select Essential Threat Protection → Web Threat Protection.
4. If you want the Web Threat Protection component to check links against the databases of phishing web
addresses, select the Check the web address against the database of phishing web addresses check
box in the Anti-Phishing block. The database of phishing web addresses includes the web addresses of
currently known websites that are used to launch phishing attacks. Kaspersky supplements this database
of phishing links with addresses obtained from the international organization known as the Anti-Phishing
Working Group. The database of phishing addresses is included in the application installation package
and supplemented with Kaspersky Endpoint Security database updates.
5. Select the Use Heuristic Analysis check box if you want the application to use heuristic analysis when
scanning web pages for phishing links.
During heuristic analysis, Kaspersky Endpoint Security analyzes the activity of applications in the operating
system. Heuristic analysis can detect threats for which there are currently no records in the Kaspersky
Endpoint Security databases.
To scan links, in addition to anti-virus database and heuristic analysis, you can use Kaspersky Security
Network reputation databases.
A URL may be the address of a specific web page or the address of a website.
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Essential Threat Protection → Web Threat Protection.
6. In the window that opens, select the Trusted web addresses tab.
7. Select the Do not scan web traffic from trusted web addresses check box.
If the check box is selected, the Web Threat Protection component does not scan the content of web pages or websites whose addresses are included in the list of trusted web addresses. You can add both the specific address and the address mask of a web page/website to the list of trusted web addresses.
How to add a trusted web address in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Trusted web addresses block, select the Do not scan web traffic from trusted web addresses check box.
If the check box is selected, the Web Threat Protection component does not scan the content of web pages or websites whose addresses are included in the list of trusted web addresses. You can add both the specific address and the address mask of a web page/website to the list of trusted web addresses.
1. In the main application window, click the button.
2. In the application settings window, select Essential Threat Protection → Web Threat Protection.
4. Select the Do not scan web traffic from trusted URLs check box.
If the check box is selected, the Web Threat Protection component does not scan the content of web pages or websites whose addresses are included in the list of trusted web addresses. You can add both the specific address and the address mask of a web page/website to the list of trusted web addresses.
As a result, Web Threat Protection does not scan traffic of trusted web addresses. The user can always open a trusted website and download a file from that website. If you could not gain access to the website, check the settings of the Encrypted connections scan, Web Control, and Network ports monitoring components. If Kaspersky Endpoint Security detects a file downloaded from a trusted website as malicious, you can add this file to exclusions.
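A trusted entry can be an exact address or an address mask, and everything that matches is exempt from Web Threat Protection content scanning, so a mask that is wider than intended silently removes protection for look-alike domains. The following Python script is an added example (it is not part of this help page or of Kaspersky Endpoint Security) that checks a set of URLs against trusted masks and reports which entry exempts each URL, so that an over-broad mask can be caught before the list is imported. It assumes that `*` is the only wildcard and matches any run of characters, that the scheme is ignored and a trailing slash is insignificant, and that a mask must match the whole address; the masks and URLs are constructed for illustration.

```python
import re
from typing import Optional


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """Translate a trusted-address mask into a regular expression.
    Assumption: '*' is the only wildcard and stands for any run of characters;
    every other character is matched literally and case-insensitively."""
    pieces = [re.escape(piece) for piece in mask.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


def strip_scheme(address: str) -> str:
    """Drop 'http://' / 'https://' and a trailing slash so that a mask written
    without a scheme applies to both (assumption about how masks are compared)."""
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", address, flags=re.IGNORECASE).rstrip("/")


def matching_mask(url: str, masks: list[str]) -> Optional[str]:
    """Return the first trusted mask that exempts `url`, or None if it would be scanned."""
    target = strip_scheme(url)
    for mask in masks:
        if mask_to_regex(strip_scheme(mask)).match(target):
            return mask
    return None


def audit(masks: list[str], urls: list[str]) -> dict[str, Optional[str]]:
    """Map each URL to the mask that would exempt it from Web Threat Protection scanning."""
    return {url: matching_mask(url, masks) for url in urls}


# Constructed trusted list: two tight entries and one over-broad one.
TRUSTED_MASKS = [
    "intranet.example.com",     # exact address
    "*.example.com/*",          # any subdomain of example.com, any page
    "*example.com*",            # over-broad: unanchored on both sides
]

# Constructed probe URLs, including look-alike domains an attacker could register.
PROBE_URLS = [
    "https://intranet.example.com/",
    "https://files.example.com/share/report.pdf",
    "https://example.com.attacker.test/login",
    "https://notexample.com/",
    "https://unrelated.test/",
]

if __name__ == "__main__":
    for url, mask in audit(TRUSTED_MASKS, PROBE_URLS).items():
        verdict = "scanned" if mask is None else "trusted via " + mask
        print(f"{url:45} -> {verdict}")
```

Run it before importing a trusted list: only the third mask exempts `example.com.attacker.test` and `notexample.com`, which is exactly the kind of entry to remove or anchor (for example as `*.example.com/*`).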
You can also create a general list of exclusions for encrypted connections. In this case, Kaspersky Endpoint Security does not scan HTTPS traffic of trusted web addresses when the Web Threat Protection, Mail Threat Protection, and Web Control components are doing their work.
How to export and import a list of trusted web addresses in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Essential Threat Protection → Web Threat Protection.
6. In the window that opens, select the Trusted web addresses tab.
a. Select the trusted web addresses that you want to export. To select multiple addresses, use the CTRL or SHIFT keys.
If you did not select any trusted web address, Kaspersky Endpoint Security will export all web addresses.
c. In the window that opens, specify the name of the XML file to which you want to export the list of trusted web addresses, and select the folder in which you want to save this file.
How to export and import a list of trusted web addresses in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
c. In the window that opens, specify the name of the XML file to which you want to export the list of trusted web addresses, and select the folder in which you want to save this file.
Mail Threat Protection can scan both incoming and outgoing messages. The application supports POP3, SMTP,
IMAP, and NNTP in the following mail clients:
Mozilla Thunderbird
Windows Mail
R7-Office Organizer
To scan traffic in the Mozilla Thunderbird, MyOffice Mail and R7-Office Organizer mail clients, you need to add the Kaspersky certificate to the mail client's certificate store and select the option to use the client's own certificate store.
Mail Threat Protection does not support other protocols and mail clients.
Mail Threat Protection may not always be able to gain protocol-level access to messages (for example, when using the Microsoft Exchange solution). For this reason, Mail Threat Protection includes an extension for Microsoft Office Outlook. The extension allows scanning messages at the level of the mail client. The Mail Threat Protection extension supports operations with Outlook 2010, 2013, 2016, and 2019.
The Mail Threat Protection component does not scan messages if the mail client is open in a browser.
When a malicious file is detected in an attachment, Kaspersky Endpoint Security adds information about the performed action to the message subject, for example, [Message has been processed] <message subject>.
When working with the Mozilla Thunderbird mail client, the Mail Threat Protection component does not scan messages that are transmitted via the IMAP protocol for viruses and other threats if filters are used to move messages from the Inbox folder.
2. In the application settings window, select Essential Threat Protection → Mail Threat Protection.
3. Use the Mail Threat Protection toggle to enable or disable the component.
4. If you enabled the component, do one of the following in the Security level block:
If you want to apply one of the preset security levels, select it with the slider:
High. When this email security level is selected, the Mail Threat Protection component scans email
messages most thoroughly. The Mail Threat Protection component scans incoming and outgoing email
messages, and performs deep heuristic analysis. The High mail security level is recommended for high-
risk environments. An example of such an environment is a connection to a free email service from a
home network that is not guarded by centralized email protection.
Recommended. The email security level that provides the optimal balance between the performance of Kaspersky Endpoint Security and email security. The Mail Threat Protection component scans incoming and outgoing email messages, and performs medium-level heuristic analysis. This mail traffic security level is recommended by Kaspersky specialists. The values of settings for the recommended security level are provided in the table below.
Low. When this email security level is selected, the Mail Threat Protection component only scans
incoming email messages, performs light heuristic analysis, and does not scan archives that are attached
to email messages. At this mail security level, the Mail Threat Protection component scans email
messages at maximum speed and uses a minimum of operating system resources. The Low mail security
level is recommended for use in a well-protected environment. An example of such an environment might
be an enterprise LAN with centralized email security.
If you want to configure a custom security level, click the Advanced Settings button and define your own component settings.
You can restore the values of preset security levels by clicking the Restore recommended security level
button.
Mail Threat Protection settings recommended by Kaspersky experts (recommended security level)
Protection scope (Incoming and outgoing messages). The Protection scope includes objects that the component checks when it is run: incoming and outgoing messages or incoming messages only. In order to protect your computers, you need only scan incoming messages. You can turn on scanning for outgoing messages to prevent infected files from being sent in archives. You can also turn on the scanning of outgoing messages if you want to prevent files in particular formats from being sent, such as audio and video files, for example.
Connect Microsoft Outlook extension (On). If the check box is selected, scanning of email messages transmitted via the POP3, SMTP, NNTP, IMAP protocols is enabled on the side of the extension integrated into Microsoft Outlook. If mail is scanned using the extension for Microsoft Outlook, it is recommended to use Cached Exchange Mode. For more detailed information about Cached Exchange Mode and recommendations on its use, refer to the Microsoft Knowledge Base.
Scan attached archives (On). Scanning ZIP, GZIP, BZIP, RAR, TAR, ARJ, CAB, LHA, JAR, ICE, and other archives. The application scans archives not only by extension, but also by format. When checking archives, the application performs a recursive unpacking. This allows it to detect threats inside multi-level archives (archive within an archive).
Scan attached files of Microsoft Office formats (On). Scans Microsoft Office files (DOC, DOCX, XLS, PPT and other Microsoft extensions). Office format files include OLE objects as well. Kaspersky Endpoint Security scans office format files that are smaller than 1 MB, regardless of whether the check box is selected or not.
Attachment filter (Rename attachments of selected types). If this option is selected, the Mail Threat Protection component will replace the last extension character found in the attached files of the specified types with the underscore character (for example, attachment.doc_). Thus, in order to open the file, the user must rename the file.
Heuristic analysis (Medium scan). The technology was developed for detecting threats that cannot be detected by using the current version of Kaspersky application databases. It detects files that may be infected with an unknown virus or a new variety of a known virus. When scanning files for malicious code, the heuristic analyzer executes instructions in the executable files. The number of instructions that are executed by the heuristic analyzer depends on the level that is specified for the heuristic analyzer. The heuristic analysis level ensures a balance between the thoroughness of searching for new threats, the load on the resources of the operating system, and the duration of heuristic analysis.
2. In the application settings window, select Essential Threat Protection → Mail Threat Protection.
3. In the Action on threat detection block, select the action for Kaspersky Endpoint Security to perform when an
infected message is detected:
Disinfect, delete if disinfection fails. When an infected object is detected in an inbound or outbound
message, Kaspersky Endpoint Security attempts to disinfect the detected object. The user will be able to
access the message with a safe attachment. If the object cannot be disinfected, Kaspersky Endpoint
Security deletes the infected object. Kaspersky Endpoint Security adds information about the performed
action to the message subject, for example, [Message has been processed] <message subject>.
Disinfect, block if disinfection fails. When an infected object is detected in an inbound message,
Kaspersky Endpoint Security attempts to disinfect the detected object. The user will be able to access the
message with a safe attachment. If the object cannot be disinfected, Kaspersky Endpoint Security adds a
warning to the message subject. The user will be able to access the message with the original attachment.
When an infected object is detected in an outbound message, Kaspersky Endpoint Security attempts to
disinfect the detected object. If the object cannot be disinfected, Kaspersky Endpoint Security blocks
transmission of the message, and the mail client shows an error.
Block. If an infected object is detected in an inbound message, Kaspersky Endpoint Security adds a warning
to the message subject. The user will be able to access the message with the original attachment. If an
infected object is detected in an outbound message, Kaspersky Endpoint Security blocks transmission of
the message, and the mail client shows an error.
Forming the protection scope of the Mail Threat Protection component
Protection scope refers to the objects that are scanned by the component when it is active. The protection scopes of different components have different properties. The properties of the protection scope of the Mail Threat Protection component include the settings for integrating the Mail Threat Protection component into mail clients, and the type of email messages and email protocols whose traffic is scanned by the Mail Threat Protection component. By default, Kaspersky Endpoint Security scans both incoming and outgoing email messages and traffic of the POP3, SMTP, NNTP, and IMAP protocols, and is integrated into the Microsoft Office Outlook mail client.
2. In the application settings window, select Essential Threat Protection → Mail Threat Protection.
In order to protect your computers, you need only scan incoming messages. You can turn on scanning for outgoing messages to prevent infected files from being sent in archives. You can also turn on the scanning of outgoing messages if you want to prevent files in particular formats from being sent, such as audio and video files, for example.
If you choose to scan only incoming messages, it is recommended that you perform a one-time scan of all
outgoing messages because there is a chance that your computer has email worms that are being spread
over email. This helps to avoid problems resulting from unmonitored mass emailing of infected messages
from your computer.
If you want the Mail Threat Protection component to scan messages that are transmitted via the POP3, SMTP, NNTP, and IMAP protocols before they are received on the user's computer, select the Scan POP3, SMTP, NNTP, and IMAP traffic check box.
If you do not want the Mail Threat Protection component to scan messages that are transmitted via the POP3, SMTP, NNTP, and IMAP protocols before they arrive on the user's computer, clear the Scan POP3, SMTP, NNTP, and IMAP traffic check box. In this case, messages are scanned by the Mail Threat Protection extension embedded in the Microsoft Office Outlook mail client after they are received on the user computer if the Connect Microsoft Outlook extension check box is selected.
If you use a mail client other than Microsoft Office Outlook, the Mail Threat Protection component does not scan messages that are transmitted via the POP3, SMTP, NNTP, and IMAP protocols, when the Scan POP3, SMTP, NNTP, and IMAP traffic check box is cleared.
If you want to allow access to Mail Threat Protection component settings from Microsoft Office Outlook and enable scanning of messages that are transmitted via the POP3, SMTP, NNTP, IMAP, and MAPI protocols after they arrive on the computer using the extension that is embedded into Microsoft Office Outlook, select the Connect Microsoft Outlook extension check box.
If you want to block access to Mail Threat Protection component settings from Microsoft Office Outlook and disable scanning of messages that are transmitted via the POP3, SMTP, NNTP, IMAP, and MAPI protocols after they arrive on the computer using the extension that is embedded into Microsoft Office Outlook, clear the Connect Microsoft Outlook extension check box.
The Mail Threat Protection extension is embedded in the Microsoft Office Outlook mail client during installation of Kaspersky Endpoint Security.
2. In the application settings window, select Essential Threat Protection → Mail Threat Protection.
4. In the Scan of compound files block, configure the scan settings:
Scan attached files of Microsoft Office formats. Scans Microsoft Office files (DOC, DOCX, XLS, PPT and other Microsoft extensions). Office format files include OLE objects as well. Kaspersky Endpoint Security scans office format files that are smaller than 1 MB, regardless of whether the check box is selected or not.
Scan attached archives. Scanning ZIP, GZIP, BZIP, RAR, TAR, ARJ, CAB, LHA, JAR, ICE, and other archives. The application scans archives not only by extension, but also by format. When checking archives, the application performs a recursive unpacking. This allows it to detect threats inside multi-level archives (archive within an archive).
If during the scan, Kaspersky Endpoint Security detects a password for an archive in the text of the message, this password will be used to scan the content of the archive for malicious applications. In this case, the password is not saved. An archive is unpacked during scan. If an application error occurs during the unpacking process, you can manually delete the unpacked files that are saved to the following path: %systemroot%\temp. The files have the PR prefix.
Do not scan archives larger than N MB. If this check box is selected, the Mail Threat Protection component excludes archives attached to email messages from scanning if their size exceeds the specified value. If the check box is cleared, the Mail Threat Protection component scans email attachment archives of any size.
Limit the time for checking archives to N sec. If the check box is selected, the time that is allocated for scanning archives attached to email messages is limited to the specified period.
Email messages attachment filtering
Malicious applications can be distributed in the form of attachments in email messages. You can configure filtering based on the type of message attachments so that files of the specified types are automatically renamed or deleted. By renaming an attachment of a certain type, Kaspersky Endpoint Security can protect your computer against automatic execution of a malicious application.
2. In the application settings window, select Essential Threat Protection → Mail Threat Protection.
Disable filtering. If this option is selected, the Mail Threat Protection component does not filter files that are attached to email messages.
Rename attachments of selected types. If this option is selected, the Mail Threat Protection component will replace the last extension character found in the attached files of the specified types with the underscore character (for example, attachment.doc_). Thus, in order to open the file, the user must rename the file.
Delete attachments of selected types. If this option is selected, the Mail Threat Protection component deletes attached files of the specified types from email messages.
5. If you selected the Rename attachments of selected types option or the Delete attachments of selected types option during the previous step, select the check boxes opposite the relevant types of files.
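The rename and delete actions change the message itself, so it helps to see what actually lands in the mailbox. The following Python script is an added example (it is not part of this help page or of Kaspersky Endpoint Security) that applies the same two actions to a constructed MIME message with the standard `email` library, so the effect of a type list can be checked on a sample before the policy is rolled out. It assumes that an attachment's type is taken from the last file-name extension, compared case-insensitively (so `invoice.pdf.EXE` counts as an EXE), that renaming follows the page's example form `attachment.doc_` (an underscore appended to the extension), and that a message whose attachments were filtered receives the `[Message has been processed]` subject tag; the message, file names and payload bytes are constructed placeholders.

```python
from email.message import EmailMessage
from typing import Iterable

SUBJECT_TAG = "[Message has been processed]"   # tag text quoted on the page


def build_sample_message() -> EmailMessage:
    """Constructed sample message: a text note, a double-extension executable and a
    Word document. The payload bytes are placeholders, not real files."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Quarterly report"
    msg.set_content("See attached.")
    msg.add_attachment(b"notes", maintype="text", subtype="plain",
                       filename="notes.txt")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.EXE")
    msg.add_attachment(b"PK\x03\x04", maintype="application", subtype="octet-stream",
                       filename="report.docx")
    return msg


def extension_of(filename: str) -> str:
    """Last extension in lower case, '' if there is none ('invoice.pdf.EXE' -> 'exe').
    Assumption: only the last extension decides the attachment type."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def renamed(filename: str) -> str:
    """Rename in the page's example form (attachment.doc -> attachment.doc_); assumption."""
    return filename + "_"


def attachment_names(msg: EmailMessage) -> list[str]:
    """File names of all attachments, in message order."""
    return [p.get_filename() for p in msg.iter_parts() if p.get_filename()]


def filter_attachments(msg: EmailMessage, action: str,
                       types: Iterable[str]) -> list[tuple[str, str]]:
    """Apply 'rename' or 'delete' to attachments whose type is in `types`.
    Returns a log of (original name, new name or 'deleted'). The subject is tagged
    only when at least one attachment was changed (assumption)."""
    if action not in ("rename", "delete"):
        raise ValueError("action must be 'rename' or 'delete'")
    wanted = {t.lower().lstrip(".") for t in types}
    log: list[tuple[str, str]] = []
    if not msg.is_multipart():
        return log                      # single-part message: nothing attached
    kept = []
    for part in msg.iter_parts():
        filename = part.get_filename()
        if filename and extension_of(filename) in wanted:
            if action == "delete":
                log.append((filename, "deleted"))
                continue                # leave the part out of the rebuilt message
            new_name = renamed(filename)
            part.replace_header("Content-Disposition",
                                f'attachment; filename="{new_name}"')
            if part.get_param("name") is not None:   # some clients also set name= on Content-Type
                part.set_param("name", new_name)
            log.append((filename, new_name))
        kept.append(part)
    if log:
        msg.set_payload(kept)
        msg.replace_header("Subject", f"{SUBJECT_TAG} {msg['Subject']}")
    return log


if __name__ == "__main__":
    for action in ("rename", "delete"):
        m = build_sample_message()
        changes = filter_attachments(m, action, {"exe", "js", "vbs"})
        print(action, changes, attachment_names(m), "|", m["Subject"])
```

The type list is matched on the final extension only, which is why `invoice.pdf.EXE` is caught although its name is built to look like a PDF; a list that only contained `pdf` would leave it untouched.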
How to export and import a list of attachment filter extensions in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Essential Threat Protection → Mail Threat Protection.
a. Select the extensions that you want to export. To select multiple extensions, use the CTRL or SHIFT keys.
c. In the window that opens, specify the name of the XML file to which you want to export the list of extensions, and select the folder in which you want to save this file.
b. In the window that opens, select the XML file from which you want to import the list of extensions.
How to export and import a list of attachment filter extensions in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
c. In the window that opens, specify the name of the XML file to which you want to export the list of extensions, and select the folder in which you want to save this file.
b. In the window that opens, select the XML file from which you want to import the list of extensions.
You can open the Mail Threat Protection component settings from within Outlook, and specify when email
messages are to be scanned for viruses and other threats.
The Mail Threat Protection extension supports operations with Outlook 2010, 2013, 2016, and 2019.
In Outlook, incoming messages are first scanned by the Mail Threat Protection component (if the Scan POP3, SMTP, NNTP, and IMAP traffic check box is selected in the interface of Kaspersky Endpoint Security) and then by the Mail Threat Protection extension for Outlook. If the Mail Threat Protection component detects a malicious object in a message, it notifies you about this event.
The Mail Threat Protection component settings can be configured directly in Outlook if the Microsoft Outlook extension is connected in the Kaspersky Endpoint Security interface (see the figure below).
Outgoing messages are first scanned by the Mail Threat Protection extension for Outlook, and are then scanned by the Mail Threat Protection component.
If mail is scanned using the Mail Threat Protection extension for Outlook, it is recommended to use Cached Exchange Mode. For more detailed information about Cached Exchange Mode and recommendations on its use, refer to the Microsoft Knowledge Base.
To configure the operating mode of the Mail Threat Protection extension for Outlook:
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Essential Threat Protection → Mail Threat Protection.
Select the Scan when receiving check box if you want the Mail Threat Protection extension for Outlook to
scan incoming messages as they arrive to the mailbox.
Select the Scan when reading check box if you want the Mail Threat Protection extension for Outlook to
scan incoming messages when the user opens them.
Select the Scan when sending check box if you want the Mail Threat Protection extension for Outlook to
scan outgoing messages as they are sent.
How to enable or disable Network Threat Protection in the Administration Console (MMC)
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Essential Threat Protection → Network Threat Protection.
5. Use the Network Threat Protection check box to enable or disable the component.
How to enable or disable Network Threat Protection in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. Use the Network Threat Protection toggle to enable or disable the component.
2. In the application settings window, select Essential Threat Protection → Network Threat Protection.
3. Use the Network Threat Protection toggle to enable or disable the component.
Blocking an attacking computer
If the Network Threat Protection component is enabled, Kaspersky Endpoint Security automatically blocks
network threats. Additionally, the application can block the attacking computer and restrict the sending of network
packets for a certain length of time. By default, Kaspersky Endpoint Security blocks the computer for one hour.
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Essential Threat Protection → Network Threat Protection.
5. Under Network Threat Protection settings, select the Block attacking devices for N min check box.
If the option is enabled, the Network Threat Protection component adds the attacking computer to the blocked list. This means that the Network Threat Protection component blocks the network connection with the attacking computer after the first network attack attempt for the specified amount of time. This block automatically protects the user's computer against possible future network attacks from the same address. The minimum time an attacking computer must spend in the block list is one minute. The maximum time is 999 minutes.
6. Set a different blocking duration for an attacking computer in the field to the right of the Block attacking devices for N min check box.
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. Under Network Threat Protection settings, select the Block attacking devices for N min check box.
If the option is enabled, the Network Threat Protection component adds the attacking computer to the blocked list. This means that the Network Threat Protection component blocks the network connection with the attacking computer after the first network attack attempt for the specified amount of time. This block automatically protects the user's computer against possible future network attacks from the same address. The minimum time an attacking computer must spend in the block list is one minute. The maximum time is 999 minutes.
6. Set a different blocking duration for an attacking computer in the field below the Block attacking devices for N min check box.
1. In the main application window, click the button.
2. In the application settings window, select Essential Threat Protection → Network Threat Protection.
4. Set a different blocking duration for an attacking computer in the field below the Block attacking devices
for N min toggle switch.
As a result, when Kaspersky Endpoint Security detects an attempted network attack launched against the user's
computer, it will block all connections with the attacking computer. Kaspersky Endpoint Security creates the
Network attack detected event. The event contains information about the attacking computer: IP and MAC
addresses.
Notification about network attack detection
Kaspersky Endpoint Security unblocks the computer when the specified time runs out. The Kaspersky Security
Center console does not provide tools for monitoring blocked computers other than Network attack detected
events in the report. You can only view a list of blocked computers in the interface of the application. This
functionality is provided by the Network Monitor tool. You can also use the Network Monitor tool to unblock a
computer.
To unblock a computer:
1. In the main application window, in the Monitoring section, click the Network Monitor tile.
3. Select the computer that you want to unblock and click Unblock.
Kaspersky Endpoint Security clears the block list when the application is restarted and when the Network
Threat Protection settings are changed.
Configuring addresses of exclusions from blocking
Kaspersky Endpoint Security can recognize a network attack and block an unsecured network connection that is
transmitting a large number of packets (for example, from surveillance cameras). To work with trusted devices, you
can add the IP addresses of these devices to the list of exclusions. You can also select the protocol and port that
are used for communication and allow specific network activities.
The ability to select protocols and ports for exclusions was added in Kaspersky Endpoint Security 12.2. Make
sure the application and the management plug-in are updated to version 12.2 or later. If you are using an earlier
version of the application or the management plug-in, Kaspersky Endpoint Security can allow network
activities only by IP address.
How to configure addresses of exclusions from blocking in Administration Console (MMC)
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Essential Threat Protection → Network Threat Protection.
5. In the Network Threat Protection settings block, click the Exclusions button.
7. Enter the IP address of the computer from which network attacks must not be blocked.
If required, select the protocol and ports through which data is transmitted.
How to configure addresses of exclusions from blocking in Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Network Threat Protection settings block, click the Exclusions link.
7. Enter the IP address of the computer from which network attacks must not be blocked.
If required, select the protocol and ports through which data is transmitted.
How to configure addresses of exclusions from blocking in the user interface of the application
1. In the main application window, click the button.
2. In the application settings window, select Essential Threat Protection → Network Threat Protection.
5. Enter the IP address of the computer from which network attacks must not be blocked.
If required, select the protocol and ports through which data is transmitted.
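The block-list behaviour described above (one-hour default, a 1 to 999 minute range, exclusions that may be narrowed to a protocol and port list since version 12.2, and clearing on restart or settings change) can be modelled compactly. The following is an added example, not Kaspersky code; the class and method names are the example's own, and timestamps are plain seconds so it runs offline.

```python
"""Added example, not Kaspersky code: a model of the attacker block list that
Network Threat Protection keeps, following the behaviour the help describes.
Class and method names are assumptions; timestamps are plain seconds."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

MIN_BLOCK_MINUTES = 1        # shortest allowed "Block attacking devices for N min"
MAX_BLOCK_MINUTES = 999      # longest allowed value
DEFAULT_BLOCK_MINUTES = 60   # the help's default of one hour


@dataclass(frozen=True)
class Exclusion:
    """An address that must never be blocked. Protocol and ports narrow the
    exclusion (version 12.2 and later); leaving them empty excludes the address
    for any traffic, which is all an older plug-in can express."""
    ip: str
    protocol: Optional[str] = None          # e.g. "TCP", "UDP"; None = any
    ports: FrozenSet[int] = frozenset()     # empty = any port

    def covers(self, ip: str, protocol: str, port: int) -> bool:
        if ip != self.ip:
            return False
        if self.protocol is not None and protocol != self.protocol:
            return False
        if self.ports and port not in self.ports:
            return False
        return True


class AttackerBlockList:
    def __init__(self, block_minutes: int = DEFAULT_BLOCK_MINUTES,
                 exclusions: Optional[List[Exclusion]] = None) -> None:
        if not MIN_BLOCK_MINUTES <= block_minutes <= MAX_BLOCK_MINUTES:
            raise ValueError(
                f"block duration must be {MIN_BLOCK_MINUTES}..{MAX_BLOCK_MINUTES} minutes")
        self.block_seconds = block_minutes * 60
        self.exclusions = list(exclusions or [])
        self._blocked_until: Dict[str, float] = {}   # attacker IP -> unblock time

    def on_attack_detected(self, now: float, ip: str, protocol: str, port: int) -> str:
        """Handle one 'Network attack detected' event; returns what was done."""
        if any(ex.covers(ip, protocol, port) for ex in self.exclusions):
            return "excluded"            # trusted device: the traffic is not blocked
        if self.is_blocked(now, ip):
            return "already blocked"
        self._blocked_until[ip] = now + self.block_seconds   # first attempt blocks
        return "blocked"

    def is_blocked(self, now: float, ip: str) -> bool:
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                 # the specified time has run out
            del self._blocked_until[ip]
            return False
        return True

    def unblock(self, ip: str) -> None:
        """Manual unblock, as done from the Network Monitor tool."""
        self._blocked_until.pop(ip, None)

    def clear(self) -> None:
        """The list is cleared on application restart or when the settings change."""
        self._blocked_until.clear()

    def blocked_addresses(self, now: float) -> List[str]:
        """What the Network Monitor's list of blocked computers would show."""
        return sorted(ip for ip in list(self._blocked_until) if self.is_blocked(now, ip))
```

The point the model makes explicit is the narrowing exclusion: an exclusion for a camera's RTSP traffic (UDP/554) does not stop the same address from being blocked if it starts an attack on another port, whereas an address-only exclusion (the pre-12.2 form) never blocks that device at all.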
How to export and import a list of exclusions in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Essential Threat Protection → Network Threat Protection.
5. In the Network Threat Protection settings block, click the Exclusions button.
a. Select the exclusions that you want to export. To select multiple exclusions, use the CTRL or SHIFT keys.
If you did not select any exclusion, Kaspersky Endpoint Security will export all exclusions.
c. In the window that opens, specify the name of the XML file to which you want to export the list of
exclusions, and select the folder in which you want to save this file.
a. Click Import.
b. In the window that opens, select the XML file from which you want to import the list of exclusions.
How to export and import a list of exclusions in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Network Threat Protection settings block, click the Exclusions link.
The list of exclusions opens.
b. Click Export.
c. Confirm that you want to export only the selected exclusions, or export the entire list of exclusions.
d. In the window that opens, specify the name of the XML file to which you want to export the list of
exclusions, and select the folder in which you want to save this file.
a. Click Import.
b. In the window that opens, select the XML file from which you want to import the list of exclusions.
Network Flooding is an attack on network resources of an organization (such as web servers). This attack
consists of sending a large number of requests to overload the bandwidth of network resources. When this
happens, users are unable to access the network resources of the organization.
A Port Scanning attack consists of scanning UDP ports, TCP ports, and network services on the computer. This
attack allows the attacker to identify the degree of vulnerability of the computer before conducting more
dangerous types of network attacks. Port Scanning also enables the attacker to identify the operating system
on the computer and select the appropriate network attacks for this operating system.
A MAC spoofing attack consists of changing the MAC address of a network device (network card). As a result,
an attacker can redirect data sent to a device to another device and gain access to this data. Kaspersky
Endpoint Security lets you block MAC Spoofing attacks and receive notifications about the attacks.
You can disable detection of these types of attacks in case some of your allowed applications perform operations
that are typical for these types of attacks. This will help avoid false alarms.
By default, Kaspersky Endpoint Security does not monitor Network Flooding, Port Scanning, and MAC spoofing
attacks.
How to configure network threat protection by type in Administration Console (MMC)
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Essential Threat Protection → Network Threat Protection.
5. Use the Treat port scanning and network flooding as attacks check box to enable or disable the
detection of these attacks.
If this functionality is enabled, Kaspersky Endpoint Security monitors network traffic for port scanning and
network flooding. If such behavior is detected, the application notifies the user and sends the
corresponding event to Kaspersky Security Center. The application provides information about the
computer that is making the requests. This information is necessary for a timely response. However,
Kaspersky Endpoint Security does not block the computer that is making the requests because such
traffic may be a normal occurrence on the corporate network.
6. In the MAC spoofing protection mode block, select one of the following options:
Inform.
Block.
How to configure network threat protection by type in Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. Use the Treat port scanning and network flooding as attacks check box to enable or disable the
detection of these attacks.
If this functionality is enabled, Kaspersky Endpoint Security monitors network traffic for port scanning and
network flooding. If such behavior is detected, the application notifies the user and sends the
corresponding event to Kaspersky Security Center. The application provides information about the
computer that is making the requests. This information is necessary for a timely response. However,
Kaspersky Endpoint Security does not block the computer that is making the requests because such
traffic may be a normal occurrence on the corporate network.
6. Use the Network Threat Protection ENABLED toggle switch to enable the detection of these attacks.
Select one of the following options:
Inform.
Block.
How to configure network threat protection by type in the application interface
1. In the main application window, click the button.
2. In the application settings window, select Essential Threat Protection → Network Threat Protection.
3. Use the toggle Treat port scanning and network flooding as attacks to enable or disable the detection of
these attacks.
If this functionality is enabled, Kaspersky Endpoint Security monitors network traffic for port scanning and
network flooding. If such behavior is detected, the application notifies the user and sends the
corresponding event to Kaspersky Security Center. The application provides information about the
computer that is making the requests. This information is necessary for a timely response. However,
Kaspersky Endpoint Security does not block the computer that is making the requests because such
traffic may be a normal occurrence on the corporate network.
4. Use the toggle MAC Spoofing Protection to enable or disable the detection of these attacks.
5. In the On detecting a MAC spoofing attack block, select one of the following options:
Inform.
Block.
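The three attack types described in this section (port scanning, network flooding, MAC spoofing) are recognised from traffic patterns rather than from a single packet. The following is an added example, not Kaspersky code, that runs simple detectors of each kind over constructed flow records. The record format, the thresholds and the MAC spoofing heuristic (one IP address turning up behind a second MAC address) are the example's own assumptions, and like the product it only reports the source computer; it does not block it.

```python
"""Added example, not Kaspersky code: simple detectors for the three attack
types that Network Threat Protection can optionally treat as attacks, run over
constructed flow records. Record format, thresholds and the MAC spoofing
heuristic are assumptions."""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    ts: float        # seconds since capture start
    src_ip: str
    src_mac: str
    dst_port: int
    proto: str


def _by_source(records: Iterable[Flow]) -> Dict[str, List[Flow]]:
    groups: Dict[str, List[Flow]] = defaultdict(list)
    for r in records:
        groups[r.src_ip].append(r)
    for recs in groups.values():
        recs.sort(key=lambda r: r.ts)
    return groups


def detect_port_scan(records: Iterable[Flow], window_s: float = 10.0,
                     min_ports: int = 20) -> Set[str]:
    """Sources that touch at least min_ports distinct ports within window_s."""
    scanners: Set[str] = set()
    for src, recs in _by_source(records).items():
        ports_in_window: Counter = Counter()
        start = 0
        for end, r in enumerate(recs):
            ports_in_window[r.dst_port] += 1
            while recs[start].ts < r.ts - window_s:      # slide the window start
                ports_in_window[recs[start].dst_port] -= 1
                if ports_in_window[recs[start].dst_port] == 0:
                    del ports_in_window[recs[start].dst_port]
                start += 1
            if len(ports_in_window) >= min_ports:
                scanners.add(src)
                break
    return scanners


def detect_flooding(records: Iterable[Flow], window_s: float = 1.0,
                    min_packets: int = 500) -> Set[str]:
    """Sources that send at least min_packets within any window_s interval."""
    flooders: Set[str] = set()
    for src, recs in _by_source(records).items():
        start = 0
        for end, r in enumerate(recs):
            while recs[start].ts < r.ts - window_s:
                start += 1
            if end - start + 1 >= min_packets:
                flooders.add(src)
                break
    return flooders


def detect_mac_spoofing(records: Iterable[Flow]) -> Dict[str, Tuple[str, str]]:
    """IPs whose frames arrive from a MAC other than the first one seen."""
    first_mac: Dict[str, str] = {}
    conflicts: Dict[str, Tuple[str, str]] = {}
    for r in sorted(records, key=lambda r: r.ts):
        known = first_mac.setdefault(r.src_ip, r.src_mac)
        if r.src_mac != known:
            conflicts[r.src_ip] = (known, r.src_mac)
    return conflicts


# Constructed sample traffic (documentation address ranges, made-up MACs).
SAMPLE: List[Flow] = []
SAMPLE += [Flow(0.2 * i, "198.51.100.7", "00:11:22:33:44:55", 1 + i, "TCP")
           for i in range(30)]                                   # port sweep
SAMPLE += [Flow(100 + i / 600, "203.0.113.20", "66:77:88:99:aa:bb", 80, "TCP")
           for i in range(600)]                                  # request flood
SAMPLE += [Flow(200, "192.168.1.10", "aa:aa:aa:aa:aa:01", 445, "TCP"),
           Flow(205, "192.168.1.10", "aa:aa:aa:aa:aa:02", 445, "TCP")]   # MAC change
SAMPLE += [Flow(300 + i, "192.168.1.11", "cc:cc:cc:cc:cc:01", p, "TCP")
           for i, p in enumerate((80, 443, 53))]                 # benign client


def report(records: Iterable[Flow]) -> Dict[str, object]:
    """Findings an operator would be notified about; nothing here blocks."""
    recs = list(records)
    return {"port_scan": detect_port_scan(recs),
            "flooding": detect_flooding(recs),
            "mac_spoofing": detect_mac_spoofing(recs)}
```

The thresholds are deliberately parameters: on a corporate network a monitoring host or a vulnerability scanner legitimately produces the port-sweep pattern, which is exactly why the help leaves these detections off by default and reports rather than blocks.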
Firewall
The Firewall blocks unauthorized connections to the computer while working on the Internet or local network. The
Firewall also controls the network activity of applications on the computer. This allows you to protect your
corporate LAN from identity theft and other attacks. The component provides computer protection with the help
of anti-virus databases, the Kaspersky Security Network cloud service, and predefined network rules.
Network Agent is used for interaction with Kaspersky Security Center. Firewall automatically creates network
rules required for the application and the Network Agent to work. As a result, the Firewall opens several ports
on the computer. Which ports are opened depends on the computer's role (for example, distribution point). To
learn more about the ports that will be opened on the computer, refer to the Kaspersky Security Center
Help.
Network rules
Network packet rules. Network packet rules impose restrictions on network packets, regardless of the
application. Such rules restrict inbound and outbound network traffic through specific ports of the selected
data protocol. Kaspersky Endpoint Security has predefined network packet rules with permissions
recommended by Kaspersky experts.
Application network rules. Application network rules impose restrictions on the network activity of a specific
application. They factor in not only the characteristics of the network packet, but also the specific application
to which this network packet is addressed or which issued this network packet.
Controlled access of applications to operating system resources, processes and personal data is provided by
the Host Intrusion Prevention component by using application rights.
During the first startup of the application, the Firewall performs the following actions:
3. Places the application in one of the trust groups: Trusted, Low Restricted, High Restricted, Untrusted.
A trust group de nes the rights that Kaspersky Endpoint Security refers to when controlling application
activity. Kaspersky Endpoint Security places an application in a trust group depending on the level of danger
that this application may pose to the computer.
Kaspersky Endpoint Security places an application in a trust group for the Firewall and Host Intrusion
Prevention components. You cannot change the trust group only for the Firewall or Host Intrusion
Prevention.
If you refused to participate in KSN or there is no network, Kaspersky Endpoint Security places the
application in a trust group depending on the settings of the Host Intrusion Prevention component. After
receiving the reputation of the application from KSN, the trust group can be changed automatically.
4. It blocks network activity of the application depending on the trust group. For example, applications in the High
Restricted trust group are not allowed to use any network connections.
The next time the application is started, Kaspersky Endpoint Security checks the integrity of the application. If the
application is unchanged, the component uses the current network rules for it. If the application has been
modified, Kaspersky Endpoint Security analyzes the application as if it were being started for the first time.
Each rule has a priority. The higher a rule is on the list, the higher its priority. If network activity is added to several
rules, the Firewall regulates network activity according to the rule with the highest priority.
Network packet rules have a higher priority than network rules for applications. If both network packet rules and
network rules for applications are specified for the same type of network activity, the network activity is handled
according to the network packet rules.
Network rules for applications work in a particular way. A network rule for applications includes access rules based
on the network status: Public network, Local network, Trusted network. For example, applications in the High
Restricted trust group are not allowed any network activity in networks of all statuses by default. If a network rule
is specified for an individual application (parent application), then the child processes of other applications will run
according to the network rule of the parent application. If there is no network rule for the application, the child
processes will run according to the network access rule of the application's trust group.
For example, you have prohibited any network activity in networks of all statuses for all applications, except
browser X. If you start browser Y installation (child process) from browser X (parent application), then browser Y
installer will access the network and download the necessary files. After installation, browser Y will be denied any
network connections according to the Firewall settings. To prohibit network activity of browser Y installer as a child
process, you must add a network rule for the installer of browser Y.
The Firewall allows you to control network activity depending on the status of the network connection. Kaspersky
Endpoint Security receives the network connection status from the computer's operating system. The status of
the network connection in the operating system is set by the user when setting up the connection. You can change
the status of the network connection in the Kaspersky Endpoint Security settings. The Firewall will monitor
network activity depending on the network status in the Kaspersky Endpoint Security settings, and not in the
operating system.
The network connection can have one of the following status types:
Public network. The network is not protected by antivirus applications, firewalls, or filters (such as Wi-Fi in a
cafe). When the user operates a computer that is connected to such a network, Firewall blocks access to files
and printers of this computer. External users are also unable to access data through shared folders and remote
access to the desktop of this computer. Firewall filters the network activity of each application according to
the network rules that are set for it.
Firewall assigns Public network status to the Internet by default. You cannot change the status of the Internet.
Local network. Network for users with restricted access to files and printers on this computer (such as for a
corporate LAN or home network).
Trusted network. Safe network in which the computer is not exposed to attacks or unauthorized data access
attempts. Firewall permits any network activity within networks with this status.
By default, Firewall is enabled and functions in the optimal mode.
3. Select the necessary policy and double-click to open the policy properties.
How to enable or disable the Firewall in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
As a result, if the Firewall is enabled, Kaspersky Endpoint Security controls network activity and blocks
unauthorized network connections to your computer, as well as blocks unauthorized network activity of
applications on your computer. Network activity is also controlled by the Network Threat Protection component.
The Network Threat Protection component (also called Intrusion Detection System) monitors inbound network
traffic for activity characteristic of network attacks.
Kaspersky Endpoint Security logs network attack events in its reports irrespective of the Firewall settings.
Even if the Firewall blocks the network connection using rules and thus prevents a network attack, the
Network Threat Protection component registers network attack events. It is required to generate statistical
information about network attacks on the computers in your organization.
5. In the Network type column, select the status of the network connection:
Public network. The network is not protected by antivirus applications, firewalls, or filters (such as Wi-Fi in a
cafe). When the user operates a computer that is connected to such a network, Firewall blocks access to
files and printers of this computer. External users are also unable to access data through shared folders and
remote access to the desktop of this computer. Firewall filters the network activity of each application
according to the network rules that are set for it.
Local network. Network for users with restricted access to files and printers on this computer (such as for a
corporate LAN or home network).
Trusted network. Safe network in which the computer is not exposed to attacks or unauthorized data
access attempts. Firewall permits any network activity within networks with this status.
A new custom network packet rule is added to the list of network packet rules by default with Enabled
status.
When creating network packet rules, remember that they have priority over network rules for applications.
How to use the Network Monitor tool to create a network packet rule in the application interface
1. In the main application window, in the Monitoring section, click the Network Monitor tile.
3. In the context menu of a network connection, select Create network packet rule.
This opens the network rule properties.
5. Manually enter the name of the network service in the Name field.
6. Configure the network rule settings (see the table below).
You can select a predefined rule template by clicking the Network rule template link. Rule templates
describe the most frequently used network connections.
All network rule settings will be filled in automatically.
7. If you want the actions of the network rule to be reflected in the report, select the Log events check box.
8. Click Save.
The new network rule will be added to the list.
9. Use the Up / Down buttons to set the priority of the network rule.
How to use Firewall settings to create a network packet rule in the application interface
1. In the main application window, click the button.
4. Using the Add drop-down list, select the location of the rule in the list: at the top of the list, at the bottom
of the list, or next to the selected rule.
The position of the rule in the list determines the priority of the rule. The rule at the top of the list has the
highest priority.
6. Manually enter the name of the network service in the Name field.
7. Configure the network rule settings (see the table below).
You can select a predefined rule template by clicking the Network rule template link. Rule templates
describe the most frequently used network connections.
All network rule settings will be filled in automatically.
8. If you want the actions of the network rule to be reflected in the report, select the Log events check box.
9. Click Save.
The new network rule will be added to the list.
10. Use the Up / Down buttons to set the priority of the network rule.
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
7. Using the Add drop-down list, select the location of the rule in the list: at the top of the list, at the bottom
of the list, or next to the selected rule.
The position of the rule in the list determines the priority of the rule. The rule at the top of the list has the
highest priority.
8. Manually enter the name of the network service in the Name field.
9. Configure the network rule settings (see the table below).
You can select a predefined rule template by clicking the button. Rule templates describe the most
frequently used network connections.
All network rule settings will be filled in automatically.
10. If you want the actions of the network rule to be reflected in the report, select the Log events check box.
12. Use the Up / Down buttons to set the priority of the network rule.
The Firewall will control network packets according to the rule. You can disable a packet rule from Firewall
operation without deleting it from the list. To do so, clear the check box next to the object.
How to create a network packet rule in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Firewall Settings block, click the Network packet rules link.
This opens the list of default network rules that are set by the Firewall.
6. Using the Add drop-down list, select the location of the rule in the list: at the top of the list, at the bottom
of the list, or next to the selected rule.
The position of the rule in the list determines the priority of the rule. The rule at the top of the list has the
highest priority.
7. Manually enter the name of the network service in the Name field.
8. Configure the network rule settings (see the table below).
You can select a predefined rule template by clicking the Select template link. Rule templates describe the
most frequently used network connections.
All network rule settings will be filled in automatically.
9. If you want the actions of the network rule to be reflected in the report, select the Log events check box.
11. Use the Up / Down buttons to set the priority of the network rule.
The Firewall will control network packets according to the rule. You can disable a packet rule from Firewall
operation without deleting it from the list. Use the toggle in the Status column to enable or disable the
packet rule.
Network packet rule settings
Parameter – Description
Action – One of the following:
Allow.
Block.
By application rules. If this option is selected, Firewall applies the application network rules to the network
connection.
Protocol – Control network activity over the selected protocol: TCP, UDP, ICMP, ICMPv6, IGMP and GRE.
If ICMP or ICMPv6 is selected as the protocol, you can define the ICMP packet type and code.
If TCP or UDP is selected as the protocol type, you can specify the comma-delimited port numbers of the local
and remote computers between which the connection is to be monitored.
Direction – One of the following:
Inbound (packet). Firewall applies the network rule to all inbound network packets.
Inbound. Firewall applies the network rule to all network packets sent via a connection that was initiated by a
remote computer.
Inbound / Outbound. Firewall applies the network rule to both inbound and outbound network packets,
regardless of whether the user's computer or a remote computer initiated the network connection.
Outbound (packet). Firewall applies the network rule to all outbound network packets.
Outbound. Firewall applies the network rule to all network packets sent via a connection that was initiated by
the user's computer.
Network adapters – Network adapters that can send and/or receive network packets. Specifying the settings of
network adapters makes it possible to differentiate between network packets sent or received by network
adapters with identical IP addresses.
Time to live (TTL) – Restrict control of network packets based on their time to live (TTL).
Remote address – Network addresses of remote computers that can send and receive network packets. Firewall
applies the network rule to the specified range of remote network addresses. You can include all IP addresses in
a network rule, create a separate list of IP addresses, specify a range of IP addresses, or select a subnet (Trusted
networks, Local networks, Public networks). You can also specify a DNS name of a computer instead of its IP
address. You should use DNS names only for LAN computers or internal services. Interaction with cloud services
(such as Microsoft Azure) and other Internet resources should be handled by the Web Control component.
If in the network packet rule you added a DNS name for which the IP address could not be determined,
Kaspersky Endpoint Security will display a warning. In the list of network packet rules in Web Console, a
Warning column is added with a description of the error. In Administration Console (MMC), the error
description is not available. Such packet rules are highlighted in color.
Local address – Network addresses of computers that can send and receive network packets. Firewall applies a
network rule to the specified range of local network addresses. You can include all IP addresses in a network
rule, create a separate list of IP addresses, or specify a range of IP addresses.
Kaspersky Endpoint Security supports DNS names starting from version 11.7.0. If you specify a DNS name for
version 11.6.0 or older, Kaspersky Endpoint Security may apply the relevant rule to all addresses.
Sometimes the local address cannot be obtained for applications. If this is the case, this parameter is ignored.
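The evaluation order described under Network rules (packet rules outrank application rules, top of the list wins, a child process inherits its parent application's rule, otherwise the trust group decides) and the packet rule parameters in the table above can be checked against a small rule engine. The following is an added example, not Kaspersky code: class and function names, the CIDR form used for the remote address, and the trust-group defaults in the scenario are the example's own assumptions; the scenario itself is the browser X / browser Y case from the text.

```python
"""Added example, not Kaspersky code: the Firewall decision order from the help
in simplified form. Packet rules are evaluated top to bottom and the first match
wins; a match whose action is "By application rules" hands the decision to the
application's own rule for the current network status, then (for a child
process) to the parent application's rule, then to the trust group default.
Names, the CIDR remote-address form and scenario defaults are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ALLOW, BLOCK, BY_APP_RULES = "Allow", "Block", "By application rules"
ANY_DIRECTION = "Inbound / Outbound"


@dataclass
class Packet:
    proto: str                      # TCP, UDP, ICMP, ...
    direction: str                  # "Inbound" or "Outbound": who opened the connection
    remote_ip: str
    local_port: Optional[int]
    remote_port: Optional[int]
    ttl: int
    app: str                        # process that sent or will receive the packet
    parent_app: Optional[str] = None    # set when app is a child process
    network_status: str = "Public network"


@dataclass
class PacketRule:
    name: str
    action: str
    proto: Optional[str] = None                    # None: any protocol
    direction: str = ANY_DIRECTION
    local_ports: Set[int] = field(default_factory=set)     # empty: any port
    remote_ports: Set[int] = field(default_factory=set)
    remote_net: Optional[str] = None               # CIDR; None: any remote address
    max_ttl: Optional[int] = None                  # None: TTL not checked
    enabled: bool = True                           # cleared check box / Status toggle

    def matches(self, p: Packet) -> bool:
        if not self.enabled:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.direction != ANY_DIRECTION and p.direction != self.direction:
            return False
        if self.local_ports and p.local_port not in self.local_ports:
            return False
        if self.remote_ports and p.remote_port not in self.remote_ports:
            return False
        if self.remote_net is not None and \
                ipaddress.ip_address(p.remote_ip) not in ipaddress.ip_network(self.remote_net):
            return False
        if self.max_ttl is not None and p.ttl > self.max_ttl:
            return False
        return True


AppRules = Dict[str, Dict[str, str]]      # app -> network status -> action


def decide(p: Packet, packet_rules: List[PacketRule], app_rules: AppRules,
           trust_groups: Dict[str, str], group_defaults: Dict[str, str]) -> Tuple[str, str]:
    """Return (action, reason). Packet rules outrank application rules."""
    for rule in packet_rules:                     # top of the list = highest priority
        if rule.matches(p):
            if rule.action != BY_APP_RULES:
                return rule.action, f"packet rule '{rule.name}'"
            break                                 # fall through to application rules
    for app in (p.app, p.parent_app):             # own rule first, then the parent's
        if app is not None and app in app_rules:
            action = app_rules[app].get(p.network_status)
            if action is not None:
                return action, f"application rule for {app}"
    group = trust_groups[p.app]                   # assumption: the process's own group
    return group_defaults[group], f"trust group '{group}'"


# Scenario from the help: all network activity prohibited except for browser X.
SCENARIO_PACKET_RULES = [
    PacketRule("Block inbound SMB", BLOCK, proto="TCP", direction="Inbound", local_ports={445}),
    PacketRule("Everything else", BY_APP_RULES),
]
SCENARIO_APP_RULES: AppRules = {"browser_x.exe": {
    "Public network": ALLOW, "Local network": ALLOW, "Trusted network": ALLOW}}
SCENARIO_TRUST = {"browser_x.exe": "Trusted", "browser_y_setup.exe": "Low Restricted",
                  "browser_y.exe": "High Restricted"}
SCENARIO_GROUP_DEFAULTS = {g: BLOCK for g in          # assumed: "prohibited for all"
                           ("Trusted", "Low Restricted", "High Restricted", "Untrusted")}


def scenario(p: Packet, extra_app_rules: Optional[AppRules] = None) -> Tuple[str, str]:
    rules = dict(SCENARIO_APP_RULES, **(extra_app_rules or {}))
    return decide(p, SCENARIO_PACKET_RULES, rules, SCENARIO_TRUST, SCENARIO_GROUP_DEFAULTS)
```

Two things the engine makes visible: the inbound SMB packet rule blocks even browser X, because a packet rule that matches is final regardless of application rules; and the browser Y installer is allowed only through its parent's rule, so the fix the help recommends (an explicit rule for the installer) takes effect because the process's own rule is consulted before the parent's.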
3. Click Packet rules.
This opens a list of default network packet rules that are set by Firewall.
5. Use the toggle in the Status column to enable or disable the rule.
4. Select it in the list of network packet rules and click the Edit button.
5. In the Action drop-down list, select the action to be performed by Firewall on detecting this kind of network
activity:
Allow.
Block.
By application rules. If this option is selected, Firewall applies the application network rules to the network
connection.
Every manually created network packet rule is added to the end of the list of network packet rules and is of the
lowest priority.
Firewall executes rules in the order in which they appear in the list of network packet rules, from top to bottom.
According to each processed network packet rule that applies to a particular network connection, Firewall either
allows or blocks network access to the address and port that are specified in the settings of this network
connection.
2. In the application settings window, select Essential Threat Protection → Firewall.
4. In the list, select the network packet rule whose priority you want to change.
5. Use the Up / Down buttons to set the priority of the network rule.
How to export and import a list of network packet rules in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
a. Select the rules that you want to export. To select multiple rules, use the CTRL or SHIFT keys.
If you did not select any rule, Kaspersky Endpoint Security will export all rules.
c. In the window that opens, specify the name of the XML file to which you want to export the list of rules,
and select the folder in which you want to save this file.
How to export and import a list of network packet rules in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Firewall Settings block, click the Network packet rules link.
b. Click Export.
c. Confirm that you want to export only the selected rules, or export the entire list.
The XML file contains two main nodes: Rules and Resources. The Rules node lists network packet rules. This
node contains rules configured by default (predefined rules) as well as rules added by the user (custom rules).
<key name="0000">
    <tDWORD name="RuleId">100</tDWORD>
    <tDWORD name="RuleState">1</tDWORD>
    <tDWORD name="RuleTypeId">4</tDWORD>
    <tQWORD name="AppIdEx">0</tQWORD>
    <tDWORD name="ResIdEx">812</tDWORD>
    <tDWORD name="ResIdEx2">0</tDWORD>
    <tDWORD name="AccessFlag">2</tDWORD>
</key>
Rules node parameters (partial)
Parameter – Description – Value
<key name="0000"> – Priority of the rule. The lower the value, the higher the priority. – Integer
The Resources node contains network packet rule settings. Custom network packet rule settings are listed in the
<key name="0004"> block.
<key name="0026">
    <key name="Data">
        <key name="RemotePorts"> </key>
        <key name="LocalPorts"> </key>
        <key name="AdapterBindings">
            <key name="0000">
                <key name="IpAddresses">
                    <key name="0000">
                        <key name="IP">
                            <key name="V6">
                                <tQWORD name="Hi">0</tQWORD>
                                <tQWORD name="Lo">0</tQWORD>
                                <tDWORD name="Zone">0</tDWORD>
                                <tSTRING name="ZoneStr"/>
                            </key>
                            <tBYTE name="Version">4</tBYTE>
                            <tDWORD name="V4">16909060</tDWORD>
                            <tBYTE name="Mask">32</tBYTE>
                        </key>
                        <key name="AddressIP"> </key>
                        <tSTRING name="Address"/>
                    </key>
                </key>
                <key name="MacAddresses">
                    <key name="0000">
                        <tDWORD name="Type">0</tDWORD>
                        <tQWORD name="AddressData0">1108152157446</tQWORD>
                        <tQWORD name="AddressData1">0</tQWORD>
                    </key>
                </key>
                <tSTRING name="AdapterName">ADAPTER TEST 123</tSTRING>
                <tDWORD name="InterfaceType">3</tDWORD>
            </key>
        </key>
        <tTYPE_ID name="unique">3213697024</tTYPE_ID>
        <tBYTE name="Proto">2</tBYTE>
        <tBYTE name="Direction">2</tBYTE>
        <tBYTE name="IcmpType">0</tBYTE>
        <tBYTE name="IcmpCode">0</tBYTE>
        <tDWORD name="Flags">1</tDWORD>
        <tBYTE name="TTL">255</tBYTE>
    </key>
    <key name="Childs"> </key>
    <tDWORD name="Id">1073747214</tDWORD>
    <tDWORD name="ParentID">7</tDWORD>
    <tDWORD name="Flags">38</tDWORD>
    <tSTRING name="Name">TEST1</tSTRING>
</key>
Resources node parameters (partial)
InterfaceType – values listed in the help:
1 – LoopBack.
4 – Tunnel.
5 – PPP connection.
6 – PPPoE connection.
7 – VPN connection.
8 – Modem connection.
IcmpType – values listed in the help:
0 – Echo Reply (ICMP) or disabled.
ICMPv6 protocol:
1 – Destination Unreachable.
3 – Time Exceeded.
4 – Parameter Problem.
TTL – Value of the Time to live (TTL) parameter. Value in seconds. If disabled, the value is 0.
</key>
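The exported entry above stores addresses as integers, which is awkward to audit by eye. The following is an added example, not Kaspersky code, that reads one Resources entry with Python's standard library and decodes those fields. Its assumptions: V4 holds the IPv4 address as a big-endian 32-bit integer (16909060 is 1.2.3.4), AddressData0 holds the 48-bit MAC address as an integer (1108152157446 is 01:02:03:04:05:06), the V6 Hi and Lo values are the high and low 64 bits of an IPv6 address, and the InterfaceType and IcmpType names are limited to those in the partial table above; the function names are the example's own.

```python
"""Added example, not Kaspersky code: decode one Resources entry of the exported
packet-rule XML. Integer encodings for V4, AddressData0 and V6 Hi/Lo are
assumptions; InterfaceType/IcmpType names are the ones the help lists."""
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, List

# The help's sample entry, reproduced with elements joined onto fewer lines.
SAMPLE_EXPORT = """<key name="0026">
 <key name="Data">
  <key name="RemotePorts"> </key><key name="LocalPorts"> </key>
  <key name="AdapterBindings"><key name="0000">
   <key name="IpAddresses"><key name="0000">
    <key name="IP">
     <key name="V6"><tQWORD name="Hi">0</tQWORD><tQWORD name="Lo">0</tQWORD>
      <tDWORD name="Zone">0</tDWORD><tSTRING name="ZoneStr"/></key>
     <tBYTE name="Version">4</tBYTE><tDWORD name="V4">16909060</tDWORD>
     <tBYTE name="Mask">32</tBYTE>
    </key>
    <key name="AddressIP"> </key><tSTRING name="Address"/>
   </key></key>
   <key name="MacAddresses"><key name="0000">
    <tDWORD name="Type">0</tDWORD><tQWORD name="AddressData0">1108152157446</tQWORD>
    <tQWORD name="AddressData1">0</tQWORD>
   </key></key>
   <tSTRING name="AdapterName">ADAPTER TEST 123</tSTRING>
   <tDWORD name="InterfaceType">3</tDWORD>
  </key></key>
  <tTYPE_ID name="unique">3213697024</tTYPE_ID>
  <tBYTE name="Proto">2</tBYTE><tBYTE name="Direction">2</tBYTE>
  <tBYTE name="IcmpType">0</tBYTE><tBYTE name="IcmpCode">0</tBYTE>
  <tDWORD name="Flags">1</tDWORD><tBYTE name="TTL">255</tBYTE>
 </key>
 <key name="Childs"> </key>
 <tDWORD name="Id">1073747214</tDWORD><tDWORD name="ParentID">7</tDWORD>
 <tDWORD name="Flags">38</tDWORD><tSTRING name="Name">TEST1</tSTRING>
</key>"""

# Only the codes the help lists; anything else is reported as unknown.
INTERFACE_TYPES = {1: "LoopBack", 4: "Tunnel", 5: "PPP connection",
                   6: "PPPoE connection", 7: "VPN connection", 8: "Modem connection"}
ICMP_TYPES = {0: "Echo Reply (ICMP) or disabled", 1: "Destination Unreachable",
              3: "Time Exceeded", 4: "Parameter Problem"}


def ipv4_from_int(v: int) -> str:
    """Big-endian 32-bit integer to dotted quad (assumed encoding)."""
    return ".".join(str((v >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mac_from_int(v: int) -> str:
    """48-bit integer to colon-separated MAC (assumed encoding)."""
    return ":".join(f"{(v >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def _child(node: ET.Element, name: str) -> ET.Element:
    """Direct child with the given name attribute, whatever its tag."""
    for child in node:
        if child.get("name") == name:
            return child
    raise KeyError(name)


def _int(node: ET.Element, name: str) -> int:
    return int(_child(node, name).text or 0)


def decode_ip(ip: ET.Element) -> str:
    if _int(ip, "Version") == 4:
        return f"{ipv4_from_int(_int(ip, 'V4'))}/{_int(ip, 'Mask')}"
    v6 = _child(ip, "V6")          # Hi/Lo ordering is an assumption
    addr = ipaddress.IPv6Address((_int(v6, "Hi") << 64) | _int(v6, "Lo"))
    return f"{addr}/{_int(ip, 'Mask')}"


def parse_resource(xml_text: str) -> Dict[str, object]:
    root = ET.fromstring(xml_text)
    data = _child(root, "Data")
    ips: List[str] = []
    macs: List[str] = []
    adapters: List[Dict[str, object]] = []
    for binding in _child(data, "AdapterBindings"):
        for entry in _child(binding, "IpAddresses"):
            ips.append(decode_ip(_child(entry, "IP")))
        for entry in _child(binding, "MacAddresses"):
            macs.append(mac_from_int(_int(entry, "AddressData0")))
        itype = _int(binding, "InterfaceType")
        adapters.append({"name": _child(binding, "AdapterName").text,
                         "interface_type": itype,
                         "interface_type_name": INTERFACE_TYPES.get(itype, "not listed")})
    return {"name": _child(root, "Name").text,
            "id": _int(root, "Id"), "parent_id": _int(root, "ParentID"),
            "proto": _int(data, "Proto"), "direction": _int(data, "Direction"),
            "icmp_type": ICMP_TYPES.get(_int(data, "IcmpType"), "not listed"),
            "ttl": _int(data, "TTL"),             # 0 means the TTL check is disabled
            "ip_addresses": ips, "mac_addresses": macs, "adapters": adapters}
```

The sample's InterfaceType of 3 is not among the codes in the help's partial table, so the decoder reports it as not listed rather than guessing; Proto and Direction are likewise returned as the raw codes because the help gives no mapping for them.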
Like the Host Intrusion Prevention component, by default the Firewall component applies the network rules for an
application group when filtering the network activity of all applications within the group. The application group
network rules define the rights of applications within the group to access different network connections.
By default, Firewall creates a set of network rules for each application group that is detected by Kaspersky
Endpoint Security on the computer. You can change the Firewall action that is applied to the application group
network rules that are created by default. You cannot edit, remove, disable, or change the priority of
application group network rules that are created by default.
You can also create a network rule for an individual application. Such a rule will have a higher priority than the
network rule of the group to which the application belongs.
Manually defined network rules have a higher priority than network rules that were determined for a trust group. In
other words, if manually defined application rules differ from the application rules determined for a trust group,
Firewall controls application activity according to the manually defined rules for applications.
By default, Firewall creates the following network rules for each application:
Kaspersky Endpoint Security controls the network activity of applications according to predefined network rules
as follows:
When creating network rules for applications, remember that network packet rules have priority over
application network rules.
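The precedence described above (network packet rules over application rules, an application's own manually created rules over the default rules of its trust group, list position as priority) can be checked against concrete connections with the following simulation. It is an added example written for this page, not Kaspersky code and not a description of how Kaspersky Endpoint Security implements Firewall internally; the rule sets, application names, trust group names, addresses and the fallback action used when no rule matches are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Connection:
    app: str                      # executable name
    group: str                    # trust group the application was placed in
    direction: str                # "in" or "out"
    protocol: str                 # "TCP", "UDP", "ICMP", "ICMPv6", "IGMP", "GRE"
    remote_ip: str
    local_port: Optional[int] = None
    remote_port: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


@dataclass
class NetworkRule:
    name: str
    action: str                             # "Allow" or "Block"
    protocol: Optional[str] = None          # None: any protocol
    direction: str = "Inbound / Outbound"   # or "Inbound" / "Outbound"
    local_ports: str = ""                   # comma-delimited, "" = any (TCP/UDP only)
    remote_ports: str = ""
    remote_nets: Tuple[str, ...] = ()       # CIDR strings, () = any remote address
    icmp_type: Optional[int] = None         # ICMP/ICMPv6 only
    icmp_code: Optional[int] = None


def _ports(spec: str) -> set:
    return {int(p) for p in spec.split(",") if p.strip()}


def matches(rule: NetworkRule, conn: Connection) -> bool:
    if rule.protocol is not None and rule.protocol != conn.protocol:
        return False
    if rule.direction == "Inbound" and conn.direction != "in":
        return False
    if rule.direction == "Outbound" and conn.direction != "out":
        return False
    if rule.protocol in ("TCP", "UDP"):
        lp, rp = _ports(rule.local_ports), _ports(rule.remote_ports)
        if lp and conn.local_port not in lp:
            return False
        if rp and conn.remote_port not in rp:
            return False
    if rule.protocol in ("ICMP", "ICMPv6"):
        if rule.icmp_type is not None and rule.icmp_type != conn.icmp_type:
            return False
        if rule.icmp_code is not None and rule.icmp_code != conn.icmp_code:
            return False
    if rule.remote_nets:
        ip = ipaddress.ip_address(conn.remote_ip)
        if not any(ip in ipaddress.ip_network(n) for n in rule.remote_nets):
            return False
    return True


def decide(conn, packet_rules, app_rules, group_rules, default="Allow"):
    """Return (action, layer, rule name).
    Order taken from the page: network packet rules beat application rules, and
    an application's own rules beat the rules of its trust group. Inside a list
    the position is the priority (Up/Down buttons); the first match wins.
    The page does not say what happens when nothing matches: `default` stands
    in for that (assumption)."""
    layers = (("packet", packet_rules),
              ("application", app_rules.get(conn.app, [])),
              ("group", group_rules.get(conn.group, [])))
    for layer, rules in layers:
        for rule in rules:
            if matches(rule, conn):
                return rule.action, layer, rule.name
    return default, "none", None


# Constructed sample rule sets (not from the page). Packet rules: allow SMB from
# the LAN range first, then block SMB from anywhere else, then block inbound ping.
PACKET_RULES = [
    NetworkRule("Allow SMB from LAN", "Allow", protocol="TCP", direction="Inbound",
                local_ports="139,445", remote_nets=("10.0.0.0/8",)),
    NetworkRule("Block SMB", "Block", protocol="TCP", direction="Inbound", local_ports="139,445"),
    NetworkRule("Block inbound ping", "Block", protocol="ICMP", direction="Inbound", icmp_type=8),
]
APP_RULES = {   # manually created rule for one application: beats its group's rules
    "curl.exe": [NetworkRule("curl: HTTPS only", "Allow", protocol="TCP",
                             direction="Outbound", remote_ports="443")],
}
GROUP_RULES = {  # default rule of a restrictive trust group (name assumed)
    "Low Restricted": [NetworkRule("Low Restricted: no outbound", "Block", direction="Outbound")],
}


def evaluate_samples() -> Dict[str, Tuple[str, str]]:
    cases = {
        "curl https":        Connection("curl.exe", "Low Restricted", "out", "TCP", "203.0.113.10", remote_port=443),
        "curl http":         Connection("curl.exe", "Low Restricted", "out", "TCP", "203.0.113.10", remote_port=80),
        "smb from LAN":      Connection("System", "Trusted", "in", "TCP", "10.20.30.40", local_port=445),
        "smb from Internet": Connection("System", "Trusted", "in", "TCP", "198.51.100.7", local_port=445),
        "ping inbound":      Connection("System", "Trusted", "in", "ICMP", "198.51.100.7", icmp_type=8),
        "ping outbound":     Connection("ping.exe", "Trusted", "out", "ICMP", "198.51.100.7", icmp_type=8),
    }
    return {name: decide(c, PACKET_RULES, APP_RULES, GROUP_RULES)[:2] for name, c in cases.items()}
```

Note how "curl https" is allowed by the application's own rule even though its group blocks all outbound traffic, while "curl http" falls through to the group rule; the SMB cases show that a more specific packet rule placed higher in the list wins over the broader one below it.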
How to use the Network Monitor tool to create an application network rule in the application interface
1. In the main application window, in the Monitoring section, click the Network Monitor tile.
3. In the context menu of a network connection, select Create an application network rule.
The application rules and properties window opens.
5. Click Add.
This opens the network rule properties.
6. Manually enter the name of the network service in the Name field.
7. Configure the network rule settings (see the table below).
You can select a predefined rule template by clicking the Network rule template link. Rule templates
describe the most frequently used network connections.
All network rule settings will be filled in automatically.
8. If you want the actions of the network rule to be reflected in the report, select the Log events check box.
9. Click Save.
The new network rule will be added to the list.
10. Use the Up / Down buttons to set the priority of the network rule.
How to use Firewall settings to create an application network rule in the application interface
1. In the main application window, click the button.
4. In the list of applications, select the application or application group for which you want to create a
network rule.
5. Right-click to open the context menu and select Details and rules.
The application rules and properties window opens.
7. Click Add.
This opens the network rule properties.
8. Manually enter the name of the network service in the Name field.
9. Configure the network rule settings (see the table below).
You can select a predefined rule template by clicking the Network rule template link. Rule templates
describe the most frequently used network connections.
All network rule settings will be filled in automatically.
10. If you want the actions of the network rule to be reflected in the report, select the Log events check box.
12. Use the Up / Down buttons to set the priority of the network rule.
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
7. Click Add.
8. In the window that opens, enter criteria to search for the application for which you want to create a
network rule.
You can enter the name of the application or the name of the vendor. Kaspersky Endpoint Security
supports environment variables and the * and ? characters when entering a mask.
9. Click Refresh.
Kaspersky Endpoint Security will search for the application in the consolidated list of applications installed
on managed computers. Kaspersky Endpoint Security will show a list of applications that satisfy your
search criteria.
11. In the Add selected application to the trust group drop-down list, select Default groups and click OK.
The application will be added to the default group.
12. Select the relevant application and then select Application rights from the context menu of the
application.
The application rules and properties window opens.
15. Manually enter the name of the network service in the Name field.
16. Configure the network rule settings (see the table below).
You can select a predefined rule template by clicking the button. Rule templates describe the most
frequently used network connections.
All network rule settings will be filled in automatically.
17. If you want the actions of the network rule to be reflected in the report, select the Log events check box.
19. Use the Up / Down buttons to set the priority of the network rule.
20. Save your changes.
How to create an application network rule in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Firewall Settings block, click the Application network rules link.
This opens the application rights configuration window and the list of protected resources.
7. Click Add.
This starts the Wizard for adding an application to a trust group.
10. In the opened list of applications, select the applications for which you want to create a network rule.
Use a filter. You can enter the name of the application or the name of the vendor. Kaspersky Endpoint
Security supports environment variables and the * and ? characters when entering a mask.
12. In the left part of the window, select the relevant application.
13. In the right part of the window, select Network rules from the drop-down list.
This opens the list of default network rules that are set by the Firewall.
15. Manually enter the name of the network service in the Name field.
16. Configure the network rule settings (see the table below).
You can select a predefined rule template by clicking the Select template link. Rule templates describe the
most frequently used network connections.
All network rule settings will be filled in automatically.
17. If you want the actions of the network rule to be reflected in the report, select the Log events check box.
19. Use the Up / Down buttons to set the priority of the network rule.
Parameter – Description
Action – Allow. Block.
Protocol – Control network activity over the selected protocol: TCP, UDP, ICMP, ICMPv6, IGMP and GRE.
If ICMP or ICMPv6 is selected as the protocol, you can define the ICMP packet type and code.
If TCP or UDP is selected as the protocol type, you can specify the comma-delimited port numbers of the
local and remote computers between which the connection is to be monitored.
Direction – Inbound. Inbound / Outbound. Outbound.
Remote address – Network addresses of remote computers that can send and receive network packets. Firewall
applies the network rule to the specified range of remote network addresses. You can include all IP addresses
in a network rule, create a separate list of IP addresses, specify a range of IP addresses, or select a subnet
(Trusted networks, Local networks, Public networks). You can also specify a DNS name of a computer instead of
its IP address. You should use DNS names only for LAN computers or internal services. Interaction with cloud
services (such as Microsoft Azure) and other Internet resources should be handled by the Web Control component.
If in the network packet rule you added a DNS name for which the IP address could not be determined,
Kaspersky Endpoint Security displays a warning. In the list of network packet rules in Web Console, a Warning
column is added with a description of the error. In Administration Console (MMC), the error description is not
available; such packet rules are highlighted in color.
Local address – Network addresses of computers that can send and receive network packets. Firewall applies a
network rule to the specified range of local network addresses. You can include all IP addresses in a network
rule, create a separate list of IP addresses, or specify a range of IP addresses.
Kaspersky Endpoint Security supports DNS names starting from version 11.7.0. If you specify a DNS name for
version 11.6.0 or older, Kaspersky Endpoint Security may apply the relevant rule to all addresses.
Sometimes the local address cannot be obtained for applications. If this is the case, this parameter is ignored.
2. In the application settings window, select Essential Threat Protection → Firewall.
4. In the list of applications, select the application or group of applications for which you want to create or edit a
network rule.
5. Right-click to open the context menu and select Details and rules.
The application rules and properties window opens.
7. In the list of network rules for an application group, select the relevant network rule.
The network rule properties window opens.
To change the Firewall action for all network rules for an application or group of applications:
4. If you want to change the Firewall action that is applied to all network rules that are created by default, select
an application or group of applications in the list. Manually created network rules are left unchanged.
5. Right-click to open the context menu, select Network rules, then select the action that you want to assign:
Inherit.
Allow.
Block.
To change the Firewall response for one network rule for an application or application group:
4. In the list, select the application or group of applications for which you want to change the action for one
network rule.
5. Right-click to open the context menu and select Details and rules.
The application rules and properties window opens.
7. Select the network rule for which you want to change the Firewall action.
8. In the Permission column, right-click to bring up the context menu and select the action that you want to
assign:
Inherit.
Allow.
Deny.
Log events.
Manually created network rules have a higher priority than default network rules.
You cannot change the priority of application group network rules that are created by default.
4. In the list of applications, select the application or group of applications for which you want to change the
priority of a network rule.
5. Right-click to open the context menu and select Details and rules.
The application rules and properties window opens.
8. Use the Up / Down buttons to set the priority of the network rule.
Network Monitor
Network Monitor is a tool designed for viewing information about the network activity of a user's computer in real
time.
In the main application window, in the Monitoring section, click the Network Monitor tile.
The Network Monitor window opens. In this window, information about the network activity of the computer is
shown on four tabs:
The Network activity tab shows all currently active network connections with the computer. Both outbound
and inbound network connections are displayed. On this tab, you can also create network packet rules for
Firewall operation.
The Open ports tab lists all open network ports of the computer. On this tab, you can also create network
packet rules and application rules for Firewall operation.
The Network traffic tab shows the volume of inbound and outbound network traffic between the user's
computer and other computers in the network to which the user is currently connected.
The Blocked computers tab lists the IP addresses of remote computers whose network activity has been
blocked by the Network Threat Protection component after detecting network attack attempts from such IP
addresses.
The BadUSB Attack Prevention component prevents infected USB devices emulating a keyboard from connecting
to the computer.
When a USB device is connected to the computer and identified as a keyboard by the operating system, the
application prompts the user to enter a numerical code generated by the application from this keyboard or using
the On-Screen Keyboard if available (see the figure below). This procedure is known as keyboard authorization.
If the code has been entered correctly, the application saves the identification parameters – VID/PID of the
keyboard and the number of the port to which it has been connected – in the list of authorized keyboards.
Keyboard authorization does not need to be repeated when the keyboard is reconnected or after the operating
system is restarted.
When the authorized keyboard is connected to a different USB port of the computer, the application shows a
prompt for authorization of this keyboard again.
If the numerical code has been entered incorrectly, the application generates a new code. You can configure the
number of attempts for entering the numerical code. If the numerical code is entered incorrectly several times or
the keyboard authorization window is closed (see figure below), the application blocks input from this keyboard.
When the USB device blocking time elapses or the operating system is restarted, the application prompts the user
to perform keyboard authorization again.
The application allows use of an authorized keyboard and blocks a keyboard that has not been authorized.
The BadUSB Attack Prevention component is not installed by default. If you need the BadUSB Attack
Prevention component, you can add the component in the properties of the installation package before
installing the application or change the available application components after installing the application.
Keyboard authorization
2. In the application settings window, select Essential Threat Protection → BadUSB Attack Prevention.
3. Use the BadUSB Attack Prevention toggle to enable or disable the component.
4. In the USB keyboard authorization upon connection block, adjust security settings for entering the
authorization code:
Maximum number of USB device authorization attempts. Automatically blocking the USB device if the
authorization code is entered incorrectly the specified number of times. Valid values are 1 to 10. For example,
if you allow 5 attempts to enter the authorization code, the USB device is blocked after the fifth failed
attempt. Kaspersky Endpoint Security displays the blocking duration for the USB device. After this time
elapses, you can have 5 attempts to enter the authorization code.
Timeout when reaching the maximum number of attempts. Blocking duration of the USB device after the
specified number of failed attempts to enter the authorization code. Valid values are 1 to 180 (minutes).
As a result, if BadUSB Attack Prevention is enabled, Kaspersky Endpoint Security requires authorization of a
connected USB device identified as a keyboard by the operating system. The user cannot use an unauthorized
keyboard until it is authorized.
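The authorization behaviour described above can be written out as a small state machine, which makes the edge cases (a stale code after a wrong entry, the lockout and its expiry, the same keyboard on another port, an OS restart) explicit. This is an added illustration written for this page, not Kaspersky's implementation: it stores the (VID, PID, port) triple of an authorized keyboard, generates a fresh code after every wrong entry, blocks the device after the configured number of failures for the configured timeout, re-prompts when the keyboard shows up on a different port, and keeps authorizations across a restart. The six-digit code length, the vendor/product identifiers and the timestamps are constructed assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Key = Tuple[int, int, int]   # (VID, PID, USB port number): what the page says is stored


def _random_code() -> str:
    # six digits is an assumption; the page does not give the code length
    return f"{secrets.randbelow(10**6):06d}"


@dataclass
class BadUsbAuthorizer:
    max_attempts: int = 5              # "Maximum number of USB device authorization attempts": 1..10
    timeout_min: int = 10              # "Timeout when reaching the maximum number of attempts": 1..180 min
    code_source: Callable[[], str] = _random_code
    authorized: Set[Key] = field(default_factory=set)
    blocked_until: Dict[Key, float] = field(default_factory=dict)   # key -> epoch seconds
    pending: Dict[Key, List] = field(default_factory=dict)          # key -> [current code, failures]

    def __post_init__(self):
        if not 1 <= self.max_attempts <= 10:
            raise ValueError("attempts must be in 1..10")
        if not 1 <= self.timeout_min <= 180:
            raise ValueError("timeout must be in 1..180 minutes")

    def connect(self, vid: int, pid: int, port: int, now: float) -> str:
        key = (vid, pid, port)
        if key in self.authorized:          # same VID/PID on the same port: no new prompt
            return "allowed"
        until = self.blocked_until.get(key)
        if until is not None:
            if now < until:
                return "blocked"
            del self.blocked_until[key]     # blocking time elapsed: prompt again
        self.pending[key] = [self.code_source(), 0]
        return "authorization required"

    def current_code(self, vid: int, pid: int, port: int) -> str:
        return self.pending[(vid, pid, port)][0]

    def enter_code(self, vid: int, pid: int, port: int, typed: str, now: float) -> str:
        key = (vid, pid, port)
        if key not in self.pending:
            return "no authorization pending"
        code, failures = self.pending[key]
        if typed == code:
            del self.pending[key]
            self.authorized.add(key)
            return "authorized"
        failures += 1
        if failures >= self.max_attempts:   # e.g. 5 attempts: blocked after the fifth failure
            return self._block(key, now)
        self.pending[key] = [self.code_source(), failures]   # wrong entry: a new code is generated
        return "wrong code"

    def close_prompt(self, vid: int, pid: int, port: int, now: float) -> str:
        # closing the authorization window also blocks input from the keyboard
        return self._block((vid, pid, port), now)

    def _block(self, key: Key, now: float) -> str:
        self.pending.pop(key, None)
        self.blocked_until[key] = now + self.timeout_min * 60
        return "blocked"

    def os_restart(self) -> None:
        # authorization survives a restart; blocks and unfinished prompts do not
        self.blocked_until.clear()
        self.pending.clear()


def scenario() -> List[str]:
    """Walk through the behaviour on the page with constructed identifiers and a fixed code sequence."""
    codes = iter(["482913", "105577", "990012", "314159", "271828"])
    auth = BadUsbAuthorizer(max_attempts=3, timeout_min=5, code_source=lambda: next(codes))
    vid, pid = 0x046D, 0xC31C                                   # constructed example VID/PID
    log = [auth.connect(vid, pid, 1, now=0)]                    # authorization required, code 482913
    log.append(auth.enter_code(vid, pid, 1, "000000", now=1))   # wrong code, new code 105577
    log.append(auth.enter_code(vid, pid, 1, "482913", now=2))   # stale code: also wrong
    log.append(auth.enter_code(vid, pid, 1, "000000", now=3))   # third failure: blocked for 5 min
    log.append(auth.connect(vid, pid, 1, now=60))               # still blocked
    log.append(auth.connect(vid, pid, 1, now=600))              # timeout elapsed: prompt again
    log.append(auth.enter_code(vid, pid, 1, auth.current_code(vid, pid, 1), now=601))  # authorized
    log.append(auth.connect(vid, pid, 1, now=700))              # allowed without a prompt
    log.append(auth.connect(vid, pid, 2, now=701))              # same keyboard, other port: prompt again
    auth.os_restart()
    log.append(auth.connect(vid, pid, 1, now=1000))             # authorization persists across restart
    return log
```

The persisted identity is deliberately the triple (VID, PID, port), as the page describes, so a device that clones an authorized keyboard's VID/PID but is plugged into a different port still has to pass authorization.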
2. In the application settings window, select Essential Threat Protection → BadUSB Attack Prevention.
3. Use the Prohibit use of On-Screen Keyboard for authorization of USB devices check box to block or allow
use of the On-Screen Keyboard for authorization.
AMSI Protection
The AMSI Protection component is intended to support the Antimalware Scan Interface from Microsoft. The Antimalware
Scan Interface (AMSI) allows third-party applications with AMSI support to send objects (for example, PowerShell
scripts) to Kaspersky Endpoint Security for an additional scan and then receive the results of scanning these
objects. Third-party applications may include, for example, Microsoft Office applications (see the figure below). For
details on AMSI, please refer to the Microsoft documentation.
AMSI Protection can only detect a threat and notify the third-party application about the detected threat.
After receiving the notification, the third-party application does not allow the malicious actions to be performed
(for example, it terminates the operation).
AMSI operation example
The AMSI Protection component may decline a request from a third-party application, for example, if this
application exceeds the maximum number of requests within a specified interval. Kaspersky Endpoint Security
sends information about a rejected request from a third-party application to the Administration Server. The
AMSI Protection component does not deny requests from those third-party applications for which
continuous integration with the AMSI Protection component is enabled.
AMSI Protection is available for the following operating systems for workstations and servers:
Windows 10 Home / Pro / Pro for Workstations / Education / Enterprise / Enterprise multi-session;
Windows Server 2022 Standard / Datacenter / Datacenter: Azure Edition (including Core Mode).
2. In the application settings window, select Essential Threat Protection → AMSI Protection.
AMSI Protection settings
2. In the application settings window, select Essential Threat Protection → AMSI Protection.
3. In the Scan of compound files block, specify the types of compound files that you want to scan: archives,
distribution packages, or files in office formats.
To block the AMSI Protection component from unpacking large compound files, select the Do not unpack
large compound files check box and specify the required value in the Maximum file size field. The AMSI
Protection component will not unpack compound files that are larger than the specified size.
To allow the AMSI Protection component to unpack large compound files, clear the Do not unpack large
compound files check box.
The AMSI Protection component scans large files that are extracted from archives, regardless of whether
the Do not unpack large compound files check box is selected.
Exploit Prevention
The Exploit Prevention component detects program code that takes advantage of vulnerabilities on the computer
to obtain administrator privileges or to perform malicious activities. For example, exploits can use a buffer
overflow attack: the exploit sends a large amount of data to a vulnerable application, and when processing
this data the vulnerable application executes malicious code. As a result of this attack, the exploit can start an
unauthorized installation of malware. When there is an attempt to run an executable file from a vulnerable
application that was not initiated by the user, Kaspersky Endpoint Security blocks this file from running or
notifies the user.
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
5. Use the Exploit Prevention check box to enable or disable the component.
Block operation. If this item is selected, on detecting an exploit, Kaspersky Endpoint Security blocks
the operations of this exploit and makes a log entry with information about this exploit.
Inform. If this item is selected, when Kaspersky Endpoint Security detects an exploit it logs an entry
containing information about the exploit and adds information about this exploit to the list of active
threats.
How to enable or disable Exploit Prevention in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
Block operation. If this item is selected, on detecting an exploit, Kaspersky Endpoint Security blocks
the operations of this exploit and makes a log entry with information about this exploit.
Inform. If this item is selected, when Kaspersky Endpoint Security detects an exploit it logs an entry
containing information about the exploit and adds information about this exploit to the list of active
threats.
1. In the main application window, click the button.
2. In the application settings window, select Advanced Threat Protection → Exploit Prevention.
Block operation. If this item is selected, on detecting an exploit, Kaspersky Endpoint Security blocks
the operations of this exploit and makes a log entry with information about this exploit.
Inform. If this item is selected, when Kaspersky Endpoint Security detects an exploit it logs an entry
containing information about the exploit and adds information about this exploit to the list of active
threats.
How to enable or disable the system process memory protection in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
5. Use the Enable system process memory protection check box to enable or disable the option.
How to enable or disable the system process memory protection in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. Use the System processes memory protection toggle to enable or disable this feature.
How to enable or disable the system process memory protection in the application interface
1. In the main application window, click the button.
2. In the application settings window, select Advanced Threat Protection → Exploit Prevention.
3. Use the Enable system process memory protection toggle to enable or disable this feature.
Behavior Detection
The Behavior Detection component receives data on the actions of applications on your computer and provides
this information to other protection components to improve their performance. The Behavior Detection
component utilizes Behavior Stream Signatures (BSS) for applications. If application activity matches a behavior
stream signature, Kaspersky Endpoint Security performs the selected responsive action. Kaspersky Endpoint
Security functionality based on behavior stream signatures provides proactive defense for the computer.
It is not recommended to disable Behavior Detection unless absolutely necessary because doing so would
reduce the effectiveness of the protection components. The protection components may request data
collected by the Behavior Detection component to detect threats.
2. In the application settings window, select Advanced Threat Protection → Behavior Detection.
As a result, if Behavior Detection is enabled, Kaspersky Endpoint Security will use behavior stream signatures to
analyze the activity of applications in the operating system.
2. In the application settings window, select Advanced Threat Protection → Behavior Detection.
Behavior Detection settings
3. Select the relevant action in the Action on malware activity detection block:
Delete file. If this item is selected, on detecting malicious activity Kaspersky Endpoint Security deletes the
executable file of the malicious application and creates a backup copy of the file in Backup.
Block. If this item is selected, on detecting malicious activity Kaspersky Endpoint Security terminates this
application.
Inform. If this item is selected and malware activity of an application is detected, Kaspersky Endpoint
Security adds information about the malware activity of the application to the list of active threats.
The component monitors operations performed only with those files that are stored on mass storage devices
with the NTFS file system and that are not encrypted with EFS.
Protection of shared folders against external encryption provides for analysis of activity in shared folders. If this
activity matches a behavior stream signature that is typical for external encryption, Kaspersky Endpoint Security
performs the selected action.
After Kaspersky Endpoint Security is installed, the protection of shared folders against external encryption will
be limited until the computer is restarted.
2. In the application settings window, select Advanced Threat Protection → Behavior Detection.
3. Use the Enable protection of shared folders against external encryption toggle to enable or disable
detection of activity that is typical of external encryption.
Selecting the action to take on detection of external encryption of shared
folders
To select the action to take on detection of external encryption of shared folders:
2. In the application settings window, select Advanced Threat Protection → Behavior Detection.
3. Select the relevant action in the Protection of shared folders against external encryption block:
Block connection for N min. (from 1 to 43800). If this option is selected and Kaspersky Endpoint Security
detects an attempt to modify files in shared folders, it takes the following actions:
Blocks access to file modification for the session that initiated the malicious activity (the file will be read-
only).
Sends information about the detected malicious activity to Kaspersky Security Center.
Also, if the Remediation Engine component is enabled, the modified files are restored from backup copies.
Inform. If this option is selected and Kaspersky Endpoint Security detects an attempt to modify files in
shared folders, it takes the following actions:
Sends information about the detected malicious activity to Kaspersky Security Center.
How to create an exclusion for protection of shared folders using the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
5. In the Scan exclusions and trusted applications block, click the Settings button.
7. Select the Merge values when inheriting check box if you want to create a consolidated list of exclusions
for all computers in the company. The lists of exclusions in the parent and child policies will be merged. The
lists will be merged provided that merging values when inheriting is enabled. Exclusions from the parent
policy are displayed in child policies in a read-only view. Changing or deleting exclusions of the parent policy
is not possible.
8. Select the Allow use of local exclusions check box if you want to enable the user to create a local list of
exclusions. This way, a user can create their own local list of exclusions in addition to the general list of
exclusions generated in the policy. An administrator can use Kaspersky Security Center to view, add, edit,
or delete list items in the computer properties.
If the check box is cleared, the user can access only the general list of exclusions generated in the policy.
Also, if this check box is cleared, Kaspersky Endpoint Security hides the consolidated list of scan exclusions
in the user interface of the application.
9. Click Add.
10. In the Properties block, select the File or folder check box.
11. Click the Select file or folder link in the Scan exclusion description (click underlined items to edit them)
block to open the Name of file or folder window.
The * (asterisk) character, which takes the place of any set of characters, except the \ and /
characters (delimiters of the names of files and folders in paths to files and folders). For example, the
mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive,
but not in subfolders.
Two consecutive * characters take the place of any set of characters (including an empty set) in the
file or folder name, including the \ and / characters (delimiters of the names of files and folders in
paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files
with the TXT extension located in folders nested within the Folder, except the Folder itself. The
mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
The ? (question mark) character, which takes the place of any single character, except the \ and /
characters (delimiters of the names of files and folders in paths to files and folders). For example, the
mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have
the TXT extension and a name consisting of three characters.
You can use masks at the beginning, in the middle or at the end of the file path. For example, if you want to
add a folder for all users to exclusions, enter the C:\Users\*\Folder\ mask.
13. If necessary, in the Comment field, enter a brief comment on the scan exclusion that you are creating.
14. Click the link in the Scan exclusion description (click underlined items to edit them) block to open the
Protection components window.
15. Select the check box next to the Behavior Detection component.
How to create an exclusion for protection of shared folders using the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Scan exclusions and trusted applications block, click the Scan exclusions link.
6. Select the Merge values when inheriting check box if you want to create a consolidated list of exclusions
for all computers in the company. The lists of exclusions in the parent and child policies will be merged. The
lists will be merged provided that merging values when inheriting is enabled. Exclusions from the parent
policy are displayed in child policies in a read-only view. Changing or deleting exclusions of the parent policy
is not possible.
7. Select the Allow use of local exclusions check box if you want to enable the user to create a local list of
exclusions. This way, a user can create their own local list of exclusions in addition to the general list of
exclusions generated in the policy. An administrator can use Kaspersky Security Center to view, add, edit,
or delete list items in the computer properties.
If the check box is cleared, the user can access only the general list of exclusions generated in the policy.
Also, if this check box is cleared, Kaspersky Endpoint Security hides the consolidated list of scan exclusions
in the user interface of the application.
8. Click Add.
The * (asterisk) character, which takes the place of any set of characters, except the \ and /
characters (delimiters of the names of files and folders in paths to files and folders). For example, the
mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive,
but not in subfolders.
Two consecutive * characters take the place of any set of characters (including an empty set) in the
file or folder name, including the \ and / characters (delimiters of the names of files and folders in
paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files
with the TXT extension located in folders nested within the Folder, except the Folder itself. The
mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
The ? (question mark) character, which takes the place of any single character, except the \ and /
characters (delimiters of the names of files and folders in paths to files and folders). For example, the
mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have
the TXT extension and a name consisting of three characters.
You can use masks at the beginning, in the middle or at the end of the file path. For example, if you want to
add a folder for all users to exclusions, enter the C:\Users\*\Folder\ mask.
11. In the Protection components block, select the Behavior Detection component.
12. If necessary, in the Comment field, enter a brief comment on the scan exclusion that you are creating.
How to create an exclusion for protection of shared folders in the application interface
2. In the application settings window, select General settings → Exclusions and types of detected objects.
4. Click Add.
The * (asterisk) character, which takes the place of any set of characters, except the \ and /
characters (delimiters of the names of files and folders in paths to files and folders). For example, the
mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive,
but not in subfolders.
Two consecutive * characters take the place of any set of characters (including an empty set) in the
file or folder name, including the \ and / characters (delimiters of the names of files and folders in
paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files
with the TXT extension located in folders nested within the Folder, except the Folder itself. The
mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
The ? (question mark) character, which takes the place of any single character, except the \ and /
characters (delimiters of the names of files and folders in paths to files and folders). For example, the
mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have
the TXT extension and a name consisting of three characters.
You can use masks at the beginning, in the middle or at the end of the file path. For example, if you want to
add a folder for all users to exclusions, enter the C:\Users\*\Folder\ mask.
7. If necessary, in the Comment field, enter a brief comment on the scan exclusion that you are creating.
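The mask rules repeated in the three exclusion procedures above (a single * that stops at path delimiters, a double ** that crosses them, a ? for one character, and the requirement that ** has at least one folder before it) can be checked against sample paths with the following translator from mask to regular expression. It is example code written for this page, not Kaspersky's matcher, and its sample paths are constructed. Three points are interpretations rather than documented behaviour: a trailing separator is read as "this folder and everything in it", matching is case-insensitive as on Windows, and \**\ is read as one or more nested folder levels so that C:\Folder\**\*.txt matches files under Folder's subfolders but not in Folder itself, as the page states.

```python
import re

SEP = r"[\\/]"        # a path delimiter: Windows '\' or '/'
NOT_SEP = r"[^\\/]"   # one character that is not a delimiter


class InvalidMask(ValueError):
    """Raised for masks the page calls invalid, e.g. C:\\**\\*.txt (no nesting level before **)."""


def _check_double_star(mask: str) -> None:
    # '**' must be a whole path component and must follow at least one folder name.
    for m in re.finditer(r"\*\*", mask):
        before, after = mask[: m.start()], mask[m.end():]
        if not before or before[-1] not in "\\/":
            raise InvalidMask(f"'**' must start a path component: {mask!r}")
        if after and after[0] not in "\\/":
            raise InvalidMask(f"'**' must end a path component: {mask!r}")
        components = [p for p in re.split(SEP, before) if p]
        if len(components) < 2:   # only a root such as 'C:' precedes '**'
            raise InvalidMask(f"'**' needs a folder before it: {mask!r}")


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    _check_double_star(mask)
    parts = []
    i = 0
    while i < len(mask):
        if mask.startswith("**", i):
            i += 2
            if i < len(mask):
                # '\**\x': one or more nested folders, not the folder itself (interpretation)
                parts.append(rf"(?:{NOT_SEP}+{SEP})+")
                i += 1                    # the delimiter after '**' is part of that pattern
            else:
                parts.append(".+")        # '\**' at the end: anything below the folder
        elif mask[i] == "*":
            parts.append(NOT_SEP + "*")   # any run of characters within one name
            i += 1
        elif mask[i] == "?":
            parts.append(NOT_SEP)         # exactly one character within one name
            i += 1
        elif mask[i] in "\\/":
            # a trailing delimiter means "this folder and everything in it" (interpretation)
            parts.append(f"(?:{SEP}.*)?" if i == len(mask) - 1 else SEP)
            i += 1
        else:
            parts.append(re.escape(mask[i]))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE)   # Windows paths are case-insensitive


def matches(mask: str, path: str) -> bool:
    return mask_to_regex(mask).fullmatch(path) is not None


def is_valid_mask(mask: str) -> bool:
    try:
        mask_to_regex(mask)
        return True
    except InvalidMask:
        return False


if __name__ == "__main__":
    # constructed sample paths checked against the masks quoted on the page
    for mask, path in [("C:\\*\\*.txt", "C:\\Docs\\a.txt"),
                       ("C:\\*\\*.txt", "C:\\Docs\\Sub\\a.txt"),
                       ("C:\\Folder\\**\\*.txt", "C:\\Folder\\Sub\\Deeper\\b.txt"),
                       ("C:\\Folder\\**\\*.txt", "C:\\Folder\\a.txt"),
                       ("C:\\Folder\\???.txt", "C:\\Folder\\abc.txt"),
                       ("C:\\Users\\*\\Folder\\", "C:\\Users\\alice\\Folder\\x.doc")]:
        print(f"{mask:28} {path:36} {matches(mask, path)}")
    print("C:\\**\\*.txt valid?", is_valid_mask("C:\\**\\*.txt"))
```

Running the masks through such a translator before committing an exclusion is worthwhile because an exclusion that is broader than intended (for instance a * placed where ** was meant, or the reverse) silently removes Behavior Detection coverage from every path it happens to match.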
Configuring addresses of exclusions from protection of shared folders against external encryption
Exclusions of addresses from protection of shared folders against external encryption work only if the Audit Logon
service is enabled. By default, the Audit Logon service is disabled (for detailed information about enabling the
Audit Logon service, please visit the Microsoft website).
The functionality for excluding addresses from shared folder protection does not work on a remote computer
if that computer was turned on before Kaspersky Endpoint Security was started. Restart the remote computer
after Kaspersky Endpoint Security has started to make address exclusions work on this remote computer.
1. In the main application window, click the button.
2. In the application settings window, select Advanced Threat Protection → Behavior Detection.
3. In the Exclusions block, click the Configure addresses of exclusions link.
4. If you want to add an IP address or computer name to the list of exclusions, click the Add button.
5. Enter the IP address or name of the computer from which external encryption attempts must not be handled.
6. Save your changes.
How to export and import a list of exclusions in the Administration Console (MMC)
3. Select the necessary policy and double-click to open the policy properties.
5. In the Protection of shared folders against external encryption block, click the Exclusions button.
a. Select the exclusions that you want to export. To select multiple exclusions, use the CTRL or SHIFT keys.
If you did not select any exclusion, Kaspersky Endpoint Security will export all exclusions.
c. In the window that opens, specify the name of the XML file to which you want to export the list of
exclusions, and select the folder in which you want to save this file.
a. Click Import.
b. In the window that opens, select the XML file from which you want to import the list of exclusions.
How to export and import a list of exclusions in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
b. Click Export.
c. Confirm that you want to export only the selected exclusions, or export the entire list of exclusions.
d. In the window that opens, specify the name of the XML file to which you want to export the list of
exclusions, and select the folder in which you want to save this file.
a. Click Import.
b. In the window that opens, select the XML file from which you want to import the list of exclusions.
Host Intrusion Prevention
This component is available if Kaspersky Endpoint Security is installed on a computer that runs on Windows
for workstations. This component is unavailable if Kaspersky Endpoint Security is installed on a computer that
runs on Windows for servers.
The Host Intrusion Prevention component prevents applications from performing actions that may be dangerous
for the operating system, and ensures control over access to operating system resources and personal data. The
component provides computer protection with the help of anti-virus databases and the Kaspersky Security
Network cloud service.
The component controls the operation of applications by using application rights. Application rights include the
following access parameters:
Access to operating system resources (for example, automatic startup options, registry keys)
During the first startup of the application, the Host Intrusion Prevention component performs the following
actions:
You are advised to participate in Kaspersky Security Network to help the Host Intrusion Prevention
component work more effectively.
3. Places the application in one of the trust groups: Trusted, Low Restricted, High Restricted, Untrusted.
A trust group defines the rights that Kaspersky Endpoint Security refers to when controlling application
activity. Kaspersky Endpoint Security places an application in a trust group depending on the level of danger
that this application may pose to the computer.
The trust group is shared by the Firewall and Host Intrusion Prevention components: Kaspersky Endpoint
Security assigns one trust group per application, and you cannot assign a different trust group for the
Firewall alone or for Host Intrusion Prevention alone.
If you refused to participate in KSN or there is no network connection, Kaspersky Endpoint Security places the
application in a trust group depending on the settings of the Host Intrusion Prevention component. After
receiving the reputation of the application from KSN, the trust group can be changed automatically.
4. Blocks application actions depending on the trust group. For example, applications from the High Restricted
trust group are denied access to the operating system modules.
The next time the application is started, Kaspersky Endpoint Security checks the integrity of the application. If the
application is unchanged, the component uses the current application rights for it. If the application has been
modified, Kaspersky Endpoint Security analyzes the application as if it were being started for the first time.
How to enable or disable the Host Intrusion Prevention component in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Advanced Threat Protection → Host Intrusion Prevention.
5. Use the Host Intrusion Prevention check box to enable or disable the component.
How to enable or disable the Host Intrusion Prevention component in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. Use the Host Intrusion Prevention toggle to enable or disable the component.
How to enable or disable the Host Intrusion Prevention component in the application interface
1. In the main application window, click the button.
2. In the application settings window, select Advanced Threat Protection → Host Intrusion Prevention.
3. Use the Host Intrusion Prevention toggle to enable or disable the component.
If the Host Intrusion Prevention component is enabled, Kaspersky Endpoint Security will place an application in a
trust group depending on the level of danger that this application may pose to the computer. Kaspersky Endpoint
Security will then block the actions of the application depending on the trust group.
At the first stage of the application scan, Kaspersky Endpoint Security searches the internal database of known
applications for a matching entry and at the same time sends a request to the Kaspersky Security Network
database (if an Internet connection is available). Based on the results of the search in the internal database and the
Kaspersky Security Network database, the application is placed into a trust group. Each time the application is
subsequently started, Kaspersky Endpoint Security sends a new query to the KSN database and places the
application into a different trust group if the reputation of the application in the KSN database has changed.
You can select a trust group to which Kaspersky Endpoint Security must automatically assign all unknown
applications. Applications that were started before Kaspersky Endpoint Security are automatically moved to the
trust group defined in Host Intrusion Prevention component settings.
For applications that were started before Kaspersky Endpoint Security, only network activity is controlled.
Control is performed according to the network rules defined in the Firewall settings.
Kaspersky specialists do not recommend moving applications from the automatically assigned trust group to
a different trust group. Instead, you can modify rights for an individual application if necessary.
How to change the trust group of an application in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Advanced Threat Protection → Host Intrusion Prevention.
5. In the Application rights and protected resources block, click the Settings button.
This opens the application rights configuration window and the list of protected resources.
7. Click Add.
8. In the window that opens, enter criteria to search for the application whose trust group you want to
change.
You can enter the name of the application or the name of the vendor. Kaspersky Endpoint Security
supports environment variables and the * and ? characters when entering a mask.
9. Click Refresh.
Kaspersky Endpoint Security will search for the application in the consolidated list of applications installed
on managed computers. Kaspersky Endpoint Security will show a list of applications that satisfy your
search criteria.
10. Select the necessary application.
11. In the Add selected application to the trust group drop-down list, select the necessary trust group for
the application.
How to change the trust group of an application in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Application rights and protected resources block, click the Application rights and protected
resources link.
This opens the application rights configuration window and the list of protected resources.
7. Click Add.
This starts the Wizard for adding an application to a trust group.
If you want to change the trust group for multiple applications, select the Group type and define a name
for the application group.
10. In the opened list of applications, select the applications whose trust group you want to change.
Use a filter. You can enter the name of the application or the name of the vendor. Kaspersky Endpoint
Security supports environment variables and the * and ? characters when entering a mask.
2. In the application settings window, select Advanced Threat Protection → Host Intrusion Prevention.
As a result, the application will be put into the other trust group. Kaspersky Endpoint Security will then block the
actions of the application depending on the trust group. The (user-defined) status will be assigned to the
application. If the reputation of the application is changed in Kaspersky Security Network, the Host Intrusion
Prevention component will leave this application's trust group unchanged.
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Advanced Threat Protection → Host Intrusion Prevention.
5. In the Application rights and protected resources block, click the Settings button.
This opens the application rights configuration window and the list of protected resources.
If you want to edit trust group rights that regulate operations with the operating system registry, user
files, and application settings, select the Files and system registry tab.
If you want to edit trust group rights that regulate access to operating system processes and objects,
select the Rights tab.
10. For the relevant resource, in the column of the corresponding action, right-click to open the context menu
and select the necessary option: Inherit, Allow ( ) or Block ( ).
11. If you want to monitor the use of computer resources, select Log events ( / ).
Kaspersky Endpoint Security will record information about the operation of the Host Intrusion Prevention
component. Reports contain information about operations with computer resources performed by the
application (allowed or forbidden). Reports also contain information about the applications that utilize each
resource.
How to change trust group rights in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Application rights and protected resources block, click the Application rights and protected
resources link.
This opens the application rights configuration window and the list of protected resources.
7. In the left part of the window, select the relevant trust group.
8. In the right part of the window, in the drop-down list, do one of the following:
If you want to edit trust group rights that regulate operations with the operating system registry, user
files, and application settings, select Files and system registry.
If you want to edit trust group rights that regulate access to operating system processes and objects,
select Rights.
9. For the relevant resource, in the column of the corresponding action, select the necessary option: Inherit,
Allow ( ), Block ( ).
10. If you want to monitor the use of computer resources, select Log events ( / ).
Kaspersky Endpoint Security will record information about the operation of the Host Intrusion Prevention
component. Reports contain information about operations with computer resources performed by the
application (allowed or forbidden). Reports also contain information about the applications that utilize each
resource.
1. In the main application window, click the button.
2. In the application settings window, select Advanced Threat Protection → Host Intrusion Prevention.
5. In the context menu of the trust group, select Details and rules.
This opens the trust group properties.
If you want to edit trust group rights that regulate operations with the operating system registry, user
files, and application settings, select the Files and system registry tab.
If you want to edit trust group rights that regulate access to operating system processes and objects,
select the Rights tab.
7. For the relevant resource, in the column of the corresponding action, right-click to open the context menu
and select the necessary option: Inherit, Allow ( ) or Deny ( ).
8. If you want to monitor the use of computer resources, select Log events ( ).
Kaspersky Endpoint Security will record information about the operation of the Host Intrusion Prevention
component. Reports contain information about operations with computer resources performed by the
application (allowed or forbidden). Reports also contain information about the applications that utilize each
resource.
The trust group rights will be changed. Kaspersky Endpoint Security will then block the actions of the application
depending on the trust group. The status (Custom settings) will be assigned to the trust group.
For applications that were started before Kaspersky Endpoint Security, only network activity is controlled.
Control is performed according to the network rules defined in the Firewall settings. To specify which network
rules must be applied to network activity monitoring for such applications, you must select a trust group.
How to select a trust group for applications started before Kaspersky Endpoint Security in the Administration
Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Advanced Threat Protection → Host Intrusion Prevention.
5. In the Application rights and protected resources block, click the Edit button.
6. For the Trust group for applications launched before Kaspersky Endpoint Security starts working
setting, select the appropriate trust group.
How to select a trust group for applications started before Kaspersky Endpoint Security in the Web Console and
Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. For the Trust group for applications launched before Kaspersky Endpoint Security starts working
setting, select the appropriate trust group.
How to select a trust group for applications started before Kaspersky Endpoint Security in the application
interface
1. In the main application window, click the button.
2. In the application settings window, select Advanced Threat Protection → Host Intrusion Prevention.
3. In the Trust group for applications started before startup of Kaspersky Endpoint Security block, select
the appropriate trust group.
As a result, an application that is started before Kaspersky Endpoint Security will be put into the other trust group.
Kaspersky Endpoint Security will then block the actions of the application depending on the trust group.
How to select a trust group for unknown applications in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Advanced Threat Protection → Host Intrusion Prevention.
5. In the Application processing rules block, use the Trust group for applications that could not be added
to existing groups drop-down list to select the necessary trust group.
If participation in Kaspersky Security Network is enabled, Kaspersky Endpoint Security sends KSN a
request for the reputation of an application each time the application is started. Based on the received
response, the application may be moved to a trust group that is different from the one specified in the
Host Intrusion Prevention component settings.
6. Use the Update rights for previously unknown applications from KSN database check box to configure
automatic update of the rights of unknown applications.
How to select a trust group for unknown applications in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Application processing rules block, use the Trust group for applications that could not be added
to existing groups drop-down list to select the necessary trust group.
If participation in Kaspersky Security Network is enabled, Kaspersky Endpoint Security sends KSN a
request for the reputation of an application each time the application is started. Based on the received
response, the application may be moved to a trust group that is different from the one specified in the
Host Intrusion Prevention component settings.
6. Use the Update rights for previously unknown applications from KSN database check box to configure
automatic update of the rights of unknown applications.
How to select a trust group for unknown applications in the application interface
1. In the main application window, click the button.
2. In the application settings window, select Advanced Threat Protection → Host Intrusion Prevention.
3. In the Application processing rules block, select the appropriate trust group.
If participation in Kaspersky Security Network is enabled, Kaspersky Endpoint Security sends KSN a
request for the reputation of an application each time the application is started. Based on the received
response, the application may be moved to a trust group that is different from the one specified in the
Host Intrusion Prevention component settings.
4. Use the Update rules for previously unknown applications from KSN check box to configure automatic
update of the rights of unknown applications.
How to select a trust group for digitally signed applications in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Advanced Threat Protection → Host Intrusion Prevention.
5. In the Application processing rules block, use the Trust digitally signed applications check box to enable
or disable automatic assignment to the Trusted group for applications containing the digital signature of
trusted vendors.
Trusted vendors are those software vendors that are included in the trusted group by Kaspersky. You can
also add a vendor's certificate to the trusted system certificate store manually.
If this check box is cleared, the Host Intrusion Prevention component does not consider digitally signed
applications to be trusted, and uses other parameters to determine their trust group.
How to select a trust group for digitally signed applications in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Application processing rules block, use the Trust digitally signed applications check box to enable
or disable automatic assignment to the Trusted group for applications containing the digital signature of
trusted vendors.
Trusted vendors are those software vendors that are included in the trusted group by Kaspersky. You can
also add a vendor's certificate to the trusted system certificate store manually.
If this check box is cleared, the Host Intrusion Prevention component does not consider digitally signed
applications to be trusted, and uses other parameters to determine their trust group.
How to select a trust group for digitally signed applications in the application interface
1. In the main application window, click the button.
2. In the application settings window, select Advanced Threat Protection → Host Intrusion Prevention.
3. In the Application processing rules block, use the Trust digitally signed applications check box to enable
or disable automatic assignment to the Trusted group for applications containing the digital signature of
trusted vendors.
Trusted vendors are those software vendors that are included in the trusted group by Kaspersky. You can
also add a vendor's certificate to the trusted system certificate store manually.
If this check box is cleared, the Host Intrusion Prevention component does not consider digitally signed
applications to be trusted, and uses other parameters to determine their trust group.
Manually defined application rights have a higher priority than application rights that were defined for a trust group.
In other words, if manually defined application rights differ from the application rights defined for a trust group, the
Host Intrusion Prevention component controls application activity according to the manually defined application
rights.
The rules that you create for applications are inherited by child applications. For example, if you deny all network
activity for cmd.exe, all network activity will also be denied for notepad.exe if it is started using cmd.exe. When an
application is not a child process of the application it was launched from, the rules are not inherited.
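How these precedence rules combine, as an added example that is not part of the Kaspersky documentation or product code: a small Python model of the decision order described above (manually defined rights override the trust group's rights, Inherit defers to the group, and a Block that applies to a parent process also applies to its child processes unless the child is excluded from inheriting restrictions). The trust group rights tables, resource names and applications are constructed sample data, and two points are assumptions rather than documented behaviour: a resource with no listed right is treated as allowed, and inheritance from a parent is modelled on the parent's effective verdict.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple


class Verdict(Enum):
    ALLOW = "Allow"
    BLOCK = "Block"
    INHERIT = "Inherit"   # no decision of its own: defer to the trust group


Right = Tuple[str, str]   # (protected resource, action), e.g. ("Network", "Any")


@dataclass
class App:
    name: str
    trust_group: str
    rights: Dict[Right, Verdict] = field(default_factory=dict)   # manually defined rights
    parent: Optional["App"] = None                                # the process that started it
    # False models the "Do not inherit restrictions from the parent process" exclusion.
    inherit_parent_restrictions: bool = True


@dataclass
class Policy:
    group_rights: Dict[str, Dict[Right, Verdict]]   # the trust groups' rights tables
    default_group: str = "Low Restricted"           # group for applications that fit no other group


def own_verdict(policy: Policy, app: App, resource: str, action: str) -> Verdict:
    """Manually defined rights win; Inherit (or no manual right) defers to the trust group."""
    manual = app.rights.get((resource, action), Verdict.INHERIT)
    if manual is not Verdict.INHERIT:
        return manual
    group = policy.group_rights.get(app.trust_group)
    if group is None:
        group = policy.group_rights[policy.default_group]
    # Assumption: a resource with no listed right is allowed.
    return group.get((resource, action), Verdict.ALLOW)


def effective_verdict(policy: Policy, app: App, resource: str, action: str) -> Verdict:
    """Own verdict plus restrictions inherited along the parent-process chain."""
    verdict = own_verdict(policy, app, resource, action)
    if verdict is Verdict.BLOCK or app.parent is None or not app.inherit_parent_restrictions:
        return verdict
    # A Block that applies to the parent (cmd.exe in the text) also applies to the child.
    # Assumption: the child inherits the parent's *effective* verdict, so an exclusion
    # on the parent also stops the grandparent's restrictions from reaching the child.
    if effective_verdict(policy, app.parent, resource, action) is Verdict.BLOCK:
        return Verdict.BLOCK
    return verdict


# Constructed sample rights tables: only the entries needed for the scenarios below.
POLICY = Policy(group_rights={
    "Trusted": {},
    "Low Restricted": {("Autorun registry keys", "Write"): Verdict.BLOCK},
    "High Restricted": {("Autorun registry keys", "Write"): Verdict.BLOCK,
                        ("Network", "Any"): Verdict.BLOCK},
    "Untrusted": {("Autorun registry keys", "Write"): Verdict.BLOCK,
                  ("Network", "Any"): Verdict.BLOCK,
                  ("Personal data", "Read"): Verdict.BLOCK},
})

# cmd.exe is Trusted, but an administrator denied all of its network activity (the text's example).
CMD = App("cmd.exe", "Trusted", rights={("Network", "Any"): Verdict.BLOCK})
NOTEPAD_FROM_CMD = App("notepad.exe", "Trusted", parent=CMD)     # started from cmd.exe
NOTEPAD_STANDALONE = App("notepad.exe", "Trusted")               # not a child of cmd.exe
UPDATER = App("updater.exe", "Trusted", parent=CMD, inherit_parent_restrictions=False)
# Left in its automatically assigned group; one right is allowed manually instead of moving the group.
BACKUP = App("backup.exe", "High Restricted", rights={("Network", "Any"): Verdict.ALLOW})


if __name__ == "__main__":
    for app, right in [(NOTEPAD_FROM_CMD, ("Network", "Any")), (NOTEPAD_STANDALONE, ("Network", "Any")),
                       (UPDATER, ("Network", "Any")), (BACKUP, ("Network", "Any")),
                       (BACKUP, ("Autorun registry keys", "Write"))]:
        print(f"{app.name:12} {right}: {effective_verdict(POLICY, app, *right).value}")
```

The backup.exe case is the pattern the text recommends: instead of moving an application out of its automatically assigned trust group, allow the one right it needs and leave the rest of the group's restrictions (here the autorun key write) in force.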
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Advanced Threat Protection → Host Intrusion Prevention.
5. In the Application rights and protected resources block, click the Settings button.
This opens the application rights configuration window and the list of protected resources.
7. Click Add.
8. In the window that opens, enter criteria to search for the application whose application rights you want to
change.
You can enter the name of the application or the name of the vendor. Kaspersky Endpoint Security
supports environment variables and the * and ? characters when entering a mask.
9. Click Refresh.
Kaspersky Endpoint Security will search for the application in the consolidated list of applications installed
on managed computers. Kaspersky Endpoint Security will show a list of applications that satisfy your
search criteria.
10. Select the necessary application.
11. In the Add selected application to the trust group drop-down list, select Default groups and click OK.
The application will be added to the default group.
12. Select the relevant application and then select Application rights from the context menu of the
application.
This opens the application properties.
If you want to edit trust group rights that regulate operations with the operating system registry, user
files, and application settings, select the Files and system registry tab.
If you want to edit trust group rights that regulate access to operating system processes and objects,
select the Rights tab.
14. For the relevant resource, in the column of the corresponding action, right-click to open the context menu
and select the necessary option: Inherit, Allow ( ) or Block ( ).
15. If you want to monitor the use of computer resources, select Log events ( / ).
Kaspersky Endpoint Security will record information about the operation of the Host Intrusion Prevention
component. Reports contain information about operations with computer resources performed by the
application (allowed or forbidden). Reports also contain information about the applications that utilize each
resource.
How to change application rights in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Application rights and protected resources block, click the Application rights and protected
resources link.
This opens the application rights configuration window and the list of protected resources.
7. Click Add.
This starts the Wizard for adding an application to a trust group.
If you want to change the trust group for multiple applications, select the Group type and define a name
for the application group.
10. In the opened list of applications, select the applications whose application rights you want to change.
Use a filter. You can enter the name of the application or the name of the vendor. Kaspersky Endpoint
Security supports environment variables and the * and ? characters when entering a mask.
12. In the left part of the window, select the relevant application.
13. In the right part of the window, in the drop-down list, do one of the following:
If you want to edit trust group rights that regulate operations with the operating system registry, user
files, and application settings, select Files and system registry.
If you want to edit trust group rights that regulate access to operating system processes and objects,
select Rights.
14. For the relevant resource, in the column of the corresponding action, select the necessary option: Inherit,
Allow ( ), Block ( ).
15. If you want to monitor the use of computer resources, select Log events ( / ).
Kaspersky Endpoint Security will record information about the operation of the Host Intrusion Prevention
component. Reports contain information about operations with computer resources performed by the
application (allowed or forbidden). Reports also contain information about the applications that utilize each
resource.
1. In the main application window, click the button.
2. In the application settings window, select Advanced Threat Protection → Host Intrusion Prevention.
If you want to edit trust group rights that regulate operations with the operating system registry, user
files, and application settings, select the Files and system registry tab.
If you want to edit trust group rights that regulate access to operating system processes and objects,
select the Rights tab.
7. For the relevant resource, in the column of the corresponding action, right-click to open the context menu
and select the necessary option: Inherit, Allow ( ) or Deny ( ).
8. If you want to monitor the use of computer resources, select Log events ( ).
Kaspersky Endpoint Security will record information about the operation of the Host Intrusion Prevention
component. Reports contain information about operations with computer resources performed by the
application (allowed or forbidden). Reports also contain information about the applications that utilize each
resource.
9. Select the Exclusions tab and configure the advanced settings of the application (see the settings below).
Do not scan files before opening: All files that are opened by the application are excluded from scans by Kaspersky
Endpoint Security. For example, if you are using applications to back up files, this feature helps reduce the
consumption of resources by Kaspersky Endpoint Security.
Do not monitor application activity: Kaspersky Endpoint Security will not monitor the application's file and network
activity in the operating system. You can configure application activity monitoring separately for different
components of Kaspersky Endpoint Security:
Do not monitor for protection and control components. Application activity is monitored by the following
components: Behavior Detection, Exploit Prevention, Host Intrusion Prevention, Remediation Engine and Firewall.
managing the application on the console. Telemetry data is used by Kaspersky Anti Targeted Attack Platform (EDR).
Do not inherit restrictions from the parent process (application): The restrictions configured for the parent
process will not be applied by Kaspersky Endpoint Security to a child process. The parent process is started by an
application for which application rights (Host Intrusion Prevention) and application network rules (Firewall) are
configured.
Do not monitor child application activity: Kaspersky Endpoint Security will not monitor the file activity or network
activity of applications that are started by this application. You can apply the exclusion recursively, so that
Kaspersky Endpoint Security does not monitor the activity of the entire chain of child applications.
Do not scan encrypted traffic / Do not scan all traffic: Network traffic initiated by the application will be excluded
from scans by Kaspersky Endpoint Security. You can exclude either all traffic or only encrypted traffic from scans.
You can also exclude individual IP addresses and port numbers from scans.
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Advanced Threat Protection → Host Intrusion Prevention.
5. In the Application rights and protected resources block, click the Settings button.
This opens the application rights configuration window and the list of protected resources.
7. Select the category of protected resources to which you want to add a new protected resource.
If you want to add a subcategory, click Add → Category.
8. Click the Add button. In the drop-down list, select the type of resource that you want to add: File or folder
or Registry key.
You can view applications' rights to access the added resources. To do so, select an added resource in the
left part of the window and Kaspersky Endpoint Security will show the access rights for each trust group.
You can also disable control of application activity with resources by using the check box next to a new
resource.
How to add a protected resource in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Application rights and protected resources block, click the Application rights and protected
resources link.
This opens the application rights configuration window and the list of protected resources.
7. Click Add.
The New Resource Wizard starts.
8. Click the Group name link to select the category of protected resources to which you want to add a new
protected resource.
If you want to add a subcategory, select the Category of protected resources option.
9. Select the type of resource that you want to add: File or folder or Registry key.
2. In the application settings window, select Advanced Threat Protection → Host Intrusion Prevention.
4. Select the category of protected resources to which you want to add a new protected resource.
If you want to add a subcategory, click Add → Category.
5. Click the Add button. In the drop-down list, select the type of resource that you want to add: File or folder
or Registry key.
Kaspersky Endpoint Security will control access to the added operating system resources and to personal data.
Kaspersky Endpoint Security controls an application's access to resources based on the trust group assigned to
the application. You can also change the trust group of an application.
Kaspersky Endpoint Security automatically deletes information about unused applications to save computer
resources. Kaspersky Endpoint Security deletes application information according to the following rules:
If the trust group and rights of an application were determined automatically, Kaspersky Endpoint Security
deletes information about this application after 30 days. It is not possible to change the storage term for
application information or turn off automatic deletion.
If you manually put an application into a trust group or configured its access rights, Kaspersky Endpoint
Security deletes information about this application after 60 days (default storage term). You can change the
storage term for application information, or turn off automatic deletion (see the instructions below).
When you start an application whose information has been deleted, Kaspersky Endpoint Security analyzes the
application as if it were starting for the first time.
How to configure automatic deletion of information about unused applications in the Administration Console
(MMC)
374
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Advanced Threat Protection → Host Intrusion Prevention.
If you want to configure automatic deletion, select the Delete rules for applications that have not
been started for longer than N day(s) check box and enter the number of days.
Information about the applications that you manually put into a trust group or whose access rights you
manually configured will be deleted by Kaspersky Endpoint Security after the defined number of days.
Information about applications whose trust group and application rights were automatically determined
will also be deleted by Kaspersky Endpoint Security after 30 days.
If you want to turn off automatic deletion, clear the Delete rules for applications that have not been
started for longer than N day(s) check box.
Information about the applications that you manually put into a trust group or whose access rights you
manually configured will be stored by Kaspersky Endpoint Security indefinitely, without any storage
term limits. Kaspersky Endpoint Security will only delete information about applications whose trust
group and application rights were automatically determined after 30 days.
1. In the main window of the Web Console, select Devices → Policies & profiles.
If you want to configure automatic deletion, select the Delete rules for applications that have not
been started for longer than N day(s) check box and enter the number of days.
Information about the applications that you manually put into a trust group or whose access rights you
manually configured will be deleted by Kaspersky Endpoint Security after the defined number of days.
Information about applications whose trust group and application rights were automatically determined
will also be deleted by Kaspersky Endpoint Security after 30 days.
If you want to turn off automatic deletion, clear the Delete rules for applications that have not been
started for longer than N day(s) check box.
Information about the applications that you manually put into a trust group or whose access rights you
manually configured will be stored by Kaspersky Endpoint Security indefinitely, without any storage
term limits. Kaspersky Endpoint Security will only delete information about applications whose trust
group and application rights were automatically determined after 30 days.
How to configure automatic deletion of information about unused applications in the application interface
2. In the application settings window, select Advanced Threat Protection → Host Intrusion Prevention.
If you want to configure automatic deletion, select the Delete rules for applications that have not
been started for longer than N day(s) check box and enter the number of days.
Information about the applications that you manually put into a trust group or whose access rights you
manually configured will be deleted by Kaspersky Endpoint Security after the defined number of days.
Information about applications whose trust group and application rights were automatically determined
will also be deleted by Kaspersky Endpoint Security after 30 days.
If you want to turn off automatic deletion, clear the Delete rules for applications that have not been
started for longer than N day(s) check box.
Information about the applications that you manually put into a trust group or whose access rights you
manually configured will be stored by Kaspersky Endpoint Security indefinitely, without any storage
term limits. Kaspersky Endpoint Security will only delete information about applications whose trust
group and application rights were automatically determined after 30 days.
To monitor Host Intrusion Prevention operations, you need to enable report writing. For example, you can enable
forwarding of reports for individual applications in the Host Intrusion Prevention component settings.
When configuring Host Intrusion Prevention monitoring, take into account the potential network load when
forwarding events to Kaspersky Security Center. You can also enable saving of reports only in the local log of
Kaspersky Endpoint Security.
By default, Kaspersky Endpoint Security controls the access of applications to the audio stream and video stream
as follows:
Trusted and Low Restricted applications are allowed to receive the audio stream and video stream from
devices by default.
High Restricted and Untrusted applications are not allowed to receive the audio stream and video stream from
devices by default.
You can manually allow applications to receive the audio stream and video stream.
The Host Intrusion Prevention component must be enabled for this functionality to work.
If the application started receiving the audio stream before the Host Intrusion Prevention component was
started, Kaspersky Endpoint Security allows the application to receive the audio stream and does not show any
notifications.
If you moved the application to the Untrusted group or High Restricted group after the application began
receiving the audio stream, Kaspersky Endpoint Security allows the application to receive the audio stream and
does not show any notifications.
After the settings for the application's access to sound recording devices have been changed (for example, if
the application has been blocked from receiving the audio stream), this application must be restarted to stop it
from receiving the audio stream.
Control of access to the audio stream from sound recording devices does not depend on an application's
webcam access settings.
Kaspersky Endpoint Security protects access to only built-in microphones and external microphones. Other
audio streaming devices are not supported.
Kaspersky Endpoint Security cannot guarantee the protection of an audio stream from such devices as DSLR
cameras, portable video cameras, and action cameras.
When you run audio and video recording or playback applications for the first time since installation of
Kaspersky Endpoint Security, audio and video playback or recording may be interrupted. This is necessary in
order to enable the functionality that controls access to sound recording devices by applications. The system
service that controls audio hardware will be restarted when Kaspersky Endpoint Security is run for the first
time.
Webcam access protection functionality has the following special considerations and limitations:
The application controls video and still images derived from the processing of webcam data.
The application controls the audio stream if it is part of the video stream received from the webcam.
The application controls only webcams connected via USB or IEEE1394 that are displayed as Imaging Devices in
the Windows Device Manager.
Kaspersky cannot guarantee support for webcams that are not specified in this list.
Remediation Engine
The Remediation Engine lets Kaspersky Endpoint Security roll back actions that have been performed by malware
in the operating system.
When rolling back malware activity in the operating system, Kaspersky Endpoint Security handles the following
types of malware activity:
File activity
Kaspersky Endpoint Security performs the following actions:
Deletes executable files that were created by malware (on all media except network drives).
Deletes executable files that were created by programs that have been infiltrated by malware.
Registry activity
Kaspersky Endpoint Security performs the following actions:
Does not restore registry keys that have been modified or deleted by malware.
System activity
Kaspersky Endpoint Security performs the following actions:
Network activity
Kaspersky Endpoint Security performs the following actions:
Blocks the network activity of processes that have been infiltrated by malware.
A rollback of malware actions can be started by the File Threat Protection or Behavior Detection component, or
during a malware scan.
Rolling back malware operations affects a strictly defined set of data. Rollback has no adverse effects on the
operating system or on the integrity of your computer data.
How to enable or disable the Remediation Engine component in the Administration Console (MMC)
3. Select the necessary policy and double-click to open the policy properties.
5. Use the Remediation Engine check box to enable or disable the component.
How to enable or disable the Remediation Engine component in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
How to enable or disable the Remediation Engine component in the application interface
2. In the application settings window, select Advanced Threat Protection → Remediation Engine.
As a result, if Remediation Engine is enabled, Kaspersky Endpoint Security will roll back the actions taken by
malicious applications in the operating system.
Kaspersky Security Network (KSN) is an infrastructure of cloud services providing access to the online Kaspersky
Knowledge Base that contains information about the reputation of files, web resources, and software. The use of
data from Kaspersky Security Network ensures faster responses by Kaspersky Endpoint Security to new threats,
improves the performance of some protection components, and reduces the likelihood of false positives. If you are
participating in Kaspersky Security Network, KSN services provide Kaspersky Endpoint Security with information
about the category and reputation of scanned files, as well as information about the reputation of scanned web
addresses.
Use of Kaspersky Security Network is voluntary. The application prompts you to use KSN during initial
configuration of the application. Users can begin or discontinue participation in KSN at any time.
For more detailed information about sending Kaspersky statistical information that is generated during
participation in KSN, and about the storage and destruction of such information, please refer to the Kaspersky
Security Network Statement and the Kaspersky website. The ksn_<language ID>.txt file with the text of the
Kaspersky Security Network Statement is included in the application distribution kit.
Kaspersky Endpoint Security supports the following infrastructure solutions for working with Kaspersky reputation
databases:
Kaspersky Security Network (KSN) is the solution that is used by most Kaspersky applications. KSN participants
receive information from Kaspersky and send Kaspersky information about objects detected on the user's
computer to be analyzed additionally by Kaspersky analysts and to be included in the reputation and statistical
databases.
Kaspersky Private Security Network (KPSN) is a solution that enables users of computers hosting Kaspersky
Endpoint Security or other Kaspersky applications to obtain access to Kaspersky reputation databases, and to
other statistical data without sending data to Kaspersky from their own computers. KPSN is designed for
corporate customers who are unable to participate in Kaspersky Security Network for any of the following
reasons:
Local workstations are not connected to the Internet.
Transmission of any data outside the country or outside the corporate LAN is prohibited by law or restricted
by corporate security policies.
By default, Kaspersky Security Center uses KSN. You can configure the use of KPSN in the Administration
Console (MMC), in the Kaspersky Security Center Web Console, and in the command line. It is not possible to
configure the use of KPSN in the Kaspersky Security Center Cloud Console.
For more details about KPSN, please refer to the documentation on Kaspersky Private Security Network.
2. In the application settings window, select Advanced Threat Protection → Kaspersky Security Network.
3. Use the Kaspersky Security Network toggle to enable or disable the component.
If you enabled the use of KSN, Kaspersky Endpoint Security will display the Kaspersky Security Network
Statement. Please read and accept the Kaspersky Security Network (KSN) Statement terms of use if you agree
to them.
By default, Kaspersky Endpoint Security uses the Extended KSN mode. Extended KSN mode is a mode in which
Kaspersky Endpoint Security sends additional data to Kaspersky.
As a result, if use of KSN is enabled, Kaspersky Endpoint Security uses information about the reputation of files,
web resources, and applications received from Kaspersky Security Network.
However, in some cases Kaspersky Endpoint Security might not request the reputation of an object in KSN/KPSN.
If this is the case, Kaspersky Endpoint Security will not receive data from the local reputation database of KPSN.
Kaspersky Endpoint Security might not request the reputation of an object in KSN/KPSN for the following reasons:
Kaspersky applications are using offline reputation databases. Offline reputation databases are designed to
optimize resources during operation of Kaspersky applications and to protect critically important objects on
the computer. Offline reputation databases are created by Kaspersky experts based on data from Kaspersky
Security Network. Kaspersky applications update offline reputation databases with anti-virus databases of the
specific application. If offline reputation databases contain information about an object being scanned, the
application does not request the reputation of this object from KSN/KPSN.
Scan exclusions (trusted zone) are configured in the application settings. If this is the case, the application does
not take into account the reputation of the object in the local reputation database.
The application uses scan optimization technologies, such as iSwift or iChecker, or is caching reputation
requests to KSN / KPSN. If this is the case, the application might not request the reputation of previously
scanned objects.
To optimize its workload, the application scans files of a certain format and size. The list of relevant formats and
size limits are determined by Kaspersky experts. This list is updated with the application's anti-virus databases.
You can also configure scan optimization settings in the application interface, for example, for the File Threat
Protection component.
When using Kaspersky Private Security Network, cloud mode functionality is available starting with Kaspersky
Private Security Network version 3.0.
2. In the application settings window, select Advanced Threat Protection → Kaspersky Security Network.
3. Use the Enable cloud mode toggle to enable or disable the component.
As a result, Kaspersky Endpoint Security downloads a light version or full version of anti-virus databases during
the next update.
If the light version of anti-virus databases is not available for use, Kaspersky Endpoint Security automatically
switches to the premium version of anti-virus databases.
User computers managed by Kaspersky Security Center Administration Server can interact with KSN via the KSN
Proxy service.
The user's computer can query KSN and submit information to KSN even without direct access to the Internet.
The KSN Proxy service caches processed data, thereby reducing the load on the external network
communication channel and speeding up receipt of the information that is requested by the user's computer.
By default, after KSN is enabled and the KSN Statement is accepted, the application uses a proxy server to
connect to Kaspersky Security Network. The proxy server used by the application is the Kaspersky Security
Center Administration Server via TCP port 13111. Therefore, if KSN Proxy is not available, you need to verify the
following:
You can configure the use of KSN Proxy as follows: enable or disable KSN Proxy, and configure the port for the
connection. To do so, you need to open the Administration Server properties. For details on KSN Proxy
configuration, please refer to the Kaspersky Security Center Help. You can also enable or disable KSN Proxy for
individual computers in the Kaspersky Endpoint Security policy.
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Advanced Threat Protection → Kaspersky Security Network.
5. In the KSN Proxy Settings block, use the Use Administration Server as a KSN proxy server check box to
enable or disable KSN Proxy.
6. If necessary, select the Use Kaspersky Security Network servers if the KSN proxy server is unavailable
check box.
If the check box is selected, Kaspersky Endpoint Security uses KSN servers when the KSN Proxy service is
unavailable. KSN servers may be located both on the side of Kaspersky and on the side of third parties
(when Kaspersky Private Security Network is used).
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. Use the Use Administration Server as a KSN proxy server check box to enable or disable KSN Proxy.
6. If necessary, select the Use Kaspersky Security Network servers if the KSN proxy server is unavailable
check box.
If the check box is selected, Kaspersky Endpoint Security uses KSN servers when the KSN Proxy service is
unavailable. KSN servers may be located both on the side of Kaspersky and on the side of third parties
(when Kaspersky Private Security Network is used).
The KSN Proxy address matches the Administration Server address. When the Administration Server domain name
is changed, you need to manually update the KSN Proxy address.
2. In the console tree, select the Advanced → Remote installation → Installation packages folder.
4. On the General tab in the opened window, specify the new address of the KSN proxy server.
You can check the reputation of a file if you have accepted the terms of the Kaspersky Security Network
Statement.
Open the file context menu and select the Check reputation in KSN option (see the figure below).
File context menu
Trusted (Kaspersky Security Network). Most users of Kaspersky Security Network have confirmed that the
file is trusted.
Legitimate software that can be used by intruders to damage your computer or personal data. Although
they do not have any malicious functions, such applications can be exploited by intruders. For details on
legitimate software that could be used by criminals to harm the computer or personal data of a user, please refer
to the Kaspersky IT Encyclopedia website. You can add these applications to the trusted list.
Untrusted (Kaspersky Security Network). A virus or other application that poses a threat.
Unknown (Kaspersky Security Network). Kaspersky Security Network does not have any information about
the file. You can scan a file using anti-virus databases (the Scan for viruses option in the context menu).
Kaspersky Endpoint Security displays the KSN solution that was used to determine the reputation of the file:
Kaspersky Security Network or Kaspersky Private Security Network.
Kaspersky Endpoint Security also displays additional information about the file (see the figure below).
Encrypted connections scan
After installation, Kaspersky Endpoint Security adds a Kaspersky certificate to the system storage for trusted
certificates (Windows certificate store). Kaspersky Endpoint Security uses this certificate to scan encrypted
connections. Kaspersky Endpoint Security also includes the use of system storage of trusted certificates in
Firefox and Thunderbird to scan the traffic of these applications.
The Web Control, Mail Threat Protection, Web Threat Protection components can decrypt and scan network
traffic transmitted over encrypted connections using the following protocols:
SSL 3.0.
3. In the Encrypted connections scan block, select the encrypted connection scanning mode:
Do not scan encrypted connections. Kaspersky Endpoint Security will not have access to the contents of
websites whose addresses begin with https://.
Scan encrypted connections upon request from protection components. Kaspersky Endpoint Security
will scan encrypted traffic only when requested by the Web Threat Protection, Mail Threat Protection, and
Web Control components.
Always scan encrypted connections. Kaspersky Endpoint Security will scan encrypted network traffic even
if protection components are disabled.
Kaspersky Endpoint Security does not scan encrypted connections that were established by trusted
applications for which traffic scanning is disabled. Kaspersky Endpoint Security does not scan encrypted
connections from the predefined list of trusted websites. The predefined list of trusted websites is
created by Kaspersky experts. This list is updated with the application's anti-virus databases. You can view
the predefined list of trusted websites only in the Kaspersky Endpoint Security interface. You cannot view
the list in the Kaspersky Security Center Console.
5. Configure the settings for scanning encrypted connections (see the table below).
Parameter: Trusted root certificates
List of trusted root certificates. Kaspersky Endpoint Security lets you install trusted root certificates on user
computers if, for example, you need to deploy a new certification center. The application lets you add a
certificate to a special Kaspersky Endpoint Security certificate store. In this case, the certificate is considered
trusted only for the Kaspersky Endpoint Security application. In other words, the user can gain access to a
website with the new certificate in the browser. If another application tries to gain access to the website, you
can get a connection error because of a certificate issue. To add to the system certificate store, you can use
Active Directory group policies.
Parameter: Visiting a domain with an untrusted certificate
Allow. When visiting a domain with an untrusted certificate, Kaspersky Endpoint Security allows the network
connection. When opening a domain with an untrusted certificate in a browser, Kaspersky Endpoint Security
displays an HTML page showing a warning and the reason why visiting that domain is not recommended. A user
can click the link from the HTML warning page to obtain access to the requested web resource.
If a third-party application or service establishes a connection with a domain with an untrusted certificate,
Kaspersky Endpoint Security creates its own certificate to scan traffic. The new certificate has the Untrusted
status. This is necessary to warn the third-party application about the untrusted connection because the HTML
page cannot be shown in this case and the connection can be established in background mode.
Block. When visiting a domain with an untrusted certificate, Kaspersky Endpoint Security blocks the network
connection. When opening a domain with an untrusted certificate in a browser, Kaspersky Endpoint Security
displays an HTML page showing the reason why that domain is blocked.
Parameter: Visiting a domain with an encrypted connections scan error
Block. If this item is selected, when an encrypted connection scan error occurs, Kaspersky Endpoint Security
blocks the network connection.
Allow and add domain to exclusions. If this item is selected, when an encrypted connection scan error occurs,
Kaspersky Endpoint Security adds the domain that resulted in the error to the list of domains with scan errors
and does not monitor encrypted network traffic when this domain is visited. You can view a list of domains with
encrypted connections scan errors only in the local interface of the application. To clear the list contents, you
need to select Block. Kaspersky Endpoint Security also generates an event for the encrypted connection scan
error.
Parameter: Block SSL 2.0 connections (recommended)
If the check box is selected, the application blocks network connections established over the SSL 2.0 protocol.
If the check box is cleared, the application does not block network connections established over the SSL 2.0
protocol and does not monitor network traffic transmitted over these connections.
Parameter: Decrypt an encrypted connection with the website that uses EV certificate
EV certificates (Extended Validation Certificates) confirm the authenticity of websites and enhance the security
of the connection. Browsers use a lock icon in their address bar to indicate that a website has an EV certificate.
Browsers may also fully or partially color the address bar in green.
If the check box is selected, the application decrypts and monitors encrypted connections with websites that
use an EV certificate.
If the check box is cleared, the application does not have access to the contents of HTTPS traffic. For this
reason, the application monitors HTTPS traffic only based on the website address, for example,
https://bing.com.
If you are opening a website with an EV certificate for the first time, the encrypted connection will be
decrypted regardless of whether or not the check box is selected.
How to install trusted root certificates in the Administration Console (MMC)
3. Select the necessary policy and double-click to open the policy properties.
5. In the Trusted root certificates block, click the Add button.
6. This opens a window; in that window, select a trusted root certificate.
Kaspersky Endpoint Security supports certificates with PEM, DER, and CRT extensions.
How to install trusted root certificates in Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
6. This opens a window; in that window, click Add and select a trusted root certificate.
Kaspersky Endpoint Security supports certificates with PEM, DER, and CRT extensions.
3. In the Encrypted connections scan block, click the Show certificates button.
4. This opens a window; in that window, click Add and select a trusted root certificate.
Kaspersky Endpoint Security supports certificates with PEM, DER, and CRT extensions.
As a result, when scanning traffic, in addition to the system certificate store, Kaspersky Endpoint Security uses its
own certificate store.
If you have allowed the user to visit domains with untrusted certificates, Kaspersky Endpoint Security performs
the following actions:
When visiting a domain with an untrusted certificate in the browser, Kaspersky Endpoint Security uses the
Kaspersky certificate to scan traffic. Kaspersky Endpoint Security displays an HTML page with a warning and
information about the reason why it is not recommended to visit the relevant domain (see the figure below). A
user can click the link from the HTML warning page to obtain access to the requested web resource. After
following this link, during the next hour Kaspersky Endpoint Security will not display warnings about an untrusted
certificate when visiting other resources on this same domain. Kaspersky Endpoint Security also generates an
event about establishing an encrypted connection with an untrusted certificate.
In some cases, Kaspersky Endpoint Security cannot technically display an HTML page with a warning in the
browser (see the figure below), for example, if a web resource uses an outdated version of a network protocol
and a non-standard port. In these cases, Kaspersky Endpoint Security blocks access to this domain and
the browser will show the standard ERR_CONNECTION_RESET window. To access such a web resource, you can
add the domain to exclusions or use a trusted certificate.
If a third-party application or service establishes a connection with a domain with an untrusted certificate,
Kaspersky Endpoint Security creates its own certificate to scan traffic. The new certificate has the Untrusted
status. This is necessary to warn the third-party application about the untrusted connection because the
HTML page cannot be shown in this case and the connection can be established in background mode.
Therefore, if a third-party application has built-in certificate verification tools, the connection may be
terminated. In that case, you must contact the owner of the domain and set up a trusted connection. If setting
up a trusted connection is impossible, you can add that third-party application to the list of trusted
applications. Kaspersky Endpoint Security also generates an event about establishing an encrypted connection
with an untrusted certificate.
How to configure the scanning of encrypted connections with an untrusted certificate in Administration Console
(MMC)
3. Select the necessary policy and double-click to open the policy properties.
5. In the Encrypted connections scan block, click the Advanced settings button.
6. In the window that opens, select the application operating mode when visiting a domain with an untrusted
certificate: Allow or Block.
How to configure the scanning of encrypted connections with an untrusted certificate in Web Console and Cloud
Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Encrypted connections scan block, select the application operating mode when visiting a domain
with an untrusted certificate: Allow or Block.
How to configure the scanning of encrypted connections with an untrusted certificate in the application interface
3. In the Encrypted connections scan block, select the application operating mode when visiting a domain
with an untrusted certificate: Allow or Block.
After installation, Kaspersky Endpoint Security adds a Kaspersky certificate to the system storage for trusted
certificates (Windows certificate store). If Kaspersky Security Center is deployed in your organization and a policy
is being applied to a computer, Kaspersky Endpoint Security automatically enables the use of Windows certificate
store in browsers and mail clients to scan the traffic of these applications. If a policy is not being applied to the
computer, you can choose the certificate store that will be used by browsers and mail clients. If you selected the
own certificate store, add the Kaspersky certificate to the store manually. This will help avoid errors when working
with HTTPS traffic.
To scan traffic in the Mozilla Firefox browser and the Thunderbird mail client, you must enable the Encrypted
Connections Scan. If Encrypted Connections Scan is disabled, the application does not scan traffic in the
Mozilla Firefox browser and Thunderbird mail client. Encrypted connections scan should also be enabled to
scan traffic in MyOffice Mail and R7-Office Organizer mail clients.
Prior to adding a certificate to the own certificate store of your browser or mail client, export the Kaspersky
certificate from the Windows Control Panel (Internet properties). For details about exporting the Kaspersky
certificate, please refer to the Technical Support Knowledge Base. You can learn more about adding a certificate
to the store, for example, on the Mozilla technical support website.
You can choose the certificate store only in the local interface of the application.
To choose a certificate store for scanning encrypted connections in browsers and mail clients:
3. In the Encrypted connections scan block, select the Use the selected certificate store to scan encrypted
connections in Mozilla applications check box.
Windows certificate store (recommended). The Kaspersky root certificate is added to this store during
installation of Kaspersky Endpoint Security.
Certificate store from Mozilla Firefox browser settings. Mozilla Firefox and Thunderbird use their own
certificate stores. If the Mozilla certificate store is selected, you need to manually add the Kaspersky root
certificate to this store through the browser properties.
MyOffice Mail and R7-Office Organizer mail clients also use their own certificate store.
If a trusted application uses an encrypted connection, you can disable encrypted connections scan for this
application. For example, you can disable encrypted connections scan for cloud storage applications that use two-
factor authentication with their own certificate.
How to exclude a web address from encrypted connection scans in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
5. In the Encrypted connections scan block, click the Configure trusted addresses button.
6. Click Add.
7. Enter a domain name or an IP address if you do not want Kaspersky Endpoint Security to scan encrypted
connections established when visiting that domain.
Kaspersky Endpoint Security supports the * character for entering a mask in the domain name.
Kaspersky Endpoint Security does not support the * symbol for IP addresses. You can select a range
of IP addresses using a subnet mask (for example, 198.51.100.0/24).
Examples:
How to exclude a web address from encrypted connection scans in Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Encrypted connections scan block, click the Configure trusted addresses button.
6. Click Add.
7. Enter a domain name or an IP address if you do not want Kaspersky Endpoint Security to scan encrypted
connections established when visiting that domain.
Kaspersky Endpoint Security supports the * character for entering a mask in the domain name.
Kaspersky Endpoint Security does not support the * symbol for IP addresses. You can select a range
of IP addresses using a subnet mask (for example, 198.51.100.0/24).
Examples:
How to exclude a web address from encrypted connection scans in the application interface
1. In the main application window, click the button.
3. In the Encrypted connections scan block, click the Configure trusted addresses button.
4. Click Add.
5. Enter a domain name or an IP address if you do not want Kaspersky Endpoint Security to scan encrypted
connections established when visiting that domain.
Kaspersky Endpoint Security supports the * character for entering a mask in the domain name.
Kaspersky Endpoint Security does not support the * symbol for IP addresses. You can select a range
of IP addresses using a subnet mask (for example, 198.51.100.0/24).
Examples:
*.domain.com – the record is inclusive of the following addresses: https://movies.domain.com,
https://images.domain.com/page123. The record is exclusive of the domain.com domain.
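The matching semantics described above for trusted addresses (a `*` mask in a domain name, a subnet for IP ranges, no `*` for IP addresses), as an added Python example that is not Kaspersky's code: it validates a trusted-address list and checks which URLs would be excluded from encrypted connection scans. The entry list is constructed; only `*.domain.com` and `198.51.100.0/24` come from the help text.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed trusted-address list; the two entries reproduce the examples in the help text.
TRUSTED_ENTRIES = ["*.domain.com", "198.51.100.0/24"]


def _mask_to_regex(mask: str) -> re.Pattern:
    """Turn a domain mask into a regex in which only '*' is a wildcard."""
    parts = [re.escape(p) for p in mask.lower().split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def parse_entry(entry: str):
    """Classify one trusted-address entry as ('net', ip_network) or ('mask', regex).

    An IP entry is either a single address or a subnet such as 198.51.100.0/24.
    An IP entry written with '*' raises ValueError, because the help text says the
    '*' symbol is not supported for IP addresses.
    """
    entry = entry.strip()
    if not entry:
        raise ValueError("empty entry")
    try:
        return ("net", ipaddress.ip_network(entry, strict=False))
    except ValueError:
        pass
    # Digits, dots and '*' only: an IPv4 wildcard, which is not supported.
    if re.fullmatch(r"[0-9.*]+", entry) and "*" in entry:
        raise ValueError(f"'*' is not supported for IP addresses: {entry!r}; use a subnet mask")
    return ("mask", _mask_to_regex(entry))


def _hostname(address: str) -> str:
    """Extract the host part of a URL or of a bare host[:port] string, lowercased."""
    if "://" not in address:
        address = "//" + address
    host = urlsplit(address).hostname
    if not host:
        raise ValueError(f"no host in {address!r}")
    return host


def is_trusted(address: str, entries=TRUSTED_ENTRIES) -> bool:
    """True if the address matches an entry, i.e. its encrypted connection would not be scanned."""
    host = _hostname(address)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for entry in entries:
        kind, matcher = parse_entry(entry)
        if kind == "net":
            # Subnet entries only ever match a numeric host.
            if ip is not None and ip in matcher:
                return True
        elif ip is None and matcher.match(host):
            return True
    return False


if __name__ == "__main__":
    for url in ("https://movies.domain.com", "https://images.domain.com/page123",
                "https://domain.com", "https://198.51.100.7:443/", "198.51.101.7"):
        print(f"{url:45} trusted={is_trusted(url)}")
```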
By default, Kaspersky Endpoint Security does not scan encrypted connections when errors occur and adds the
website to a special list of Domains with scan errors. Kaspersky Endpoint Security compiles a separate list for each
user and does not send data to Kaspersky Security Center. You can enable blocking the connection when a scan
error occurs. You can view a list of domains with encrypted connections scan errors only in the local interface of
the application.
3. In the Encrypted connections scan block, click the Domains with scan errors button.
A list of domains with scan errors opens. To reset the list, enable blocking connection when scan errors occur in
the policy, apply the policy, then reset the parameter to its initial value and apply the policy again.
Kaspersky specialists make a list of global exceptions — trusted websites that Kaspersky Endpoint Security does
not check regardless of the application settings.
3. In the Encrypted connections scan block, click the list of trusted websites link.
This opens a list of websites compiled by Kaspersky experts. Kaspersky Endpoint Security does not scan
protected connections for websites on the list. The list may be updated when Kaspersky Endpoint Security
databases and modules are updated.
To ensure comprehensive protection of Kaspersky Endpoint Security and Network Agent from unauthorized
access, we recommend enabling additional protection. For Kaspersky Endpoint Security, we recommend
enabling Password protection. To protect Network Agent, we recommend setting an uninstall password. For
details about protecting Network Agent from removal, please refer to the Kaspersky Security Center Help.
Managing the connection of the computer to the Administration Server is achieved using the Administration
Server connection protection task. The task lets you perform the following actions:
After setting a password, the application creates a data array using PBKDF2 transformation of the password. The
application then encrypts this data array using the Network Agent key. The application uses the encrypted data
array to check rights and privileges of the Administration Server for subsequent connections.
Subsequently, whenever an attempt is made to reconnect the computer to the Administration Server, the
application decrypts the data array with the Network Agent key and compares it with the local copy. If they do not
match, access to the application is restricted.
How to set a password for server connection protection in Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
Select Kaspersky Endpoint Security for Windows (12.5) → Administration Server connection protection.
3. In the Password for connection to the Administration Server field, set a password for connecting to the
Administration Server and confirm it.
If you forget the password, you can change the password using a task.
Select Default account. By default, Kaspersky Endpoint Security starts the task as the system user account
(SYSTEM).
Enter a name for the task, for example, Main server connection password.
Exit the Wizard. Select the Run the task after the wizard finishes check box or run the task manually. You can
monitor the progress of the task in the task properties.
How to set a password for server connection protection in Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Tasks.
The list of tasks opens.
2. Click Add.
The Task Wizard starts.
a. In the Application drop-down list, select Kaspersky Endpoint Security for Windows (12.5).
b. In the Task type drop-down list, select Administration Server connection protection.
c. In the Task name field, enter a brief description, for example, Main server connection password.
d. In the Select devices to which the task will be assigned block, select the task scope.
4. Select devices according to the selected task scope option. Go to the next step.
5. Select a default user account. By default, Kaspersky Endpoint Security starts the task as the system user
account (SYSTEM).
7. Click the Administration Server connection protection task of Kaspersky Endpoint Security.
The task properties window opens.
10. In the Connection to the Administration Server drop-down list, select New password.
11. In the Password field, set a password for connecting to the Administration Server and confirm it.
If you forget the password, you can change the password using a task.
You can monitor the status of the task, and the number of devices on which the task was completed
successfully or completed with an error.
Reconnecting the computer to a different Administration Server involves the following steps:
1. In the console of the current [KSC1] server, run the Change Administration Server task for Network Agent.
After running the task, the computer is reconnected to the new [KSC2] server.
The console displays the computer with the Critical status. Configuring the application using policies or
remotely running tasks on the computer is impossible.
2. In the console of the new [KSC2] server, create a new Administration Server connection protection task for
Kaspersky Endpoint Security. In task properties, enter the password of the previous server and set a password
for the new server.
How to set a new password for reconnecting to a new server in Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
Select Kaspersky Endpoint Security for Windows (12.5) → Administration Server connection
protection.
2. In the Administration Server drop-down list, select Reconnect from another server.
3. In the Current password field, enter the password set for the connection to the previously used
trusted server.
4. In the New password field, set a password for connecting to the new Administration Server and
confirm the password.
If you forget the password, you can change the password using a task.
Select Default account. By default, Kaspersky Endpoint Security starts the task as the system user
account (SYSTEM).
Enter a name for the task, for example, Main server connection password.
Exit the Wizard. Select the Run the task after the wizard finishes check box or run the task manually. You
can monitor the progress of the task in the task properties.
How to set a new password for reconnecting to a new server in Web Console and Cloud Console
2. Click Add.
The Task Wizard starts.
a. In the Application drop-down list, select Kaspersky Endpoint Security for Windows (12.5).
b. In the Task type drop-down list, select Administration Server connection protection.
c. In the Task name field, enter a brief description, for example, Main server connection password.
d. In the Select devices to which the task will be assigned block, select the task scope.
4. Select devices according to the selected task scope option. Go to the next step.
5. Select a default user account. By default, Kaspersky Endpoint Security starts the task as the system
user account (SYSTEM).
7. Click the Administration Server connection protection task of Kaspersky Endpoint Security.
The task properties window opens.
10. In the Connection to the Administration Server drop-down list, select Reconnect from another
server.
11. In the Current password field, enter the password set for connecting to the previously used trusted
server.
12. In the New password field, set a password for connecting to the new Administration Server and
confirm the password.
If you forget the password, you can change the password using a task.
After completing the task, make sure that in the console of the new [KSC2] server, the computer has the OK
status. Test if you can run tasks remotely and configure the application using policies.
If you forgot your Administration Server connection password or the password is compromised, you can reset the
password in task properties. You can also reset the password and set a new password for a group of computers
with different Administration Server connection protection statuses. That is, if some computers have the
protection enabled and some have it disabled, the task sets a password for all computers.
You can only reset the Administration Server connection password in the console of the server to which the
computer is connected.
How to reset the Administration Server connection password using the Administration Console (MMC)
3. Select the Administration Server connection protection task and double-click to open the task
properties.
5. Under Administration Server connection protection, select Protect and change password.
6. In the Password for connection to the Administration Server field, set a new password for connecting to
the current trusted server and confirm the password.
How to reset the Administration Server connection password in Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Tasks.
The list of tasks opens.
2. Click the Administration Server connection protection task of Kaspersky Endpoint Security.
The task properties window opens.
4. Under Administration Server connection protection, select Protect and change password.
5. In the Password field, set a new password for connecting to the current trusted server and confirm the
password.
8. Click Start.
As a result, the Administration Server connection password is reset after the task finishes.
You can only remotely disable Administration Server connection protection in the console of the server to
which the computer is connected. You can also disable the protection locally on the command line.
3. Select the Administration Server connection protection task and double-click to open the task
properties.
How to disable the server connection protection in Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Tasks.
The list of tasks opens.
2. Click the Administration Server connection protection task of Kaspersky Endpoint Security.
The task properties window opens.
7. Click Start.
You can monitor the status of the task, and the number of devices on which the task was completed
successfully or completed with an error.
Example:
avp.com SERVERBINDINGDISABLE /password=!Password1
Wipe Data
Kaspersky Endpoint Security lets you use a task to remotely delete data from users' computers.
In silent mode;
On hard drives and removable drives;
Kaspersky Endpoint Security performs the Wipe data task no matter which licensing type is being used, even
after the license has expired.
It is not possible to set a schedule for deleting data in task properties. You can only delete data immediately
after starting the task manually, or configure delayed data deletion if there is no connection with Kaspersky
Security Center.
Limitations
Only a Kaspersky Security Center administrator can manage the Wipe data task. You cannot configure or start
a task in the local interface of Kaspersky Endpoint Security.
For the NTFS file system, Kaspersky Endpoint Security deletes only the names of the main data streams.
Alternate data stream names cannot be deleted.
When you delete a symbolic link file, Kaspersky Endpoint Security also deletes the files whose paths are
specified in the symbolic link.
2. Click Add.
The Task Wizard starts.
a. In the Application drop-down list, select Kaspersky Endpoint Security for Windows (12.5).
c. In the Task name field, enter a brief description, for example, Wipe data (Anti-Theft).
d. In the Select devices to which the task will be assigned block, select the task scope.
4. Select devices according to the selected task scope option. Go to the next step.
If new computers are added to an administration group within the task scope, the immediate data deletion
task is run on the new computers only if the task is completed within 5 minutes of the addition of the new
computers.
Delete by means of the operating system. Kaspersky Endpoint Security uses the operating system
resources to delete files without sending them to the recycle bin.
Delete completely, no recovery possible. Kaspersky Endpoint Security overwrites files with random data. It
is practically impossible to restore data after it is deleted.
9. If you want to postpone data deletion, select the Automatically wipe data when there is no connection to
Kaspersky Security Center for more than N days check box. Define the number of days.
The postponed data deletion task will be performed each time that a connection with Kaspersky Security
Center is absent for the defined period of time.
When configuring postponed data deletion, bear in mind that employees may turn off their computer before
going on vacation. In this case, the absent connection term may be exceeded and data will be deleted. Also
consider the work schedule of offline users. For more details about working with offline computers and out-of-
office users, refer to the Kaspersky Security Center Help.
If the check box is cleared, the task will be performed immediately after synchronization with Kaspersky
Security Center.
Folders. Kaspersky Endpoint Security deletes all files in the folder, and its subfolders. Kaspersky Endpoint
Security does not support masks and environment variables for entering a folder path.
Files by extension. Kaspersky Endpoint Security searches for files with the specified extensions on all
computer drives, including removable drives. Use the ";" or "," characters to specify multiple extensions.
Predefined scope. Kaspersky Endpoint Security will delete files from the following areas:
Documents. Files in the standard Documents folder of the operating system, and its subfolders.
Cookies. Files in which the browser saves data from the websites visited by the user (such as user
authorization data).
Desktop. Files in the standard Desktop folder of the operating system, and its subfolders.
Temporary Internet Explorer files. Temporary files related to the operation of Internet Explorer, such as
copies of web pages, images, and media files.
Temporary files. Temporary files related to the operation of applications installed on the computer. For
example, Microsoft Office applications create temporary files containing backup copies of documents.
Outlook files. Files related to the operation of the Outlook mail client: data files (PST), offline data files
(OST), offline address book files (OAB), and personal address book files (PAB).
User profile. Set of files and folders that store operating system settings for the local user account.
You can create a list of objects to delete on each tab. Kaspersky Endpoint Security will create a consolidated
list and delete files from this list when a task is complete.
You cannot delete files that are required for operation of Kaspersky Endpoint Security.
As a result, data on users' computers will be deleted according to the selected mode: immediate or when a
connection is absent. If Kaspersky Endpoint Security cannot delete a file, such as when a user is currently using a
file, the application does not attempt to delete it again. To complete data deletion, run the task again.
Computer control
Web Control
Web Control manages users' access to web resources. This helps reduce traffic and inappropriate use of work
time. When a user tries to open a website that is restricted by Web Control, Kaspersky Endpoint Security will block
access or show a warning (see the figure below).
Kaspersky Endpoint Security monitors only HTTP and HTTPS traffic.
For HTTPS traffic monitoring, you need to enable encrypted connections scan.
Web Control lets you configure access to websites by using the following methods:
Website category. Websites are categorized according to the Kaspersky Security Network cloud service,
heuristic analysis, and the database of known websites (included in application databases). For example, you
can restrict user access to the Social networks category or to other categories.
Data type. You can restrict users' access to data on a website, and hide images, for example. Kaspersky
Endpoint Security determines the data type based on the file format and not based on its extension.
Kaspersky Endpoint Security does not scan files within archives. For example, if image files were placed in
an archive, Kaspersky Endpoint Security identifies the Archives data type and not Graphics.
You can simultaneously use multiple methods for regulating access to websites. For example, you can restrict
access to the "Office files" data type just for the Web-based email website category.
Web Control manages users' access to websites by using access rules. You can configure the following advanced
settings for a website access rule:
Rule schedule.
For example, you can restrict Internet access through a browser during working hours only.
Each rule has a priority. The higher a rule is on the list, the higher its priority. If a website has been added to multiple
rules, Web Control regulates access to the website based on the rule with the highest priority. For example,
Kaspersky Endpoint Security may identify a corporate portal as a social network. To restrict access to social
networks and provide access to the corporate web portal, create two rules: one block rule for the Social networks
website category and one allow rule for the corporate web portal. The access rule for the corporate web portal
must have a higher priority than the access rule for social networks.
It is not recommended to create more than 1000 rules of access to web resources, as this can cause the
system to become unstable.
A web resource access rule is a set of filters and actions that Kaspersky Endpoint Security performs when the
user visits web resources that are described in the rule during the time span that is indicated in the rule schedule.
Filters allow you to precisely specify a pool of web resources to which access is controlled by the Web Control
component.
Filter by content. Web Control categorizes web resources by content and data type. You can control user
access to web resources with content and data falling into the types defined by these categories. When the
users visit web resources that belong to the selected content category and / or data type category, Kaspersky
Endpoint Security performs the action that is specified in the rule.
Filter by web resource addresses. You can control user access to all web resource addresses or to individual
web resource addresses and / or groups of web resource addresses.
If filtering by content and filtering by web resource addresses are specified, and the specified web resource
addresses and / or groups of web resource addresses belong to the selected content categories or data type
categories, Kaspersky Endpoint Security does not control access to all web resources in the selected content
categories and / or data type categories. Instead, the application controls access only to the specified web
resource addresses and / or groups of web resource addresses.
Filter by names of users and user groups. You can specify the names of users and / or groups of users for
which access to web resources is controlled according to the rule.
Rule schedule. You can specify the rule schedule. The rule schedule determines the time span during which
Kaspersky Endpoint Security monitors access to web resources covered by the rule.
After Kaspersky Endpoint Security is installed, the list of rules of the Web Control component is not empty. The
Default rule is preset. This rule is applied to any web resources that are not covered by other rules, and allows or
blocks access to these web resources for all users.
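The rule semantics described above (priority by list order, content and address filters combined, user and schedule filters, the Default rule last), modelled as an added Python example that is not Kaspersky's code. The rule names, hosts, categories and the working-hours schedule are constructed; matching an address mask against the host name only, and requiring both category and data type to match when a rule sets both, are assumptions of this model.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import FrozenSet, Optional, Tuple


class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    WARN = "warn"


@dataclass(frozen=True)
class Rule:
    """One web resource access rule. A field left at None means 'no filter of that kind'."""
    name: str
    action: Action
    enabled: bool = True                           # the State toggle
    categories: Optional[FrozenSet[str]] = None    # content categories
    data_types: Optional[FrozenSet[str]] = None    # data types (Graphics, Office files, ...)
    addresses: Optional[Tuple[str, ...]] = None    # host masks with '*'; None = To all addresses
    users: Optional[FrozenSet[str]] = None         # None = To all users
    work_hours: Optional[Tuple[int, int]] = None   # (start, end) hour on Mon-Fri; None = always


@dataclass(frozen=True)
class Request:
    url: str
    user: str
    when: datetime
    categories: FrozenSet[str] = frozenset()  # as classified by KSN/heuristics; constructed here
    data_type: Optional[str] = None


def _host_matches(mask: str, url: str) -> bool:
    """Match a mask such as '*.example.com' against the URL's host ('*' is the only wildcard)."""
    host = url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()
    regex = "^" + ".*".join(re.escape(p) for p in mask.lower().split("*")) + "$"
    return re.match(regex, host) is not None


def rule_applies(rule: Rule, req: Request) -> bool:
    if not rule.enabled:
        return False
    if rule.users is not None and req.user not in rule.users:
        return False
    if rule.work_hours is not None:
        start, end = rule.work_hours
        if req.when.weekday() > 4 or not start <= req.when.hour < end:
            return False
    # Content filter: category and data type must both match when both are set.
    content_ok = (rule.categories is None or bool(rule.categories & req.categories)) and (
        rule.data_types is None or req.data_type in rule.data_types
    )
    # Address filter. With both filters set, only the listed addresses that also fall into
    # the selected categories are controlled, which is exactly content_ok and address_ok.
    address_ok = rule.addresses is None or any(_host_matches(m, req.url) for m in rule.addresses)
    return content_ok and address_ok


def evaluate(rules: Tuple[Rule, ...], req: Request) -> Tuple[str, Action]:
    """Rules are ordered by priority (first = highest); the first matching rule decides."""
    for rule in rules:
        if rule_applies(rule, req):
            return rule.name, rule.action
    raise LookupError("no rule matched: the Default rule should always be last in the list")


# Constructed rule list reproducing the help text's corporate-portal case: the portal is
# (mis)classified as a social network, so the allow rule must sit above the block rule.
RULES = (
    Rule("Corporate portal", Action.ALLOW, addresses=("portal.example.com",)),
    Rule("Social networks", Action.BLOCK, categories=frozenset({"Social networks"}),
         work_hours=(9, 18)),
    Rule("Office files in webmail", Action.BLOCK, categories=frozenset({"Web-based email"}),
         data_types=frozenset({"Office files"})),
    Rule("Default", Action.ALLOW),
)

WORKDAY = datetime(2024, 3, 5, 11, 0)   # Tuesday, inside working hours (constructed)
EVENING = datetime(2024, 3, 5, 20, 0)   # same day, outside the schedule


if __name__ == "__main__":
    portal = Request("https://portal.example.com/news", "alice", WORKDAY, frozenset({"Social networks"}))
    social = Request("https://social.example.net/feed", "alice", WORKDAY, frozenset({"Social networks"}))
    print(evaluate(RULES, portal))      # ('Corporate portal', <Action.ALLOW: 'allow'>)
    print(evaluate(RULES, social))      # ('Social networks', <Action.BLOCK: 'block'>)
    print(evaluate(RULES[1:], portal))  # with the allow rule below the block rule: blocked
```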
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
7. Configure the web resource access rule (see the table below).
How to add a web resource access rule in Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
7. Configure the web resource access rule (see the table below).
1. In the main application window, click the button.
4. In the Settings block, click the Rules of access to web resources button.
6. Configure the web resource access rule (see the table below).
As a result, the new Web Control rule is added to the list. If necessary, change the priority of the Web Control rule.
You can also use the toggle switch to disable the web resource access rule at any time without removing it from
the list.
Parameter Description
State
On. / Off.
You can use the toggle to disable the web resource access rule at any time.
Action
Allow. Web Control allows access to web resources that match the parameters of the rule.
Block. Web Control blocks access to web resources that match the parameters of the rule
and displays a website access denied message.
Warn. When the user attempts to gain access to a web resource that matches the rule,
Web Control displays a warning that visiting the web resource is inadvisable. By using links
from the warning message, the user can obtain access to the requested web resource.
Content of the filter
By content categories. You can control user access to web resources by category (for
example, the Social networks category).
By types of data. You can control user access to web resources based on the specific
data type of its published data (for example, Graphics).
Addresses
To all addresses. Web Control will not filter web resources by address.
To individual addresses. Web Control will filter only web resource addresses from the list.
You can enter a web address or use masks. You can also export a list of web resource
addresses from a TXT file. You can select users in Active Directory, in the list of accounts in
Kaspersky Security Center, or by entering a local user name manually. Kaspersky
recommends using local user accounts only in special cases when it is not possible to use
domain user accounts.
If Encrypted Connections Scan is disabled, for the HTTPS protocol you can only filter by
the server name.
Users
To all users. Web Control will not filter web resources for specific users.
To individual users and / or groups. Web Control will filter web resources only for specific
users. You can select users in Active Directory, in the list of accounts in Kaspersky Security
Center, or by entering a local user name manually. Kaspersky recommends using local user
accounts only in special cases when it is not possible to use domain user accounts.
Rule schedule
The rule schedule determines the time span during which Kaspersky Endpoint Security
monitors access to web resources covered by the rule. For example, you can restrict Internet
access through a browser during working hours only.
Rules may include a rule schedule and a list of users to which the rule applies. For example, you can restrict access
to websites during working hours only, or allow visiting websites to users in certain groups.
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
c. Create a list of web resource addresses. You can enter a web address or use masks. You can also export
a list of web resource addresses from a TXT file.
If Encrypted Connections Scan is disabled, for the HTTPS protocol you can only filter by the server
name.
d. In the Apply to users drop-down list, select the relevant filter for users:
To all users. Web Control will not filter web resources by address.
To individual users or groups. Web Control will filter only web resource addresses from the list. You
can enter a web address or use masks. You can also export a list of web resource addresses from a
TXT file. You can select users in Active Directory, in the list of accounts in Kaspersky Security
Center, or by entering a local user name manually. Kaspersky recommends using local user accounts
only in special cases when it is not possible to use domain user accounts.
Allow. Web Control allows access to web resources that match the parameters of the rule.
Block. Web Control blocks access to web resources that match the parameters of the rule and
displays a website access denied message.
Warn. When the user attempts to gain access to a web resource that matches the rule, Web
Control displays a warning that visiting the web resource is inadvisable. By using links from the
warning message, the user can obtain access to the requested web resource.
f. In the Rule schedule drop-down list, select a schedule or create a new schedule.
How to enable a web resource address filter in Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
b. Select the Active status for the web resource access rule.
You can use the toggle switch to disable the web resource access rule at any time without removing it
from the list.
Allow. Web Control allows access to web resources that match the parameters of the rule.
Block. Web Control blocks access to web resources that match the parameters of the rule and
displays a website access denied message.
Warn. When the user attempts to gain access to a web resource that matches the rule, Web
Control displays a warning that visiting the web resource is inadvisable. By using links from the
warning message, the user can obtain access to the requested web resource.
e. Create a list of web resource addresses. You can enter a web address or use masks. You can also export
a list of web resource addresses from a TXT file.
If Encrypted Connections Scan is disabled, for the HTTPS protocol you can only filter by the server
name.
Apply to all users. Web Control will not filter web resources by address.
Apply to individual users and / or groups. Web Control will filter only web resource addresses from
the list. You can enter a web address or use masks. You can also export a list of web resource
addresses from a TXT file. You can select users in Active Directory, in the list of accounts in
Kaspersky Security Center, or by entering a local user name manually. Kaspersky recommends using
local user accounts only in special cases when it is not possible to use domain user accounts.
How to enable a web resource address filter in the application interface
1. In the main application window, click the button.
3. In the Settings block, click the Rules of access to web resources button.
Allow. Web Control allows access to web resources that match the parameters of the rule.
Block. Web Control blocks access to web resources that match the parameters of the rule and displays
a website access denied message.
Warn. When the user attempts to gain access to a web resource that matches the rule, Web Control
displays a warning that visiting the web resource is inadvisable. By using links from the warning message,
the user can obtain access to the requested web resource.
Create a list of web resource addresses. You can enter a web address or use masks. You can also export a
list of web resource addresses from a TXT file.
If Encrypted Connections Scan is disabled, for the HTTPS protocol you can only filter by the server
name.
To all users. Web Control will not filter web resources for specific users.
To individual users and / or groups. Web Control will filter only web resource addresses from the list.
You can enter a web address or use masks. You can also export a list of web resource addresses from a
TXT file. You can select users in Active Directory, in the list of accounts in Kaspersky Security Center, or
by entering a local user name manually. Kaspersky recommends using local user accounts only in special
cases when it is not possible to use domain user accounts.
10. In the Rule schedule drop-down list, select a schedule or create a new schedule.
As a result, the new Web Control rule is added to the list. If necessary, change the priority of the Web Control rule.
You can also use the toggle switch to disable the web resource access rule at any time without removing it from
the list.
Websites are categorized according to the Kaspersky Security Network cloud service, heuristic analysis, and the
database of known websites (included in application databases). For example, you can restrict user access to the
Social networks category or to other categories.
You can restrict user access to a website based on data type, for example, to hide images. Kaspersky Endpoint
Security determines the data type based on the file format and not based on its extension. Web Control
distinguishes the following data types:
Video
Sound
Executable files
Archives
Graphics
Scripts
Kaspersky Endpoint Security does not scan files within archives. For example, if image files were placed in an
archive, Kaspersky Endpoint Security identifies the Archives data type and not Graphics.
Rules may include a rule schedule and a list of users to which the rule applies. For example, you can restrict access
to websites during working hours only, or allow visiting websites to users in certain groups.
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
b. In the Filter content drop-down list, select the relevant content filter:
By content categories. You can control user access to web resources by category (for example,
the Social networks category).
By types of data. You can control user access to web resources based on the specific data type of
its published data (for example, Graphics).
By content categories and types of data. Filters by content categories and types of data are
enabled.
c. In the Apply to users drop-down list, select the relevant filter for users:
To all users. Web Control will not filter web resources by address.
To individual users or groups. Web Control will filter only web resource addresses from the list. You
can enter a web address or use masks. You can also export a list of web resource addresses from a
TXT file. You can select users in Active Directory, in the list of accounts in Kaspersky Security
Center, or by entering a local user name manually. Kaspersky recommends using local user accounts
only in special cases when it is not possible to use domain user accounts.
Allow. Web Control allows access to web resources that match the parameters of the rule.
Block. Web Control blocks access to web resources that match the parameters of the rule and
displays a website access denied message.
Warn. When the user attempts to gain access to a web resource that matches the rule, Web
Control displays a warning that visiting the web resource is inadvisable. By using links from the
warning message, the user can obtain access to the requested web resource.
e. In the Rule schedule drop-down list, select a schedule or create a new schedule.
How to enable a web resource content filter in Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & pro les.
b. Select the Active status for the web resource access rule.
You can use the toggle to disable the web resource access rule at any time.
Allow. Web Control allows access to web resources that match the parameters of the rule.
Block. Web Control blocks access to web resources that match the parameters of the rule and
displays a website access denied message.
Warn. When the user attempts to gain access to a web resource that matches the rule, Web
Control displays a warning that visiting the web resource is inadvisable. By using links from the
warning message, the user can obtain access to the requested web resource.
d. In the Content of the filter block, select the relevant content filter:
By content categories. You can control user access to web resources by category (for example,
the Social networks category).
By types of data. You can control user access to web resources based on the specific data type of
its published data (for example, Graphics).
Apply to all users. Web Control will not filter web resources by address.
Apply to individual users and / or groups. Web Control will filter only web resource addresses from
the list. You can enter a web address or use masks. You can also export a list of web resource
addresses from a TXT file. You can select users in Active Directory, in the list of accounts in
Kaspersky Security Center, or by entering a local user name manually. Kaspersky recommends using
local user accounts only in special cases when it is not possible to use domain user accounts.
How to enable a web resource content filter in the application interface
1. In the main application window, click the button.
3. In the Settings block, click the Rules of access to web resources button.
Allow. Web Control allows access to web resources that match the parameters of the rule.
Block. Web Control blocks access to web resources that match the parameters of the rule and displays
a website access denied message.
Warn. When the user attempts to gain access to a web resource that matches the rule, Web Control
displays a warning that visiting the web resource is inadvisable. By using links from the warning message,
the user can obtain access to the requested web resource.
8. In the Content of the filter block, select the relevant content filter:
By content categories. You can control user access to web resources by category (for example, the
Social networks category).
By types of data. You can control user access to web resources based on the specific data type of its
published data (for example, Graphics).
b. Select the check boxes next to the names of the required categories of content and/or data types.
Selecting the check box next to the name of a content category and/or data type means that
Kaspersky Endpoint Security applies the rule to control access to web resources that belong to the
selected categories of content and/or data types.
c. Return to the window for configuring the web resource access rule.
To all users. Web Control will not filter web resources by address.
To individual users and / or groups. Web Control will filter only web resource addresses from the list.
You can enter a web address or use masks. You can also export a list of web resource addresses from a
TXT file. You can select users in Active Directory, in the list of accounts in Kaspersky Security Center, or
by entering a local user name manually. Kaspersky recommends using local user accounts only in special
cases when it is not possible to use domain user accounts. To create a list of users to whom you want
to apply the rule:
a. Click Add.
b. In the window that opens, select the users or groups of users to which you want to apply the web
resource access rule.
c. Return to the window for configuring the web resource access rule.
10. In the Rule schedule drop-down list, select the name of the necessary schedule or generate a new
schedule based on the selected rule schedule. To do so:
e. Return to the window for configuring the web resource access rule.
As a result, the new Web Control rule is added to the list. If necessary, change the priority of the Web Control rule.
You can also use the toggle switch to disable the web resource access rule at any time without removing it from
the list.
Testing web resource access rules
When configuring Web Control, you might inadvertently block access to web resources that users need for their
work. To find out which Web Control rule is blocking access to web resources, you can use the Web Control Rules
diagnostics tool. Web Control Rules diagnostics is only available in the interface of Kaspersky Endpoint Security. In
the Kaspersky Security Center console, you cannot find out which Web Control rule includes a given resource.
If the user believes that the web resource is blocked by mistake, the user may click the link in the web resource
block notification message to send a pre-generated message to the local corporate network administrator.
4. If you want to test the rules that Kaspersky Endpoint Security uses to control access to a specific web
resource, select the Specify address check box. Enter the address of the web resource in the field below.
5. If you want to test the rules that Kaspersky Endpoint Security uses to control access to web resources for
specified users and / or groups of users, specify a list of users and / or groups of users.
6. If you want to test the rules that Kaspersky Endpoint Security uses to control access to web resources of
certain content categories and/or data type categories, select the Filter content check box and choose the
relevant option from the drop-down list (By content categories, By types of data, or By content categories
and types of data).
7. If you want to test the rules taking into account the time and day of the week when an attempt is made to
access the web resources that are specified in the rule diagnostics conditions, select the Include time of access
attempt check box. Then specify the day of the week and the time.
8. Click Scan.
Test completion is followed by a message with information about the action that is taken by Kaspersky Endpoint
Security, according to the first rule that is triggered on the attempt to access the specified web resource (allow,
block, or warning). The first rule to be triggered is the one with a rank on the list of Web Control rules which is
higher than that of other rules meeting the diagnostics conditions. The message is displayed on the right of the
Scan button. The following table lists the remaining triggered rules, specifying the action taken by Kaspersky
Endpoint Security. The rules are listed in the order of declining priority.
Web resource access test result
How to export and import a list of Web Control rules in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
a. Select the rules that you want to export. To select multiple rules, use the CTRL or SHIFT keys.
If you did not select any rule, Kaspersky Endpoint Security will export all rules.
c. In the window that opens, specify the name of the XML file to which you want to export the list of rules,
and select the folder in which you want to save this file.
How to export and import a list of Web Control rules in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & pro les.
b. Click Export.
c. Confirm that you want to export only the selected rules, or export the entire list.
Exporting and importing web resource addresses of the Web Control rule
If you have created a list of web resource addresses in a web resource access rule, you can export it to a .txt file.
You can subsequently import the list from this file to avoid creating a new list of web resource addresses manually
when configuring an access rule. The option of exporting and importing the list of web resource addresses may be
useful if, for example, you create access rules with similar parameters.
You can also export/import all Web Control rules and not just the web resource addresses of an individual rule.
You cannot export/import web resource addresses of a Web Control rule in Web Console or Cloud Console.
How to export / import web resource addresses of the Web Control rule in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
5. In the Web Control settings block, select the rule whose list of web resource addresses you want to
export or import.
Web Control rule properties are displayed.
6. To export the list of web resources, do the following in the address list:
c. In the window that opens, enter the name of the TXT file to which you want to export the list of web
resource addresses, and select the folder in which you want to save this file.
7. To import the list of web resources, do the following in the address list:
How to export / import web resource addresses of the Web Control rule in the application interface
1. In the main application window, click the button.
3. In the Settings block, click the Rules of access to web resources button.
4. Select the rule whose list of web resource addresses you want to export or import.
5. To export the list of trusted web addresses, do the following in the Addresses block:
b. Click Export.
c. In the window that opens, enter the name of the TXT file to which you want to export the list of web
resource addresses, and select the folder in which you want to save this file.
6. To import the list of web resources, do the following in the Addresses block:
a. Click Import.
In the window that opens, select the TXT file from which you want to import the list of web resources.
b. Open the file.
If the computer already has a list of addresses, Kaspersky Endpoint Security will prompt you to delete
the existing list or add new entries to it from the TXT file.
Browsers that support the monitoring function: Microsoft Edge, Microsoft Internet Explorer, Google Chrome,
Yandex Browser, Mozilla Firefox. User activity monitoring does not work in other browsers.
Kaspersky Endpoint Security creates the following user Internet activity events:
Prior to enabling user Internet activity monitoring, you must do the following:
Inject a web page interaction script into web traffic (see the instructions below). The script enables registration
of Web Control events.
For HTTPS traffic monitoring, you need to enable encrypted connections scan.
How to inject a web page interaction script into web traffic in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
5. In the Encrypted connections scan block, select the Inject script into web traffic to interact with web
pages check box.
How to inject a web page interaction script into web traffic in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & pro les.
5. In the Encrypted connections scan block, select the Inject script into web traffic to interact with web
pages check box.
How to inject a web page interaction script into web traffic in the application interface
1. In the main application window, click the button.
3. In the Traffic processing block, select the Inject script into web traffic to interact with web pages check
box.
As a result, Kaspersky Endpoint Security will inject a web page interaction script into web traffic. This script
enables registration of Web Control events for the application event log, OS event log, and reports.
3. In the Notifications block, click the Configure notifications button.
5. Configure the notification method for each event: Save in local report or Save in Windows Event Log.
To log allowed website visit events, you need to also configure Web Control (see the instructions below).
In the events table, you can also enable an on-screen notification and an email notification. To send
notifications by email, you need to configure the SMTP server settings. For more details about sending
notifications by email, please refer to the Kaspersky Security Center Help.
As a result, Kaspersky Endpoint Security begins logging user Internet activity events.
Web Control sends user activity events to Kaspersky Security Center as follows:
If you are using Kaspersky Security Center, Web Control sends events for all the objects that make up the web
page. For this reason, multiple events may be created when one web page is blocked. For example, when
blocking the web page http://www.example.com, Kaspersky Endpoint Security may relay events for the
following objects: http://www.example.com, http://www.example.com/icon.ico, http://www.example.com/file.js,
etc.
If you are using the Kaspersky Security Center Cloud Console, Web Control groups events and sends only the
protocol and domain of the website. For instance, if a user visits non-recommended web pages
http://www.example.com/main, http://www.example.com/contact, and http://www.example.com/gallery,
Kaspersky Endpoint Security will send only one event with the http://www.example.com object.
Web Control settings
4. In the window that opens, select the Log the opening of allowed pages check box.
Web Control advanced settings
Warning message. This message warns the user that visiting the web resource is not recommended and/or
violates the corporate security policy. Kaspersky Endpoint Security displays a warning message if the Warn
option is selected in the settings of the rule that describes this web resource.
If the user believes that the warning is mistaken, the user may click the link from the warning to send a
pre-generated message to the local corporate network administrator.
Message informing of blocking of a web resource. Kaspersky Endpoint Security displays a message informing
that a web resource is blocked if the Block option is selected in the settings of the rule that describes this web
resource.
If the user believes that the web resource is blocked by mistake, the user may click the link in the web resource
block notification message to send a pre-generated message to the local corporate network administrator.
Special templates are provided for the warning message, the message informing that a web resource is blocked,
and the message sent to the LAN administrator. You can modify their content.
1. In the main application window, click the button.
3. In the Templates block, configure the templates for Web Control messages:
Warning. The entry field consists of a template of the message that is displayed if a rule for warning about
attempts to access an unwanted web resource is triggered.
Message about blocking. The entry field contains the template of the message that appears if a rule which
blocks access to a web resource is triggered.
Message to administrator. Template of the message to be sent to the LAN administrator if the user
considers the block to be a mistake. After the user requests to provide access, Kaspersky Endpoint Security
sends an event to Kaspersky Security Center: Web page access blockage message to administrator. The
event description contains a message to administrator with substituted variables. You can view these events
in the Kaspersky Security Center console using the predefined event selection User requests. If your
organization does not have Kaspersky Security Center deployed or there is no connection to the
Administration Server, the application will send a message to administrator to the specified email address.
1. The * character replaces any sequence that contains zero or more characters.
For example, if you enter the *abc* address mask, the access rule is applied to all web resources that contain
the sequence abc. Example: http://www.example.com/page_0-9abcdef.html.
2. A sequence of *. characters (known as a domain mask) lets you select all domains of an address. The *.
domain mask represents any domain name, subdomain name, or a blank line.
Example: the *.example.com mask represents the following addresses:
3. The www. character sequence at the start of the address mask is interpreted as a *. sequence.
Example: the address mask www.example.com is interpreted as *.example.com. This mask covers the
addresses www2.example.com and www.pictures.example.com.
4. If an address mask does not start with the * character, the content of the address mask is equivalent to the
same content with the *. prefix.
5. If an address mask ends with a character other than / or *, the content of the address mask is equivalent to
the same content with the /* postfix.
Example: the address mask http://www.example.com covers such addresses as
http://www.example.com/abc, where a, b, and c are any characters.
6. If an address mask ends with the / character, the content of the address mask is equivalent to the same
content with the /*. postfix.
7. The character sequence /* at the end of an address mask is interpreted as /* or an empty string.
8. Web resource addresses are verified against an address mask, taking into account the protocol (http or https):
If the address mask contains no network protocol, this address mask covers addresses with any network
protocol.
Example: the address mask example.com covers the addresses http://example.com and
https://example.com.
If the address mask contains a network protocol, this address mask only covers addresses with the same
network protocol as that of the address mask.
Example: the address mask http://*.example.com covers the address http://www.example.com but
does not cover https://www.example.com.
9. An address mask that is in double quotes is treated without considering any additional replacements, except
the * character if it has been initially included in the address mask. Rules 5 and 7 do not apply to address masks
enclosed in double quotation marks (see examples 14 – 18 in the table below).
10. The user name and password, connection port, and character case are not taken into account during
comparison with the address mask of a web resource.
[Table: address mask examples. Columns: No. | Address mask | Address of web resource to verify | Is the address covered by the address mask | Comment]
Device Control
Device Control manages user access to devices that are installed on or connected to the computer (for example,
hard drives, cameras, or Wi-Fi modules). This lets you protect the computer from infection when such devices are
connected, and prevent loss or leaks of data.
Allow.
Block.
Connection bus. A connection bus is an interface used for connecting devices to the computer (for example,
USB or FireWire). Therefore, you can restrict the connection of all devices, for example, over USB.
You can configure device access as follows:
Allow.
Block.
Trusted devices. Trusted devices are devices to which users that are specified in the trusted device settings
have full access at all times.
You can add trusted devices based on the following data:
Devices by ID. Each device has a unique identifier (Hardware ID, or HWID). You can view the ID in the device
properties by using operating system tools. Example device ID:
SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&354AE4D7&0&000000. Adding devices by ID is
convenient if you want to add several specific devices.
Devices by model. Each device has a vendor ID (VID) and a product ID (PID). You can view the IDs in the
device properties by using operating system tools. Template for entering the VID and PID:
VID_1234&PID_5678. Adding devices by model is convenient if you use devices of a certain model in your
organization. This way, you can add all devices of this model.
Devices by ID mask. If you are using multiple devices with similar IDs, you can add devices to the trusted list
by using masks. The * character replaces any set of characters. Kaspersky Endpoint Security does not
support the ? character when entering a mask. For example, WDC_C*.
Devices by model mask. If you are using multiple devices with similar VIDs or PIDs (for example, devices
from the same manufacturer), you can add devices to the trusted list by using masks. The * character
replaces any set of characters. Kaspersky Endpoint Security does not support the ? character when
entering a mask. For example, VID_05AC&PID_*.
Device Control regulates user access to devices by using access rules. Device Control also lets you save device
connection/disconnection events. To save events, you need to configure the registration of events in a policy.
If access to a device depends on the connection bus, Kaspersky Endpoint Security does not save device
connection/disconnection events. To enable Kaspersky Endpoint Security to save device
connection/disconnection events, allow access to the corresponding type of device or add the device to the
trusted list.
When a device that is blocked by Device Control is connected to the computer, Kaspersky Endpoint Security will
block access and show a notification (see the figure below).
Device Control noti cation
Kaspersky Endpoint Security makes a decision on whether to allow access to a device after the user connects the
device to the computer (see the figure below).
If a device is connected and access is allowed, you can edit the access rule and block access. In this case, the next
time someone attempts to access the device (such as to view the folder tree, or perform read or write
operations), Kaspersky Endpoint Security blocks access. A device without a file system is blocked only the next
time that the device is connected.
If a user of the computer with Kaspersky Endpoint Security installed must request access to a device that the user
believes was blocked by mistake, send the user the request access instructions.
As a result, if Device Control is enabled, the application relays information about connected devices to
Kaspersky Security Center. You can view the list of connected devices in Kaspersky Security Center in the
Advanced → Repositories → Hardware folder.
The group of settings for an access rule differs depending on the type of device (see the table below).
[Table: access rule settings by device type. Device types: Hard drives; Removable drives (including USB flash drives); Floppy disks; CD/DVD drives; Local printers; Network printers; Modems; Tape devices; Multifunctional devices; Windows CE USB ActiveSync devices; External network adapters; Bluetooth]
A Wi-Fi network access rule determines whether the use of Wi-Fi networks is allowed or forbidden. You can add a
trusted Wi-Fi network to a rule. Use of a trusted Wi-Fi network is allowed without limitations. By default, a Wi-Fi
network access rule allows access to any Wi-Fi network.
Connection bus access rules determine whether the connection of devices is allowed or forbidden. Rules that
allow access to buses are created by default for all connection buses that are present in the classification of the
Device Control component.
Keyboard and mouse cannot be locked using Device Control. If you prohibit access to the USB connection
bus, the user will continue to work with a keyboard and mouse connected via USB. The BadUSB Attack
Prevention component is designed to prevent infected USB devices imitating keyboards from connecting to
the computer.
3. In the Access settings block, click the Devices and Wi-Fi networks button.
The opened window shows access rules for all devices that are included in the Device Control component
classi cation.
4. In the Access To Storage Devices block, select the access rule that you want to edit. The block contains
devices that have a file system for which you can configure additional access settings. By default, a device
access rule grants all users full access to the specified type of devices at any time.
Allow.
Block.
By rules.
This option lets you configure user rights, permissions, and a schedule for device access.
Device Control rule settings
a. Assign a priority to the rule. A rule includes the following attributes: user account, schedule, permissions
(read/write), and priority.
A rule has a specific priority. If a user has been added to multiple groups, Kaspersky Endpoint Security
regulates device access based on the rule with the highest priority. Kaspersky Endpoint Security lets you
assign a priority from 0 to 10,000. The higher the value, the higher the priority. In other words, an entry with the
value of 0 has the lowest priority.
For example, you can grant read-only permissions to the Everyone group and grant read/write permissions
to the administrators group. To do so, assign a priority of 1 for the administrators group and assign a priority
of 0 for the Everyone group.
The priority of a block rule is higher than the priority of an allow rule. In other words, if a user has been added
to multiple groups and the priority of all rules is the same, Kaspersky Endpoint Security regulates device
access based on any existing block rule.
e. Click Add.
5. In the Access To External Devices block, select the rule and configure access: Allow, Block, or Depends on
connection bus. If necessary, configure access to the connection bus.
6. In the Access to Wi-Fi networks block, click the Wi-Fi link and configure access: Allow, Block, or Block with
exceptions. If necessary, add Wi-Fi networks to the trusted list.
5. In the Access column, select whether or not to allow access to the connection bus: Allow or Block.
If you have changed access to the connection bus Serial Port (COM) or Parallel Port (LPT), you must
restart the computer to activate the access rule.
Managing access to mobile devices
Kaspersky Endpoint Security allows you to control access to data on mobile devices running Android and iOS.
Mobile devices belong to the category of portable devices (MTP). Therefore, to configure data access on mobile
devices, you need to edit the access settings for portable devices (MTP).
When a mobile device is connected to the computer, the operating system determines the device type. If Android
Debug Bridge (ADB), iTunes or their equivalent applications are installed on the computer, the operating system
identifies mobile devices as ADB or iTunes devices. In all other cases, the operating system may identify the mobile
device type as a portable device (MTP) for file transfer, a PTP device (camera) for image transfer, or another
device. The device type depends on the model of the mobile device and the selected USB connection mode.
Kaspersky Endpoint Security lets you configure individual access permissions for data on mobile devices in ADB
applications, iTunes, or the file manager. In all other cases, Device Control allows access to mobile devices in
accordance with portable devices (MTP) access rules.
Mobile devices belong to the category of portable devices (MTP), therefore the settings for them are the same.
You can select one of the following modes of access to mobile devices:
Allow. Kaspersky Endpoint Security allows full access to mobile devices. You can open, create, modify, copy,
or delete files on mobile devices using the file manager or ADB and iTunes applications. You can also charge the
battery of the device by connecting the mobile device to a USB port of the computer.
Block. Kaspersky Endpoint Security restricts access to mobile devices in the file manager and ADB and
iTunes applications. The application allows access only to trusted mobile devices. You can also charge the
battery of the device by connecting the mobile device to a USB port of the computer.
Depends on connection bus. Kaspersky Endpoint Security allows connecting to mobile devices in
accordance with the USB connection status (Allow or Block).
By rules. Kaspersky Endpoint Security restricts access to mobile devices in accordance with rules. In the
rules, you can configure access rights (read / write), select users or a group of users that can have access to
mobile devices, and configure an access schedule for mobile devices. You can also restrict access to data on
mobile devices through the ADB and iTunes applications.
Access rules for portable devices (MTP), ADB devices, and iTunes devices are configured differently. For portable
devices (MTP) and ADB devices, you can configure rules for individual users or groups of users and create a
schedule for when the rules will apply. For iTunes devices, you cannot do that. You can only allow or deny access to
data through the iTunes application for all users.
How to configure mobile device access rules in Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
6. In the context menu for the Portable devices (MTP) device type, configure the mobile device access
mode: Allow, Block, or Depends on connection bus.
7. To configure mobile device access rules, double-click to open the list of rules.
b. In the Priority field, set the rule write priority. A rule includes the following attributes: user account,
schedule, permissions (read / write / ADB access), and priority.
A rule has a specific priority. If a user has been added to multiple groups, Kaspersky Endpoint Security
regulates device access based on the rule with the highest priority. Kaspersky Endpoint Security lets you
assign a priority from 0 to 10,000. The higher the value, the higher the priority. In other words, an entry
with the value of 0 has the lowest priority.
For example, you can grant read-only permissions to the Everyone group and grant read/write
permissions to the administrators group. To do so, assign a priority of 1 for the administrators group and
assign a priority of 0 for the Everyone group.
The priority of a block rule is higher than the priority of an allow rule. In other words, if a user has been
added to multiple groups and the priority of all rules is the same, Kaspersky Endpoint Security
regulates device access based on any existing block rule.
c. Under Rule for users and groups, select users or groups of users. You can select users in Active
Directory, in the list of accounts in Kaspersky Security Center, or by entering a local user name manually.
Kaspersky recommends using local user accounts only in special cases when it is not possible to use
domain user accounts.
d. Click OK.
9. Under Schedules for the selected access rule, configure a mobile device access schedule for users.
Configuring a separate access schedule for ADB devices is not possible. You can configure a common
access schedule for ADB devices and portable devices (MTP).
10. Configure users' access permissions to mobile devices in the file manager (Read / Write).
11. Configure the access to data on a mobile device through the ADB application using the Access via ADB
check box.
454
If the check box is cleared, when the mobile device is connected, the ADB application is prevented from
detecting the device.
12. Under Access via iTunes, con gure access to data on the mobile device through the iTunes application.
Kaspersky Endpoint Security applies the settings for mobile device access through the iTunes
application for all users. Con guring a separate access schedule for iTunes devices is not possible.
How to configure mobile device access rules in Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Device Control Settings block, click the Access rules for devices and Wi-Fi networks link.
The table lists access rules for all devices that are present in the classification of the Device Control component.
7. Under Configuring device access rules, configure the mobile device access mode: Allow, Block, Depends on connection bus, or By rules.
8. If you select the By rules mode, you must add access rules for devices. To do so, under Users, click the Add button and configure the mobile device access rule:
a. In the Rule of access to devices field, set the priority of the rule. A rule includes the following attributes: user account, schedule, permissions (read / write / ADB access), and priority.
A rule has a specific priority. If a user has been added to multiple groups, Kaspersky Endpoint Security regulates device access based on the rule with the highest priority. Kaspersky Endpoint Security lets you assign a priority from 0 to 10,000. The higher the value, the higher the priority. In other words, an entry with the value of 0 has the lowest priority.
For example, you can grant read-only permissions to the Everyone group and grant read/write permissions to the administrators group. To do so, assign a priority of 1 to the administrators group and a priority of 0 to the Everyone group.
The priority of a block rule is higher than the priority of an allow rule. In other words, if a user has been added to multiple groups and all the rules have the same priority, Kaspersky Endpoint Security regulates device access based on any existing block rule.
b. Under Users, select users or groups of users for access to mobile devices. You can select users in Active Directory, in the list of accounts in Kaspersky Security Center, or by entering a local user name manually. Kaspersky recommends using local user accounts only in special cases when it is not possible to use domain user accounts.
c. Under Schedule for access to devices, configure a mobile device access schedule for users.
Configuring a separate access schedule for ADB devices is not possible. You can configure a common access schedule for ADB devices and portable devices (MTP).
d. Configure users' access permissions to mobile devices in the file manager (Read / Write).
e. Configure access to data on a mobile device through the ADB application using the Access via ADB check box.
If the check box is cleared, the ADB application is prevented from detecting the mobile device when it is connected.
f. Under Access via iTunes, configure access to data on the mobile device through the iTunes application.
Kaspersky Endpoint Security applies the settings for mobile device access through the iTunes application to all users. Configuring a separate access schedule for iTunes devices is not possible.
How to configure mobile device access rules in the application interface
1. In the main application window, click the button.
3. In the Access settings block, click the Devices and Wi-Fi networks button.
The opened window shows access rules for all devices that are included in the Device Control component classification.
4. In the Access To Storage Devices block, click the Portable devices (MTP) link.
This opens a window containing the portable devices (MTP) access rules.
5. Under Access, configure the mobile device access mode: Allow, Block, Depends on connection bus, or By rules.
6. If you select the By rules mode, you must add access rules for devices.
b. In the Priority field, set the priority of the rule. A rule includes the following attributes: user account, schedule, permissions (read / write / ADB access), and priority.
A rule has a specific priority. If a user has been added to multiple groups, Kaspersky Endpoint Security regulates device access based on the rule with the highest priority. Kaspersky Endpoint Security lets you assign a priority from 0 to 10,000. The higher the value, the higher the priority. In other words, an entry with the value of 0 has the lowest priority.
For example, you can grant read-only permissions to the Everyone group and grant read/write permissions to the administrators group. To do so, assign a priority of 1 to the administrators group and a priority of 0 to the Everyone group.
The priority of a block rule is higher than the priority of an allow rule. In other words, if a user has been added to multiple groups and all the rules have the same priority, Kaspersky Endpoint Security regulates device access based on any existing block rule.
d. Under Access rules, configure mobile device access permissions for users.
Configure users' access permissions to mobile devices in the file manager (Read / Write).
Configure access to data on a mobile device through the ADB application using the Access via ADB check box.
If the check box is cleared, the ADB application is prevented from detecting the mobile device when it is connected.
e. Under Users, select users or groups of users for access to mobile devices. You can select users in Active Directory, in the list of accounts in Kaspersky Security Center, or by entering a local user name manually. Kaspersky recommends using local user accounts only in special cases when it is not possible to use domain user accounts.
f. Under Schedule for access to devices, configure a device access schedule for users.
Configuring a separate access schedule for ADB devices is not possible. You can configure a common access schedule for ADB devices and portable devices (MTP).
g. Under Access via iTunes, configure access to data on the mobile device through the iTunes application.
Kaspersky Endpoint Security applies the settings for mobile device access through the iTunes application to all users. Configuring a separate access schedule for iTunes devices is not possible.
As a result, user access to mobile devices is restricted in accordance with the rules. If you have prohibited access to mobile devices in the ADB and iTunes applications, the ADB and iTunes applications are prevented from detecting a mobile device when it is connected.
Trusted devices are devices to which users that are specified in the trusted device settings have full access at all times.
The procedure for adding a trusted mobile device is exactly the same as for other types of trusted devices. You can add a mobile device by ID or by device model.
To add a trusted mobile device by ID, you will need its unique ID (Hardware ID, HWID). You can find the ID in the device properties by using operating system tools (see figure below); the Device Manager tool lets you do this. The IDs of the portable device (MTP), the ADB device and the iTunes device are different even for the same physical mobile device. The ID of a portable device (MTP) may look like this: 15131JECB07440. The ID of an ADB device may look like this: 6&370DEC2A&0&0001. Adding devices by ID is convenient if you want to add several specific devices. You can also use masks.
If you installed the ADB or iTunes applications after connecting a device to the computer, the unique ID of the device may be reset. This means that Kaspersky Endpoint Security will identify this device as a new device. If the device is trusted, add it to the trusted list again.
To add a trusted mobile device by device model, you will need its Vendor ID (VID) and Product ID (PID). You can find the IDs in the device properties by using operating system tools (see figure below). Template for entering the VID and PID: VID_18D1&PID_4EE5. Adding devices by model is convenient if you use devices of a certain model in your organization. This way, you can add all devices of this model.
When Bluetooth devices are connected or disconnected, the application may create multiple events about the device. The reason is that the operating system may detect a Bluetooth device as multiple devices of different types. Kaspersky Endpoint Security also manages the Bluetooth adapter through which the device is connected as a separate device. That is why the application creates an event for each of the detected devices.
You can select one of the following modes of access to Bluetooth devices:
Allow and do not log. Kaspersky Endpoint Security allows connecting any Bluetooth devices and does not save information about the connection in the event log. You can connect Bluetooth input devices (keyboards, mice, etc.), send data over Bluetooth, and manage other Bluetooth devices (headsets, headphones, etc.).
Allow. Kaspersky Endpoint Security allows connecting any Bluetooth devices. You can connect Bluetooth input devices (keyboards, mice, etc.), send data over Bluetooth, and manage other Bluetooth devices (headsets, headphones, etc.).
Block. Kaspersky Endpoint Security restricts access to Bluetooth devices. You can allow connecting only Bluetooth input devices (the Human Interface Devices class). These devices include keyboards, mice, joysticks, etc.
It is not possible to create a list of trusted Bluetooth devices. If you have restricted access to Bluetooth devices, you can only allow the connection of Bluetooth input devices.
You can allow connecting input devices only in the user interface of the application or in Web Console. You cannot allow connecting input devices in Administration Console (MMC).
How to configure Bluetooth device access rules in Administration Console (MMC)
3. Select the necessary policy and double-click to open the policy properties.
6. In the context menu for the Bluetooth device type, configure the Bluetooth device access mode: Allow, Block, or Allow and do not log.
If you blocked access to Bluetooth devices, you can allow connecting only input devices (keyboards, mice, etc.) in the user interface of the application or in Web Console. You cannot allow connecting input devices in Administration Console (MMC).
How to configure Bluetooth device access rules in Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Device Control Settings block, click the Access rules for devices and Wi-Fi networks link.
The table lists access rules for all devices that are present in the classification of the Device Control component.
7. Configure the Bluetooth device access mode: Allow, Block, or Allow and do not log.
8. If you select the Block mode, you can allow connecting only Bluetooth input devices (keyboards, mice, etc.). To do so, under Exclusions, select the Input devices (mice and keyboards) check box.
How to configure Bluetooth device access rules in the application interface
1. In the main application window, click the button.
3. In the Access settings block, click the Devices and Wi-Fi networks button.
The opened window shows access rules for all devices that are included in the Device Control component classification.
5. Under Access, configure the Bluetooth device access mode: Allow, Block, or Allow and do not log.
6. If you select the Block mode, you can allow connecting only Bluetooth input devices (keyboards, mice, etc.). To do so, under Exclusions, select the Input devices (mice and keyboards) check box.
Control of printing
You can use Control of printing to configure user access to local and network printers.
Local printer control
Kaspersky Endpoint Security allows configuring access to local printers on two levels: connecting and printing.
Kaspersky Endpoint Security controls local printer connection over the following buses: USB, Serial Port (COM), and Parallel Port (LPT).
Kaspersky Endpoint Security controls the connection of local printers to COM and LPT ports only on the level of the bus. That is, to prevent the connection of printers to COM and LPT ports, you must prohibit the connection of all device types to the COM and LPT buses. For printers connected to USB, the application exercises control on two levels: device type (local printers) and connection bus (USB). Therefore you can allow all device types except local printers to connect to USB.
You can select one of the following access modes to local printers via USB:
Allow. Kaspersky Endpoint Security grants full access to local printers to all users. Users can connect printers and print documents using the means that the operating system provides.
Block. Kaspersky Endpoint Security blocks the connection of local printers. The application allows connecting only trusted printers.
Depends on connection bus. Kaspersky Endpoint Security allows connecting to local printers in accordance with the USB bus connection status (Allow or Block).
By rules. To control printing, you must add printing rules. In the rules, you can select users or a group of users for which you want to allow or block access to printing documents on local printers.
Kaspersky Endpoint Security allows configuring access to printing on network printers. You can select one of the following access modes to network printers:
Allow and do not log. Kaspersky Endpoint Security does not control printing on network printers. The application grants access to printing to all users and does not save information about printing to the event log.
Allow. Kaspersky Endpoint Security grants access to printing on network printers to all users.
Block. Kaspersky Endpoint Security restricts access to network printers for all users. The application allows access only to trusted printers.
By rules. Kaspersky Endpoint Security grants access to printing in accordance with printing rules. In the rules, you can select users or a group of users that will be allowed or prevented from printing documents on network printers.
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
6. In the context menu for the Local printers and Network printers device types, configure the access mode for the relevant printers: Allow, Block, Allow and do not log (for network printers only), or Depends on connection bus (for local printers only).
7. To configure printing rules on local and network printers, double-click the rule lists to open them.
9. Select the users or groups of users to which you want to apply the printing rule.
a. Click Add.
This opens a window for adding a new printing rule.
b. Assign a priority to the rule entry. A rule entry includes the following attributes: user account, action (allow/block), and priority.
A rule has a specific priority. If a user has been added to multiple groups, Kaspersky Endpoint Security regulates access to printing based on the rule with the highest priority. Kaspersky Endpoint Security lets you assign a priority from 0 to 10,000. The higher the value, the higher the priority. In other words, an entry with the value of 0 has the lowest priority.
For example, you can block printing for the Everyone group and allow printing for the administrators group. To do so, create a block rule for the Everyone group with a priority of 0 and an allow rule for the administrators group with a priority of 1.
The priority of a block rule is higher than the priority of an allow rule. In other words, if a user has been added to multiple groups and all the rules have the same priority, Kaspersky Endpoint Security regulates access to printing based on any existing block rule.
d. Click Users and groups and select users or groups of users for access to printing. You can select users in Active Directory, in the list of accounts in Kaspersky Security Center, or by entering a local user name manually. Kaspersky recommends using local user accounts only in special cases when it is not possible to use domain user accounts.
e. Click OK.
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Device Control Settings block, click the Access rules for devices and Wi-Fi networks link.
The table lists access rules for all devices that are present in the classification of the Device Control component.
7. Configure the access mode for the relevant printers: Allow, Block, Allow and do not log (for network printers only), Depends on connection bus (for local printers only), or By rules.
8. If you select the By rules mode, you must add printing rules for local or network printers. To do so, click the Add button in the printing rules table.
This opens the settings of the new printing rule.
9. Assign a priority to the rule entry. A rule entry includes the following attributes: user account, action (allow/block), and priority.
A rule has a specific priority. If a user has been added to multiple groups, Kaspersky Endpoint Security regulates access to printing based on the rule with the highest priority. Kaspersky Endpoint Security lets you assign a priority from 0 to 10,000. The higher the value, the higher the priority. In other words, an entry with the value of 0 has the lowest priority.
For example, you can block printing for the Everyone group and allow printing for the administrators group. To do so, create a block rule for the Everyone group with a priority of 0 and an allow rule for the administrators group with a priority of 1.
The priority of a block rule is higher than the priority of an allow rule. In other words, if a user has been added to multiple groups and all the rules have the same priority, Kaspersky Endpoint Security regulates access to printing based on any existing block rule.
10. Under Action, configure user access to printing on the printer.
11. Under Users and groups, select users or groups of users for access to printing. You can select users in Active Directory, in the list of accounts in Kaspersky Security Center, or by entering a local user name manually. Kaspersky recommends using local user accounts only in special cases when it is not possible to use domain user accounts.
1. In the main application window, click the button.
3. In the Access settings block, click the Devices and Wi-Fi networks button.
The opened window shows access rules for all devices that are included in the Device Control component classification.
5. Under Access to local printers or Access to network printers, configure the access mode for printers: Allow, Block, Allow and do not log (for network printers only), Depends on connection bus (for local printers only), or By rules.
6. If you select the By rules mode, you must add printing rules for printers. Select the users or groups of users to which you want to apply the printing rule.
a. Click Add.
This opens a window for adding a new printing rule.
b. Assign a priority to the rule entry. A rule entry includes the following attributes: user account, action (allow/block), and priority.
A rule has a specific priority. If a user has been added to multiple groups, Kaspersky Endpoint Security regulates access to printing based on the rule with the highest priority. Kaspersky Endpoint Security lets you assign a priority from 0 to 10,000. The higher the value, the higher the priority. In other words, an entry with the value of 0 has the lowest priority.
For example, you can block printing for the Everyone group and allow printing for the administrators group. To do so, create a block rule for the Everyone group with a priority of 0 and an allow rule for the administrators group with a priority of 1.
The priority of a block rule is higher than the priority of an allow rule. In other words, if a user has been added to multiple groups and all the rules have the same priority, Kaspersky Endpoint Security regulates access to printing based on any existing block rule.
d. Under Users and groups, select users or groups of users for access to printing. You can select users in Active Directory, in the list of accounts in Kaspersky Security Center, or by entering a local user name manually. Kaspersky recommends using local user accounts only in special cases when it is not possible to use domain user accounts.
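The rule evaluation described in the mobile device and printing procedures above (the highest priority wins; a block rule beats an allow rule when priorities are equal) is easy to get wrong once users sit in several groups, so it pays to check a planned rule set before deploying it. The PowerShell below is an added example, not code from Kaspersky Endpoint Security; it only models the semantics the document states. The Contractors group and the tie-break it applies when several allow rules share the top priority (intersection of their permissions) are assumptions of the example, not statements from this document.

```powershell
# Added example (not Kaspersky code): a model of the documented Device Control
# rule evaluation, for checking a planned rule set.
# Documented semantics:
#   - priority is an integer from 0 to 10,000; the higher value wins;
#   - a Block rule beats an Allow rule when priorities are equal.
# Assumption (not in the document): if several Allow rules tie at the top
# priority, the most restrictive permission set (their intersection) applies.

function Resolve-DeviceAccess {
    param(
        [Parameter(Mandatory)] [string[]] $UserGroups,   # groups the user belongs to
        [Parameter(Mandatory)] [object[]] $Rules         # rule entries, see $rules below
    )
    foreach ($r in $Rules) {
        if ($r.Priority -lt 0 -or $r.Priority -gt 10000) {
            throw "Rule for '$($r.Principal)': priority $($r.Priority) is outside 0..10000"
        }
    }
    # Only rules whose principal is one of the user's groups apply.
    $matched = @($Rules | Where-Object { $UserGroups -contains $_.Principal })
    if ($matched.Count -eq 0) {
        return [pscustomobject]@{ Action = 'NoRule'; Permissions = @(); Priority = $null }
    }
    # Highest priority wins.
    $top     = ($matched | Sort-Object -Property Priority -Descending | Select-Object -First 1).Priority
    $winners = @($matched | Where-Object { $_.Priority -eq $top })
    # Documented tie-break: any Block rule at the top priority wins over Allow.
    if (@($winners | Where-Object { $_.Action -eq 'Block' }).Count -gt 0) {
        return [pscustomobject]@{ Action = 'Block'; Permissions = @(); Priority = $top }
    }
    # Remaining tie between Allow rules: intersect their permissions (assumption).
    $perms = @($winners[0].Permissions)
    foreach ($w in $winners) {
        $perms = @($perms | Where-Object { $w.Permissions -contains $_ })
    }
    return [pscustomobject]@{ Action = 'Allow'; Permissions = $perms; Priority = $top }
}

# Constructed rule set mirroring the document's example (Everyone read-only at
# priority 0, administrators read/write at priority 1) plus a hypothetical
# Contractors group with a Block rule at priority 1 to exercise the tie-break.
$rules = @(
    [pscustomobject]@{ Principal = 'Everyone';       Priority = 0; Action = 'Allow'; Permissions = @('Read') }
    [pscustomobject]@{ Principal = 'Administrators'; Priority = 1; Action = 'Allow'; Permissions = @('Read', 'Write') }
    [pscustomobject]@{ Principal = 'Contractors';    Priority = 1; Action = 'Block'; Permissions = @() }
)

Resolve-DeviceAccess -UserGroups 'Everyone' -Rules $rules
Resolve-DeviceAccess -UserGroups 'Everyone', 'Administrators' -Rules $rules
Resolve-DeviceAccess -UserGroups 'Everyone', 'Administrators', 'Contractors' -Rules $rules
```

A user who is only in Everyone gets Read; a user who is also in Administrators gets Read and Write, because the priority-1 rule outranks the priority-0 rule; a user who is additionally in the hypothetical Contractors group is blocked, because the Block rule ties with the administrators rule at priority 1 and the document's tie-break favours Block. For printing rules, which carry only an allow/block action, use an empty Permissions set on every entry and read the Action field.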
Trusted printers
Trusted devices are devices to which users that are specified in the trusted device settings have full access at all times.
The procedure for adding trusted printers is exactly the same as for other types of trusted devices. You can add local printers by ID or by device model. You can add network printers only by device ID.
To add a trusted local printer by ID, you will need its unique ID (Hardware ID, HWID). You can find the ID in the device properties by using operating system tools (see figure below); the Device Manager tool lets you do this. The ID of a local printer may look like this: 6&2D09F5AF&1&C000. Adding devices by ID is convenient if you want to add several specific devices. You can also use masks.
To add a trusted local printer by device model, you will need its Vendor ID (VID) and Product ID (PID). You can find the IDs in the device properties by using operating system tools (see figure below). Template for entering the VID and PID: VID_04A9&PID_27FD. Adding devices by model is convenient if you use devices of a certain model in your organization. This way, you can add all devices of this model.
Device ID in Device Manager
To add a trusted network printer, you will need its device ID. For network printers, the device ID can be the network name of the printer (the name of the shared printer), the IP address of the printer, or the URL of the printer.
On computers running Windows 11, you need to enable Location services in order to control Wi-Fi connections. To do this, enable the Location services switch in the operating system settings (Settings → Privacy & security → Location). If Location services are disabled, Kaspersky Endpoint Security does not control connections to Wi-Fi networks.
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
6. In the context menu for the Wi-Fi device type, select the Device Control action that is taken when connecting to Wi-Fi: Allow, Block, or Block with exceptions.
7. If you selected the Block with exceptions option, create a list of trusted Wi-Fi networks:
c. This opens a window; in that window, configure the trusted Wi-Fi network (see figure below):
Network name. Name or SSID (Service Set Identifier) of the Wi-Fi network.
Authentication type. Authentication type used when connecting to the Wi-Fi network.
Starting with Kaspersky Endpoint Security for Windows version 12.0, the application supports the WPA3 protocol. If a Kaspersky Endpoint Security version 12.2 policy is applied on a computer, WPA2 is selected on computers with Kaspersky Endpoint Security version 11.11.0 and earlier, WPA2 / WPA3 is selected for versions 12.0 to 12.1, and WPA3 is selected for versions 12.2 and later.
Encryption type. Encryption type used to protect the Wi-Fi traffic.
You can view the settings of the trusted Wi-Fi network in the router settings.
A Wi-Fi network is considered trusted if its settings match all settings specified in the rule.
Trusted Wi-Fi network settings
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Device Control Settings block, click the Access rules for devices and Wi-Fi networks link.
The table lists access rules for all devices that are present in the classification of the Device Control component.
7. Under Access to Wi-Fi networks, select the Device Control action taken when connecting to Wi-Fi: Allow, Block, or Block with exceptions.
8. If you selected the Block with exceptions option, create a list of trusted Wi-Fi networks:
c. This opens a window; in that window, configure the trusted Wi-Fi network (see figure below):
Network name. Name or SSID (Service Set Identifier) of the Wi-Fi network.
Authentication type. Authentication type used when connecting to the Wi-Fi network.
Starting with Kaspersky Endpoint Security for Windows version 12.0, the application supports the WPA3 protocol. If a Kaspersky Endpoint Security version 12.2 policy is applied on a computer, WPA2 is selected on computers with Kaspersky Endpoint Security version 11.11.0 and earlier, WPA2 / WPA3 is selected for versions 12.0 to 12.1, and WPA3 is selected for versions 12.2 and later.
Encryption type. Encryption type used to protect the Wi-Fi traffic.
You can view the settings of the trusted Wi-Fi network in the router settings.
A Wi-Fi network is considered trusted if its settings match all settings specified in the rule.
Trusted Wi-Fi network settings
1. In the main application window, click the button.
3. In the Access settings block, click the Devices and Wi-Fi networks button.
The opened window shows access rules for all devices that are included in the Device Control component classification.
5. Under Access, select the Device Control action taken when connecting to Wi-Fi: Allow, Block, or Block with exceptions.
6. If you selected the Block with exceptions option, create a list of trusted Wi-Fi networks:
b. This opens a window; in that window, configure the trusted Wi-Fi network (see figure below):
Network name. Name or SSID (Service Set Identifier) of the Wi-Fi network.
Authentication type. Authentication type used when connecting to the Wi-Fi network.
Starting with Kaspersky Endpoint Security for Windows version 12.0, the application supports the WPA3 protocol. If a Kaspersky Endpoint Security version 12.2 policy is applied on a computer, WPA2 is selected on computers with Kaspersky Endpoint Security version 11.11.0 and earlier, WPA2 / WPA3 is selected for versions 12.0 to 12.1, and WPA3 is selected for versions 12.2 and later.
Encryption type. Encryption type used to protect the Wi-Fi traffic.
You can view the settings of the trusted Wi-Fi network in the router settings.
A Wi-Fi network is considered trusted if its settings match all settings specified in the rule.
As a result, when a user tries to connect to a Wi-Fi network that is not listed as trusted, the application blocks the connection and displays a notification (see figure below).
Device Control notification
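Because a network is trusted only when the name, authentication type and encryption type all match the entry, a mismatch in any one field blocks the connection, and router settings are not always what the client actually negotiates. The PowerShell below is an added example, not Kaspersky code: it parses the output of netsh wlan show interfaces into those three fields and checks them against a list of trusted-network entries with the same all-fields-must-match rule. The netsh output and the CorpNet entry are constructed samples; the example assumes the value spellings that netsh prints (for instance WPA3-Personal and CCMP), which may differ from the labels offered in the policy editor.

```powershell
# Added example (not Kaspersky code): read what Windows reports for the current
# Wi-Fi connection and apply the trusted-network matching rule from the document:
# SSID, authentication type and encryption type must all match one entry.
# Assumption: values are compared as netsh spells them (e.g. WPA3-Personal, CCMP).

function Get-WlanInterfaceInfo {
    param([string[]] $NetshOutput)      # captured text, or omit to query the live adapter
    if (-not $NetshOutput) { $NetshOutput = netsh wlan show interfaces }
    $info = @{}
    foreach ($line in $NetshOutput) {
        # Anchored at line start so that the BSSID line is not taken for SSID.
        if ($line -match '^\s*(Name|State|SSID|Authentication|Cipher)\s*:\s*(.*?)\s*$') {
            $info[$Matches[1]] = $Matches[2]
        }
    }
    return [pscustomobject]$info
}

function Test-TrustedWifi {
    param(
        [Parameter(Mandatory)] $Network,                    # object from Get-WlanInterfaceInfo
        [Parameter(Mandatory)] [hashtable[]] $TrustedNetworks
    )
    foreach ($rule in $TrustedNetworks) {
        # SSIDs are case-sensitive, so compare them with -ceq; the other labels
        # are compared case-insensitively. All three fields must match.
        if (($Network.SSID -ceq $rule.SSID) -and
            ($Network.Authentication -eq $rule.Authentication) -and
            ($Network.Cipher -eq $rule.Cipher)) {
            return $true
        }
    }
    return $false
}

# Constructed sample of netsh output (the BSSID line is there to show it is skipped).
$sampleNetsh = @(
    '    Name                   : Wi-Fi'
    '    State                  : connected'
    '    SSID                   : CorpNet'
    '    BSSID                  : 00:11:22:33:44:55'
    '    Authentication         : WPA3-Personal'
    '    Cipher                 : CCMP'
)
# Constructed trusted-network list with one hypothetical entry.
$trusted = @(
    @{ SSID = 'CorpNet'; Authentication = 'WPA3-Personal'; Cipher = 'CCMP' }
)

$net = Get-WlanInterfaceInfo -NetshOutput $sampleNetsh
Test-TrustedWifi -Network $net -TrustedNetworks $trusted
# Against the live adapter on the computer where this runs:
Test-TrustedWifi -Network (Get-WlanInterfaceInfo) -TrustedNetworks $trusted
```

Running the live check on a computer with the policy applied, and then against the same computer after the access point is reconfigured (for example from WPA2 to WPA3), shows which field stopped matching before users start reporting blocked connections.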
3. In the Access settings block, click the Devices and Wi-Fi networks button.
The opened window shows access rules for all devices that are included in the Device Control component classification.
Types of devices in the Device Control component
The settings of removable drive usage monitoring
7. In the File operations block, select the operations that you want to monitor: Write, Delete.
8. In the Filter by file formats block, select the formats of files whose associated operations should be logged by Device Control.
9. Select the users or group of users whose use of removable drives you want to monitor.
As a result, when users write to files located on removable drives or delete files from removable drives, Kaspersky Endpoint Security saves information about such operations to the event log and sends events to Kaspersky Security Center. You can view events associated with files on removable drives in the Kaspersky Security Center Administration Console in the workspace of the Administration Server node on the Events tab.
For events to be displayed in the local Kaspersky Endpoint Security event log, you must select the File operation performed check box in the notification settings for the Device Control component.
Changing the caching duration
The Device Control component registers events related to monitored devices, such as connection and disconnection of a device, reading a file from a device, writing a file to a device, and other events. Device Control then either allows or blocks the action according to the Kaspersky Endpoint Security settings.
Device Control saves information about events for a specific period of time called the caching period. If information about an event is cached and this event is repeated, there is no need to notify Kaspersky Endpoint Security about it again or to show another prompt for granting access to the corresponding action, such as connecting a device. This makes it more convenient to work with a device.
An event is considered a duplicate event if all of the following event settings match the record in the cache:
device ID
device category
Prior to changing the caching period, disable Kaspersky Endpoint Security Self-Defense. After changing the caching period, enable Self-Defense again.
4. Define the number of minutes for which Device Control must save information about an event before this information is deleted.
Trusted devices are devices to which users that are specified in the trusted device settings have full access at all times.
To work with trusted devices, you can grant access to an individual user, to a group of users, or to all users of the organization.
For example, if your organization does not allow the use of removable drives but administrators use removable drives in their work, you can allow removable drives only for a group of administrators. To do so, add the removable drives to the trusted list and configure user access permissions.
It is not recommended to add more than 1000 trusted devices, as this can cause system instability.
Kaspersky Endpoint Security allows you to add a device to the trusted list in the following ways:
If Kaspersky Security Center is not deployed in your organization, you can connect the device to the computer and add it to the trusted list in the application settings. To distribute the list of trusted devices to all computers in your organization, you can enable merging the lists of trusted devices in a policy or use the export / import procedure.
If Kaspersky Security Center is deployed in your organization, you can detect all connected devices remotely and create a list of trusted devices in the policy. The list of trusted devices will be available on all computers to which the policy is applied.
Kaspersky Endpoint Security allows controlling the use of trusted devices (connection and disconnection). You can turn on event logging in the notification settings for the Device Control component. These events have the Informational severity level.
4. Click Select.
This opens the list of connected devices. The list of devices depends on the value that is selected in the Display connected devices drop-down list.
5. In the list of devices, select the device that you want to add to the trusted list.
6. In the Comment field, you can provide any relevant information about the trusted device.
7. Select the users or groups of users to which you want to allow access to trusted devices.
You can select users in Active Directory, in the list of accounts in Kaspersky Security Center, or by entering a local user name manually. Kaspersky recommends using local user accounts only in special cases when it is not possible to use domain user accounts.
You can add a device to the trusted list according to the following data:
Devices by ID. Each device has a unique identifier (Hardware ID, or HWID). You can view the ID in the device properties by using operating system tools. Example device ID: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&354AE4D7&0&000000. Adding devices by ID is convenient if you want to add several specific devices.
Devices by model. Each device has a vendor ID (VID) and a product ID (PID). You can view the IDs in the device properties by using operating system tools. Template for entering the VID and PID: VID_1234&PID_5678. Adding devices by model is convenient if you use devices of a certain model in your organization. This way, you can add all devices of this model.
Devices by ID mask. If you are using multiple devices with similar IDs, you can add devices to the trusted list by using masks. The * character replaces any set of characters. Kaspersky Endpoint Security does not support the ? character when entering a mask. For example, WDC_C*.
Devices by model mask. If you are using multiple devices with similar VIDs or PIDs (for example, devices from the same manufacturer), you can add devices to the trusted list by using masks. The * character replaces any set of characters. Kaspersky Endpoint Security does not support the ? character when entering a mask. For example, VID_05AC&PID_*.
3. Select the necessary policy and double-click to open the policy properties.
5. In the right part of the window, select the Trusted devices tab.
6. Select the Merge values when inheriting check box if you want to create a consolidated list of trusted devices
for all computers in the company.
The lists of trusted devices in the parent and child policies will be merged. The lists will be merged provided that
merging values when inheriting is enabled. Trusted devices from the parent policy are displayed in child policies
in a read-only view. Changing or deleting trusted devices of the parent policy is not possible.
7. Click the Add button and select a method for adding a device to the trusted list.
8. To filter devices, select a device type from the Device type drop-down list (for example, Removable drives).
9. In the Name / Model field, enter the device ID, model (VID and PID) or mask, depending on the selected addition
method.
Adding devices by model mask (VID and PID) works as follows: if you enter a model mask that does not
match any model, Kaspersky Endpoint Security checks whether the device ID (HWID) matches the mask.
Kaspersky Endpoint Security compares the mask only with the part of the device ID that identifies the
manufacturer and the type of the device, i.e. the part before the instance-specific suffix: in the example
SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&354AE4D7&0&000000, only
SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00 is checked. If the model mask
matches this part of the device ID, the devices that match the mask will be added to the list of trusted
devices on the computer. At the same time, the list of devices in Kaspersky Security Center remains empty
when you click the Refresh button. To display the list of devices correctly, add such devices by device
ID mask instead.
10. To filter devices, in the Computer field, enter the computer name or a mask for the name of the computer to
which the device is connected.
The * character replaces any set of characters. The ? character replaces any single character.
12. Select the check boxes next to the names of devices that you want to add to the trusted list.
13. In the Comment field, enter a description of the reason for adding devices to the trusted list.
14. Click the Select button to the right of the Allow to users and / or groups of users field.
15. You can select users in Active Directory, in the list of accounts in Kaspersky Security Center, or by entering a
local user name manually. Kaspersky recommends using local user accounts only in special cases when it is not
possible to use domain user accounts.
By default, access to trusted devices is allowed for the Everyone group.
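The four ways of describing a trusted device (ID, model, ID mask, model mask) and the fallback from a model mask to the manufacturer/type part of the hardware ID, as an added PowerShell example. This is not code from the Kaspersky documentation or product. It assumes the PnpDevice module is available (Get-PnpDevice, Windows 8 / Server 2012 and later), that the device ID shown by Kaspersky Endpoint Security corresponds to the PnP device instance path (InstanceId), and that the mask semantics are exactly as described above (only * is a wildcard, ? is literal); the function names are the example's own.

```powershell
# Added example (not Kaspersky code): enumerate connected devices with the
# identifiers Device Control works with and test trusted-device entries
# against them. Assumptions: Get-PnpDevice is available; InstanceId is the
# HWID that KES displays; '*' matches any run of characters, '?' is literal;
# a model mask that matches no VID_xxxx&PID_yyyy model is re-tried against
# the part of the HWID before the last backslash.

function ConvertTo-KesPattern {
    # Build a case-insensitive regex from a KES mask: only '*' is special.
    param([Parameter(Mandatory)][string]$Mask)
    $escaped = [regex]::Escape($Mask) -replace '\\\*', '.*'
    return [regex]::new('^' + $escaped + '$', 'IgnoreCase')
}

function Get-KesDeviceInfo {
    # One record per present device: full HWID, its manufacturer/type prefix
    # and the VID/PID model (when the HWID carries one).
    param([string]$Class)   # e.g. 'DiskDrive', 'USB', 'CDROM'; omit for all classes
    $devices = if ($Class) { Get-PnpDevice -PresentOnly -Class $Class } else { Get-PnpDevice -PresentOnly }
    foreach ($d in $devices) {
        $hwid   = $d.InstanceId
        $prefix = if ($hwid.Contains('\')) { $hwid.Substring(0, $hwid.LastIndexOf('\')) } else { $hwid }
        $model  = $null
        if ($hwid -match 'VID_([0-9A-F]{4})&PID_([0-9A-F]{4})') {
            $model = "VID_$($Matches[1])&PID_$($Matches[2])"
        }
        [pscustomobject]@{
            Name   = $d.FriendlyName
            Class  = $d.Class
            HWID   = $hwid
            Prefix = $prefix
            Model  = $model
        }
    }
}

function Test-KesTrustedMatch {
    # Would this device match a trusted-device entry of the given kind?
    param(
        [Parameter(Mandatory)]$Device,
        [Parameter(Mandatory)][ValidateSet('Id', 'Model', 'IdMask', 'ModelMask')][string]$Kind,
        [Parameter(Mandatory)][string]$Value
    )
    switch ($Kind) {
        'Id'        { return $Device.HWID -eq $Value }
        'Model'     { return ($null -ne $Device.Model) -and ($Device.Model -eq $Value) }
        'IdMask'    { return (ConvertTo-KesPattern $Value).IsMatch($Device.HWID) }
        'ModelMask' {
            $rx = ConvertTo-KesPattern $Value
            if ($Device.Model -and $rx.IsMatch($Device.Model)) { return $true }
            # Fallback described in the help: the model mask is compared with the
            # manufacturer/type part of the HWID only.
            return $rx.IsMatch($Device.Prefix)
        }
    }
}

# Usage: show removable drives and USB devices, then test two candidate entries.
$all = Get-KesDeviceInfo
$all | Where-Object { $_.Class -in 'DiskDrive', 'USB' } | Format-Table Name, Class, Model, HWID -AutoSize

foreach ($d in $all) {
    if (Test-KesTrustedMatch -Device $d -Kind ModelMask -Value 'VID_05AC&PID_*') {
        "model mask VID_05AC&PID_* matches: $($d.HWID)"
    }
    if (Test-KesTrustedMatch -Device $d -Kind IdMask -Value 'USB\VID_*&PID_*\*') {
        "ID mask USB\VID_*&PID_*\* matches: $($d.HWID)"
    }
}
```

Run it on a reference machine with the devices you intend to trust plugged in, then copy the HWID or Model column into the Name / Model field. Because ? is escaped rather than treated as a wildcard, a mask that relies on ? will match nothing here, which mirrors the restriction stated above.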
When a device is connected, Kaspersky Endpoint Security checks the list of trusted devices for an authorized
user. If the device is trusted, Kaspersky Endpoint Security allows access to the device with all permissions, even
if access to the device type or connection bus is denied. If the device is untrusted and access is denied, you can
request access to the locked device.
For example, if you need to distribute a list of trusted removable drives, you need to do the following:
2. In the Kaspersky Endpoint Security settings, add the removable drives to the trusted list. If required, configure
user access permissions. For example, allow only administrators to access removable drives.
3. Export the list of trusted devices in the Kaspersky Endpoint Security settings (see the instructions below).
4. Distribute the trusted device list file to other computers in your organization. For example, place the file in a
shared folder.
5. Import the list of trusted devices in the Kaspersky Endpoint Security settings on other computers in the
organization (see the instructions below).
b. Click Export.
c. In the window that opens, specify the name of the XML file to which you want to export the list of trusted
devices, and select the folder in which you want to save this file.
a. In the Import drop-down list, select the relevant action: Import and add to existing or Import and replace
existing.
b. In the window that opens, select the XML file from which you want to import the list of trusted devices.
When a device is connected, Kaspersky Endpoint Security checks the list of trusted devices for an authorized
user. If the device is trusted, Kaspersky Endpoint Security allows access to the device with all permissions, even
if access to the device type or connection bus is denied.
If Kaspersky Security Center is not deployed in your organization, you can provide access to a device in the
settings of Kaspersky Endpoint Security. For example, you can add the device to the trusted list or temporarily
disable Device Control.
If Kaspersky Security Center is deployed in your organization and a policy has been applied to computers, you can
provide access to a device in the Administration Console.
Online mode for granting access
You can grant access to a blocked device in online mode only if Kaspersky Security Center is deployed in the
organization and a policy has been applied to the computer. The computer must have the capability to
establish a connection with the Administration Server.
2. The administrator receives a message with the request in the Kaspersky Security Center console.
The Kaspersky Security Center console has a preset event selection User requests for easy tracking of
messages from users.
4. The administrator updates the settings of Kaspersky Endpoint Security on the user's computer.
You can grant access to a blocked device in offline mode only if Kaspersky Security Center is deployed in the
organization and a policy has been applied to the computer. In the policy settings, in the Device Control
section, the Allow request for temporary access check box must be selected.
If you need to grant temporary access to a blocked device but you cannot add the device to the trusted list, you
can grant access to the device in offline mode. This way, you can grant access to a blocked device even if the
computer does not have network access or if the computer is outside of the corporate network.
2. The administrator creates an access key from the request access file and sends it to the user.
Schematic for granting access to a device in offline mode
You can grant access to a blocked device in online mode only if Kaspersky Security Center is deployed in the
organization and a policy has been applied to the computer. The computer must have the capability to
establish a connection with the Administration Server.
3. Click Send.
Next, the administrator in the Kaspersky Security Center console receives the Device access blockage message to
administrator event. The event includes the user name, computer name, details of the device to which the user is
trying to gain access, and other information. You can configure how the administrator is notified about such events
and, for example, select email noti cations. The Kaspersky Security Center console has a preset event selection
User requests for easy tracking of messages from users.
To allow access, you must add the device to the trusted list. After you update Kaspersky Endpoint Security
settings on the computer, the user can gain access to the device.
Offline mode for granting access
You can grant access to a blocked device in offline mode only if Kaspersky Security Center is deployed in the
organization and a policy has been applied to the computer. In the policy settings, in the Device Control
section, the Allow request for temporary access check box must be selected.
3. In the list of connected devices, select the device to which you want to gain access.
5. In the Access duration field, specify the period of time for which you want to have access to the device.
As a result, a request access file with the *.akey extension will be downloaded to computer memory. Use any
available method to send the device request access file to the corporate LAN administrator.
How the administrator can create an access key for the blocked device in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
2. In the Managed devices folder of the Administration Console tree, open the folder with the name of the
administration group to which the relevant client computer belongs.
4. In the list of client computers, select the computer whose user needs to be granted temporary access to
the blocked device.
5. In the context menu of the computer, select the Grant access in offline mode item.
7. Click the Browse button and download the request access file received from the user.
You will see information about the blocked device to which the user has requested access.
How the administrator can create an access key for the blocked device in Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Managed devices.
2. In the list of client computers, select the computer whose user needs to be granted temporary access to
the blocked device.
3. Click the ellipsis button above the list of computers and then click the Grant access to the device in
offline mode button.
5. Click the Browse button and download the request access file received from the user.
You will see information about the blocked device to which the user has requested access.
7. Specify the time period during which the access key can be activated on the device.
This setting defines the time period during which the user can activate access to the blocked device by
using the provided access key.
As a result, the blocked device access key will be downloaded to computer memory. An access key file has the
*.acode extension. Use any available method to send the blocked device access key to the user.
3. In the Access request block, click the Request access to device button.
4. In the window that opens, click the Activate access key button.
5. In the window that opens, select the file with the device access key received from the corporate LAN
administrator.
This opens a window containing information about access provision.
6. Click OK.
As a result, the user receives access to the device for the time period set by the administrator. The user
receives the full set of rights for accessing the device (read and write). When the key expires, access to the
device will be blocked. If the user requires permanent access to the device, add the device to the trusted list.
When the user attempts to access a blocked device, Kaspersky Endpoint Security displays a message stating that
access to the device is blocked or that an operation with the device contents is forbidden. If the user believes that
access to the device was mistakenly blocked or that an operation with device contents was forbidden by mistake,
the user can send a message to the local corporate network administrator by clicking the link in the displayed
message about the blocked action.
Templates are available for messages about blocked access to devices or forbidden operations with device
contents, and for the message sent to the administrator. You can modify the message templates.
3. In the Message templates block, configure templates for Device Control messages:
Message about blocking. Template of the message that appears when a user attempts to access a blocked
device. This message also appears when a user attempts to perform an operation on the device contents
that was blocked for this user.
Message to administrator. A template of the message that is sent to the LAN administrator when the user
believes that access to the device is blocked or an operation with device content is forbidden by mistake.
After the user requests to provide access, Kaspersky Endpoint Security sends an event to Kaspersky
Security Center: Device access blockage message to administrator. The event description contains a
message to administrator with substituted variables. You can view these events in the Kaspersky Security
Center console using the predefined event selection User requests. If your organization does not have
Kaspersky Security Center deployed or there is no connection to the Administration Server, the application
will send a message to administrator to the specified email address.
Anti-Bridging
Anti-Bridging inhibits the creation of network bridges by preventing the simultaneous establishment of multiple
network connections for a computer. This lets you protect a corporate network from attacks over unprotected,
unauthorized networks.
Connection rules are created for the following predefined types of devices:
Network adapters;
Wi-Fi adapters;
Modems.
When a connection rule is enabled, Anti-Bridging does the following:
Blocks the active connection when establishing a new connection, if the device type specified in the rule is
used for both connections;
Blocks connections that are established using the types of devices for which lower-priority rules are used.
Enabling Anti-Bridging
Anti-Bridging is disabled by default.
To enable Anti-Bridging:
After Anti-Bridging is enabled, Kaspersky Endpoint Security blocks already established connections according
to the connection rules.
4. In the Rules for devices block, select the rule whose status you want to change.
5. Use the toggles in the Control column to enable or disable the rule.
4. In the Rules for devices block, select the rule whose priority you want to change.
5. Use the Up / Down buttons to set the priority of the connection rule.
The higher a rule is positioned in the table of rules, the higher its priority. Anti-Bridging blocks all connections
except one connection established using the type of device for which the highest-priority rule is used.
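A host-side check for the condition Anti-Bridging is meant to prevent (more than one network connection active at the same time, grouped by the device types the rules use), as an added PowerShell example. This is not code from the Kaspersky documentation or product and does not read KES settings; it assumes the NetAdapter module is available (Get-NetAdapter, Windows 8 / Server 2012 and later). The mapping of PhysicalMediaType values to the three rule types and the bridge-adapter heuristic are this example's own assumptions.

```powershell
# Added example (not Kaspersky code): report simultaneous connections by the
# device types Anti-Bridging rules are written for, plus any Windows bridge
# or teaming adapter. Useful before enabling the component (to predict which
# connection a rule would drop) and afterwards (to confirm only one remains).
# Assumptions: Get-NetAdapter is available; PhysicalMediaType values map to
# rule types as below; bridge detection is by adapter name/description only.

function Get-KesConnectionType {
    # Map a NetAdapter to the Anti-Bridging rule types.
    param([Parameter(Mandatory)]$Adapter)
    switch ($Adapter.PhysicalMediaType) {
        'Native 802.11' { return 'Wi-Fi adapter' }
        'Wireless WAN'  { return 'Modem' }
        '802.3'         { return 'Network adapter' }
        default         { return "Other ($($Adapter.PhysicalMediaType))" }
    }
}

function Get-ActiveConnections {
    # Physical adapters that currently have a link, with their rule type.
    Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            Description = $_.InterfaceDescription
            Type        = Get-KesConnectionType $_
            LinkSpeed   = $_.LinkSpeed
        }
    }
}

function Test-BridgingExposure {
    # Returns a list of findings; an empty result means nothing to act on.
    $active   = @(Get-ActiveConnections)
    $findings = @()
    if ($active.Count -gt 1) {
        $list = ($active | ForEach-Object { "$($_.Name) [$($_.Type)]" }) -join ', '
        $findings += "Multiple simultaneous connections: $list"
    }
    foreach ($g in ($active | Group-Object Type | Where-Object Count -gt 1)) {
        $findings += "More than one connection of type '$($g.Name)': a rule for this type would drop the older one."
    }
    # Heuristic (assumption): a Windows Network Bridge or NIC team appears as a
    # virtual adapter named 'Network Bridge' or backed by a bridge/multiplexor driver.
    $bridges = Get-NetAdapter | Where-Object {
        $_.Name -eq 'Network Bridge' -or
        $_.InterfaceDescription -like '*Bridge*' -or
        $_.InterfaceDescription -like '*Multiplexor*'
    }
    foreach ($b in $bridges) {
        $findings += "Bridge/teaming adapter present: $($b.Name) ($($b.InterfaceDescription))"
    }
    if (-not $findings) { $findings = @('No simultaneous connections or bridge adapters found.') }
    return $findings
}

Get-ActiveConnections | Format-Table -AutoSize
Test-BridgingExposure
```

Run it once before enabling Anti-Bridging: the connection listed first for the highest-priority device type is the one that survives, and everything else in the output is what the component will drop, including already established connections.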
Adaptive Anomaly Control
This component is available if Kaspersky Endpoint Security is installed on a computer that runs on Windows
for workstations. This component is unavailable if Kaspersky Endpoint Security is installed on a computer that
runs on Windows for servers.
The Adaptive Anomaly Control component monitors and blocks actions that are not typical of the computers in a
company's network. Adaptive Anomaly Control uses a set of rules to track non-typical behavior (for example, the
Start of Microsoft PowerShell from office application rule). Rules are created by Kaspersky specialists based on
typical scenarios of malicious activity. You can configure how Adaptive Anomaly Control handles each rule and, for
example, allow the execution of PowerShell scripts that automate certain workflow tasks. Kaspersky Endpoint
Security updates the set of rules along with the application databases. Updates to the sets of rules must be
confirmed manually.
Adaptive Anomaly Control is configured in real time. Adaptive Anomaly Control is configured via the following
channels:
Adaptive Anomaly Control automatically starts to block the actions associated with the rules that were never
triggered in training mode.
The administrator con gures the operation of the Adaptive Anomaly Control after reviewing the rule triggering
report and the contents of the Triggering of rules in Smart Training state repository. It is recommended to
check the rule triggering report and the contents of the Triggering of rules in Smart Training state repository.
When a malicious application attempts to perform an action, Kaspersky Endpoint Security will block the action and
display a notification (see the figure below).
Kaspersky Endpoint Security decides whether to allow or block an action that is associated with a rule based on
the following algorithm (see the figure below).
Enabling and disabling Adaptive Anomaly Control
Adaptive Anomaly Control is enabled by default.
2. In the application settings window, select Security Controls → Adaptive Anomaly Control.
3. Use the Adaptive Anomaly Control toggle to enable or disable the component.
As a result, the Adaptive Anomaly Control will switch to the training mode. During training, Adaptive Anomaly
Control monitors rule triggering. When training is complete, Adaptive Anomaly Control starts to block actions
that are not typical of the computers in a company's network.
If your organization has started to use some new tools, and Adaptive Anomaly Control blocks the actions of
those tools, you can reset the results of the training mode and repeat the training. To do this, you need to
change the action that is taken when the rule is triggered (for example, set it to Inform). Then you need to
re-enable the training mode (set the Smart value).
2. In the application settings window, select Security Controls → Adaptive Anomaly Control.
4. In the table, select a set of rules (for example, Activity of office applications) and expand the set.
5. Select a rule (for example, Start of Microsoft PowerShell from office application).
6. Use the toggle switch in the State column to enable or disable the Adaptive Anomaly Control rule.
To edit the action that is taken when an Adaptive Anomaly Control rule is triggered:
2. In the application settings window, select Security Controls → Adaptive Anomaly Control.
5. Click Edit.
The Adaptive Anomaly Control rule properties window opens.
Smart. If this option is selected, the Adaptive Anomaly Control rule works in Smart training state for a
period of time defined by Kaspersky experts. In this mode, when an Adaptive Anomaly Control rule is
triggered, Kaspersky Endpoint Security allows the activity covered by the rule and logs an entry in the
Triggering of rules in Smart Training state storage of the Kaspersky Security Center Administration Server.
When the time period set for working in Smart Training state ends, Kaspersky Endpoint Security blocks the
activity covered by an Adaptive Anomaly Control rule and logs an entry containing information about the
activity.
Block. If this action is selected, when an Adaptive Anomaly Control rule is triggered Kaspersky Endpoint
Security blocks the activity covered by the rule and logs an entry containing information about the activity.
Inform. If this action is selected, when an Adaptive Anomaly Control rule is triggered Kaspersky Endpoint
Security allows the activity covered by the rule and logs an entry containing information about the activity.
You cannot create more than 1,000 exclusions for Adaptive Anomaly Control rules. It is not recommended to
create more than 200 exclusions. To reduce the number of exclusions used, it is recommended to use masks in
the settings of exclusions.
An exclusion for an Adaptive Anomaly Control rule includes a description of the source and target objects. The
source object is the object performing the actions. The target object is the object on which the actions are being
performed. For example, you have opened a file named file.xlsx. As a result, a library file with the DLL extension
is loaded into the computer memory. This library is used by a browser (executable file named browser.exe). In this
example, file.xlsx is the source object, Excel is the source process, browser.exe is the target object, and
Browser is the target process.
2. In the application settings window, select Security Controls → Adaptive Anomaly Control.
5. Click Edit.
The Adaptive Anomaly Control rule properties window opens.
7. Select the user for which you want to configure an exclusion.
You can select users in Active Directory, in the list of accounts in Kaspersky Security Center, or by entering a
local user name manually. Kaspersky recommends using local user accounts only in special cases when it is not
possible to use domain user accounts.
Adaptive Anomaly Control does not support exclusions for user groups. If you select a user group,
Kaspersky Endpoint Security does not apply the exclusion.
9. Define the settings of the source object or source process started by the object:
Source process. Path or mask of the path to the file or folder containing files (for example,
C:\Dir\File.exe or Dir\*.exe).
Source object. Path or mask of the path to the file or folder containing files (for example,
C:\Dir\File.exe or Dir\*.exe). For example, the path of a file document.docm, which uses a script or macro to
start the target processes.
You can also specify other objects to exclude, such as a web address, macro, command in the command line,
registry path, or others. Specify the object according to the following template: object://<object>,
where <object> refers to the name of the object, for example, object://web.site.example.com,
object://VBA, object://ipconfig, object://HKEY_USERS. You can also use masks, for example,
object://*C:\Windows\temp\*.
The Adaptive Anomaly Control rule is not applied to actions performed by the object, or to processes started
by the object.
10. Specify the settings of the target object or target processes started on the object.
Target process. Path or mask of the path to the file or folder containing files (for example,
C:\Dir\File.exe or Dir\*.exe).
Target object. The command to start the target process. Specify the command using the following pattern
object://<command>, for example, object://cmdline:powershell -Command "$result =
'C:\Windows\temp\result_local_users_pwdage.txt'". You can also use masks, for example,
object://*C:\Windows\temp\*.
2. In the application settings window, select Security Controls → Adaptive Anomaly Control.
b. Click Export.
c. In the window that opens, specify the name of the XML file to which you want to export the list of
exclusions, and select the folder in which you want to save this file.
d. Confirm that you want to export only the selected exclusions, or export the entire list of exclusions.
a. Click Import.
b. In the window that opens, select the XML file from which you want to import the list of exclusions.
Until the update is applied, Kaspersky Endpoint Security displays the Adaptive Anomaly Control rules set to be
deleted by the update in the table of rules and assigns the Disabled status to them. It is not possible to
change the settings of these rules.
2. In the application settings window, select Security Controls → Adaptive Anomaly Control.
Special templates are available for the message about blocking potentially harmful actions and for the message to
be sent to the administrator. You can modify the message templates.
2. In the application settings window, select Security Controls → Adaptive Anomaly Control.
3. In the Templates block, configure the templates for Adaptive Anomaly Control messages:
Message about blocking. Template of the message that is displayed to a user when an Adaptive Anomaly
Control rule that blocks a non-typical action is triggered.
Message to administrator. Template of the message that a user can send to the local corporate network
administrator if the user considers the blocking to be a mistake. After the user requests to provide access,
Kaspersky Endpoint Security sends an event to Kaspersky Security Center: Application activity blockage
message to administrator. The event description contains a message to administrator with substituted
variables. You can view these events in the Kaspersky Security Center console using the predefined event
selection User requests. If your organization does not have Kaspersky Security Center deployed or there is
no connection to the Administration Server, the application will send a message to administrator to the
specified email address.
Viewing Adaptive Anomaly Control reports
To view Adaptive Anomaly Control reports:
3. Select the necessary policy and double-click to open the policy properties.
If you want to view the report on Adaptive Anomaly Control rules state, click Report on Adaptive Anomaly
Control rules state.
If you want to view the report on triggered Adaptive Anomaly Control rules, click Report on triggered
Adaptive Anomaly Control rules.
Application Control
Application Control manages the startup of applications on users' computers. This allows you to implement a
corporate security policy when using applications. Application Control also reduces the risk of computer infection
by restricting access to applications.
When a user attempts to start a prohibited application, Kaspersky Endpoint Security will block the application from
starting and will display a notification (see the figure below).
A test mode is provided to check the configuration of Application Control. In this mode, Kaspersky Endpoint
Security does the following:
Shows a notification about the startup of a prohibited application and adds information to the report on the
user's computer.
Sends data about the startup of prohibited applications to Kaspersky Security Center.
Denylist. In this mode, Application Control allows users to start all applications except for applications that are
prohibited in Application Control rules.
This mode of Application Control is enabled by default.
Allowlist. In this mode, Application Control blocks users from starting any applications except for applications
that are allowed and not prohibited in Application Control rules.
If the allow rules of Application Control are fully configured, the component blocks the startup of all new
applications that have not been verified by the LAN administrator, while allowing the operation of the operating
system and of trusted applications that users rely on in their work.
You can read the recommendations on configuring Application Control rules in allowlist mode.
Application Control can be configured to operate in these modes both by using the Kaspersky Endpoint Security
local interface and by using Kaspersky Security Center.
However, Kaspersky Security Center offers tools that are not available in the Kaspersky Endpoint Security local
interface, such as the tools that are needed for the following tasks:
Receiving information about applications that are installed on corporate LAN computers.
This is why it is recommended to use Kaspersky Security Center to configure the operation of the Application
Control component.
Kaspersky Endpoint Security uses an algorithm to make a decision about starting an application (see the figure
below).
When the application version is upgraded, importing Application Control component settings is not supported.
If there is no connection with KSN servers, Kaspersky Endpoint Security receives information about the
reputation of applications and their modules only from local databases.
The list of applications that Kaspersky Endpoint Security designates as KL category Other applications \
Applications, trusted according to reputation in KSN may differ depending on whether or not a
connection to KSN servers is available.
The Kaspersky Security Center database can store information on 150,000 processed files. Once this
number of records has been reached, new files will not be processed. To resume inventory operations, you
must delete the files that were previously inventoried in the Kaspersky Security Center database from the
computer on which Kaspersky Endpoint Security is installed.
The component does not control the startup of scripts unless the script is sent to the interpreter via the
command line.
If the startup of an interpreter is allowed by Application Control rules, the component will not block a script
started from this interpreter.
If at least one of the scripts specified in the interpreter command line is blocked from starting by Application
Control rules, the component blocks all the scripts specified in the interpreter command line.
The component does not control the startup of scripts from interpreters that are not supported by Kaspersky
Endpoint Security.
Kaspersky Endpoint Security supports the following interpreters:
Java
PowerShell
%ComSpec%;
%SystemRoot%\\system32\\regedit.exe;
%SystemRoot%\\regedit.exe;
%SystemRoot%\\system32\\regedt32.exe;
%SystemRoot%\\system32\\cscript.exe;
%SystemRoot%\\system32\\wscript.exe;
%SystemRoot%\\system32\\msiexec.exe;
%SystemRoot%\\system32\\mshta.exe;
%SystemRoot%\\system32\\rundll32.exe;
%SystemRoot%\\system32\\wwahost.exe;
%SystemRoot%\\syswow64\\cmd.exe;
%SystemRoot%\\syswow64\\regedit.exe;
%SystemRoot%\\syswow64\\regedt32.exe;
%SystemRoot%\\syswow64\\cscript.exe;
%SystemRoot%\\syswow64\\wscript.exe;
%SystemRoot%\\syswow64\\msiexec.exe;
%SystemRoot%\\syswow64\\mshta.exe;
%SystemRoot%\\syswow64\\rundll32.exe;
%SystemRoot%\\syswow64\\wwahost.exe.
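Resolving the interpreter list above on a host and collecting what an administrator needs before writing allow or deny rules for them (presence, Authenticode signer and status, SHA-256), as an added PowerShell example. This is not code from the Kaspersky documentation or product and it does not generate rule syntax. Java and PowerShell have no fixed path in the list, so the example locates them on PATH with Get-Command; that, and the use of signature status as the go/no-go criterion, are the example's own choices.

```powershell
# Added example (not Kaspersky code): inventory the script interpreters that
# Application Control recognises, so that each can be allowed or denied
# deliberately. Assumptions: paths are written as in the documented list
# (single backslashes, %VAR% references); java.exe and powershell.exe/pwsh.exe
# are found via PATH; an interpreter that is present but not validly signed
# is flagged rather than silently inventoried.

$documentedInterpreters = @(
    '%ComSpec%',
    '%SystemRoot%\system32\regedit.exe',  '%SystemRoot%\regedit.exe',
    '%SystemRoot%\system32\regedt32.exe', '%SystemRoot%\system32\cscript.exe',
    '%SystemRoot%\system32\wscript.exe',  '%SystemRoot%\system32\msiexec.exe',
    '%SystemRoot%\system32\mshta.exe',    '%SystemRoot%\system32\rundll32.exe',
    '%SystemRoot%\system32\wwahost.exe',
    '%SystemRoot%\syswow64\cmd.exe',      '%SystemRoot%\syswow64\regedit.exe',
    '%SystemRoot%\syswow64\regedt32.exe', '%SystemRoot%\syswow64\cscript.exe',
    '%SystemRoot%\syswow64\wscript.exe',  '%SystemRoot%\syswow64\msiexec.exe',
    '%SystemRoot%\syswow64\mshta.exe',    '%SystemRoot%\syswow64\rundll32.exe',
    '%SystemRoot%\syswow64\wwahost.exe'
)

function Resolve-InterpreterPath {
    # Expand %VAR% references exactly as the list writes them.
    param([Parameter(Mandatory)][string]$Template)
    return [Environment]::ExpandEnvironmentVariables($Template)
}

function Get-InterpreterInventory {
    # One record per interpreter: present or not, signer, signature status, hash.
    param([string[]]$Templates = $documentedInterpreters)
    $paths = foreach ($t in $Templates) { Resolve-InterpreterPath $t }
    # Interpreters without a fixed path in the list (assumption: locate via PATH).
    foreach ($name in 'powershell.exe', 'pwsh.exe', 'java.exe') {
        $cmd = Get-Command $name -ErrorAction SilentlyContinue
        if ($cmd) { $paths += $cmd.Source }
    }
    foreach ($p in ($paths | Sort-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Present = $false; Signer = $null; SignatureStatus = $null; Sha256 = $null }
            continue
        }
        $sig    = Get-AuthenticodeSignature -LiteralPath $p
        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        [pscustomobject]@{
            Path            = $p
            Present         = $true
            Signer          = $signer
            SignatureStatus = $sig.Status.ToString()
            Sha256          = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
}

# Usage: print the inventory, then warn about anything present but not validly
# signed; such a binary should not be allowed on trust alone.
$inv = Get-InterpreterInventory
$inv | Format-Table Path, Present, SignatureStatus, Signer -AutoSize
$inv | Where-Object { $_.Present -and $_.SignatureStatus -ne 'Valid' } |
    ForEach-Object { Write-Warning "Unsigned or invalid signature: $($_.Path)" }
```

Keep in mind the caveat stated above: allowing an interpreter allows every script it is handed, so an allow rule for cscript.exe or mshta.exe is effectively an allow rule for arbitrary script content, and in allowlist mode these entries deserve a deny rule or a tightly scoped user condition rather than a blanket allow.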
Application usage policies adopted in the company (this may be security policies or administrative policies).
Information about installed applications is provided by Kaspersky Security Center Network Agent (the
Applications registry folder). You can also get a list of executable files using the Inventory task (Executable files
folder).
Information about applications that are used on corporate LAN computers is available in the Applications registry
folder and in the Executable files folder.
2. In the Administration Console tree, select Advanced → Application management → Applications registry.
3. Select an application.
To open the properties window for an executable file in the Executable files folder:
2. In the Administration Console tree, select Advanced → Application management → Executable files.
3. Select an executable file.
To view general information about the application and its executable files, and the list of computers on which an
application is installed, open the properties window of an application that is selected in the Applications registry
folder or in the Executable files folder.
Starting with Kaspersky Endpoint Security 12.3 for Windows, the operation of Application Control component with
the database of executable les is optimized. Kaspersky Endpoint Security 12.3 for Windows automatically updates
the database after the le is deleted from the computer. This allows keeping the database up to date and saving
Kaspersky Security Center resources.
To keep the database of installed applications up to date, the sending of application information to the
Administration Server must be enabled (it is enabled by default).
3. Select the necessary policy and double-click to open the policy properties.
5. In the Data transfer to Administration Server block, click the Settings button.
How to enable the submission of application information in Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Data transfer to Administration Server block, select the About started applications check box.
As a result, if Application Control is enabled, the application forwards information about running executable files
to Kaspersky Security Center. You can view the list of running executable files in Kaspersky Security Center in
the Executable files folder. To receive information about all executable files instead of only running executable
files, run the Inventory task.
3. In the Application Startup Control mode block, select one of the following options:
Blocked applications. If this option is selected, Application Control allows all users to start any applications,
except in cases that satisfy the conditions of Application Control block rules.
Allowed applications. If this option is selected, Application Control blocks all users from starting any
applications, except in cases that satisfy the conditions of Application Control allow rules.
The Golden Image rule and Trusted Updaters rule are initially defined for Allowlist mode. These
Application Control rules correspond to KL categories. The "Golden Image" KL category includes
programs that ensure normal operation of the operating system. The "Trusted Updaters" KL category
includes updaters for the most reputable software vendors. You cannot delete these rules. The settings
of these rules cannot be edited. By default, the Golden Image rule is enabled and the Trusted
Updaters rule is disabled. All users are allowed to start applications that match the trigger conditions of
these rules.
All rules created during the selected mode are saved after the mode is changed so that the rules can be used
again. To revert back to using these rules, all you have to do is select the necessary mode.
4. In the Action on starting applications blocked by rules block, select the action to be performed by the
component when a user attempts to start an application that is blocked by Application Control rules.
5. Select the Control DLL modules load check box if you want Kaspersky Endpoint Security to monitor the
loading of DLL modules when applications are started by users.
Information about the module and the application that loaded the module will be saved to a report.
Kaspersky Endpoint Security monitors only the DLL modules and drivers that have been loaded since the check
box was selected. Restart the computer after selecting the check box if you want Kaspersky Endpoint Security
to monitor all DLL modules and drivers, including ones that are loaded before Kaspersky Endpoint Security is
started.
When enabling control over the loading of DLL modules and drivers, make sure that one of the following
rules is enabled in the Application Control settings: the default Golden Image rule or another rule that
contains the "Trusted certificates" KL category and ensures that trusted DLL modules and drivers are
loaded before Kaspersky Endpoint Security is started. Enabling control of the loading of DLL modules and
drivers when the Golden Image rule is disabled may cause instability in the operating system.
We recommend turning on password protection for configuring application settings, so that it is possible
to turn off the rules blocking critical DLL modules and drivers from starting, without modifying Kaspersky
Security Center policy settings.
Rule-triggering conditions
A rule-triggering condition has the following correlation: "condition type - condition criterion - condition value".
Based on the rule-triggering conditions, Kaspersky Endpoint Security applies (or does not apply) a rule to an
application.
Inclusion conditions. Kaspersky Endpoint Security applies the rule to the application if the application matches
at least one of the inclusion conditions.
Exclusion conditions. Kaspersky Endpoint Security does not apply the rule to the application if the application
matches at least one of the exclusion conditions and does not match any of the inclusion conditions.
Rule-triggering conditions are created using criteria. The following criteria are used to create rules in Kaspersky
Endpoint Security:
Path to the folder containing the executable file of the application or path to the executable file of the
application.
Metadata: application executable file name, application executable file version, application name, application
version, application vendor.
The criterion value must be specified for each criterion used in the condition. If the parameters of the application
being started match the values of criteria specified in the inclusion condition, the rule is triggered. In this case,
Application Control performs the action prescribed in the rule. If application parameters match the values of
criteria specified in the exclusion condition, Application Control does not control startup of the application.
If you have selected a certificate as a rule-triggering condition, you need to ensure that this certificate is
added to the trusted system storage on the computer, and check the trusted system storage usage settings
in the application.
When a rule is triggered, Application Control allows users (or user groups) to start applications or blocks startup
according to the rule. You can select individual users or groups of users that are allowed or not allowed to start
applications that trigger a rule.
If a rule does not specify those users allowed to start applications satisfying the rule, this rule is called a block rule.
If a rule does not specify any users who are not allowed to start applications that match the rule, this rule is
called an allow rule.
The priority of a block rule is higher than the priority of an allow rule. For example, if an Application Control allow
rule has been assigned for a user group while an Application Control block rule has been assigned for one user in
this user group, this user will be blocked from starting the application.
Application Control rules can have one of the following operating statuses:
Enabled. This status means that the rule is used when the Application Control component is running.
Disabled. This status means that the rule is ignored when the Application Control component is running.
Test mode. This status signifies that Kaspersky Endpoint Security allows the startup of applications to which
the rules apply but logs information about the startup of such applications in the report.
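The rule-triggering, user-rights and status logic described above, carried through as an added Python example that is not Kaspersky code. The rules, users, paths and hashes in it are constructed; the path criterion is simplified to a folder prefix or an exact file path, and a matching exclusion condition takes the application out of the rule, as the text states.

```python
"""Toy model of the Application Control decision logic described above.
Added example, not Kaspersky code: inclusion/exclusion conditions, allow and
block rules, "Deny for other users", rule statuses, the block-over-allow
priority and the mode default. All rules, users and hashes are constructed."""
from dataclasses import dataclass
from typing import Iterable, List, NamedTuple, Optional

# Modes: "denylist" allows all except block-rule matches ("Blocked applications"),
# "allowlist" blocks all except allow-rule matches ("Allowed applications").
# Rule statuses: "enabled", "disabled", "test" (start allowed, verdict logged).

@dataclass(frozen=True)
class App:
    path: str
    sha256: str
    vendor: str

@dataclass(frozen=True)
class Condition:
    """One 'criterion - value' pair: path, SHA-256 hash or vendor metadata."""
    criterion: str
    value: str

    def matches(self, app: App) -> bool:
        if self.criterion == "path":
            # A value ending in "\" names a folder (subfolders included);
            # otherwise it is the exact path of the executable file.
            p, v = app.path.lower(), self.value.lower()
            return p.startswith(v) if v.endswith("\\") else p == v
        if self.criterion == "hash":
            return app.sha256.lower() == self.value.lower()
        return app.vendor.lower() == self.value.lower()   # "vendor"

@dataclass
class Rule:
    name: str
    inclusions: Iterable[Condition]
    exclusions: Iterable[Condition] = ()
    allowed: frozenset = frozenset()   # users/groups with the Allow box set
    blocked: frozenset = frozenset()   # users/groups with the Block box set
    deny_for_others: bool = False
    status: str = "enabled"

    def applies_to(self, app: App) -> bool:
        # At least one inclusion must match; a matching exclusion takes the
        # application out of this rule's scope.
        if not any(c.matches(app) for c in self.inclusions):
            return False
        return not any(c.matches(app) for c in self.exclusions)

    def verdict(self, user: str, groups: Iterable[str]) -> Optional[str]:
        principals = {user, *groups}
        if principals & self.blocked:
            return "block"
        if principals & self.allowed:
            return "allow"
        return "block" if self.deny_for_others else None

class Decision(NamedTuple):
    action: str            # "allow" or "block"
    decided_by: List[str]  # rules whose verdict produced the action
    test_log: List[str]    # report lines from rules in test status

def evaluate(mode: str, rules: List[Rule], app: App, user: str,
             groups: Iterable[str] = ()) -> Decision:
    groups, verdicts, test_log = tuple(groups), [], []
    for rule in rules:
        if rule.status == "disabled" or not rule.applies_to(app):
            continue
        v = rule.verdict(user, groups)
        if v is None:
            continue
        if rule.status == "test":   # logged, never enforced
            test_log.append(f"{rule.name}: would {v} {app.path} for {user}")
            continue
        verdicts.append((rule.name, v))
    # A block rule has priority over an allow rule, whatever the rule order.
    for action in ("block", "allow"):
        names = [n for n, v in verdicts if v == action]
        if names:
            return Decision(action, names, test_log)
    # No enabled rule decided, so the selected mode supplies the default.
    return Decision("allow" if mode == "denylist" else "block", [], test_log)

# Constructed sample rules and executables (placeholder hashes, not real files).
LEDGER_HASH = "11" * 32
RULES = [
    Rule("System folder", [Condition("path", "C:\\Windows\\")],
         exclusions=[Condition("path", "C:\\Windows\\Temp\\")],
         allowed=frozenset({"Everyone"})),
    Rule("Work applications", [Condition("hash", LEDGER_HASH)],
         allowed=frozenset({"CORP\\Accounting"}), deny_for_others=True),
    Rule("Contractor block", [Condition("vendor", "Example Corp")],
         blocked=frozenset({"CORP\\contractor1"})),
    Rule("Archiver trial", [Condition("vendor", "Example Archiver")],
         blocked=frozenset({"Everyone"}), status="test"),
]
NOTEPAD = App("C:\\Windows\\notepad.exe", "22" * 32, "Microsoft")
DROPPED = App("C:\\Windows\\Temp\\x.exe", "33" * 32, "Unknown")
LEDGER = App("C:\\Apps\\ledger.exe", LEDGER_HASH, "Example Corp")
ARCHIVER = App("C:\\Apps\\arch.exe", "44" * 32, "Example Archiver")
```

In allowlist mode the contractor in the Accounting group is blocked from ledger.exe even though the group's allow rule matches, which is the block-over-allow priority; in denylist mode the archiver rule in test status only produces a report line.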
It is recommended to create a "Work applications" category that covers the standard set of applications that are
used at the company. If different user groups use different sets of applications in their work, a separate application
category can be created for each user group.
2. In the Administration Console tree, select the Advanced → Application management → Application
categories folder.
3. Click the New category button in the workspace.
The user category creation wizard starts.
Category with content added manually. If you selected this type of category, at the "Configuring the
conditions for including applications in a category" step and the "Configuring the conditions for excluding
applications from a category" step, you will be able to define the criteria whereby executable files will be
included into the category.
Category that includes executable files from selected devices. If you selected this type of category, at the
"Settings" step you will be able to specify a computer whose executable files will be automatically included in
the category.
Category that includes executable files from a specific folder. If you selected this type of category, at the
"Repository folder" step you will be able to specify a folder from which executable files will be automatically
included in the category.
When creating a category with content added automatically, Kaspersky Security Center performs inventory
on files with the following formats: EXE, COM, DLL, SYS, BAT, PS1, CMD, JS, VBS, REG, MSI, MSC, CPL, HTML,
HTM, DRV, OCX, and SCR.
This step is available if you selected the Category with content added manually category type.
At this step, in the Add drop-down list, select the conditions for including applications into the category:
From the list of executable files. Add applications from the list of executable files on the client device to the
custom category.
From file properties. Specify detailed data of executable files as a condition for adding applications to the
custom category.
Metadata from files in folder. Select a folder on the client device that contains executable files. Kaspersky
Security Center will indicate the metadata of these executable files as a condition for adding applications to
the custom category.
Checksums of the files in the folder. Select a folder on the client device that contains executable files.
Kaspersky Security Center will indicate the hashes of these executable files as a condition for adding
applications to the custom category.
Certificates for the files from the folder. Select a folder on the client device that contains executable files
signed with certificates. Kaspersky Security Center will indicate the certificates of these executable files as a
condition for adding applications to the custom category.
It is not recommended to use conditions whose properties do not have the Certificate thumbprint
parameter specified.
MSI installer files metadata. Select the MSI package. Kaspersky Security Center will indicate the metadata of
executable files packed in this MSI package as a condition for adding applications to the custom category.
Checksums of the files from the MSI installer of the application. Select the MSI package. Kaspersky Security
Center will indicate the hashes of executable files packed in this MSI package as a condition for adding
applications to the custom category.
From KL category. Specify a KL category as a condition for adding applications to the custom category. A KL
category is a list of applications that have shared theme attributes. The list is maintained by Kaspersky experts.
For example, the KL category known as "Office applications" includes applications from the Microsoft Office
suite, Adobe Acrobat, and others.
You can select all KL categories to generate an extended list of trusted applications.
Specify path to application (masks supported). Select a folder on the client device. Kaspersky Security
Center will add executable files from this folder to the custom category.
Select certificate from repository. Select certificates that were used to sign executable files as a condition
for adding applications to the custom category.
It is not recommended to use conditions whose properties do not have the Certificate thumbprint
parameter specified.
Drive type. Specify the type of storage device (all hard drives and removable drives, or only removable drives)
as a condition for adding applications to the custom category.
Step 4. Configuring the conditions for excluding applications from a category
This step is available if you selected the Category with content added manually category type.
Applications specified at this step are excluded from the category even if these applications were specified at
the "Configuring the conditions for including applications in a category" step.
At this step, in the Add drop-down list, select conditions for excluding applications from the category:
From the list of executable files. Add applications from the list of executable files on the client device to the
custom category.
From file properties. Specify detailed data of executable files as a condition for adding applications to the
custom category.
Metadata from files in folder. Select a folder on the client device that contains executable files. Kaspersky
Security Center will indicate the metadata of these executable files as a condition for adding applications to
the custom category.
Checksums of the files in the folder. Select a folder on the client device that contains executable files.
Kaspersky Security Center will indicate the hashes of these executable files as a condition for adding
applications to the custom category.
Certificates for the files from the folder. Select a folder on the client device that contains executable files
signed with certificates. Kaspersky Security Center will indicate the certificates of these executable files as a
condition for adding applications to the custom category.
MSI installer files metadata. Select the MSI package. Kaspersky Security Center will indicate the metadata of
executable files packed in this MSI package as a condition for adding applications to the custom category.
Checksums of the files from the MSI installer of the application. Select the MSI package. Kaspersky Security
Center will indicate the hashes of executable files packed in this MSI package as a condition for adding
applications to the custom category.
From KL category. Specify a KL category as a condition for adding applications to the custom category. A KL
category is a list of applications that have shared theme attributes. The list is maintained by Kaspersky experts.
For example, the KL category known as "Office applications" includes applications from the Microsoft Office
suite, Adobe Acrobat, and others.
You can select all KL categories to generate an extended list of trusted applications.
Specify path to application (masks supported). Select a folder on the client device. Kaspersky Security
Center will add executable files from this folder to the custom category.
Select certificate from repository. Select certificates that were used to sign executable files as a condition
for adding applications to the custom category.
Drive type. Specify the type of storage device (all hard drives and removable drives, or only removable drives)
as a condition for adding applications to the custom category.
Step 5. Settings
This step is available if you selected the Category that includes executable files from selected devices
category type.
At this step, click the Add button and specify the computers whose executable files will be added to the
application category by Kaspersky Security Center. All executable files from the specified computers presented in
the Executable files folder will be added to the application category by Kaspersky Security Center.
At this step, you can also configure the following settings:
Algorithm for hash function calculation. To select an algorithm, you must select at least one of the following
check boxes:
Calculate SHA-256 for files in this category (supported by Kaspersky Endpoint Security 10 Service
Pack 2 for Windows and later versions).
Calculate MD5 for files in this category (supported by versions earlier than Kaspersky Endpoint
Security 10 Service Pack 2 for Windows).
Synchronize data with Administration Server repository check box. Select this check box if you want
Kaspersky Security Center to periodically clear the application category and add to it all executable files from
the specified computers presented in the Executable files folder.
If the Synchronize data with Administration Server repository check box is cleared, Kaspersky Security
Center will not make any modifications to an application category after it is created.
Scan period (h) field. In this field, you can specify the period of time (in hours) after which Kaspersky Security
Center clears the application category and adds to it all executable files from the specified computers
presented in the Executable files folder.
The field is available if the Synchronize data with Administration Server repository check box is selected.
This step is available if you selected the Category that includes executable files from a specific folder
category type.
At this step, specify the folder in which Kaspersky Security Center will search for executable files to automatically
add applications to the application category.
At this step, you can also configure the following settings:
The Include dynamic-link libraries (DLL) in this category check box. Select this check box if you want
dynamic-link libraries (DLL files) to be included in the application category.
Including DLL files in the application category may reduce the performance of Kaspersky Security Center.
The Include script data in this category check box. Select this check box if you want scripts to be included in
the application category.
Including scripts in the application category may reduce the performance of Kaspersky Security Center.
Algorithm for hash function calculation. To select an algorithm, you must select at least one of the following
check boxes:
Calculate SHA-256 for files in this category (supported by Kaspersky Endpoint Security 10 Service
Pack 2 for Windows and later versions).
Calculate MD5 for files in this category (supported by versions earlier than Kaspersky Endpoint
Security 10 Service Pack 2 for Windows).
The Force folder scan for changes check box. Select this check box if you want Kaspersky Security Center to
periodically search for executable files in the folder used for automatically adding to the application category.
If the Force folder scan for changes check box is cleared, Kaspersky Security Center searches for executable
files in the folder used for automatically adding to the application category only if changes have been made in
the folder, files have been added to it or deleted from it.
Scan period (h) field. In this field, you can specify the time interval (in hours) after which Kaspersky Security
Center will search for executable files in the folder used for automatically adding to the application category.
The field is available if the Force folder scan for changes check box is selected.
To add a new trigger condition for an Application Control rule in the application interface:
4. Select the rule for which you want to configure a trigger condition.
The Application Control rule properties open.
5. Select the Conditions: N tab or Exclusions: N tab and click the Add button.
Conditions from properties of started applications. In the list of running applications, you can select the
applications to which the Application Control rule will be applied. Kaspersky Endpoint Security also lists
applications that were previously running on the computer. You need to select the criterion that you want to
use to create one or multiple rule trigger conditions: File hash, Certificate, KL category, Metadata or Path
to file or folder.
Conditions "KL category". A KL category is a list of applications that have shared theme attributes. The list
is maintained by Kaspersky experts. For example, the KL category known as "Office applications" includes
applications from the Microsoft Office suite, Adobe® Acrobat®, and others.
Custom condition. You can select the application file and select one of the rule trigger conditions: File hash,
Certificate, Metadata or Path to file or folder.
Condition by file drive (removable drive). The Application Control rule is applied only to files that are run on
a removable drive.
Conditions from properties of files in the specified folder. The Application Control rule is applied only to
files in the specified folder. You can also include or exclude files from subfolders. You need to select the
criterion that you want to use to create one or multiple rule trigger conditions: File hash, Certificate, KL
category, Metadata or Path to file or folder.
When adding conditions, please take into account the following special considerations for Application Control:
Kaspersky Endpoint Security does not support an MD5 file hash and does not control startup of applications
based on an MD5 hash. An SHA256 hash is used as a rule trigger condition.
It is not recommended to use only the Issuer and Certificate subject criteria as rule trigger conditions. Use of
these criteria is unreliable.
If you are using a symbolic link in the Path to file or folder field, you are advised to resolve the symbolic link for
correct operation of the Application Control rule. To do so, click the Resolve symbolic link button.
Adding executable files from the Executable files folder to the application
category
In the Executable files folder the list of executable files detected on computers is displayed. Kaspersky Endpoint
Security generates a list of executable files after executing the Inventory task.
To add executable files from the Executable files folder to the application category:
2. In the Administration Console tree, select Advanced → Application management → Executable files folder.
3. In the workspace, select the executable files that you want to add to the application category.
4. Right-click to open the context menu for the selected executable files and select Add to category.
In the upper part of the window, choose one of the following options:
Add to a new application category. Choose this option if you want to create a new application category
and add executable files to it.
Add to an existing application category. Choose this option if you want to select an existing application
category and add executable files to it.
Rules for adding to inclusions. Select this option if you want to create a condition that adds executable
files to the application category.
Rules for adding to exclusions. Select this option if you want to create a condition that excludes
executable files from the application category.
In the Parameter used as a condition block, select one of the following options:
Certificate details (or SHA-256 hashes for files without a certificate).
Only MD5 (discontinued mode, only for Kaspersky Endpoint Security 10 Service Pack 1 version).
1. Open the Kaspersky Security Center Administration Console.
2. In the Administration Server node of the Administration Console tree, select the Events tab.
3. Choose a selection of events related to operation of the Application Control component (Viewing events
resulting from operation of the Application Control component, Viewing events resulting from test operation
of the Application Control component) in the Event selections drop-down list.
5. Select the events whose associated executable files you want to add to the application category.
6. Right-click to open the context menu for the selected events and select Add to category.
7. In the window that opens, configure the settings of the application category:
In the upper part of the window, choose one of the following options:
Add to a new application category. Choose this option if you want to create a new application category
and add executable files to it.
Add to an existing application category. Choose this option if you want to select an existing application
category and add executable files to it.
Rules for adding to inclusions. Select this option if you want to create a condition that adds executable
files to the application category.
Rules for adding to exclusions. Select this option if you want to create a condition that excludes
executable files from the application category.
In the Parameter used as a condition block, select one of the following options:
Certificate details (or SHA-256 hashes for files without a certificate).
Only MD5 (discontinued mode, only for Kaspersky Endpoint Security 10 Service Pack 1 version).
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Security Controls → Application Control.
In the right part of the window, the settings of the Application Control component are displayed.
5. Click Add.
The Application Control rule window opens.
a. In the Category drop-down list, select the created application category that you want to edit.
b. Click Properties.
e. In the Category drop-down list, select the created application category based on which you want to
create a rule.
7. In the Users and their rights table, click the Add button.
You can select users in Active Directory, in the list of accounts in Kaspersky Security Center, or by entering a
local user name manually. Kaspersky recommends using local user accounts only in special cases when it is not
possible to use domain user accounts.
If you want to allow users and/or groups of users to start applications that belong to the selected category,
select the Allow check box in the relevant rows.
If you want to block users and/or groups of users from starting applications that belong to the selected
category, select the Block check box in the relevant rows.
9. Select the Deny for other users check box if you want all users that do not appear in the User or group column
and that are not part of the group of users specified in the User or group column to be blocked from starting
applications that belong to the selected category.
10. If you want Kaspersky Endpoint Security to consider applications included in the selected application category
as trusted updaters allowed to create other executable files that will be subsequently allowed to run, select the
Trusted Updaters check box.
When Kaspersky Endpoint Security settings are migrated, the list of executable files created by trusted
updaters is migrated as well.
11. Save your changes.
4. Click Add.
This opens the Application Control rule settings window.
c. In the Users and their rights table, click the Add button.
You can select users in Active Directory, in the list of accounts in Kaspersky Security Center, or by entering a
local user name manually. Kaspersky recommends using local user accounts only in special cases when it is
not possible to use domain user accounts.
The rule applies to all users by default.
d. In the Users and their rights table, use the toggle to define the right of users to start applications.
e. Select the Deny for other users check box if you want the application to prevent applications that satisfy
rule triggering conditions from running for all users that are not listed in the Users and their rights table and
are not members of user groups listed in the Users and their rights table.
If the Deny for other users check box is cleared, Kaspersky Endpoint Security does not control the
startup of applications by users that are not specified in the Users and their rights table and that do
not belong to the groups of users specified in the Users and their rights table.
f. Select the Trusted Updaters check box if you want Kaspersky Endpoint Security to consider applications
matching the rule trigger conditions as trusted updaters. Trusted Updaters are applications that are allowed
to create other executable files that will be allowed to run subsequently.
If an application triggers multiple rules, Kaspersky Endpoint Security sets the Trusted Updaters flag if the
following conditions are satisfied:
At least one rule has the Trusted Updaters check box selected.
6. On the Conditions: N tab, create or edit the list of inclusion conditions for triggering the rule.
7. On the Exclusions: N tab, create or edit the list of exclusion conditions for triggering the rule.
When Kaspersky Endpoint Security settings are migrated, the list of executable files created by trusted
updaters is migrated as well.
3. Select the necessary policy and double-click to open the policy properties.
5. In the Status column, left-click to display the context menu and select one of the following:
On. This status means that the rule is used when the Application Control component is running.
Off. This status means that the rule is ignored when the Application Control component is running.
Test. This status means that Kaspersky Endpoint Security always allows the startup of applications to which
the rule applies but logs information about the startup of such applications in the report.
4. In the Status column, open the context menu and select one of the following:
Enabled. This status means that the rule is used when the Application Control component is running.
Disabled. This status means that the rule is ignored when the Application Control component is running.
Test mode. This status means that Kaspersky Endpoint Security always allows the startup of applications to
which this rule applies but logs information about the startup of such applications in the report.
Exporting and importing Application Control rules
You can export the list of Application Control rules to an XML file. You can use the export/import function to back
up the list of Application Control rules or to migrate the list to a different server.
When exporting and importing Application Control rules, please keep in mind the following special considerations:
Kaspersky Endpoint Security exports the list of rules only for the active Application Control mode. In other
words, if Application Control is operating in denylist mode, Kaspersky Endpoint Security exports rules only for
this mode. To export the list of rules for allowlist mode, you need to switch the mode and run the export
operation again.
Kaspersky Endpoint Security uses application categories for Application Control rules to work. When migrating
the list of Application Control rules to a different server, you also need to migrate the list of application
categories. For more details on exporting or importing application categories, please refer to Kaspersky
Security Center Help.
How to export and import a list of Application Control rules in the Administration Console (MMC)
3. Select the necessary policy and double-click to open the policy properties.
a. Select the rules that you want to export. To select multiple rules, use the CTRL or SHIFT keys.
If you did not select any rule, Kaspersky Endpoint Security will export all rules.
c. In the window that opens, specify the name of the XML file to which you want to export the list of rules,
and select the folder in which you want to save this file.
How to export and import a list of Application Control rules in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
b. Click Export.
c. Confirm that you want to export only the selected rules, or export the entire list.
2. In the Administration Server node of the Administration Console tree, select the Events tab.
4. In the window that opens, go to the Events section.
6. In the Events table, select the Application startup prohibited check box.
2. In the Administration Server node of the Administration Console tree, select the Reports tab.
4. Follow the instructions of the Report Template Wizard. At the Selecting the report template type step, select
Other → Report on prohibited applications.
After you have nished with the New Report Template Wizard, the new report template appears in the table on
the Reports tab.
The report generation process starts. The report is displayed in a new window.
An analysis of the operation of Application Control rules requires a review of the resultant Application Control
events that are reported to Kaspersky Security Center. If test mode results in no blocked startup events for all
applications required for the work of the computer user, this means that the correct rules were created.
Otherwise, you are advised to update the settings of the rules you have created, create additional rules, or delete
the existing rules.
By default, Kaspersky Endpoint Security allows the startup of all applications except for applications prohibited by
the rules.
3. Select the necessary policy and double-click to open the policy properties.
5. In the Control mode drop-down list, select one of the following items:
Denylist. If this option is selected, Application Control allows all users to start any applications, except in
cases that satisfy the conditions of Application Control block rules.
Allowlist. If this option is selected, Application Control blocks all users from starting any applications, except
in cases that satisfy the conditions of Application Control allow rules.
If you want to enable testing of Application Control rules, select the Test rules option in the Action drop-
down list.
If you want to enable Application Control to manage the startup of applications on user computers, in the
drop-down list, select Apply rules.
To enable testing of Application Control rules or to select a blocking action for Application Control:
Kaspersky Endpoint Security will not block applications whose startup is forbidden by the Application Control
component, but will send notifications about their startup to the Administration Server. You can also configure
the display of notifications about rule testing on the user's computer (see figure below).
Application Control notifications in test mode
2. In the Administration Server node of the Administration Console tree, select the Reports tab.
4. Follow the instructions of the Report Template Wizard. At the Selecting the report template type step, select
Other → Report on prohibited applications in test mode.
After you have finished with the New Report Template Wizard, the new report template appears in the table on
the Reports tab.
The report generation process starts. The report is displayed in a new window.
2. In the Administration Server node of the Administration Console tree, select the Events tab.
6. In the Events table, select the Application startup prohibited in test mode and Application startup allowed
in test mode check boxes.
7. Save your changes.
Using the Application Activity Monitor requires installing the Application Control and Host Intrusion Prevention
components. If these components are not installed, the Application Activity Monitor section in the main
application window is hidden.
In the main application window, in the Monitoring section, click the Application Activity Monitor tile.
In this window, information about the activity of applications on the user's computer is presented on three tabs:
The All applications tab displays information about all applications installed on the computer.
The Running tab displays information about the computer resource consumption by each application in real
time. From this tab, you can also proceed to configure permissions for an individual application.
The Run at startup tab displays the list of applications that are started when the operating system starts.
If you want to hide application activity information on the user's computer, you can restrict user access to the
Application Activity Monitor tool.
How to hide Application Activity Monitor in the application interface using the Administration Console (MMC)
3. Select the necessary policy and double-click to open the policy properties.
5. Use the Hide Application Activity Monitor section check box to grant or revoke access to the tool.
How to hide Application Activity Monitor in the application interface using the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. Use the Hide Application Activity Monitor section check box to grant or revoke access to the tool.
You can use the following common characters to create a file or folder name mask:
The * (asterisk) character, which takes the place of any set of characters (including an empty set). For example,
the C:\*.txt mask will include all paths to files with the txt extension located in folders and subfolders on
the (C:) drive.
The ? (question mark) character, which takes the place of any single character, except the \ and / characters
(delimiters of the names of files and folders in paths to files and folders). For example, the mask
C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have the TXT
extension and a name consisting of three characters.
Special templates are available for the message that is displayed when an application is blocked from starting and
for the message sent to the administrator. You can modify the message templates.
3. In the Templates of messages about application blocking block, configure templates for Application Control
messages:
Message about blocking. Template of the message that is displayed when an Application Control rule that
blocks an application from starting is triggered. The notification about a blocked application is shown in the
figure below.
You cannot configure message templates for Application Control in test mode. Application Control in test
mode displays preset notifications.
Message to administrator. Template of the message that a user can send to the corporate LAN
administrator if the user believes that an application was blocked by mistake. After the user requests to
provide access, Kaspersky Endpoint Security sends an event to Kaspersky Security Center: Application
startup blockage message to administrator. The event description contains a message to administrator
with substituted variables. You can view these events in the Kaspersky Security Center console using the
predefined event selection User requests. If your organization does not have Kaspersky Security Center
deployed or there is no connection to the Administration Server, the application will send a message to
administrator to the specified email address.
User groups. Groups of users for whom you need to allow use of various sets of applications.
Administration groups. One or multiple groups of computers to which Kaspersky Security Center will apply
the list of allowed applications. It is necessary to create multiple groups of computers if different allowlist
settings are used for those groups.
Configuring allowlist mode for applications
When configuring the allowlist mode, it is recommended to perform the following actions:
1. Create application categories containing the applications that must be allowed to start.
You can select one of the following methods for creating application categories:
Category with content added manually. You can manually add to this category by using the following
conditions:
File metadata. Kaspersky Security Center adds all executable files accompanied by the specified
metadata to the application category.
File hash code. Kaspersky Security Center adds all executable files with the specified hash to the
application category.
Use of this condition excludes the capability to automatically install updates because different
versions of files will have a different hash.
File certificate. Kaspersky Security Center adds all executable files signed with the specified certificate
to the application category.
KL category. Kaspersky Security Center adds all applications that are in the specified KL category to the
application category.
Application folder. Kaspersky Security Center adds all executable files from this folder to the application
category.
Use of the Application folder condition may be unsafe because any application from the specified
folder will be allowed to start. It is recommended to apply rules that use the application categories
with the Application folder condition only to those users for whom the automatic installation of
updates must be allowed.
Category that includes executable files from a specific folder. You can specify a folder from which
executable files will be automatically assigned to the created application category.
Category that includes executable files from selected devices. You can specify a computer for which all
executable files will be automatically assigned to the created application category.
When using this method of creating application categories, Kaspersky Security Center receives
information about applications on the computer from the Executable files folder.
The Golden Image rule and Trusted Updaters rule are initially defined for Allowlist mode. These
Application Control rules correspond to KL categories. The "Golden Image" KL category includes programs
that ensure normal operation of the operating system. The "Trusted Updaters" KL category includes
updaters for the most reputable software vendors. You cannot delete these rules. The settings of these
rules cannot be edited. By default, the Golden Image rule is enabled and the Trusted Updaters rule is
disabled. All users are allowed to start applications that match the trigger conditions of these rules.
4. Determine the applications for which automatic installation of updates must be allowed.
You can allow automatic installation of updates in one of the following ways:
Specify an extended list of allowed applications by allowing the startup of all applications that belong to any
KL category.
Specify an extended list of allowed applications by allowing the startup of all applications that are signed
with certificates.
To allow the startup of all applications signed with certificates, you can create a category with a
certificate-based condition that uses only the Subject parameter with the value *.
For the Application control rule, select the Trusted Updaters parameter. If this check box is selected,
Kaspersky Endpoint Security considers the applications included in the rule as Trusted Updaters. Kaspersky
Endpoint Security allows the startup of applications that have been installed or updated by applications
included in the rule, provided that no blocking rules are applied to those applications.
When Kaspersky Endpoint Security settings are migrated, the list of executable files created by trusted
updaters is migrated as well.
Create a folder and place within it the executable files of applications for which you want to allow automatic
installation of updates. Then create an application category with the "Application folder" condition and
specify the path to that folder. Then create an allow rule and select this category.
Use of the Application folder condition may be unsafe because any application from the specified
folder will be allowed to start. It is recommended to apply rules that use the application categories with
the Application folder condition only to those users for whom the automatic installation of updates
must be allowed.
When testing the allowlist mode, it is recommended to perform the following actions:
1. Determine the testing period (ranging from several days to two months).
3. Examine the events resulting from testing the operation of Application Control and reports on blocked
applications in test mode to analyze the testing results.
4. Based on the analysis results, make changes to the allowlist mode settings.
In particular, based on the test results, you can add executable files related to events to an application
category.
Examine the events resulting from the operation of Application Control and reports on blocked runs to analyze
the effectiveness of Application Control.
Analyze unfamiliar executable files by checking their reputation in Kaspersky Security Network.
Prior to installing updates for the operating system or for software, install those updates on a test group of
computers to check how they will be processed by Application Control rules.
Kaspersky Endpoint Security divides TCP and UDP ports of the user's computer into several groups, depending on
the likelihood of their being compromised. Some network ports are reserved for vulnerable services. You are
advised to monitor these ports more thoroughly because they have a greater likelihood of being targeted by a
network attack. If you use non-standard services that rely on non-standard network ports, these network ports
may also be targeted by an attacking computer. You can specify a list of network ports and a list of applications
that request network access. These ports and applications then receive special attention from the Mail Threat
Protection and Web Threat Protection components during network traffic monitoring.
Network ports monitoring settings
3. In the Monitored ports block, select Monitor selected network ports only.
4. Click Select.
This opens a list of network ports that are normally used for transmission of email and network traffic. This list
of network ports is included in the Kaspersky Endpoint Security package.
5. Use the toggle in the Status column to enable or disable network port monitoring.
6. If a network port is not shown in the list of network ports, add it by doing the following:
a. Click Add.
b. In the window that opens, enter the network port number and brief description.
c. Set the Active or Inactive status for the network port monitoring.
When the FTP protocol runs in passive mode, the connection can be established via a random network port
that is not added to the list of monitored network ports. To protect such connections, enable monitoring of all
network ports or configure control of network ports for applications that establish FTP connections.
Creating a list of applications for which all network ports are monitored
You can create a list of applications for which Kaspersky Endpoint Security monitors all network ports.
We recommend including applications that receive or transmit data via the FTP protocol in the list of
applications for which Kaspersky Endpoint Security monitors all network ports.
To create a list of applications for which all network ports are monitored:
3. In the Monitored ports block, select Monitor selected network ports only.
4. Select the Monitor all ports for the applications from the list recommended by Kaspersky check box.
If this check box is selected, Kaspersky Endpoint Security monitors all ports for the following applications:
Google Chrome.
Microsoft Edge.
Mozilla Firefox.
Internet Explorer.
Java.
mIRC.
Opera.
Pidgin.
Safari.
Mail.ru Agent.
Yandex Browser.
5. Select the Monitor all ports for specified applications check box.
6. Click Select.
This opens a list of applications for which Kaspersky Endpoint Security monitors network ports.
7. Use the toggle in the Status column to enable or disable network port monitoring.
a. Click Add.
b. In the window that opens, enter the path to the executable file of the application and a brief description.
How to export and import lists of monitored ports in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
5. In the Monitored ports block, select Monitor selected network ports only.
6. Click Settings.
The Network ports window opens. The Network ports window displays a list of network ports that are
normally used for transmission of email and network traffic. This list of network ports is included in the
Kaspersky Endpoint Security package.
a. In the list of network ports, select the ports that you want to export. To select multiple ports, use the
CTRL or SHIFT keys.
If you did not select any port, Kaspersky Endpoint Security will export all ports.
b. Click Export.
c. In the window that opens, enter the name of the XML file to which you want to export the list of
network ports, and select the folder in which you want to save this file.
8. To export the list of applications whose ports are monitored by Kaspersky Endpoint Security:
a. Select the Monitor all ports for specified applications check box.
b. In the list of applications, select the applications that you want to export. To select multiple applications,
use the CTRL or SHIFT keys.
If you did not select any application, Kaspersky Endpoint Security will export all applications.
c. Click Export.
d. In the window that opens, specify the name of the XML file to which you want to export the list of
applications, and select the folder in which you want to save this file.
If the computer already has a list of network ports, Kaspersky Endpoint Security will prompt you to
delete the existing list or add new entries to it from the XML file.
10. To import a list of applications whose ports are monitored by Kaspersky Endpoint Security:
How to export / import lists of monitored ports in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
a. In the Monitored ports block, select Monitor selected network ports only.
c. In the list of network ports, select the ports that you want to export.
d. Click Export.
e. In the window that opens, enter the name of the XML file to which you want to export the list of
network ports, and select the folder in which you want to save this file.
6. To export the list of applications whose ports are monitored by Kaspersky Endpoint Security:
a. In the Monitored ports block, select the Monitor all ports for specified applications check box.
c. In the list of applications, select the applications that you want to export.
d. Click Export.
e. In the window that opens, specify the name of the XML file to which you want to export the list of
applications, and select the folder in which you want to save this file.
8. To import a list of applications whose ports are monitored by Kaspersky Endpoint Security:
Log Inspection
This component is available if Kaspersky Endpoint Security is installed on a computer that runs on Windows
for servers. This component is unavailable if Kaspersky Endpoint Security is installed on a computer that runs
on Windows for workstations.
Starting with version 11.11.0, Kaspersky Endpoint Security for Windows includes the Log Inspection component. Log
Inspection monitors the integrity of the protected environment based on the Windows event log analysis. When
the application detects signs of atypical behavior in the system, it informs the administrator, as this behavior may
indicate an attempted cyber attack.
Kaspersky Endpoint Security analyzes Windows event logs and detects violation in accordance with rules. The
component includes predefined rules. Predefined rules are powered by heuristic analysis. You can also add your
own rules (custom rules). When a rule triggers, the application creates an event with the Critical status (see figure
below).
If you want to use Log Inspection, make sure the security audit policy is configured and the system is logging
the relevant events (for details, see the Microsoft technical support website).
You can configure the triggering criteria for rules that monitor events for the following operations:
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
There are patterns of a possible Kerberos forged PAC (MS14-068) attack in the system.
8. If necessary, configure the There are patterns of a possible brute-force attack in the system rule:
b. In the window that opens, specify the number of attempts and a time period within which attempts to
enter a password must be performed for the rule to trigger.
c. Click OK.
9. If you selected the There is an atypical activity detected during a network logon session rule, you need
to configure its settings:
b. In the Network logon detection block, specify the start and the end of the time interval.
Kaspersky Endpoint Security considers logon attempts performed during the defined interval as
abnormal activity.
By default, the interval is not set and the application does not monitor logon attempts. For the
application to continuously monitor logon attempts, set the interval to 12:00 AM – 11:59 PM. The start
and the end of the interval must not coincide. If they are the same, the application does not monitor
logon attempts.
c. Create the list of trusted users and trusted IP addresses (IPv4 and IPv6).
You can select users in Active Directory, in the list of accounts in Kaspersky Security Center, or by
entering a local user name manually. Kaspersky recommends using local user accounts only in special
cases when it is not possible to use domain user accounts. Kaspersky Endpoint Security does not
monitor logon attempts for these users and computers.
d. Click OK.
How to configure predefined rules in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
6. In the Predefined rules block, enable or disable the predefined rules using the toggles:
There are patterns of a possible Kerberos forged PAC (MS14-068) attack in the system.
7. If necessary, configure the There are patterns of a possible brute-force attack in the system rule:
b. In the window that opens, specify the number of attempts and a time period within which attempts to
enter a password must be performed for the rule to trigger.
c. Click OK.
8. If you selected the There is an atypical activity detected during a network logon session rule, you need
to configure its settings:
b. In the Network logon detection block, specify the start and the end of the time interval.
Kaspersky Endpoint Security considers logon attempts performed during the defined interval as
abnormal activity.
By default, the interval is not set and the application does not monitor logon attempts. For the
application to continuously monitor logon attempts, set the interval to 12:00 AM – 11:59 PM. The start
and the end of the interval must not coincide. If they are the same, the application does not monitor
logon attempts.
c. In the Exclusions block, add trusted users and trusted IP addresses (IPv4 and IPv6).
You can select users in Active Directory, in the list of accounts in Kaspersky Security Center, or by
entering a local user name manually. Kaspersky recommends using local user accounts only in special
cases when it is not possible to use domain user accounts. Kaspersky Endpoint Security does not
monitor logon attempts for these users and computers.
d. Click OK.
1. In the main application window, click the button.
4. In the Predefined rules block, click the Configure button.
There are patterns of a possible Kerberos forged PAC (MS14-068) attack in the system.
6. If necessary, configure the There are patterns of a possible brute-force attack in the system rule:
b. In the window that opens, specify the number of attempts and a time period within which attempts to
enter a password must be performed for the rule to trigger.
7. If you selected the There is an atypical activity detected during a network logon session rule, you need
to configure its settings:
b. In the Network logon detection block, specify the start and the end of the time interval.
Kaspersky Endpoint Security considers logon attempts performed during the defined interval as
abnormal activity.
By default, the interval is not set and the application does not monitor logon attempts. For the
application to continuously monitor logon attempts, set the interval to 12:00 AM – 11:59 PM. The start
and the end of the interval must not coincide. If they are the same, the application does not monitor
logon attempts.
c. In the Exclusions block, add trusted users and trusted IP addresses (IPv4 and IPv6).
You can select users in Active Directory, in the list of accounts in Kaspersky Security Center, or by
entering a local user name manually. Kaspersky recommends using local user accounts only in special
cases when it is not possible to use domain user accounts. Kaspersky Endpoint Security does not
monitor logon attempts for these users and computers.
As a result, when the rule triggers, Kaspersky Endpoint Security creates a Critical event.
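The two predefined rules whose settings the procedures above describe, as an added example that is not part of this Help and not the component's own logic: a Python sketch of a brute-force threshold (a number of attempts within a time period) and a Network logon detection interval with trusted-user and trusted-IP exclusions, evaluated over constructed Security-log records. The record layout, the use of event IDs 4625/4624 with logon type 3, counting attempts per account and source address, and inclusive interval bounds are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta

# Constructed Security-log records, reduced to the fields the two rules need.
# 4625 = an account failed to log on; 4624 = an account was successfully
# logged on, where logon type 3 is a network logon.
EVENTS = [
    {"time": "2024-05-01T08:00:00", "id": 4625, "user": "alice", "ip": "10.0.0.5"},
    {"time": "2024-05-01T08:00:10", "id": 4625, "user": "alice", "ip": "10.0.0.5"},
    {"time": "2024-05-01T08:00:20", "id": 4625, "user": "alice", "ip": "10.0.0.5"},
    {"time": "2024-05-01T08:00:30", "id": 4625, "user": "alice", "ip": "10.0.0.5"},
    {"time": "2024-05-01T08:00:40", "id": 4625, "user": "alice", "ip": "10.0.0.5"},
    {"time": "2024-05-01T09:00:00", "id": 4625, "user": "bob", "ip": "10.0.0.9"},
    {"time": "2024-05-01T09:10:00", "id": 4625, "user": "bob", "ip": "10.0.0.9"},
    {"time": "2024-05-01T03:00:00", "id": 4624, "logon_type": 3, "user": "svc-backup", "ip": "10.0.0.20"},
    {"time": "2024-05-01T03:15:00", "id": 4624, "logon_type": 3, "user": "carol", "ip": "203.0.113.7"},
    {"time": "2024-05-01T03:20:00", "id": 4624, "logon_type": 2, "user": "erin", "ip": "-"},
    {"time": "2024-05-01T14:00:00", "id": 4624, "logon_type": 3, "user": "dave", "ip": "10.0.0.30"},
]


@dataclass
class BruteForceRule:
    attempts: int       # "number of attempts" in the rule settings
    period: timedelta   # "time period" within which they must occur


@dataclass
class NetworkLogonRule:
    start: time         # start of the Network logon detection interval
    end: time           # end of the interval
    trusted_users: set = field(default_factory=set)
    trusted_ips: set = field(default_factory=set)

    def is_active(self) -> bool:
        # Interval not set, or start equal to end: logons are not monitored.
        return self.start != self.end

    def in_interval(self, t: time) -> bool:
        if self.start < self.end:
            return self.start <= t <= self.end
        # Interval crossing midnight, e.g. 10:00 PM to 6:00 AM (bounds inclusive).
        return t >= self.start or t <= self.end


def detect_brute_force(events, rule):
    """One alert per burst of `rule.attempts` failed logons within `rule.period`.
    Counting per (account, source address) is an assumption."""
    recent = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] != 4625:
            continue
        t = datetime.fromisoformat(ev["time"])
        window = recent[(ev["user"], ev["ip"])]
        window.append(t)
        while t - window[0] > rule.period:  # forget attempts older than the period
            window.popleft()
        if len(window) >= rule.attempts:
            alerts.append((ev["user"], ev["ip"], ev["time"]))
            window.clear()                  # a new burst must start from scratch
    return alerts


def detect_atypical_network_logons(events, rule):
    """Successful network logons inside the interval, minus trusted users/IPs."""
    if not rule.is_active():
        return []
    alerts = []
    for ev in events:
        if ev["id"] != 4624 or ev.get("logon_type") != 3:
            continue
        if ev["user"] in rule.trusted_users or ev["ip"] in rule.trusted_ips:
            continue
        if rule.in_interval(datetime.fromisoformat(ev["time"]).time()):
            alerts.append((ev["user"], ev["ip"], ev["time"]))
    return alerts


BRUTE_RULE = BruteForceRule(attempts=5, period=timedelta(minutes=1))
NIGHT_RULE = NetworkLogonRule(time(22, 0), time(6, 0), trusted_users={"svc-backup"})
ALL_DAY_RULE = NetworkLogonRule(time(0, 0), time(23, 59))  # the Help's "continuous" setting
DISABLED_RULE = NetworkLogonRule(time(0, 0), time(0, 0))   # start == end: nothing monitored

if __name__ == "__main__":
    for a in detect_brute_force(EVENTS, BRUTE_RULE):
        print("Critical: patterns of a possible brute-force attack", a)
    for a in detect_atypical_network_logons(EVENTS, NIGHT_RULE):
        print("Critical: atypical activity during a network logon session", a)
```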
Adding custom rules
You can set your own Log Inspection rule triggering criteria. To do so, you must enter an event ID and select an
event source. You can look up the event ID on the Microsoft technical support website. You can select an event
source from among the standard logs: Application, Security or System. You can also specify the log of a third-party
application. You can find out the name of the third-party application log using the Event Viewer tool. Third-party
application logs are kept in the Application and Services Logs folder (for example, the Windows PowerShell
log).
The application does not check if the specified log is actually present in the Windows event log. If there is a
mistake in the name of the log, the application does not monitor events from that log.
The list of custom rules already includes three rules created by Kaspersky experts.
3. Select the necessary policy and double-click to open the policy properties.
7. In the window that opens, select the check boxes next to the custom rules that you want to enable.
9. This opens a window; in that window, configure the custom rule:
Rule name.
Log name. Windows Event Logs. The following logs are available: Application, Security, System.
Source. Third-party application logs. You can find out the name of the third-party application log using
the Event Viewer tool. Third-party application logs are kept in the Application and Services Logs folder
(for example, the Windows PowerShell log).
Event identifiers. Event IDs in the Windows Event Log. You can look up the event ID in the Microsoft
technical documentation.
How to add a custom rule in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
6. In the Custom rules block, select custom rules that you want to enable.
8. This opens a window; in that window, configure the custom rule:
Rule name.
Windows Event Log name. Windows Event Logs. The following logs are available: Application, Security,
System.
Source. Third-party application logs. You can find out the name of the third-party application log using
the Event Viewer tool. Third-party application logs are kept in the Application and Services Logs folder
(for example, the Windows PowerShell log).
Windows Event Log identifier. Event IDs in the Windows Event Log. You can look up the event ID in the
Microsoft technical documentation.
1. In the main application window, click the button.
5. In the window that opens, select the check boxes next to the custom rules that you want to enable.
7. This opens a window; in that window, configure the custom rule:
Rule name.
Log name. Windows Event Logs. The following logs are available: Application, Security, System.
Source. Third-party application logs. You can find out the name of the third-party application log using
the Event Viewer tool. Third-party application logs are kept in the Application and Services Logs folder
(for example, the Windows PowerShell log).
Event identifier. Event IDs in the Windows Event Log. You can look up the event ID in the Microsoft
technical documentation.
As a result, when the rule triggers, Kaspersky Endpoint Security creates a Critical event.
This component is available if Kaspersky Endpoint Security is installed on a computer that runs on Windows
for servers. This component is unavailable if Kaspersky Endpoint Security is installed on a computer that runs
on Windows for workstations.
File Integrity Monitor works only on servers with NTFS or ReFS file system.
Starting with version 11.11.0, Kaspersky Endpoint Security for Windows includes the File Integrity Monitor
component. File Integrity Monitor detects changes to objects (files and folders) in a given monitoring area. These
changes may indicate a computer security breach. When object changes are detected, the application informs the
administrator.
To use File Integrity Monitor, you need to configure the component's scope, i.e. select the objects whose state
should be monitored by the component.
You can view information about the results of File Integrity Monitor operation in Kaspersky Security Center and in
the interface of Kaspersky Endpoint Security for Windows.
Editing the monitoring scope
File Integrity Monitor cannot work without a specified monitoring scope. This means you must specify the paths to
the files and folders whose changes File Integrity Monitor will control. We recommend adding rarely modified
objects or objects that only the administrator has access to. This will reduce the number of File Integrity Monitor
events.
To reduce the number of events, you can also add exclusions to the monitoring rules. Exclusion entries have a
higher priority than monitoring scope entries. For example, the organization uses an application whose files you
want to monitor for integrity. To do so, you need to add the path to the folder with the application (for example,
C:\Users\Testadmin\Desktop\Utilities). You can exclude log files from the monitoring rule because such
files do not affect system security. Moreover, the application constantly modifies log files, which results in a great
number of similar events. To avoid this, add log files to exceptions (for example,
C:\Users\Testadmin\Desktop\Utilities\*.log).
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
7. This opens a window; in that window, configure the monitoring rule:
Rule name. Enter the name of the rule, for example, Monitoring application A.
Event severity level. Select the event severity level that File Integrity Monitor will log: Informational,
Warning, Critical.
When configuring the monitoring scope, make sure the path to the folder or file begins with a drive
letter or a system environment variable. The application does not support user environment
variables. If the path to the folder or file is specified incorrectly, Kaspersky Endpoint Security will not
add the specified monitoring scope.
Use masks:
The * (asterisk) character, which takes the place of any set of characters, except the \ and /
characters (delimiters of the names of files and folders in paths to files and folders). For example,
the mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the
C: drive, but not in subfolders.
Two consecutive * characters take the place of any set of characters (including an empty set) in
the file or folder name, including the \ and / characters (delimiters of the names of files and folders
in paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to
files with the TXT extension located in folders nested within the Folder, except the Folder itself.
The mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
The ? (question mark) character, which takes the place of any single character, except the \ and /
characters (delimiters of the names of files and folders in paths to files and folders). For example,
the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder
that have the TXT extension and a name consisting of three characters.
Exclusions. Enter the path to the folder or file. Kaspersky Endpoint Security supports environment
variables and the * and ? characters when entering a mask. Exclusion entries have a higher priority than
monitoring scope entries.
8. Click OK.
A new rule is added to the list of monitoring rules. You can disable the monitoring rule without removing it
from the list of rules. To do so, clear the check box next to the object.
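The File Integrity Monitor mask rules above, and the Application Control mask rules described earlier in this section, as an added example that is not part of this Help and not Kaspersky's implementation: a Python translator from these masks to regular expressions. It keeps the File Integrity Monitor distinction that a single * stays inside one path component while ** crosses components, rejects a ** mask with no nesting level, applies the Application Control reading where * also crosses delimiters, and gives exclusion entries priority over scope entries. Treating a wildcard-free scope entry as a folder that covers everything beneath it, and the exact drive-letter/%VARIABLE% check, are assumptions.

```python
import re

_SEP = r"[\\/]"       # either Windows path delimiter
_NOT_SEP = r"[^\\/]"  # one character that is not a delimiter


def is_valid_fim_mask(mask: str) -> bool:
    """Apply the two File Integrity Monitor restrictions stated in the Help.

    The path must begin with a drive letter or a %VARIABLE% (the exact check
    is an assumption), and a ** component needs at least one folder between it
    and the root: C:\\Folder\\**\\*.txt is valid, C:\\**\\*.txt is not.
    """
    if not re.match(r"^(?:[A-Za-z]:|%[^%\\/]+%)(?:[\\/]|$)", mask):
        return False
    parts = re.split(_SEP, mask)
    for idx, part in enumerate(parts):
        if "**" in part:
            return idx >= 2 and any(parts[1:idx])
    return True


def mask_to_regex(mask: str, fim: bool = True) -> re.Pattern:
    """Translate a mask into a compiled, case-insensitive regular expression.

    fim=True  (File Integrity Monitor): * stays inside one path component,
              ** also spans delimiters, ? is one non-delimiter character.
    fim=False (Application Control): * spans any characters, delimiters
              included, so C:\\*.txt also covers subfolders; ? as above.
    """
    if fim and not is_valid_fim_mask(mask):
        raise ValueError(f"invalid File Integrity Monitor mask: {mask!r}")
    out, i = [], 0
    while i < len(mask):
        ch = mask[i]
        if ch == "*":
            if fim and mask.startswith("**", i):
                out.append(".*")  # two stars: cross folder boundaries
                i += 2
                continue
            out.append(".*" if not fim else _NOT_SEP + "*")
        elif ch == "?":
            out.append(_NOT_SEP)
        elif ch in "\\/":
            out.append(_SEP)      # accept either delimiter in the path
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out), re.IGNORECASE)


def matches(mask: str, path: str, fim: bool = True) -> bool:
    """True when `path` is covered by `mask`.

    Assumption: an entry without wildcards names a file or a folder, and a
    folder covers every object below it, which is how the Help's scope example
    C:\\Users\\Testadmin\\Desktop\\Utilities reads.
    """
    rx = mask_to_regex(mask, fim)
    if rx.fullmatch(path):
        return True
    if any(c in mask for c in "*?"):
        return False
    return re.fullmatch(rx.pattern + _SEP + ".*", path, re.IGNORECASE) is not None


def is_monitored(path: str, scope: list, exclusions: list) -> bool:
    """Exclusion entries take priority over monitoring scope entries."""
    if any(matches(m, path) for m in exclusions):
        return False
    return any(matches(m, path) for m in scope)


# The Help's own example: monitor the Utilities folder but not its log files.
SCOPE = [r"C:\Users\Testadmin\Desktop\Utilities"]
EXCLUSIONS = [r"C:\Users\Testadmin\Desktop\Utilities\*.log"]

if __name__ == "__main__":
    for p in (r"C:\Users\Testadmin\Desktop\Utilities\tool.exe",
              r"C:\Users\Testadmin\Desktop\Utilities\tool.log",
              r"C:\Users\Testadmin\Desktop\Utilities\sub\trace.log"):
        # The last path stays monitored: a single * does not cross "\", so
        # nested logs need an exclusion written as ...\Utilities\**\*.log.
        print(p, "monitored" if is_monitored(p, SCOPE, EXCLUSIONS) else "excluded")
```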
How to edit a monitoring scope in the Web Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. Make sure the File Integrity Monitor toggle switch is turned on.
7. This opens a window; in that window, configure the monitoring rule:
Rule name. Enter the name of the rule, for example, Monitoring application A.
Event severity level. Select the event severity level that File Integrity Monitor will log: Informational,
Warning, Critical.
When configuring the monitoring scope, make sure the path to the folder or file begins with a drive
letter or a system environment variable. The application does not support user environment
variables. If the path to the folder or file is specified incorrectly, Kaspersky Endpoint Security will not
add the specified monitoring scope.
Use masks:
The * (asterisk) character, which takes the place of any set of characters, except the \ and /
characters (delimiters of the names of files and folders in paths to files and folders). For example,
the mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the
C: drive, but not in subfolders.
Two consecutive * characters take the place of any set of characters (including an empty set) in
the file or folder name, including the \ and / characters (delimiters of the names of files and folders
in paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to
files with the TXT extension located in folders nested within the Folder, except the Folder itself.
The mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
The ? (question mark) character, which takes the place of any single character, except the \ and /
characters (delimiters of the names of files and folders in paths to files and folders). For example,
the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder
that have the TXT extension and a name consisting of three characters.
Exclusions. Enter the path to the folder or file. Kaspersky Endpoint Security supports environment
variables and the * and ? characters when entering a mask. Exclusion entries have a higher priority than
monitoring scope entries.
8. Click OK.
A new rule is added to the list of monitoring rules. You can disable the monitoring rule without removing it
from the list of rules. To do so, set the toggle switch next to it to the off position.
9. Save your changes.
1. In the main application window, click the button.
2. In the application settings window, select Security Controls → File Integrity Monitor.
3. Make sure the File Integrity Monitor toggle switch is turned on.
6. This opens a window; in that window, configure the monitoring rule:
Rule name. Enter the name of the rule, for example, Monitoring application A.
Event severity level. Select the event severity level that File Integrity Monitor will log: Informational,
Warning, Critical.
When configuring the monitoring scope, make sure the path to the folder or file begins with a drive
letter or a system environment variable. The application does not support user environment
variables. If the path to the folder or file is specified incorrectly, Kaspersky Endpoint Security will not
add the specified monitoring scope.
Use masks:
The * (asterisk) character, which takes the place of any set of characters, except the \ and /
characters (delimiters of the names of files and folders in paths to files and folders). For example,
the mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the
C: drive, but not in subfolders.
Two consecutive * characters take the place of any set of characters (including an empty set) in
the file or folder name, including the \ and / characters (delimiters of the names of files and folders
in paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to
files with the TXT extension located in folders nested within the Folder, except the Folder itself.
The mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
The ? (question mark) character, which takes the place of any single character, except the \ and /
characters (delimiters of the names of files and folders in paths to files and folders). For example,
the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder
that have the TXT extension and a name consisting of three characters.
Exclusions. Enter the path to the folder or file. Kaspersky Endpoint Security supports environment
variables and the * and ? characters when entering a mask. Exclusion entries have a higher priority than
monitoring scope entries.
7. Click OK.
A new rule is added to the list of monitoring rules. You can disable the monitoring rule without removing it
from the list of rules. To do so, set the toggle switch next to it to the o position.
Viewing system integrity information
Information about the results of File Integrity Monitor operation is displayed in the following ways:
Events in the Kaspersky Security Center Console and in the Kaspersky Endpoint Security
interface
Kaspersky Endpoint Security sends an event to Kaspersky Security Center if a change in les is detected. You can
configure the event selection to view events from the File Integrity Monitor component. For more details on event
selection settings, refer to the Kaspersky Security Center Help.
Kaspersky Endpoint Security interface provides a separate report for the File Integrity Monitor component.
Kaspersky Endpoint Security has event aggregation tools to reduce the number of File Integrity Monitor events.
Kaspersky Endpoint Security enables event aggregation in the following cases:
too frequent changes to a single object (more than five times per minute)
too frequent triggering of a single monitoring rule (more than 10 times per minute)
As a result, Kaspersky Endpoint Security creates separate events on object modi cations until the aggregation
tools are triggered. At this point, Kaspersky Endpoint Security enables event aggregation and creates a
corresponding event. Kaspersky Endpoint Security performs event aggregation for 24 hours (the aggregation
period) or until Kaspersky Endpoint Security is stopped. After restarting Kaspersky Endpoint Security or after the
aggregation period is over, the application generates special events: Report on an atypical event for the
aggregation period and Report on object change for the aggregation period. These reports contain information
about the start and the end of the aggregation period and the number of aggregated events.
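The aggregation behaviour described above, modelled as an added Python example (this is not Kaspersky's code, and the exact internal algorithm is not documented here): events flow through individually until one object changes more than five times in a minute or one rule fires more than 10 times in a minute, after which they are swallowed for 24 hours or until the application stops, and a report with the period's start, end and event count is produced. Which of the two special report names belongs to which trigger is an assumption, as is the use of a sliding one-minute window.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Thresholds as stated in the help: more than five changes to one object per minute,
# or more than 10 triggers of one rule per minute, switch on aggregation.
OBJECT_LIMIT_PER_MINUTE = 5
RULE_LIMIT_PER_MINUTE = 10
WINDOW_SECONDS = 60
AGGREGATION_PERIOD_SECONDS = 24 * 3600


@dataclass(frozen=True)
class FimEvent:
    ts: float   # seconds; events must be fed in chronological order
    rule: str   # monitoring rule name
    obj: str    # path of the changed object


@dataclass
class AggregationReport:
    # Assumed mapping: "object" -> Report on object change for the aggregation period,
    # "rule" -> Report on an atypical event for the aggregation period.
    kind: str
    key: str
    start: float
    end: float
    count: int  # events swallowed by this aggregation period


class FimEventAggregator:
    """feed() returns what an administrator would see for each incoming event:
    "event" (individual event), "aggregation_started" (the event announcing that
    aggregation began) or "aggregated" (swallowed into an open period)."""

    def __init__(self):
        self._history = {"object": defaultdict(deque), "rule": defaultdict(deque)}
        self._open = {}      # (kind, key) -> [start_ts, count]
        self.reports = []

    def _rate_exceeded(self, kind, key, ts, limit):
        hist = self._history[kind][key]
        hist.append(ts)
        while ts - hist[0] >= WINDOW_SECONDS:   # drop entries outside the sliding minute
            hist.popleft()
        return len(hist) > limit

    def _close(self, agg_key, end):
        start, count = self._open.pop(agg_key)
        self.reports.append(AggregationReport(agg_key[0], agg_key[1], start, end, count))

    def _expire(self, now):
        # An aggregation period ends 24 hours after it started.
        for agg_key, (start, _count) in list(self._open.items()):
            if now - start >= AGGREGATION_PERIOD_SECONDS:
                self._close(agg_key, start + AGGREGATION_PERIOD_SECONDS)

    def feed(self, ev):
        self._expire(ev.ts)
        keys = (("object", ev.obj), ("rule", ev.rule))
        open_keys = [k for k in keys if k in self._open]
        if open_keys:
            for k in open_keys:
                self._open[k][1] += 1
            return "aggregated"
        started = False
        if self._rate_exceeded("object", ev.obj, ev.ts, OBJECT_LIMIT_PER_MINUTE):
            self._open[("object", ev.obj)] = [ev.ts, 1]
            started = True
        if self._rate_exceeded("rule", ev.rule, ev.ts, RULE_LIMIT_PER_MINUTE):
            self._open[("rule", ev.rule)] = [ev.ts, 1]
            started = True
        return "aggregation_started" if started else "event"

    def stop(self, now):
        """Application stopped or restarted: every open period is reported now."""
        for agg_key in list(self._open):
            self._close(agg_key, now)


if __name__ == "__main__":
    # Constructed sample: one object rewritten seven times within seven seconds.
    agg = FimEventAggregator()
    for i in range(7):
        print(i, agg.feed(FimEvent(float(i), "Monitoring application A", "C:\\App\\config.ini")))
    agg.stop(7.0)
    print(agg.reports)
```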
When events with severity level Critical or Warning are received from File Integrity Monitor component,
Kaspersky Security Center changes the status of the computer to Critical or Warning .
Receiving computer status from a managed application (Device status defined by application condition)
should be enabled in Kaspersky Security Center in the lists of conditions that must be met to assign the
Critical or Warning status to a device. Conditions for assigning a status to a device are con gured in the
properties window of the administration group.
Computer status and all reasons for status changes are displayed in the list of devices of the administration group.
For more details on computer statuses, refer to the Kaspersky Security Center Help.
Top 10 devices with File Integrity Monitor / System Integrity Monitoring rules most frequently triggered.
Top 10 rules of File Integrity Monitor / System Integrity Monitoring that were triggered on devices most
frequently.
Cloud Discovery
Cloud Discovery is a component of the Cloud Access Security Broker (CASB) solution that protects the cloud
infrastructure of an organization. Cloud Discovery manages user access to cloud services. Cloud services include,
for example, Microsoft Teams, Salesforce, Microsoft Office 365. Cloud services are grouped in categories, for
example, Data exchange, Messengers, Email. Kaspersky experts regularly update the Cloud Discovery categories
and cloud services classified in the categories. Kaspersky Endpoint Security updates the set of categories and
cloud services with the application databases. This means that Cloud Discovery does not use the Kaspersky
Security Network for categorizing cloud services.
System requirements
Monitoring of user Internet activity is enabled. Prior to enabling user Internet activity monitoring, you must do
the following:
Inject a web page interaction script into web traffic. The script enables registration of Cloud Discovery
events. The script also provides full-featured blocking of access to cloud services. Without the script, the
application blocks access only by cloud service domains.
To get more accurate statistics of cloud services usage, you need to enable logging of data about visits to
allowed pages. The functionality includes grouping of events when a user visits web pages that belong to
the same domain. In this way, when a user uses a cloud service, Cloud Discovery logs only one event rather
than multiple events for each web page.
For HTTPS traffic monitoring, you need to enable encrypted connections scan.
When a user begins using a cloud service, Kaspersky Endpoint Security registers that event and creates an entry in
the report. Cloud Discovery controls cloud service usage in the browser as well as in corresponding applications.
Cloud Discovery controls cloud service usage over HTTP and HTTPS.
1. In the main window of the Web Console, select Devices → Policies & profiles.
As a result, the application forwards information about cloud services being used to Kaspersky Security
Center. You can view cloud service usage information in reports. If necessary, you can block access to
unwanted services.
The administrator can restrict user access to Cloud Discovery categories or individual cloud services. In this way,
the administrator can allow only secure cloud services and avoid data leaks. Risk level information is displayed for
each cloud service in Cloud Discovery. The risk level helps detect services that do not satisfy the security
requirements of the organization.
The risk level is an estimation and does not imply any statements about the quality of the cloud service or its
vendor. The risk level is simply a recommendation of Kaspersky experts.
Risk levels of cloud services are displayed in the Cloud Discovery section of the policy in the list of all controlled
cloud services.
Other Kaspersky Endpoint Security components provide protection from threats and tracking of suspicious user
activity when using cloud services.
Cloud Discovery does not block cloud applications that were started before Kaspersky Endpoint Security.
Blocking access to unwanted cloud services is available only for the Kaspersky Next EDR Foundations license.
1. In the main window of the Web Console, select Devices → Policies & profiles.
6. Use the toggle switch in the Access column to configure access to cloud services.
As a result, the application controls cloud service usage in the browser as well as in corresponding
applications.
Password protection
Multiple users with different levels of computer literacy can share a computer. If users have unrestricted access to
Kaspersky Endpoint Security and its settings, the overall level of computer protection may be reduced. Password
protection lets you restrict users' access to Kaspersky Endpoint Security according to the permissions granted to
them (for example, permission to exit the application).
If the user that started the Windows session (session user) has the permission to perform the action, Kaspersky
Endpoint Security does not request the user name and password or a temporary password. The user receives
access to Kaspersky Endpoint Security in accordance with the granted permissions.
If a session user does not have the permission to perform an action, the user can obtain access to the application
in the following ways:
When a user attempts to perform a password-protected action, Kaspersky Endpoint Security prompts the user
for the user name and password or temporary password (see the figure below).
In the password entry window, you can switch languages only by pressing ALT+SHIFT. Other shortcuts, even if
they are configured in the operating system, do not work for switching languages.
To access Kaspersky Endpoint Security, you should enter account credentials. Password protection supports the
following accounts:
KLAdmin. An Administrator account with unrestricted access to Kaspersky Endpoint Security. The KLAdmin
account has the right to perform any action that is password-protected. The permissions for the KLAdmin
account cannot be revoked. When you enable password protection, Kaspersky Endpoint Security prompts you
to set a password for the KLAdmin account.
Account added manually. An account outside the Active Directory domain. You can use this service account
instead of KLAdmin if you do not want to share the administrator password. You can set any user name and
password and configure individual permissions.
The Everyone group. A built-in Windows group that includes all users within the corporate network. Users in
the Everyone group can access the application according to the permissions that are granted to them.
Individual users or groups. User accounts for which you can configure individual permissions. For example, if an
action is blocked for the Everyone group, you can allow this action for an individual user or a group.
Session user. Account of the user who started the Windows session. You can switch to another session user
when prompted for a password (the Save password for current session check box). In this case, Kaspersky
Endpoint Security regards the user whose account credentials were entered as the session user instead of the
user who started the Windows session.
Temporary password
A temporary password can be used to grant temporary access to Kaspersky Endpoint Security for an individual
computer outside of the corporate network. The Administrator generates a temporary password for an individual
computer in the computer properties in Kaspersky Security Center. The Administrator selects the actions that will
be protected with the temporary password, and specifies the temporary password's validity period.
Kaspersky Endpoint Security decides whether to allow or block a password-protected action based on the
following algorithm (see the figure below).
3. Select the necessary policy and double-click to open the policy properties.
6. Use the Enable password protection check box to enable or disable the component.
8. This opens a window; in that window, click Password and set a password for the KLAdmin account.
The KLAdmin account has the right to perform any action that is password-protected.
If you forgot your KLAdmin account password, you can reset the password in policy properties.
10. Set permissions for all users within the corporate network:
b. In the window that was opened, select the check boxes next to the actions that users will be allowed to
perform without entering the password.
If a check box is cleared, the users are blocked from performing the action. For example, if the check
box next to the Exit the application permission is cleared, you can exit the application only if you are
logged in as KLAdmin, or as an individual user who has the required permission, or if you enter a
temporary password.
Password protection permissions have some important aspects to consider. Make sure that all
conditions for accessing Kaspersky Endpoint Security are fulfilled.
5. Under Password protection, use the Password protection toggle switch to enable or disable the
component.
6. Specify the password for the KLAdmin account and confirm it.
The KLAdmin account has the right to perform any action that is password-protected.
If you forgot your KLAdmin account password, you can reset the password in policy properties.
b. In the window that was opened, select the check boxes next to the actions that users will be allowed to
perform without entering the password.
If a check box is cleared, the users are blocked from performing the action. For example, if the check
box next to the Exit the application permission is cleared, you can exit the application only if you are
logged in as KLAdmin, or as an individual user who has the required permission, or if you enter a
temporary password.
Password protection permissions have some important aspects to consider. Make sure that all
conditions for accessing Kaspersky Endpoint Security are fulfilled.
1. In the main application window, click the button.
4. Specify the password for the KLAdmin account and confirm it.
The KLAdmin account has the right to perform any action that is password-protected.
If a computer is running under a policy, the Administrator can reset the password for the KLAdmin
account in the policy properties. If the computer is not connected to Kaspersky Security Center and
you have forgotten the password for the KLAdmin account, it is not possible to recover the password.
a. In the account table, click Edit to open the list of permissions for the Everyone group.
The Everyone group is a built-in Windows group that includes all users within the corporate network.
b. Select the check boxes next to the actions that users will be allowed to perform without entering the
password.
If a check box is cleared, the users are blocked from performing the action. For example, if the check
box next to the Exit the application permission is cleared, you can exit the application only if you are
logged in as KLAdmin, or as an individual user who has the required permission, or if you enter a
temporary password.
Password protection permissions have some important aspects to consider. Make sure that all
conditions for accessing Kaspersky Endpoint Security are fulfilled.
When password protection is enabled, the application will restrict users' access to Kaspersky Endpoint Security
according to the permissions granted to the Everyone group. You can perform the actions that are blocked for the
Everyone group only if you use the KLAdmin account, another account that is granted the required permissions, or
if you enter a temporary password.
You can disable Password protection only if you are logged in as KLAdmin. It is not possible to disable
password protection if you are using any other user account or a temporary password.
During the password check, you can select the Save password for current session check box. In this case,
Kaspersky Endpoint Security will not prompt for a password when a user attempts to perform another password-
protected action for the duration of the session.
Active Directory user accounts
You can grant Kaspersky Endpoint Security access to individual users or groups within the Active Directory
domain. For example, if exiting the application is blocked for the Everyone group, you can grant the Exit the
application permission to an individual user. As a result, you can exit the application only if you are logged in as that
user or as KLAdmin.
You can use account credentials to access the application only if the computer is in the domain. If the
computer is not in the domain, you can use the KLAdmin account or a temporary password.
You can create a user account that is not present in Active Directory and assign individual permissions to that user
account. That is, you can create a service user account and use it instead of KLAdmin. This way, you do not need to
share your KLAdmin password with other users or create new Active Directory user accounts. You can specify any
user name and password. For example, you can grant the View reports permission to the service user account. As
a result, if viewing reports is prohibited to the 'All' group, you can open the reports using the service user account
or the KLAdmin user account.
How to grant permissions to individual users or groups in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
7. Select the type of the user account that you want to add:
Custom user name and password for a manually added service user account.
To add a service user account, enter a user name and a password (for example, SecureAdmin).
You can reset a service user account password in the policy settings. The service user account
password must be reset in the same way as the KLAdmin password. If editing Password protection
settings is allowed (the "lock" is open) or no policy is applied on the computer, you can reset the
password of the service user account in the application interface. To do so, confirm the changes of
the service user account information using the KLAdmin password.
8. In the Permissions list, select the check boxes next to the actions that the selected user or group will be
allowed to perform without being prompted for a password.
If a check box is cleared, the users are blocked from performing the action. For example, if the check box
next to the Exit the application permission is cleared, you can exit the application only if you are logged in
as KLAdmin, or as an individual user who has the required permission, or if you enter a temporary password.
Password protection permissions have some important aspects to consider. Make sure that all
conditions for accessing Kaspersky Endpoint Security are fulfilled.
How to grant permissions to individual users or groups in Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
6. Select the type of the user account that you want to add:
Custom user name and password for a manually added service user account.
To add a service user account, enter a user name and a password (for example, SecureAdmin).
You can reset a service user account password in the policy settings. The service user account
password must be reset in the same way as the KLAdmin password. If editing Password protection
settings is allowed (the "lock" is open) or no policy is applied on the computer, you can reset the
password of the service user account in the application interface. To do so, confirm the changes of
the service user account information using the KLAdmin password.
7. In the Permissions list, select the check boxes next to the actions that the selected user or group will be
allowed to perform without being prompted for a password.
If a check box is cleared, the users are blocked from performing the action. For example, if the check box
next to the Exit the application permission is cleared, you can exit the application only if you are logged in
as KLAdmin, or as an individual user who has the required permission, or if you enter a temporary password.
Password protection permissions have some important aspects to consider. Make sure that all
conditions for accessing Kaspersky Endpoint Security are fulfilled.
How to grant permissions to individual users or groups in the user interface of the application
1. In the main application window, click the button.
4. Select the type of the user account that you want to add:
Custom user name and password for a manually added service user account.
To add a service user account, enter a user name and a password (for example, SecureAdmin).
You can reset a service user account password in the policy settings. The service user account
password must be reset in the same way as the KLAdmin password. If editing Password protection
settings is allowed (the "lock" is open) or no policy is applied on the computer, you can reset the
password of the service user account in the application interface. To do so, confirm the changes of
the service user account information using the KLAdmin password.
5. In the Permissions list, select the check boxes next to the actions that the selected user or group will be
allowed to perform without being prompted for a password.
If a check box is cleared, the users are blocked from performing the action. For example, if the check box
next to the Exit the application permission is cleared, you can exit the application only if you are logged in
as KLAdmin, or as an individual user who has the required permission, or if you enter a temporary password.
Password protection permissions have some important aspects to consider. Make sure that all
conditions for accessing Kaspersky Endpoint Security are fulfilled.
As a result, if access to the application is restricted for the Everyone group, users will be granted permissions to
access Kaspersky Endpoint Security according to the users' individual permissions.
How to allow a user to perform a blocked action using a temporary password through the Administration Console
(MMC)
1. Open the Kaspersky Security Center Administration Console.
2. In the Managed devices folder in the Administration Console tree, open the folder with the name of the
administration group to which the relevant client computers belong.
6. In the list of Kaspersky applications installed on the computer, select Kaspersky Endpoint Security for
Windows and double-click to open the application properties.
11. In the Expiration date field, specify the expiration date when the temporary password will expire.
12. In the Temporary password scope table, select the check boxes next to the actions that will be available
to the user after entering the temporary password.
How to allow a user to perform a blocked action using a temporary password through the Web Console and Cloud
Console
1. In the main window of the Web Console, select Devices → Managed devices.
2. Click the name of the computer on which you want to allow a user to perform a blocked action.
8. In the Expiration date field, specify the expiration date when the temporary password will expire.
9. In the Temporary password scope table, select the check boxes next to the actions that will be available
to the user after entering the temporary password.
Temporary password
If a user's computer is running under a policy, make sure that all the required settings in the policy are available for
editing (the attributes are open).
There are no special considerations or limitations.
It is not possible to grant the permission to disable protection components for the Everyone group. To allow
users other than KLAdmin to disable protection components, add a user or group that has the Disable protection
components permission in the Password Protection settings.
If a user's computer is running under a policy, make sure that all the required settings in the policy are available
for editing (the attributes are open).
To disable protection components in the application settings, a user must have the Configure application
settings permission.
To disable protection components from the context menu (by using the Pause protection menu item), a user
must have the Disable protection components permission in addition to the Disable control components
permission.
It is not possible to grant the permission to disable control components for the Everyone group. To allow users
other than KLAdmin to disable control components, add a user or group that has the Disable control
components permission in the Password Protection settings.
If a user's computer is running under a policy, make sure that all the required settings in the policy are available
for editing (the attributes are open).
To disable control components in the application settings, a user must have the Configure application settings
permission.
To disable control components from the context menu (by using the Pause protection menu item), a user must
have the Disable control components permission in addition to the Disable protection components
permission.
You cannot grant the "Everyone" group the permission to disable the Kaspersky Security Center policy. To allow
users other than KLAdmin to disable the policy, add a user or group that has the Disable Kaspersky Security
Center policy permission in the Password Protection settings.
Remove key
If you have allowed removing, modifying, and restoring the application for the "All" group, Kaspersky Endpoint
Security does not request a password when the user attempts to carry out these operations. Therefore, any user,
including users from outside the domain, can install, modify, or restore the application.
Restore access to data on encrypted drive
You can restore access to data on encrypted drives only if you are logged in as KLAdmin. Permission to perform
this action cannot be granted to any other user.
View reports
You can perform password-protected actions using a temporary password. In this case, you do not need to enter
KLAdmin credentials.
If the computer is not connected to Kaspersky Security Center and you have forgotten the password for the
KLAdmin account, it is not possible to recover the password.
How to reset the KLAdmin account password using the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
6. In the window that opens, clear the Enable password protection check box.
9. Click OK.
This opens the administrator password window.
10. Specify the new password for the KLAdmin account and confirm it.
How to reset the KLAdmin account password in Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Managed devices.
2. Select the computer for which you want to configure local application settings.
This opens the computer properties.
10. Specify the new password for the KLAdmin account and confirm it.
As a result, the password of your KLAdmin account is updated after the policy is applied.
Trusted zone
A trusted zone is a system administrator-configured list of objects and applications that Kaspersky Endpoint
Security does not monitor when active.
The administrator forms the trusted zone independently, taking into account the features of the objects that are
handled and the applications that are installed on the computer. It may be necessary to include objects and
applications in the trusted zone when Kaspersky Endpoint Security blocks access to a certain object or
application, if you are sure that the object or application is harmless. An administrator can also allow a user to
create their own local trusted zone for a specific computer. This way, users can create their own local lists of
exclusions and trusted applications in addition to the general trusted zone in a policy.
Starting with Kaspersky Endpoint Security 12.5 for Windows, you can add EDR telemetry to the trusted zone. This
makes it possible to optimize the data that the application sends to the Telemetry server for the Kaspersky Anti
Targeted Attack Platform (EDR) solution.
Scan exclusions make it possible to safely use legitimate software that can be exploited by criminals to damage the
computer or user data. Although they do not have any malicious functions, such applications can be exploited by
intruders. For details on legitimate software that could be used by criminals to harm the computer or personal data
of a user, please refer to the Kaspersky IT Encyclopedia website.
Such applications may be blocked by Kaspersky Endpoint Security. To prevent them from being blocked, you can
configure scan exclusions for the applications in use. To do so, add the name or name mask that is listed in the
Kaspersky IT Encyclopedia to the trusted zone. For example, you often use the Radmin application for remote
administration of computers. Kaspersky Endpoint Security regards this activity as suspicious and may block it. To
prevent the application from being blocked, create a scan exclusion with the name or name mask that is listed in
the Kaspersky IT Encyclopedia.
If an application that collects information and sends it to be processed is installed on your computer, Kaspersky
Endpoint Security may classify this application as malware. To avoid this, you can exclude the application from
scanning by configuring Kaspersky Endpoint Security as described in this document.
Scan exclusions can be used by the following application components and tasks that are con gured by the system
administrator:
Behavior Detection.
Exploit Prevention.
Kaspersky Endpoint Security does not scan an object if the drive or folder containing this object is included in
the scan scope at the start of one of the scan tasks. However, the scan exclusion is not applied when a
custom scan task is started for this particular object.
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
5. In the Scan exclusions and trusted applications block, click the Settings button.
7. Select the Merge values when inheriting check box if you want to create a consolidated list of exclusions
for all computers in the company. The lists of exclusions in the parent and child policies will be merged. The
lists will be merged provided that merging values when inheriting is enabled. Exclusions from the parent
policy are displayed in child policies in a read-only view. Changing or deleting exclusions of the parent policy
is not possible.
8. Select the Allow use of local exclusions check box if you want to enable the user to create a local list of
exclusions. This way, a user can create their own local list of exclusions in addition to the general list of
exclusions generated in the policy. An administrator can use Kaspersky Security Center to view, add, edit,
or delete list items in the computer properties.
If the check box is cleared, the user can access only the general list of exclusions generated in the policy.
Also, if this check box is cleared, Kaspersky Endpoint Security hides the consolidated list of scan exclusions
in the user interface of the application.
9. Click Add.
Exclusion settings
b. Click the link in the Scan exclusion description (click underlined items to edit them) block to open the
Name of file or folder window.
Select file or folder
a. Enter the file or folder name or the mask of the file or folder name, or select the file or folder in the
folder tree by clicking Browse.
Use masks:
The * (asterisk) character, which takes the place of any set of characters, except the \ and /
characters (delimiters of the names of files and folders in paths to files and folders). For example,
the mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the
C: drive, but not in subfolders.
Two consecutive * characters take the place of any set of characters (including an empty set) in
the file or folder name, including the \ and / characters (delimiters of the names of files and folders
in paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to
files with the TXT extension located in folders nested within the Folder, except the Folder itself.
The mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
The ? (question mark) character, which takes the place of any single character, except the \ and /
characters (delimiters of the names of files and folders in paths to files and folders). For example,
the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder
that have the TXT extension and a name consisting of three characters.
You can use masks at the beginning, in the middle or at the end of the file path. For example, if you want
to add a folder for all users to exclusions, enter the C:\Users\*\Folder\ mask.
Kaspersky Endpoint Security supports environment variables.
Kaspersky Endpoint Security does not support the %userprofile% environment variable when
generating a list of exclusions using the Kaspersky Security Center console. To apply the entry to
all user accounts, you can use the * character (for example, C:\Users\*\Documents\File.exe).
Whenever you add a new environment variable, you need to restart the application.
b. Click the link in the Scan exclusion description (click underlined items to edit them) block to open the
Object name window.
Select object
a. Enter the name of the object type according to the classification of the Kaspersky Encyclopedia (for
example, Email-Worm, Rootkit or RemoteAdmin).
You can use masks with the ? character (replaces any single character) and the * character (replaces
any number of characters). For example, if the Client* mask is specified, Kaspersky Endpoint Security
excludes Client-IRC, Client-P2P and Client-SMTP objects from scans.
b. Click the link in the Scan exclusion description (click underlined items to edit them) block to open the
Object hash window.
Select file
13. If necessary, in the Comment field, enter a brief comment on the scan exclusion that you are creating.
14. Specify the Kaspersky Endpoint Security components that should use the scan exclusion:
a. Click the link in the Scan exclusion description (click underlined items to edit them) block to open the
Protection components window.
b. Select the check boxes opposite the components to which the scan exclusion must be applied.
If the components are specified in the settings of the scan exclusion, this exclusion is applied only during
scanning by these components of Kaspersky Endpoint Security.
If the components are not specified in the settings of the scan exclusion, this exclusion is applied during
scanning by all components of Kaspersky Endpoint Security.
15. You can stop the exclusion at any time using the check box.
How to create a scan exclusion in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
Settings of exclusions
5. In the Scan exclusions and trusted applications block, click the Scan exclusions link.
6. Select the Merge values when inheriting check box if you want to create a consolidated list of exclusions
for all computers in the company. The lists of exclusions in the parent and child policies will be merged. The
lists will be merged provided that merging values when inheriting is enabled. Exclusions from the parent
policy are displayed in child policies in a read-only view. Changing or deleting exclusions of the parent policy
is not possible.
7. Select the Allow use of local exclusions check box if you want to enable the user to create a local list of
exclusions. This way, a user can create their own local list of exclusions in addition to the general list of
exclusions generated in the policy. An administrator can use Kaspersky Security Center to view, add, edit,
or delete list items in the computer properties.
If the check box is cleared, the user can access only the general list of exclusions generated in the policy.
Also, if this check box is cleared, Kaspersky Endpoint Security hides the consolidated list of scan exclusions
in the user interface of the application.
8. Click the Add button.
Exclusion settings
9. Select how you want to add the exclusion: File or folder, Object name or Object hash.
10. To exclude a file or folder from scan, enter the path manually. Kaspersky Endpoint Security supports
environment variables and the * and ? characters when entering a mask:
The * (asterisk) character, which takes the place of any set of characters, except the \ and /
characters (delimiters of the names of files and folders in paths to files and folders). For example, the
mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive,
but not in subfolders.
Two consecutive * characters take the place of any set of characters (including an empty set) in the
file or folder name, including the \ and / characters (delimiters of the names of files and folders in
paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files
with the TXT extension located in folders nested within the Folder, except the Folder itself. The
mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
The ? (question mark) character, which takes the place of any single character, except the \ and /
characters (delimiters of the names of files and folders in paths to files and folders). For example, the
mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have
the TXT extension and a name consisting of three characters.
You can use masks at the beginning, in the middle or at the end of the file path. For example, if you want
to add a folder for all users to exclusions, enter the C:\Users\*\Folder\ mask.
11. If you want to exclude a specific type of object from scans, in the Object name field enter the name of the
object type according to the classification of the Kaspersky Encyclopedia (for example, Email-Worm,
Rootkit or RemoteAdmin).
You can use masks with the ? character (replaces any single character) and the * character (replaces any
number of characters). For example, if the Client* mask is specified, Kaspersky Endpoint Security
excludes Client-IRC, Client-P2P and Client-SMTP objects from scans.
12. If you want to exclude an individual file from scans, enter the file hash in the Object hash field.
If the file is modified, the file hash will also be modified. If this happens, the modified file will not be added to
exclusions.
13. In the Protection components block, select the components that you want the scan exclusion to apply to.
14. If necessary, in the Comment field, enter a brief comment on the scan exclusion that you are creating.
15. You can use the toggle to stop an exclusion at any time.
1. In the main application window, click the button.
2. In the application settings window, select General settings → Exclusions and types of detected objects.
Kaspersky Endpoint Security hides the list of scan exclusions in the user interface of the application if
configuration of scan exclusions is blocked by the administrator in the console ("closed lock" symbol)
and local scan exclusions are prohibited (the Allow use of local exclusions check box is cleared).
Settings of exclusions
4. Click Add.
5. If you want to exclude a file or folder from scans, select the file or folder by clicking the Browse button.
You can also enter the path manually. Kaspersky Endpoint Security supports environment variables and the
* and ? characters when entering a mask:
The * (asterisk) character, which takes the place of any set of characters, except the \ and /
characters (delimiters of the names of files and folders in paths to files and folders). For example, the
mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive,
but not in subfolders.
Two consecutive * characters take the place of any set of characters (including an empty set) in the
file or folder name, including the \ and / characters (delimiters of the names of files and folders in
paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files
with the TXT extension located in folders nested within the Folder, except the Folder itself. The
mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
The ? (question mark) character, which takes the place of any single character, except the \ and /
characters (delimiters of the names of files and folders in paths to files and folders). For example, the
mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have
the TXT extension and a name consisting of three characters.
You can use masks at the beginning, in the middle or at the end of the file path. For example, if you want
to add a folder for all users to exclusions, enter the C:\Users\*\Folder\ mask.
6. If you want to exclude a specific type of object from scans, in the Object field enter the name of the
object type according to the classification of the Kaspersky Encyclopedia (for example, Email-Worm,
Rootkit or RemoteAdmin).
You can use masks with the ? character (replaces any single character) and the * character (replaces any
number of characters). For example, if the Client* mask is specified, Kaspersky Endpoint Security
excludes Client-IRC, Client-P2P and Client-SMTP objects from scans.
7. If you want to exclude an individual file from scans, enter the file hash in the File hash field.
If the file is modified, the file hash will also be modified. If this happens, the modified file will not be added to
exclusions.
8. In the Protection components block, select the components that you want the scan exclusion to apply to.
9. If necessary, in the Comment field, enter a brief comment on the scan exclusion that you are creating.
List of exclusions
Path mask examples:
Paths to files located in any folder:
The mask *.exe will include all paths to files that have the exe extension.
The mask example* will include all paths to files named EXAMPLE.
The C:\dir\*.* mask will include all paths to files located in the C:\dir\ folder, but not in the subfolders of
C:\dir\.
The mask C:\dir\* will include all paths to files located in the C:\dir\ folder, including subfolders.
The mask C:\dir\ will include all paths to files located in the C:\dir\ folder, including subfolders.
The mask C:\dir\*.exe will include all paths to files with the EXE extension located in the C:\dir\ folder,
but not in the subfolders of C:\dir\.
The mask C:\dir\test will include all paths to files named "test" located in the C:\dir\ folder, but not in
the subfolders of C:\dir\.
The mask C:\dir\*\test will include all paths to files named "test" located in the C:\dir\ folder and in the
subfolders of C:\dir\.
The mask C:\dir1\*\dir3\ will include all paths to files in dir3 subfolders one level into the C:\dir1\
folder.
The mask C:\dir1\**\dirN\ will include all paths to files in dirN subfolders in the C:\dir1\ folder at any
level.
The mask dir\*.* will include all paths to files in folders named "dir", but not in the subfolders of those
folders.
The mask dir\* will include all paths to files in folders named "dir", but not in the subfolders of those
folders.
The mask dir\ will include all paths to files in folders named "dir", but not in the subfolders of those
folders.
The mask dir\*.exe will include all paths to files with the EXE extension in folders named "dir", but not in
the subfolders of those folders.
The mask dir\test will include all paths to files named "test" in folders named "dir", but not in the
subfolders of those folders.
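Worked example for the mask rules described in this section (the *, ** and ? characters, masks placed at the beginning, middle or end of a path, object-name masks such as Client*, and the same path masks that are entered later for trusted applications). This is added code and is not part of the Kaspersky help or of the product: a small Python model that turns a mask into a regular expression and runs it over constructed sample paths. It assumes that ** stands for one or more whole folder levels (which is what makes C:\Folder\**\*.txt skip the Folder itself) and that a mask ending in a separator covers everything beneath that folder, as in the C:\Users\*\Folder\ example. The environment-variable map and the sample paths are constructed, and the product's engine may treat edge cases the help does not spell out differently.

```python
r"""Model of the scan-exclusion mask rules: *, ** and ? in file paths and object names.

Added example, not the product's matcher. Rules implemented as the help describes them:
  *   any run of characters except the path separators \ and /
  **  one or more whole nested folder levels (C:\Folder\**\*.txt covers files below Folder
      but not Folder itself); must be a whole path segment followed by a separator, with at
      least one folder before it, so C:\**\*.txt is rejected (assumed reading of the rule)
  ?   any single character except \ and /
A mask without a drive letter or leading separator may sit anywhere in the path. A mask ending
in a separator names a folder and covers everything beneath it. Matching is case-insensitive.
"""
import re
from typing import Dict, List, Optional

SEP = r"[\\/]"        # either path delimiter
NOT_SEP = r"[^\\/]"   # any character that is not a delimiter
_DRIVE = re.compile(r"[A-Za-z]:")


def expand_env(mask: str, env: Dict[str, str]) -> str:
    """Expand %NAME% references from the supplied map (a constructed stand-in for the real
    environment, looked up case-insensitively). Unknown names raise instead of silently
    turning into a literal path component."""
    def repl(m):
        wanted = m.group(1).lower()
        for name, value in env.items():
            if name.lower() == wanted:
                return value   # returned text is inserted literally, backslashes included
        raise KeyError(f"unknown environment variable %{m.group(1)}%")
    return re.sub(r"%([^%\\/]+)%", repl, mask)


def validate_mask(mask: str) -> None:
    """Raise ValueError for masks that break the ** rule."""
    if not mask:
        raise ValueError("empty mask")
    segments = re.split(SEP, mask)
    for i, seg in enumerate(segments):
        if "**" not in seg:
            continue
        if seg != "**":
            raise ValueError(f"{mask!r}: ** must be a whole path segment")
        if not [s for s in segments[:i] if s and not _DRIVE.fullmatch(s)]:
            raise ValueError(f"{mask!r}: ** needs at least one nesting level before it")
        if i == len(segments) - 1:
            raise ValueError(f"{mask!r}: ** must be followed by a separator")


def is_valid_mask(mask: str) -> bool:
    try:
        validate_mask(mask)
        return True
    except ValueError:
        return False


def mask_to_regex(mask: str):
    """Translate a validated mask into an anchored, case-insensitive regular expression."""
    validate_mask(mask)
    anchored = bool(re.match(r"[A-Za-z]:" + SEP, mask)) or mask[0] in "\\/"
    parts: List[str] = []
    i = 0
    while i < len(mask):
        if mask.startswith("**", i):
            parts.append(f"(?:{NOT_SEP}+{SEP})+")   # one or more complete folder levels
            i += 3                                 # skip "**" and the separator after it
            continue
        ch = mask[i]
        if ch == "*":
            parts.append(NOT_SEP + "*")
        elif ch == "?":
            parts.append(NOT_SEP)
        elif ch in "\\/":
            parts.append(SEP)
        else:
            parts.append(re.escape(ch))
        i += 1
    body = "".join(parts)
    if mask[-1] in "\\/":
        body += ".*"                               # folder mask: everything beneath it
    prefix = "" if anchored else f"(?:.*{SEP})?"   # relative masks may sit anywhere in the path
    return re.compile("^" + prefix + body + "$", re.IGNORECASE)


def mask_matches(mask: str, path: str) -> bool:
    return mask_to_regex(mask).match(path) is not None


def filter_paths(mask: str, paths: List[str], env: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the paths the (environment-expanded) mask would exclude from scanning."""
    rx = mask_to_regex(expand_env(mask, env or {}))
    return [p for p in paths if rx.match(p)]


# Constructed sample data; none of it comes from a real system.
SAMPLE_ENV = {"ProgramFiles": r"C:\Program Files"}
SAMPLE_PATHS = [
    r"C:\Folder\abc.txt", r"C:\Folder\abcd.txt", r"C:\Folder\sub\deep.txt",
    r"C:\Users\alice\Folder\notes.docx", r"C:\Users\alice\Folder\old\notes.docx",
    r"C:\Users\bob\Documents\File.exe", r"C:\Program Files\App\helper.dll",
    r"C:\dir\test", r"C:\dir\sub\test",
]

if __name__ == "__main__":
    for m in (r"C:\*\*.txt", r"C:\Folder\**\*.txt", r"C:\Folder\???.txt",
              "C:\\Users\\*\\Folder\\", "*.exe", r"%ProgramFiles%\App\*.dll"):
        print(f"{m:30} -> {filter_paths(m, SAMPLE_PATHS, SAMPLE_ENV)}")
    print("C:\\**\\*.txt is valid:", is_valid_mask("C:\\**\\*.txt"))
```

Running the script lists which sample paths each mask covers; filter_paths and is_valid_mask are the entry points, and the validator rejects C:\**\*.txt for the reason the help gives (no nesting level before **). A practical check before committing an exclusion to a policy is to run the intended mask over a listing of the real folder tree and confirm that it does not also cover paths that should stay under scanning, since an over-broad mask removes those paths from all selected protection components.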
2. In the application settings window, select General settings → Exclusions and types of detected objects.
3. In the Types of detected objects block, select check boxes opposite the types of objects that you want
Kaspersky Endpoint Security to detect:
Subcategory: viruses and worms (Viruses_and_Worms)
Classic viruses and worms perform actions that are not authorized by the user. They can create copies
of themselves which are able to self-replicate.
Classic virus
When a classic virus infiltrates a computer, it infects a file, activates, performs malicious actions, and
adds copies of itself to other files.
A classic virus multiplies only on local resources of the computer; it cannot penetrate other computers
on its own. It can be passed to another computer only if it adds a copy of itself to a file that is stored in
a shared folder or on an inserted CD, or if the user forwards an email message with an attached
infected file.
Classic virus code can penetrate various areas of computers, operating systems, and applications.
Depending on the environment, viruses are divided into file viruses, boot viruses, script viruses, and
macro viruses.
Viruses can infect files by using a variety of techniques. Overwriting viruses write their code over the
code of the file that is infected, thus erasing the file's content. The infected file stops functioning and
cannot be restored. Parasitic viruses modify files, leaving them fully or partially functional. Companion
viruses do not modify files, but instead create duplicates. When an infected file is opened, a duplicate
of it (what is actually a virus) is started. The following types of viruses are also encountered: link viruses,
OBJ viruses, LIB viruses, source code viruses, and many others.
Worm
As with a classic virus, the code of a worm is activated and performs malicious actions after it infiltrates
a computer. Worms are so named because of their ability to "crawl" from one computer to another and
to spread copies via numerous data channels without the user's permission.
The main feature that allows differentiating between various types of worms is the way they spread.
The following table provides an overview of various types of worms, which are classified by the way in
which they spread.
IRC-Worm (Internet chat worms): They spread via Internet Relay Chats, service systems which allow
communicating with other people over the Internet in real time. These worms publish a file with a copy of
themselves or a link to the file in an Internet chat. When the user downloads and opens the file, the worm
activates.
Worms that do not use any of the methods described in the previous table to spread (for example, those
that spread over cell phones).
Subcategory: Trojans
Unlike worms and viruses, Trojans do not self-replicate. For example, they penetrate a computer via
email or a browser when the user visits an infected web page. Trojans are started with the user's
participation. They begin performing their malicious actions right after they are started.
Different Trojans behave differently on infected computers. The main functions of Trojans consist in
blocking, modifying, or destroying information, and disabling computers or networks. Trojans can also
receive or send files, run them, display messages on the screen, request web pages, download and
install programs, and restart the computer.
Trojan-ArcBomb (Trojans "archive bombs"): When unpacked, these archives grow in size to such an extent
that the computer's operation is impacted. When the user attempts to unpack such an archive, the
computer may slow down or freeze; the hard disk may become filled with "empty" data. "Archive bombs"
are especially dangerous to file and mail servers. If the server uses an automatic system to process
incoming information, an "archive bomb" may halt the server.
Backdoor (Trojans for remote administration): They are considered the most dangerous type of Trojan.
In their functions, they are similar to remote administration applications that are installed on computers.
These programs install themselves on the computer without being noticed by the user, allowing the
intruder to manage the computer remotely.
Trojan-Ransom (Ransom Trojans): They take the user's information "hostage", modifying or blocking it,
or impact the computer's operation so that the user loses the ability to use information. The intruder
demands a ransom from the user, promising to send an application to restore the computer's performance
and the data that had been stored on it.
Trojan-Clicker (Trojan clickers): They access web pages from the user's computer, either by sending
commands to a browser on their own or by changing the web addresses that are specified in operating
system files. By using these programs, intruders perpetrate network attacks and increase website visits,
increasing the number of displays of banner ads.
Trojan-Downloader (Trojan downloaders): They access the intruder's web page, download other malicious
applications from it, and install them on the user's computer. They can contain the file name of the
malicious application to download, or receive it from the web page that is accessed.
Trojan-Dropper (Trojan droppers): They contain other Trojans, which they write to the hard drive and then
install. Intruders may use Trojan Dropper-type programs for the following goals:
Trojan-Proxy (Trojan proxies): They allow the intruder to anonymously access web pages by using the
user's computer; they are often used for sending spam.
Trojan-Spy (Trojan spies): They spy on the user, collecting information about the actions that the user
makes while working at the computer. They may intercept the data that the user enters at the keyboard,
take screenshots, or collect lists of active applications. After they receive the information, they transfer
it to the intruder by email, via FTP, by accessing the intruder's web page, or in another way.
Trojan-DDoS (Trojan network attackers): They send numerous requests from the user's computer to a
remote server. The server lacks resources to process all requests, so it stops functioning (Denial of
Service, or simply DoS). Hackers often infect many computers with these programs so that they can use
the computers to attack a single server simultaneously. DoS programs perpetrate an attack from a single
computer with the user's knowledge. DDoS (Distributed DoS) programs perpetrate distributed attacks
from several computers without being noticed by the user of the infected computer.
Trojan-IM (Trojans that steal information from users of IM clients): They steal account numbers and
passwords of IM client users. They transfer the data to the intruder by email, via FTP, by accessing the
intruder's web page, or in another way.
Rootkit (Rootkits): They mask other malicious applications and their activity, thus prolonging the
applications' persistence in the operating system. They can also conceal files, processes in an infected
computer's memory, or registry keys which run malicious applications. The rootkits can mask data
exchange between applications on the user's computer and other computers on the network.
Trojan-SMS (Trojans in the form of SMS messages): They infect cell phones, sending SMS messages to
premium-rate phone numbers.
Trojan-GameThief (Trojans that steal information from users of online games): They steal account
credentials from users of online games, after which they send the data to the intruder by email, via FTP,
by accessing the intruder's web page, or in another way.
Trojan-Banker (Trojans that steal bank accounts): They steal bank account data or e-money system data;
send the data to the hacker by email, via FTP, by accessing the hacker's web page, or by using another
method.
Trojan-Mailfinder (Trojans that collect email addresses): They collect email addresses that are stored on
a computer and send them to the intruder by email, via FTP, by accessing the intruder's web page, or in
another way. Intruders may send spam to the addresses they have collected.
Malicious tools
Subcategory: Malicious tools
Unlike other types of malware, malicious tools do not perform their actions right after they are started.
They can be safely stored and started on the user's computer. Intruders often use the features of
these programs to create viruses, worms, and Trojans, perpetrate network attacks on remote servers,
hack computers, or perform other malicious actions.
Various features of malicious tools are grouped by the types that are described in the following table.
Constructor (Constructors): They allow creating new viruses, worms, and Trojans. Some constructors
boast a standard window-based interface in which the user can select the type of malicious application
to create, the way of counteracting debuggers, and other features.
DoS (Network attacks): They send numerous requests from the user's computer to a remote server. The
server lacks resources to process all requests, so it stops functioning (Denial of Service, or simply DoS).
Flooder (Programs for "contaminating" networks): They send numerous messages over network channels.
This type of tools includes, for example, programs that contaminate Internet Relay Chats. Flooder-type
tools do not include programs that "contaminate" channels that are used by email, IM clients, and mobile
communication systems. These programs are distinguished as separate types that are described in the
table (Email-Flooder, IM-Flooder, and SMS-Flooder).
HackTool (Hacking tools): They make it possible to hack the computer on which they are installed or
attack another computer (for example, by adding new system accounts without the user's permission or
by erasing system logs to conceal traces of their presence in the operating system). This type of tools
includes some sniffers which feature malicious functions, such as password interception. Sniffers are
programs that allow viewing network traffic.
Hoax (Hoaxes): They alarm the user with virus-like messages: they may "detect a virus" in an uninfected
file or notify the user that the disk has been formatted, although this has not happened in reality.
Spoofer (Spoofing tools): They send messages and network requests with a fake address of the sender.
Intruders use Spoofer-type tools to pass themselves off as the true senders of messages, for example.
VirTool (Tools that modify malicious applications): They allow modifying other malware programs,
concealing them from anti-virus applications.
Email-Flooder (Programs that "contaminate" email addresses): They send numerous messages to various
email addresses, thus "contaminating" them. A large volume of incoming messages prevents users from
viewing useful messages in their inboxes.
IM-Flooder (Programs that "contaminate" traffic of IM clients): They flood users of IM clients with
messages. A large volume of messages prevents users from viewing useful incoming messages.
SMS-Flooder (Programs that "contaminate" traffic with SMS messages): They send numerous SMS
messages to cell phones.
Adware
Adware displays advertising information to the user. Adware programs display banner ads in the
interfaces of other programs and redirect search queries to advertising web pages. Some of them
collect marketing information about the user and send it to the developer: this information may include
the names of the websites that are visited by the user or the content of the user's search queries.
Unlike Trojan-Spy–type programs, adware sends this information to the developer with the user's
permission.
Auto-dialers
Legitimate software that can be used by intruders to damage your computer or personal data
Subcategory: legal software that may be used by criminals to damage your computer or personal data.
Most of these applications are useful, so many users run them. These applications include IRC clients,
auto-dialers, file download programs, computer system activity monitors, password utilities, and
Internet servers for FTP, HTTP, and Telnet.
However, if intruders gain access to these programs, or if they plant them on the user's computer, some
of the application's features may be used to violate security.
These applications differ by function; their types are described in the following table.
Client-IRC (Internet chat clients): Users install these programs to talk to people in Internet Relay Chats.
Intruders use them to spread malware.
Dialer (Auto-dialers): They can establish phone connections over a modem in hidden mode.
Downloader (Programs for downloading): They can download files from web pages in hidden mode.
Monitor (Programs for monitoring): They allow monitoring activity on the computer on which they are
installed (seeing which applications are active and how they exchange data with applications that are
installed on other computers).
Server-FTP (FTP servers): They function as FTP servers. Intruders implant them on the user's computer
to open remote access to it via FTP.
Server-Proxy (Proxy servers): They function as proxy servers. Intruders implant them on the user's
computer to send spam under the user's name.
Server-Telnet (Telnet servers): They function as Telnet servers. Intruders implant them on the user's
computer to open remote access to it via Telnet.
Server-Web (Web servers): They function as web servers. Intruders implant them on the user's computer
to open remote access to it via HTTP.
RiskTool (Tools for working at a local computer): They provide the user with additional options when
working at the user's own computer. The tools allow the user to hide files or windows of active
applications and terminate active processes.
NetTool (Network tools): They provide the user with additional options when working with other
computers on the network. These tools allow restarting them, detecting open ports, and starting
applications that are installed on the computers.
Client-P2P (P2P network clients): They allow working on peer-to-peer networks. They can be used by
intruders for spreading malware.
Client-SMTP (SMTP clients): They send email messages without the user's knowledge. Intruders implant
them on the user's computer to send spam under the user's name.
WebToolbar (Web toolbars): They add toolbars to the interfaces of other applications to use search
engines.
Multi-packed objects
Kaspersky Endpoint Security scans compressed objects and the unpacker module within SFX
(self-extracting) archives.
To hide dangerous programs from anti-virus applications, intruders archive them by using special
packers or create multi-packed files.
Kaspersky virus analysts have identified packers that are the most popular amongst hackers.
If Kaspersky Endpoint Security detects such a packer in a file, the file most likely contains a malicious
application or an application that can be used by criminals to cause harm to your computer or personal
data.
Packed files that may cause harm – used for packing malware, such as viruses, worms, and Trojans.
Multi-packed files (medium threat level) – the object has been packed three times by one or more
packers.
The list of trusted applications is a list of applications whose file and network activity (including malicious activity)
and access to the system registry are not monitored by Kaspersky Endpoint Security. By default, Kaspersky
Endpoint Security monitors objects that are opened, executed, or saved by any application process and controls
the activity of all applications and network traffic that is generated by them. After an application is added to the
list of trusted applications, Kaspersky Endpoint Security stops monitoring the application's activity.
The difference between scan exclusions and trusted applications is that for exclusions Kaspersky Endpoint
Security does not scan files, while for trusted applications it does not control the initiated processes. If a trusted
application creates a malicious file in a folder which is not included in scan exclusions, Kaspersky Endpoint Security
will detect the file and eliminate the threat. If the folder is added to exclusions, Kaspersky Endpoint Security will
skip this file.
For example, if you consider objects that are used by the standard Microsoft Windows Notepad application to be
safe, meaning that you trust this application, you can add Microsoft Windows Notepad to the list of trusted
applications so that the objects used by this application are not monitored. This will increase computer
performance, which is especially important when using server applications.
In addition, certain actions that are classified by Kaspersky Endpoint Security as suspicious may be safe within the
context of the functionality of a number of applications. For example, the interception of text that is typed from
the keyboard is a routine process for automatic keyboard layout switchers (such as Punto Switcher). To take
account of the specifics of such applications and exclude their activity from monitoring, we recommend that you
add such applications to the trusted applications list.
Trusted applications help to avoid compatibility issues between Kaspersky Endpoint Security and other
applications (for example, the problem of double-scanning of the network traffic of a third-party computer by
Kaspersky Endpoint Security and by another anti-virus application).
At the same time, the executable file and process of the trusted application are still scanned for viruses and other
malware. An application can be fully excluded from Kaspersky Endpoint Security scanning by means of scan
exclusions.
How to add an application to the trusted list in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
5. In the Scan exclusions and trusted applications block, click the Settings button.
7. Select the Merge values when inheriting check box if you want to create a consolidated list of trusted
applications for all computers in the company. The lists of trusted applications in the parent and child
policies will be merged. The lists will be merged provided that merging values when inheriting is enabled.
Trusted applications from the parent policy are displayed in child policies in a read-only view. Changing or
deleting trusted applications of the parent policy is not possible.
8. Select the Allow use of local trusted applications check box if you want to enable the user to create a
local list of trusted applications. This way, a user can create their own local list of trusted applications in
addition to the general list of trusted applications generated in the policy. An administrator can use
Kaspersky Security Center to view, add, edit, or delete list items in the computer properties.
If the check box is cleared, the user can access only the general list of trusted applications generated in
the policy. Also, if this check box is cleared, Kaspersky Endpoint Security hides the consolidated list of
trusted applications in the user interface of the application.
9. Click Add.
10. In the window that opens, enter the path to the executable file of the trusted application (see the figure
below).
Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a
mask.
Kaspersky Endpoint Security does not support the %userprofile% environment variable when
generating a list of trusted applications on the Kaspersky Security Center console. To apply the entry
to all user accounts, you can use the * character (for example, C:\Users\*\Documents\File.exe).
Whenever you add a new environment variable, you need to restart the application.
Trusted application settings
11. Configure the advanced settings for the trusted application (see the table below).
12. You can use the check box to exclude an application from the trusted zone at any time (see the figure
below).
How to add an application to the trusted list in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
Settings of exclusions
5. In the Scan exclusions and trusted applications block, click the Trusted applications link.
This opens a window containing a list of trusted applications.
6. Select the Merge values when inheriting check box if you want to create a consolidated list of trusted
applications for all computers in the company. The lists of trusted applications in the parent and child
policies will be merged. The lists will be merged provided that merging values when inheriting is enabled.
Trusted applications from the parent policy are displayed in child policies in a read-only view. Changing or
deleting trusted applications of the parent policy is not possible.
7. Select the Allow use of local trusted applications check box if you want to enable the user to create a
local list of trusted applications. This way, a user can create their own local list of trusted applications in
addition to the general list of trusted applications generated in the policy. An administrator can use
Kaspersky Security Center to view, add, edit, or delete list items in the computer properties.
If the check box is cleared, the user can access only the general list of trusted applications generated in
the policy. Also, if this check box is cleared, Kaspersky Endpoint Security hides the consolidated list of
trusted applications in the user interface of the application.
9. In the window that opens, enter the path to the executable file of the trusted application (see the figure
below).
Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a
mask.
Kaspersky Endpoint Security does not support the %userprofile% environment variable when
generating a list of trusted applications on the Kaspersky Security Center console. To apply the entry
to all user accounts, you can use the * character (for example, C:\Users\*\Documents\File.exe).
Whenever you add a new environment variable, you need to restart the application.
10. Configure the advanced settings for the trusted application (see the table below).
11. You can use the check box to exclude an application from the trusted zone at any time (see the figure
below).
How to add an application to the trusted list in the application interface
1. In the main application window, click the button.
2. In the application settings window, select General settings → Exclusions and types of detected objects.
Kaspersky Endpoint Security hides the consolidated list of trusted applications in the user interface
of the application if configuration of trusted applications is blocked by the administrator in the
console ("closed lock" symbol) and local trusted applications are prohibited (the Allow use of local
trusted applications check box is cleared).
Settings of exclusions
Kaspersky Endpoint Security supports environment variables and converts the path in the local
interface of the application. In other words, if you enter the file path
%userprofile%\Documents\File.exe, a C:\Users\Fred123\Documents\File.exe record is
added in the local interface of the application for user Fred123. Accordingly, Kaspersky Endpoint Security
ignores the File.exe trusted program for other users. To apply the entry to all user accounts, you
can use the * character (for example, C:\Users\*\Documents\File.exe).
Whenever you add a new environment variable, you need to restart the application.
6. In the trusted application properties window, configure the advanced settings.
7. You can use the toggle to exclude an application from the trusted zone at any time (see the figure below).
Trusted application settings (Parameter: Description)
Do not scan files before opening: All files that are opened by the application are excluded from scans by Kaspersky
Endpoint Security. For example, if you are using applications to back up files, this feature helps reduce the
consumption of resources by Kaspersky Endpoint Security.
Do not monitor application activity: Kaspersky Endpoint Security will not monitor the application's file and network
activity in the operating system. You can configure application activity monitoring for different components of
Kaspersky Endpoint Security:
Do not monitor for protection and control components. Application activity is monitored by the following
components: Behavior Detection, Exploit Prevention, Host Intrusion Prevention, Remediation Engine and Firewall.
Do not monitor for Managed Detection and Response and Endpoint Detection and Response. Application activity
is monitored by the built-in MDR agent and the built-in EDR (KATA) agent.
Do not intercept console interactive input for Endpoint Detection and Response. Kaspersky Endpoint Security
does not send telemetry data about managing the application on the console. Telemetry data is used by
Kaspersky Anti Targeted Attack Platform (EDR).
Do not inherit restrictions from the parent process (application): The restrictions configured for the parent process
will not be applied by Kaspersky Endpoint Security to a child process. The parent process is started by an
application for which application rights (Host Intrusion Prevention) and application network rules (Firewall) are
configured.
Do not monitor child application activity: Kaspersky Endpoint Security will not monitor the file activity or network
activity of applications that are started by this application. You can apply the exclusion recursively, so that the
application does not monitor the activity of the entire chain of child applications.
Allow interaction with the application interface: Kaspersky Endpoint Security Self-Defense blocks all attempts to
manage application services from a remote computer. If the check box is selected, the remote access application
is allowed to manage Kaspersky Endpoint Security settings through the Kaspersky Endpoint Security interface.
Do not block interaction with AMSI Protection component: Kaspersky Endpoint Security will not monitor the trusted
application's requests for objects to be scanned by the AMSI Protection component.
Do not scan network traffic: Network traffic initiated by the application will be excluded from scans by Kaspersky
Endpoint Security. You can exclude either all traffic or only encrypted traffic from scans. You can also exclude
individual IP addresses and port numbers from scans.
Comment: If necessary, you can provide a brief comment for the trusted application. Comments help simplify
searches and sorting of trusted applications.
Inactive status means that the application is excluded from the trusted zone.
If creating a local trusted zone is allowed by an administrator, the user can add their own scan exclusions and
trusted applications in the user interface of the application. At the same time, the user does not have permissions
to modify or delete objects from the trusted zone configured in the policy. The administrator can also view, add,
modify, or delete list items in the Kaspersky Security Center console if exclusions need to be added for an
individual computer.
Kaspersky Endpoint Security hides the lists of scan exclusions and trusted applications in the user interface of
the application if configuration of the trusted zone is blocked by the administrator in the console ("closed lock"
symbol) and local scan exclusions and trusted applications are prohibited.
How to add an object to the local trusted zone in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
2. In the Managed devices folder in the Administration Console tree, open the folder with the name of the
administration group to which the relevant client computers belong.
6. In the list of Kaspersky applications installed on the computer, select Kaspersky Endpoint Security for
Windows and double-click to open the application properties.
8. In the Scan exclusions and trusted applications → Local scan exclusions block, click the Settings
button.
This opens a window containing a list of local exclusions.
10. In the Scan exclusions and trusted applications → Local trusted applications block, click the Settings
button.
This opens a window containing a list of local trusted applications.
11. Make a list of local trusted applications.
Rules for adding applications to the list of local trusted applications are the same as the rules for adding
them to the general list. Kaspersky Endpoint Security supports environment variables and the * and ?
characters when entering a mask.
How to add an object to the local trusted zone in Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Managed devices.
2. Click the name of the computer on which you want to allow a user to perform a blocked action.
6. In the application settings window, select General settings → Exclusions and types of detected objects.
7. In the Scan exclusions and trusted applications block, click the Local scan exclusions link.
9. In the Scan exclusions and trusted applications block, click the Local trusted applications link.
1. In the main application window, click the button.
2. In the application settings window, select General settings → Exclusions and types of detected objects.
Kaspersky Endpoint Security hides the list of scan exclusions in the user interface of the application if
configuration of scan exclusions is blocked by the administrator in the console ("closed lock" symbol)
and local scan exclusions are prohibited (the Allow use of local exclusions check box is cleared).
Settings of exclusions
4. Click Add.
5. If you want to exclude a file or folder from scans, select the file or folder by clicking the Browse button.
You can also enter the path manually. Kaspersky Endpoint Security supports environment variables and the
* and ? characters when entering a mask:
The * (asterisk) character, which takes the place of any set of characters, except the \ and /
characters (delimiters of the names of files and folders in paths to files and folders). For example, the
mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive,
but not in subfolders.
Two consecutive * characters take the place of any set of characters (including an empty set) in the
file or folder name, including the \ and / characters (delimiters of the names of files and folders in
paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files
with the TXT extension located in folders nested within the Folder, except the Folder itself. The
mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
The ? (question mark) character, which takes the place of any single character, except the \ and /
characters (delimiters of the names of files and folders in paths to files and folders). For example, the
mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have
the TXT extension and a name consisting of three characters.
You can use masks at the beginning, in the middle or at the end of the file path. For example, if you want
to add a folder for all users to exclusions, enter the C:\Users\*\Folder\ mask.
6. If you want to exclude a specific type of object from scans, in the Object field enter the name of the
object type according to the classification of the Kaspersky Encyclopedia (for example, Email-Worm,
Rootkit or RemoteAdmin).
You can use masks with the ? character (replaces any single character) and the * character (replaces any
number of characters). For example, if the Client* mask is specified, Kaspersky Endpoint Security
excludes Client-IRC, Client-P2P and Client-SMTP objects from scans.
7. If you want to exclude an individual file from scans, enter the file hash in the File hash field.
If the file is modified, the file hash will also be modified. If this happens, the modified file will not be added to
exclusions.
8. In the Protection components block, select the components that you want the scan exclusion to apply to.
9. If necessary, in the Comment field, enter a brief comment on the scan exclusion that you are creating.
List of exclusions
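As an added example that is not Kaspersky's own code, the following Python module implements the mask rules described in step 5 above (*, ** and ?, with ** rejected unless it sits at least one nesting level below the root), so an administrator can check which paths an exclusion would actually cover before deploying it. It assumes Windows-style case-insensitive matching and treats a mask ending in a delimiter as covering the folder's whole subtree; the sample paths are constructed.

```python
import re

# Added example, not Kaspersky's code: a matcher for the scan-exclusion path
# masks described in the help. Assumptions are marked where they apply.

DELIM = r"[\\/]"        # \ or / separate the names of files and folders
NOT_DELIM = r"[^\\/]"   # any single character that is not a delimiter


class InvalidMaskError(ValueError):
    """Raised for a mask that violates the ** nesting rule."""


def _check_double_star(mask: str) -> None:
    """Reject masks where ** is not preceded by at least one folder name.

    Per the help, C:\\**\\*.txt is not valid: the ** must sit at least one
    nesting level below the root, whereas C:\\Folder\\**\\*.txt is fine.
    """
    for hit in re.finditer(r"\*\*", mask):
        head = re.sub(r"[\\/]+$", "", mask[: hit.start()])
        if not re.search(r"[\\/][^\\/]+$", head):
            raise InvalidMaskError(f"** needs at least one nesting level: {mask}")


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """Translate a KES-style path mask into a compiled regular expression.

    *   any run of characters except \\ and / (may be empty)
    **  any run of characters, delimiters included (may be empty)
    ?   exactly one character except \\ and /
    """
    _check_double_star(mask)
    parts = []
    i = 0
    while i < len(mask):
        if mask.startswith("**", i):
            parts.append(".*")
            i += 2
            continue
        ch = mask[i]
        if ch == "*":
            parts.append(NOT_DELIM + "*")
        elif ch == "?":
            parts.append(NOT_DELIM)
        elif ch in "\\/":
            parts.append(DELIM)      # accept either delimiter in the path
        else:
            parts.append(re.escape(ch))
        i += 1
    body = "".join(parts)
    if mask.endswith(("\\", "/")):
        body += ".*"   # folder mask: covers everything below it (assumption)
    # Windows paths are case-insensitive (assumption about KES behaviour).
    return re.compile("^" + body + "$", re.IGNORECASE)


def is_valid_mask(mask: str) -> bool:
    """True if the mask passes the ** nesting rule."""
    try:
        _check_double_star(mask)
    except InvalidMaskError:
        return False
    return True


def matches(mask: str, path: str) -> bool:
    """True if the full path would be excluded from scanning by the mask."""
    return mask_to_regex(mask).match(path) is not None


def covered_paths(mask: str, paths):
    """Return the subset of paths the mask would exclude from scanning."""
    rx = mask_to_regex(mask)
    return [p for p in paths if rx.match(p)]


if __name__ == "__main__":
    # Constructed sample paths, not taken from any real system.
    sample = [
        r"C:\Folder\a.txt",
        r"C:\Folder\Sub\b.txt",
        r"C:\Folder\Sub\Deep\c.txt",
        r"C:\Folder\abc.txt",
        r"C:\Users\Fred123\Folder\notes.docx",
    ]
    for m in (r"C:\*\*.txt", r"C:\Folder\**\*.txt",
              r"C:\Folder\???.txt", "C:\\Users\\*\\Folder\\"):
        print(m, "->", covered_paths(m, sample))
    print("C:\\**\\*.txt valid?", is_valid_mask(r"C:\**\*.txt"))
```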
How to add an application to the list of local trusted applications in the application interface
1. In the main application window, click the button.
2. In the application settings window, select General settings → Exclusions and types of detected objects.
Kaspersky Endpoint Security hides the consolidated list of trusted applications in the user interface
of the application if configuration of trusted applications is blocked by the administrator in the
console ("closed lock" symbol) and local trusted applications are prohibited (the Allow use of local
trusted applications check box is cleared).
Settings of exclusions
Kaspersky Endpoint Security supports environment variables and converts the path in the local
interface of the application. In other words, if you enter the file path
%userprofile%\Documents\File.exe, a C:\Users\Fred123\Documents\File.exe record is
added in the local interface of the application for user Fred123. Accordingly, Kaspersky Endpoint Security
ignores the File.exe trusted program for other users. To apply the entry to all user accounts, you
can use the * character (for example, C:\Users\*\Documents\File.exe).
Whenever you add a new environment variable, you need to restart the application.
6. In the trusted application properties window, configure the advanced settings.
7. You can use the toggle to exclude an application from the trusted zone at any time (see the figure below).
The application uses the following formats for exporting and importing the list of exclusions:
XML is available in Administration Console (MMC), Web Console, and Cloud Console.
DAT is available only for import in the Administration Console (MMC). The purpose of this format is to maintain
compatibility with older versions of the application. You can convert a DAT file to XML in the Administration
Console (MMC) to migrate exclusion lists to Web Console.
Kaspersky Endpoint Security uses the XML format for exporting and importing the list of trusted applications.
How to export and import the trusted zone in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
5. In the Scan exclusions and trusted applications block, click the Settings button.
b. Select the exclusions that you want to export. To select multiple exclusions, use the CTRL or SHIFT keys.
If you did not select any exclusion, Kaspersky Endpoint Security will export all exclusions.
d. In the window that opens, specify the name of the XML file to which you want to export the list of
exclusions, and select the folder in which you want to save this file.
b. Select the trusted applications that you want to export. To select multiple trusted applications, use the
CTRL or SHIFT keys.
If you do not select any trusted application, Kaspersky Endpoint Security exports all trusted
applications.
d. This opens a window; in that window, enter the name of the XML file to which you want to export the list
of trusted applications, and select the folder in which you want to save this file.
List of trusted applications
b. Click Import.
c. In the window that opens, select the XML file from which you want to import the list of exclusions.
b. Click Import.
c. This opens a window; in that window, select the XML file from which you want to import the list of
trusted applications.
1. In the main window of the Web Console, select Devices → Policies & profiles.
Settings of exclusions
a. In the Scan exclusions and trusted applications block, click the Scan exclusions link.
c. Click Export.
d. Confirm that you want to export only the selected exclusions, or export the entire list of exclusions.
e. In the window that opens, specify the name of the XML file to which you want to export the list of
exclusions, and select the folder in which you want to save this file.
g. Kaspersky Endpoint Security exports the entire list of exclusions to the XML file.
a. In the Scan exclusions and trusted applications block, click the Trusted applications link.
c. Click Export.
d. Confirm that you want to export only the selected trusted applications, or export the entire list of trusted
applications.
e. In the window that opens, specify the name of the XML file to which you want to export the list of
trusted applications, and select the folder in which you want to save this file.
a. Click Import.
b. In the window that opens, select the XML file from which you want to import the list of exclusions.
a. In the Scan exclusions and trusted applications block, click the Trusted applications link.
b. Click Import.
c. This opens a window; in that window, select the XML file from which you want to import the list of
trusted applications.
1. In the main application window, click the button.
2. In the application settings window, select General settings → Exclusions and types of detected objects.
Settings of exclusions
c. Click Export.
d. Confirm that you want to export only the selected exclusions, or export the entire list of exclusions.
e. In the window that opens, specify the name of the CSV file to which you want to export the list of
exclusions, and select the folder in which you want to save this file.
List of exclusions
c. Click Export.
d. Confirm that you want to export only the selected trusted applications, or export the entire list.
e. This opens a window; in that window, enter the name of the XML file to which you want to export the list
of trusted applications, and select the folder in which you want to save this file.
List of trusted applications
b. Click Import.
c. In the window that opens, select the CSV file from which you want to import the list of exclusions.
b. Click Import.
c. This opens a window; in that window, select the XML file from which you want to import the list of
trusted applications.
Using trusted system certificate storage
Use of system certificate storage lets you exclude applications signed by a trusted digital signature from virus
scans. Kaspersky Endpoint Security automatically assigns such applications to the Trusted group.
2. In the application settings window, select General settings → Exclusions and types of detected objects.
3. In the Trusted system certificate store drop-down list, select which system store must be considered as
trusted by Kaspersky Endpoint Security.
Managing Backup
Backup stores backup copies of files that were deleted or modified during disinfection. A backup copy is a file
copy created before the file was disinfected or deleted. Backup copies of files are stored in a special format and
do not pose a threat.
Users in the Administrators group are granted full permission to access this folder. Limited access rights to this
folder are granted to the user whose account was used to install Kaspersky Endpoint Security.
Kaspersky Endpoint Security does not provide the capability to configure user access permissions to backup
copies of files.
Sometimes it is not possible to maintain the integrity of files during disinfection. If you partially or completely lose
access to important information in a disinfected file after disinfection, you can attempt to restore the file from its
backup copy to its original folder.
If Kaspersky Endpoint Security is running under the management of Kaspersky Security Center, backup copies of
files may be transmitted to the Kaspersky Security Center Administration Server. For more details about managing
backup copies of files in Kaspersky Security Center, please refer to the Kaspersky Security Center Help system.
2. In the application settings window, select General settings → Reports and Storage.
Backup settings
3. If you want to limit the storage period for copies of files in Backup, select the Store objects no longer than N
days check box in the Backup block. Enter the maximum storage duration for copies of files in Backup.
2. In the application settings window, select General settings → Reports and Storage.
Backup settings
3. In the Backup block, select the Limit the size of Backup to N MB check box. If the check box is selected, the
maximum storage size is limited to the defined value. By default, the maximum size is 1024 MB. To avoid
exceeding the maximum storage size, Kaspersky Endpoint Security automatically deletes the oldest files from
storage when the maximum storage size is reached.
Files with the Will be deleted on computer restart status cannot be restored. Restart the computer, and the file
status will change to Disinfected or Deleted. You can also restore the file from its backup copy to its original folder.
Upon detecting malicious code in a file that is part of the Windows Store application, Kaspersky Endpoint
Security immediately deletes the file without moving a copy of the file to Backup. You can restore the integrity
of the Windows Store application by using the appropriate tools of the Microsoft Windows 8 operating
system (see the Microsoft Windows 8 help files for details on restoring a Windows Store application).
The set of backup copies of files is presented as a table. For a backup copy of a file, the path to the original folder
of the file is displayed. The path to the original folder of the file may contain personal data.
If several files with identical names and different content located in the same folder are moved to Backup, only
the file that was last placed in Backup can be restored.
1. In the main application window, in the Monitoring section, click the Backup tile.
2. This opens the list of files in Backup; in that list, select the files that you want to restore and click Restore.
Kaspersky Endpoint Security restores files from the selected backup copies to their original folders.
1. In the main application window, in the Monitoring section, click the Backup tile.
2. This opens the list of files in Backup; in this list, select files that you want to delete from Backup and click
Delete.
Kaspersky Endpoint Security deletes the selected backup copies of files from Backup.
Notification service
All sorts of events occur during the operation of Kaspersky Endpoint Security. Notifications of these events can
be either purely informational or contain critical information. For example, notifications may inform of a
successful database and application modules update or log component errors that need remedying.
Kaspersky Endpoint Security supports the logging of information about events in the operation of the application
to the Microsoft Windows application log and / or the Kaspersky Endpoint Security event log.
using pop-up notifications in the Microsoft Windows taskbar notification area;
by email.
You can configure the delivery of event notifications. The method of notification delivery is configured for each
type of event.
When using the table of events to configure the notification service, you can perform the following actions:
Filter notification service events by column values or by custom filter conditions.
Change the order and set of columns that are displayed in the list of notification service events.
3. In the Notifications block, click the Configure notifications button.
Kaspersky Endpoint Security components and tasks are shown in the left part of the window. The right part of
the window lists the events generated for the selected component or task.
Events may contain the following user data:
Paths to registry keys modified during the operation of Kaspersky Endpoint Security.
4. In the left part of the window, select the component or task for which you want to configure the event log
settings.
5. Select check boxes opposite the relevant events in the Save in local report and Save in Windows Event Log
columns.
Events whose check boxes are selected in the Save in local report column are displayed in the application logs.
Events that have the check box in the Save in Windows Event Log column selected are displayed in Windows
logs in the Application channel.
3. In the Notifications block, click the Configure notifications button.
Kaspersky Endpoint Security components and tasks are shown in the left part of the window. The right part of
the window lists the events generated for the selected component or task.
Events may contain the following user data:
Paths to registry keys modified during the operation of Kaspersky Endpoint Security.
4. In the left part of the window, select the component or task for which you want to configure the delivery of
notifications.
5. In the Notify on screen column, select check boxes next to relevant events.
Information about the selected events is displayed on the screen as pop-up messages in the Microsoft
Windows taskbar notification area.
6. In the Notify by email column, select check boxes next to relevant events.
Information about the selected events is delivered by email if the mail notification delivery settings are
configured.
7. Click OK.
8. If you enabled email notifications, configure the settings for email delivery:
b. Select the Notify about events check box to enable delivery of information about Kaspersky Endpoint
Security events selected in the Notify by email column.
d. Click OK.
9. Save your changes.
Configuring the display of warnings about the application status in the
notification area
To configure the display of application status warnings in the notification area:
3. In the Show application's status in notifications area block, select the check boxes opposite those categories
of events about which you want to see notifications in the notification area of Microsoft Windows.
When events associated with the selected categories occur, the application icon in the notification area will
change to or depending on the severity of the warning.
A user may need to send a message to the local corporate network administrator in the following cases:
The method used to send messages and the utilized template depends on whether or not there is an active
Kaspersky Security Center policy running on the computer that has Kaspersky Endpoint Security installed, and
whether or not there is a connection with the Kaspersky Security Center Administration Server. The following
scenarios are possible:
If a Kaspersky Security Center policy is not running on the computer that has Kaspersky Endpoint Security
installed, a user's message is sent to the local area network administrator by email.
The message fields are populated with the values of fields from the template defined in the local interface of
Kaspersky Endpoint Security.
If a Kaspersky Security Center policy is running on the computer that has Kaspersky Endpoint Security
installed, the standard message is sent to the Kaspersky Security Center Administration Server.
In this case, user messages are available for viewing in the Kaspersky Security Center event storage (see
instruction below). The message fields are populated with the values of fields from the template defined in the
Kaspersky Security Center policy.
If a Kaspersky Security Center out-of-office policy is running on the computer with Kaspersky Endpoint
Security installed, the method used to send messages depends on whether or not there is a connection with
Kaspersky Security Center.
If a connection with Kaspersky Security Center is established, Kaspersky Endpoint Security sends the
standard message to the Kaspersky Security Center Administration Server.
If a connection with Kaspersky Security Center is absent, a user's message is sent to the local area network
administrator by email.
In both cases, the message fields are populated with the values of fields from the template defined in the
Kaspersky Security Center policy.
2. In the Administration Server node of the Administration Console tree, select the Events tab.
The Kaspersky Security Center workspace displays all events occurring during the operation of Kaspersky
Endpoint Security, including messages to the administrator that are received from LAN users.
3. To configure the event filter, in the Event selections drop-down list, select User requests.
5. Click the Open event properties window button in the right part of the Administration Console workspace.
Managing reports
Information about the operation of each Kaspersky Endpoint Security component, data encryption events, the
performance of each scan task, the update task and integrity check task, and the overall operation of the
application is recorded in reports.
Paths to registry keys modified during the operation of Kaspersky Endpoint Security.
The data in the report is presented in tabular form. Each table row contains information on a separate event. Event
attributes are located in the table columns. Certain columns are compound ones which contain nested columns
with additional attributes. To view additional attributes, click the button next to the name of the column. Events
that are logged during the operation of various components or during the performance of various tasks have
different sets of attributes.
System audit report. Contains information about events occurring during the interaction between the user and
the application and in the course of application operation in general, which are unrelated to any particular
Kaspersky Endpoint Security components or tasks.
Data Encryption report. Contains information about events occurring during data encryption and decryption.
Informational messages. Reference events that normally do not contain important information.
Warnings. Events that need attention because they reflect important situations in the operation of
Kaspersky Endpoint Security.
Critical events. Events of critical importance that indicate problems in the operation of Kaspersky Endpoint
Security or vulnerabilities in the protection of the user's computer.
For convenient processing of reports, you can modify the presentation of data on the screen in the following ways:
Sort the list of events by each report column.
Display and hide events grouped by the event filter using the button.
Change the order and arrangement of columns that are shown in the report.
You can save a generated report to a text file, if necessary. You can also delete report information on Kaspersky
Endpoint Security components and tasks that are combined into groups.
If Kaspersky Endpoint Security is running under the management of Kaspersky Security Center, information about events may be relayed to the Kaspersky Security Center Administration Server (for more details, please refer to the Kaspersky Security Center Help).
Viewing reports
If a user can view reports, the user can also view all events reflected in the reports.
To view reports:
1. In the main application window, in the Monitoring section, click the Reports tile.
3. To view detailed information about an event, select the event in the report.
A block with the event summary is displayed in the lower part of the window.
Configuring the maximum report storage term
2. In the application settings window, select General settings → Reports and Storage.
3. If you want to limit the report storage term, select the Store reports no longer than N days check box in the Reports block. Define the maximum report storage term.
Configuring the maximum size of the report file
You can specify the maximum size of the file that contains the report. By default, the maximum report file size is 1024 MB. To avoid exceeding the maximum report file size, Kaspersky Endpoint Security automatically deletes the oldest entries from the report file when the maximum report file size is reached. Because the oldest entries are discarded first, keep the limit large enough for your investigation window, or rely on events relayed to Kaspersky Security Center for longer retention.
2. In the application settings window, select General settings → Reports and Storage.
3. In the Reports block, select the Limit the size of report file to N MB check box if you want to limit the size of a report file. Define the maximum size of the report file.
Saving a report to file
The user is personally responsible for ensuring the security of information from a report saved to file, and particularly for controlling and restricting access to this information.
You can save the report that you generate to a file in text format (TXT) or a CSV file.
Kaspersky Endpoint Security logs events in the report in the same way as they are displayed on the screen: in other words, with the same set and sequence of event attributes.
1. In the main application window, in the Monitoring section, click the Reports tile.
Filtering events
Rearranging columns
Sorting events
4. Click the Save report button in the upper right part of the window.
5. In the window that opens, specify the destination folder for the report file.
8. Save your changes.
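A saved report contains detection details, file and registry paths and user names, so the destination folder should not inherit the permissive ACL of a user profile or of the drive root. The following PowerShell script is an added example, not part of the Kaspersky documentation or product: it creates a destination folder that only SYSTEM and the local Administrators group can read, and checks the resulting ACL before you point the Save report dialog at it. The folder path is an assumption; change it to the location you use.

```powershell
# Added example (not Kaspersky code): prepare a folder for exported KES reports
# whose ACL admits only SYSTEM and the local Administrators group, then verify
# the ACL. Run from an elevated session. The path is an assumption.
function New-RestrictedReportFolder {
    param([string]$Path = 'C:\SecOps\KES-Reports')

    $null = New-Item -ItemType Directory -Path $Path -Force

    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and discard inherited entries, so
    # "Users: Read" inherited from the drive root does not expose the reports.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }

    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, 'FullControl', $inherit, $propagate, 'Allow')
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $Path -AclObject $acl
    return $Path
}

function Test-ReportFolderAcl {
    param([Parameter(Mandatory)] [string]$Path)

    $allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    $acl = Get-Acl -Path $Path
    # Any Allow entry for a principal outside the allow-list is a finding.
    $unexpected = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ($allowed -notcontains $_.IdentityReference.Value)
    })
    foreach ($entry in $unexpected) {
        Write-Warning ("Unexpected ACE on {0}: {1} -> {2}" -f $Path, $entry.IdentityReference, $entry.FileSystemRights)
    }
    if (-not $acl.AreAccessRulesProtected) {
        Write-Warning "$Path still inherits permissions from its parent"
    }
    return ($acl.AreAccessRulesProtected -and $unexpected.Count -eq 0)
}

$folder = New-RestrictedReportFolder
if (Test-ReportFolderAcl -Path $folder) {
    Write-Host "Save the exported report under $folder"
}
```

The check function can also be run on its own against an existing export folder to confirm nobody has widened the ACL since the folder was created.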
Clearing reports
To remove information from reports:
2. In the application settings window, select General settings → Reports and Storage.
4. If Password Protection is enabled, Kaspersky Endpoint Security may prompt you for user account credentials. The application prompts for account credentials if the user does not have the required permission.
Kaspersky Endpoint Security will delete all reports for all application components and tasks.
Kaspersky Endpoint Security Self-Defense
Self-Defense prevents other applications from performing actions that can interfere with the operation of
Kaspersky Endpoint Security and, for example, remove Kaspersky Endpoint Security from the computer. The set of
available Self-Defense technologies for Kaspersky Endpoint Security depends on whether the operating system is
32-bit or 64-bit (refer to the table below).
files in the Kaspersky Endpoint Security installation folder and other files of the application;
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
5. Use the Enable Self-Defense check box to enable or disable the Self-Defense mechanism.
How to enable or disable Self-Defense in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. Use the Enable Self-Defense check box to enable or disable the Self-Defense mechanism.
1. In the main application window, click the button.
3. Use the Enable Self-Defense check box to enable or disable the Self-Defense mechanism.
Kaspersky Endpoint Security also has built-in mechanisms for protecting application processes. AM-PPL support
lets you delegate process security functions to the operating system. You can thereby increase the speed of the
application and reduce the consumption of computer resources.
AM-PPL technology is available for Windows 10 version 1703 (RS2) or later, and Windows Server 2019
operating systems.
The AM-PPL technology is available only for computers running 64-bit operating systems. Technology is not available for computers running 32-bit operating systems.
With AM-PPL enabled, the application's processes run as Antimalware Protected Process Light (PPL) processes: the Windows kernel itself refuses requests from non-protected processes, including those running with administrator rights, to terminate them, inject code into them, or open them with more than limited query access.
klpsm.exe enable – enable support for AM-PPL technology (see the figure below).
To quit the application from the command line, disable the protection of Kaspersky Endpoint Security services
against external management.
How to enable or disable Protection of application services against external management in the Administration
Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
5. Use the Block external management of system services check box to enable or disable the protection of
Kaspersky Endpoint Security services against external management.
How to enable or disable Protection of application services against external management in the Web Console and
Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. Use the Block external management of system services check box to enable or disable the protection of
Kaspersky Endpoint Security services against external management.
How to enable or disable Protection of application services against external management in the application
interface
1. In the main application window, click the button.
3. Use the Block external management of system services check box to enable or disable the protection of
Kaspersky Endpoint Security services against external management.
As a result, when a user attempts to stop application services, a system window with an error message appears.
The user can only manage application services from the Kaspersky Endpoint Security interface.
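The expected behaviour can be verified directly: with protection enabled, a stop request from an elevated session is refused by the service control manager and the service keeps running. The following PowerShell script is an added example, not part of the Kaspersky documentation or product; the service name pattern AVP* is an assumption (check the real name with Get-Service on the endpoint). Note that if protection is not enabled, the script really does stop the service, so run it on a test machine and start the service again afterwards.

```powershell
# Added example (not Kaspersky code): test whether "Block external management
# of system services" is in force by attempting to stop the KES service.
# The 'AVP*' service name pattern is an assumption.
function Test-KesServiceProtection {
    param([string]$ServicePattern = 'AVP*')

    $svc = Get-Service -Name $ServicePattern -ErrorAction SilentlyContinue |
        Where-Object Status -eq 'Running' | Select-Object -First 1
    if (-not $svc) {
        Write-Warning "No running service matches '$ServicePattern'"
        return $null
    }

    try {
        Stop-Service -Name $svc.Name -ErrorAction Stop
        # The request was accepted: protection is NOT active. Restore the service.
        Write-Warning "Stop request for $($svc.Name) was accepted; external management is not blocked"
        Start-Service -Name $svc.Name -ErrorAction SilentlyContinue
        return $false
    }
    catch {
        # Expected when protection is enabled: the request is denied and the
        # service stays running. Confirm the second half of that condition too.
        $stillRunning = (Get-Service -Name $svc.Name).Status -eq 'Running'
        if ($stillRunning) {
            Write-Host "Stop request for $($svc.Name) denied: $($_.Exception.Message.Trim())"
            return $true
        }
        Write-Warning "Stop request failed but $($svc.Name) is no longer running: $($_.Exception.Message)"
        return $false
    }
}

Test-KesServiceProtection
```

A `$true` result means the endpoint matches the behaviour described above (the system error window on the GUI side corresponds to the exception caught here); `$false` means the policy setting did not reach the host or is overridden by a local setting.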
You may occasionally need to use a remote administration application while external management defense is
enabled.
2. In the application settings window, select General settings → Exclusions and types of detected objects.
6. Select the Allow interaction with the Kaspersky Endpoint Security interface check box.
Kaspersky Endpoint Security performance and compatibility with other
applications
The performance of Kaspersky Endpoint Security refers to the number of types of objects that can harm the
computer that are detectable, as well as energy consumption and use of computer resources.
Kaspersky Endpoint Security lets you fine-tune the protection of your computer and select the types of objects that the application detects during operation. Kaspersky Endpoint Security always scans the operating system for viruses, worms, and Trojans. You cannot disable scanning of these types of objects. Such malware can cause significant harm to the computer. For greater security on your computer, you can expand the range of detectable object types by enabling monitoring of legal software that can be used by criminals to damage your computer or personal data.
Energy consumption by applications is a key consideration for portable computers. Kaspersky Endpoint Security
scheduled tasks usually use up considerable resources. When the computer is running on battery power, you can
use energy-saving mode to consume power more sparingly.
Update task;
Whether or not energy saving mode is enabled, Kaspersky Endpoint Security pauses encryption tasks when a
portable computer switches to battery power. The application resumes encryption tasks when the portable
computer switches from battery power to mains power.
Consumption of computer resources by Kaspersky Endpoint Security when scanning the computer may increase
the load on the CPU and hard drive subsystems. To resolve the problem of simultaneous operation during
increased load on the CPU and hard drive subsystems, Kaspersky Endpoint Security can concede resources to
other applications.
Today's malicious applications can penetrate the lowest levels of an operating system, which makes them virtually
impossible to eliminate. After detecting malicious activity in the operating system, Kaspersky Endpoint Security
performs an extensive disinfection procedure that uses special advanced disinfection technology. Advanced
disinfection technology is aimed at purging the operating system of malicious applications that have already
started their processes in RAM and that prevent Kaspersky Endpoint Security from removing them by using other
methods. The threat is neutralized as a result. While Advanced Disinfection is in progress, you are advised to refrain
from starting new processes or editing the operating system registry. The advanced disinfection technology uses
considerable operating system resources, which may slow down other applications.
After the Advanced Disinfection process has been completed on a computer running Microsoft Windows for workstations, Kaspersky Endpoint Security requests the user's permission to reboot the computer. After system reboot, Kaspersky Endpoint Security deletes malware files and starts a "lite" full scan of the computer.
A reboot prompt is impossible on a computer running Microsoft Windows for servers due to the specifics of Kaspersky Endpoint Security. An unplanned reboot of a file server can lead to problems involving temporary unavailability of file server data or loss of unsaved data. It is recommended to reboot a file server strictly according to schedule. This is why Advanced Disinfection technology is disabled by default for file servers.
If active infection is detected on a file server, an event is relayed to Kaspersky Security Center with information that Advanced Disinfection is required. To disinfect an active infection of a server, enable Advanced Disinfection technology for servers and start a Malware Scan group task at a time convenient for server users.
Kaspersky Endpoint Security for Windows settings
3. In the Performance block, use the Postpone scheduled tasks while running on battery power check box to
enable or disable power saving mode.
When energy conservation mode is enabled and the computer is running on battery power, the following tasks
are not run even if scheduled:
Update
Full Scan
Custom Scan
Integrity check
IOC Scan.
How to enable or disable conceding resources to other applications in the Administration Console (MMC)
3. Select the necessary policy and double-click to open the policy properties.
5. In the Performance block, use the Concede resources to other applications check box to enable or
disable conceding of resources to other applications.
How to enable or disable conceding resources to other applications in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Performance block, use the Concede resources to other applications check box to enable or
disable conceding of resources to other applications.
How to enable or disable conceding resources to other applications in the application interface
1. In the main application window, click the button.
3. In the Performance block, use the Concede resources to other applications check box to enable or
disable conceding of resources to other applications.
General
Configure general settings of the application in accordance with the following recommendations:
Default settings are considered optimal. These settings are recommended by Kaspersky experts. Default settings provide the recommended protection level and optimal resource use. If necessary, you can restore the default application settings.
Enabling Background scan is recommended for Malware Scan of workstations. Background Scan is a scan mode of Kaspersky Endpoint Security that does not display notifications for the user. Background scan requires fewer computer resources than other types of scans (such as a full scan). In this mode, Kaspersky Endpoint Security scans startup objects, the boot sector, system memory, and the system partition. Background scan settings are considered optimal. These settings are recommended by Kaspersky experts. Thus, for performing a Malware Scan of the computer, you can use just the background scan mode without using other scan tasks.
If background scanning does not suit your needs, configure the Malware Scan task in accordance with the following recommendations:
2. Define a scan scope.
Select the following objects to scan:
Kernel memory;
Boot sectors;
iSwift technology.
This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scans by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date when the file was last scanned, and any modifications to the scan settings. The iSwift technology is an advancement of the iChecker technology for the NTFS file system.
iChecker technology.
This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scans by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date when the file was last scanned, and any modifications to the scan settings. There are limitations to iChecker Technology: it does not work with large files and applies only to files with a structure that the application recognizes (for example, EXE, DLL, LNK, TTF, INF, SYS, COM, CHM, ZIP, and RAR).
You can only turn on iSwift and iChecker technologies in the Administration Console (MMC) and Kaspersky Endpoint Security interface. You cannot turn on these technologies in Kaspersky Security Center Web Console.
Configure the Malware Scan task in accordance with the following recommendations:
iSwift technology.
iChecker technology.
These two technologies, their limitations, and the restriction that they can be turned on only in the Administration Console (MMC) and the Kaspersky Endpoint Security interface (not in Kaspersky Security Center Web Console) are described above under the workstation recommendations; the same descriptions apply here.
Kaspersky Security Network (KSN) is an infrastructure of cloud services providing access to the online Kaspersky Knowledge Base that contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky Endpoint Security to new threats, improves the performance of some protection components, and reduces the likelihood of false positives. If you are participating in Kaspersky Security Network, KSN services provide Kaspersky Endpoint Security with information about the category and reputation of scanned files, as well as information about the reputation of scanned web addresses.
Edit Kaspersky Security Network settings in accordance with the following recommendations:
Data Encryption
Kaspersky Endpoint Security lets you encrypt files and folders that are stored on local and removable drives, or entire removable drives and hard drives. Data encryption minimizes the risk of information leaks that may occur when a portable computer, removable drive or hard drive is lost or stolen, or when data is accessed by unauthorized users or applications. Kaspersky Endpoint Security uses the Advanced Encryption Standard (AES) encryption algorithm.
If the license has expired, the application does not encrypt new data, and old encrypted data remains encrypted and available for use. In this event, encrypting new data requires the application to be activated with a new license that permits the use of encryption.
If your license has expired, or the End User License Agreement has been violated, or the license key, Kaspersky Endpoint Security, or the encryption components have been removed, the encrypted status of previously encrypted files is not guaranteed. This is because some applications, such as Microsoft Office Word, create a temporary copy of files during editing. When the original file is saved, the temporary copy replaces the original file. As a result, on a computer that has no or inaccessible encryption functionality, the file remains unencrypted.
File Level Encryption on local computer drives. You can compile lists of files by extension or group of extensions and lists of folders stored on local computer drives, and create rules for encrypting files that are created by specific applications. After a policy is applied, Kaspersky Endpoint Security encrypts and decrypts the following files:
Encryption of removable drives. You can specify a default encryption rule, according to which the application applies the same action to all removable drives, or specify encryption rules for individual removable drives.
The default encryption rule has a lower priority than encryption rules created for individual removable drives. Encryption rules created for removable drives of the specified device model have a lower priority than encryption rules created for removable drives with the specified device ID.
To select an encryption rule for files on a removable drive, Kaspersky Endpoint Security checks whether or not the device model and ID are known. The application then performs one of the following operations:
If only the device model is known, the application uses the encryption rule (if any) created for removable drives of the specific device model.
If only the device ID is known, the application uses the encryption rule (if any) created for removable drives with the specific device ID.
If the device model and ID are known, the application applies the encryption rule (if any) created for removable drives with the specific device ID. If no such rule exists, but there is an encryption rule created for removable drives with the specific device model, the application applies this rule. If no encryption rule is specified for the specific device ID nor for the specific device model, the application applies the default encryption rule.
If neither the device model nor device ID is known, the application uses the default encryption rule.
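To write useful per-device rules you first need the two values the matching is performed on: the device model and the device ID of each removable drive. The following PowerShell script is an added example, not part of the Kaspersky documentation or product: it reads model and PnP instance ID of the attached removable drives from Win32_DiskDrive, then resolves the applicable rule with the priority described above (device ID, then device model, then the default rule). The rule-set layout and the sample rules are assumptions, and the exact device ID format shown in the Kaspersky Security Center policy may differ from the PnP instance path reported by WMI.

```powershell
# Added example (not Kaspersky code): list removable-drive identities and
# resolve the encryption rule with priority device ID > device model > default.
# Rule-set layout and sample rules are assumptions.
function Get-RemovableDriveIdentity {
    Get-CimInstance Win32_DiskDrive |
        Where-Object { $_.InterfaceType -eq 'USB' -or $_.MediaType -like 'Removable*' } |
        ForEach-Object {
            [pscustomobject]@{
                DeviceModel = $_.Model
                DeviceId    = $_.PNPDeviceID
                SizeGB      = [math]::Round($_.Size / 1GB, 1)
            }
        }
}

function Resolve-RemovableDriveRule {
    param(
        [Parameter(Mandatory)] [hashtable]$RuleSet,  # keys: Default, ByModel, ById
        [string]$DeviceModel,                        # empty when the model is unknown
        [string]$DeviceId                            # empty when the ID is unknown
    )
    # A rule for the specific device ID beats a rule for the model, which
    # beats the default rule. Unknown values simply skip their lookup.
    if ($DeviceId -and $RuleSet.ById.ContainsKey($DeviceId)) {
        return [pscustomobject]@{ MatchedOn = 'DeviceId'; Action = $RuleSet.ById[$DeviceId] }
    }
    if ($DeviceModel -and $RuleSet.ByModel.ContainsKey($DeviceModel)) {
        return [pscustomobject]@{ MatchedOn = 'DeviceModel'; Action = $RuleSet.ByModel[$DeviceModel] }
    }
    [pscustomobject]@{ MatchedOn = 'Default'; Action = $RuleSet.Default }
}

# Constructed sample rule set (illustrative names and IDs, not from a real policy).
$rules = @{
    Default = 'Encrypt entire removable drive'
    ByModel = @{ 'Kingston DataTraveler 3.0 USB Device' = 'Encrypt all files' }
    ById    = @{ 'USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_3.0&REV_PMAP\0123456789AB&0' = 'Do not encrypt' }
}

# Show what each attached removable drive would get under the sample rules.
foreach ($drive in Get-RemovableDriveIdentity) {
    $r = Resolve-RemovableDriveRule -RuleSet $rules -DeviceModel $drive.DeviceModel -DeviceId $drive.DeviceId
    '{0} [{1}] -> {2} (matched on {3})' -f $drive.DeviceModel, $drive.DeviceId, $r.Action, $r.MatchedOn
}
```

Running the inventory part on a reference machine is the quickest way to collect the exact model strings and IDs before creating the rules in the policy; an ID-level "Do not encrypt" rule, as in the sample, is the typical exception for a single approved device and should be audited like any other allow-list entry.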
The application lets you prepare a removable drive for using encrypted data stored on it in portable mode. After enabling portable mode, you can access encrypted files on removable drives connected to a computer without encryption functionality.
Managing rules of application access to encrypted files. For any application, you can create an encrypted file access rule that blocks access to encrypted files or allows access to encrypted files only as ciphertext, which is a sequence of characters obtained when encryption is applied.
Creating encrypted packages. You can create encrypted archives and protect access to such archives with a password. The contents of encrypted archives can be accessed only by entering the passwords with which you protected access to those archives. Such archives can be securely transmitted over networks or on removable drives.
Full Disk Encryption. You can select an encryption technology: Kaspersky Disk Encryption or BitLocker Drive Encryption (hereinafter also referred to as simply "BitLocker").
BitLocker is a technology that is part of the Windows operating system. If a computer is equipped with a Trusted Platform Module (TPM), BitLocker uses it to protect the key that unlocks the encrypted hard drive. When the computer starts, BitLocker obtains that key from the Trusted Platform Module, which releases it only if the measured boot state has not changed, and unlocks the drive. You can configure the use of a password and/or PIN code in addition to the TPM for unlocking the drive. The recovery key is a separate protector that is used when the TPM cannot unlock the drive.
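Before relying on a TPM-only protector it is worth confirming that the TPM is actually present and ready and that every encrypted volume also has a recovery password protector, because a TPM that is cleared or replaced makes a TPM-only volume unrecoverable. The following PowerShell script is an added example, not part of the Kaspersky documentation or product; it uses the BitLocker and TrustedPlatformModule modules that ship with Windows and needs an elevated session.

```powershell
# Added example (not Kaspersky code): summarize TPM state and BitLocker key
# protectors per volume and flag risky combinations.
function Get-BitLockerPosture {
    $tpm = Get-Tpm
    $report = foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $vol.EncryptionMethod
            TpmPresentReady  = ($tpm.TpmPresent -and $tpm.TpmReady)
            Protectors       = ($types -join ', ')
            UsesTpm          = [bool]($types | Where-Object { $_ -like 'Tpm*' })
            HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
        }
    }
    return $report
}

$posture = Get-BitLockerPosture
$posture | Format-Table -AutoSize

# Only volumes that are (or are becoming) encrypted matter for the checks.
foreach ($v in $posture | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }) {
    if ($v.UsesTpm -and -not $v.TpmPresentReady) {
        Write-Warning "$($v.MountPoint): a TPM protector is configured but the TPM is not present or not ready"
    }
    if (-not $v.HasRecoveryPwd) {
        Write-Warning "$($v.MountPoint): no recovery password protector; add one and escrow it before relying on the TPM alone"
    }
    if ($v.ProtectionStatus -ne 'On') {
        Write-Warning "$($v.MountPoint): encrypted but protection is $($v.ProtectionStatus) (protectors suspended?)"
    }
}
```

A volume reported as encrypted with ProtectionStatus Off is the classic "BitLocker suspended" state in which the volume key is stored in the clear on disk; it should not persist beyond the firmware update or similar maintenance that required it.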
You can specify the default full disk encryption rule and create a list of hard drives to be excluded from
encryption. Kaspersky Endpoint Security performs full disk encryption by sector after the Kaspersky Security
Center policy is applied. The application encrypts all logical partitions of hard drives simultaneously.
After the system hard drives have been encrypted, at the next computer startup the user must complete
authentication using the Authentication Agent before the hard drives can be accessed and the operating
system is loaded. This requires entering the password of the token or smart card connected to the computer,
or the user name and password of the Authentication Agent account created by the local area network
administrator using the Manage Authentication Agent accounts task. These accounts are based on Microsoft
Windows accounts under which users log into the operating system. You can also use Single Sign-On (SSO)
technology, which lets you automatically log in to the operating system using the user name and password of
the Authentication Agent account.
If you back up a computer and then encrypt the computer data, after which you restore the backup copy
of the computer and encrypt the computer data again, Kaspersky Endpoint Security creates duplicates of
Authentication Agent accounts. To remove the duplicate accounts, you must use the klmover utility with
the dupfix key. The klmover utility is included in the Kaspersky Security Center build. You can read more
about its operation in the Kaspersky Security Center Help.
Access to encrypted hard drives is possible only from computers on which Kaspersky Endpoint Security with
full disk encryption functionality is installed. This precaution minimizes the risk of data leaks from an encrypted
hard drive when an attempt to access it is made outside of the local area network of the company.
To encrypt hard drives and removable drives, you can use the Encrypt used disk space only function. It is
recommended you only use this function for new devices that have not been previously used. If you are applying
encryption to a device that is already in use, it is recommended you encrypt the entire device. This ensures that all
data is protected – even deleted data that might still contain retrievable information.
Before beginning encryption, Kaspersky Endpoint Security obtains the map of file system sectors. The first wave of encryption includes sectors that are occupied by files at the moment when encryption is started. The second wave of encryption includes sectors that were written to after encryption began. After encryption is complete, all sectors containing data are encrypted.
After encryption is complete and a user deletes a file, the sectors that stored the deleted file become available for storing new information at the file system level but remain encrypted. Thus, as files are written to a new device and the device is regularly encrypted with the Encrypt used disk space only function enabled, all sectors will be encrypted after some time.
The data needed to decrypt files is provided by the Kaspersky Security Center Administration Server that controlled the computer at the time of encryption. If the computer with encrypted objects was managed by a different Administration Server for some reason, you can obtain access to the encrypted data in one of the following ways:
You do not need to take any additional actions. The user will retain access to the encrypted objects. Encryption keys are distributed to all Administration Servers.
Restore the configuration of the Kaspersky Security Center Administration Server that controlled the computer at the time of encryption from a backup copy and use this configuration on the Administration Server that now controls the computer with encrypted objects.
If there is no access to encrypted data, follow the special instructions for working with encrypted data (Restoring access to encrypted files, Working with encrypted devices when there is no access to them).
The application creates service les during encryption. Around 0.5% of non-fragmented free space on the hard
drive is required to store them. If there is not enough non-fragmented free space on the hard drive, encryption
will not start until enough space is freed up.
You can manage all data encryption components in the Kaspersky Security Center Administration Console and
in the Kaspersky Security Center Web Console. In the Kaspersky Security Center Cloud Console, you can only
manage Bitlocker.
Data encryption is available only when using Kaspersky Endpoint Security with the Kaspersky Security Center administration system or the Kaspersky Security Center Cloud Console (BitLocker only). Data Encryption when using Kaspersky Endpoint Security in offline mode is not possible because Kaspersky Endpoint Security stores encryption keys in Kaspersky Security Center.
If Kaspersky Endpoint Security is installed on a computer running Microsoft Windows for Servers, only full disk
encryption using BitLocker Drive Encryption technology is available. If Kaspersky Endpoint Security is installed
on a computer running Windows for Workstations, data encryption functionality is fully available.
Full disk encryption using Kaspersky Disk Encryption technology is unavailable for hard drives that do not meet the
hardware and software requirements.
Compatibility between the full disk encryption functionality of Kaspersky Endpoint Security and Kaspersky Anti-Virus for UEFI is not supported. Kaspersky Anti-Virus for UEFI starts before the operating system loads. When using full disk encryption, the application will detect the absence of an installed operating system on the computer. As a result, the operation of Kaspersky Anti-Virus for UEFI will end with an error. File Level Encryption (FLE) does not affect the operation of Kaspersky Anti-Virus for UEFI.
HDD, SSD, and USB drives.
Kaspersky Disk Encryption (FDE) technology supports working with SSD while preserving the performance
and service life of SSD drives.
Drives connected via bus: SCSI, ATA, IEEE 1394 (FireWire), USB, RAID, SAS, SATA, NVMe.
Drives with the following type of partitions: GPT, MBR, and VBR (removable drives).
To use Kaspersky Disk Encryption (FDE), it is recommended to disable Fast Boot technology. You can use
the FDE Test Utility to test the operation of Kaspersky Disk Encryption (FDE).
Kaspersky Endpoint Security does not support the following con gurations:
The boot loader is located on one drive while the operating system is on a di erent drive.
The system has Intel® Rapid Start Technology and drives that have a hibernation partition even when Intel®
Rapid Start Technology is disabled.
Hybrid drives.
Kaspersky Disk Encryption (FDE) technology is incompatible with other full disk encryption technologies (such
as BitLocker, McAfee Drive Encryption, and WinMagic SecureDoc).
Creating, deleting, and modifying partitions on an encrypted drive is not supported. You could lose data.
Kaspersky Disk Encryption (FDE) technology is not supported on the following models of devices:
Authentication Agent does not support working with USB tokens when Legacy USB Support is enabled. Only
password-based authentication will be possible on the computer.
When encrypting a drive in Legacy BIOS mode, you are advised to enable Legacy USB Support on the following
models of devices:
Lenovo G550
Samsung R530
Changing the length of the encryption key is available only for Kaspersky Endpoint Security 11.2.0 or later.
Changing the encryption key length consists of the following steps:
1. Decrypt objects that Kaspersky Endpoint Security encrypted before you begin changing the encryption key length:
After the encryption key length is changed, objects that were previously encrypted become unavailable.
3. Install Kaspersky Endpoint Security from the Kaspersky Endpoint Security distribution package containing a different encryption library.
You can also change the encryption key length by upgrading the application. The key length can be changed through an application upgrade only if the following conditions are met:
Kaspersky Endpoint Security version 10 Service Pack 2 or later is installed on the computer.
Data encryption components (File Level Encryption, Full Disk Encryption) are not installed on the computer. By default, data encryption components are not included in Kaspersky Endpoint Security. The BitLocker Management component does not affect the change in the length of the encryption key.
To change the encryption key length, run the kes_win.msi or setup_kes.exe file from the distribution package containing the necessary encryption library. You can also remotely upgrade the application by using the installation package.
It is impossible to change the length of the encryption key using the distribution package of the same version of the application that is installed on your computer without first uninstalling the application.
Kaspersky Disk Encryption is available only for computers running a Windows operating system for
workstations. For computers running a Windows operating system for servers, use BitLocker Drive Encryption
technology.
Kaspersky Endpoint Security supports full disk encryption in FAT32, NTFS and exFat le systems.
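The requirements scattered through this section (workstation edition only, supported file systems and partition styles, free space for service files, the SSD allowance, Fast Boot disabled, no other full disk encryption on the volume, boot loader on the same drive as the operating system) can be checked in one pass before the encryption policy reaches a computer. The following PowerShell script is an added example, not the FDE Test Utility and not Kaspersky code. The free-space thresholds come from the text above (0.5% for service files, 5-10 GB for SSDs); because fragmentation is not visible through these cmdlets, total free space is used as an approximation, which the lead-in and the comments state as an assumption. Run it from an elevated session.

```powershell
# Added example (not Kaspersky code): pre-flight check for Kaspersky Disk
# Encryption on the system drive. Free-space check uses total free space as an
# approximation of the unfragmented space the text requires (assumption).
function Test-FdeReadiness {
    param([string]$SystemDriveLetter = $env:SystemDrive.TrimEnd(':'))

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Kaspersky Disk Encryption is for workstation editions only; servers use BitLocker.
    $os = Get-CimInstance Win32_OperatingSystem
    if ($os.ProductType -ne 1) { $findings.Add("Server OS ($($os.Caption)): use BitLocker Drive Encryption instead") }

    # 2. Supported file systems: FAT32, NTFS, exFAT.
    $vol = Get-Volume -DriveLetter $SystemDriveLetter
    if ($vol.FileSystem -notin 'NTFS', 'FAT32', 'exFAT') { $findings.Add("Unsupported file system $($vol.FileSystem)") }

    # 3. Free space: 0.5% for service files, raised to 10 GB on an SSD.
    $disk     = Get-Partition -DriveLetter $SystemDriveLetter | Get-Disk
    $physical = Get-PhysicalDisk | Where-Object { $_.DeviceId -eq $disk.Number }
    $minBytes = [math]::Ceiling($vol.Size * 0.005)
    if ($physical.MediaType -eq 'SSD') { $minBytes = [math]::Max($minBytes, 10GB) }
    if ($vol.SizeRemaining -lt $minBytes) {
        $findings.Add("Only $([math]::Round($vol.SizeRemaining / 1GB, 1)) GB free; need at least $([math]::Round($minBytes / 1GB, 1)) GB")
    }

    # 4. Partition style must be GPT or MBR.
    if ($disk.PartitionStyle -notin 'GPT', 'MBR') { $findings.Add("Unsupported partition style $($disk.PartitionStyle)") }

    # 5. Fast Startup (hiberboot) is recommended off.
    $hb = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power' -Name HiberbootEnabled -ErrorAction SilentlyContinue
    if ($hb -and $hb.HiberbootEnabled -eq 1) { $findings.Add('Fast Startup is enabled; disable it before encrypting') }

    # 6. Kaspersky Disk Encryption cannot coexist with BitLocker on the volume.
    $bl = Get-BitLockerVolume -MountPoint "$($SystemDriveLetter):" -ErrorAction SilentlyContinue
    if ($bl -and $bl.VolumeStatus -ne 'FullyDecrypted') { $findings.Add("BitLocker is active on $($SystemDriveLetter):; decrypt it first") }

    # 7. Boot loader (system partition) and OS (boot partition) must share one disk.
    $bootDisks = @(Get-Partition | Where-Object { $_.IsBoot -or $_.IsSystem } | Get-Disk |
        Select-Object -ExpandProperty Number -Unique)
    if ($bootDisks.Count -gt 1) { $findings.Add("Boot and system partitions span disks $($bootDisks -join ', ')") }

    [pscustomobject]@{ Ready = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

Test-FdeReadiness | Format-List
```

The script deliberately reports every finding rather than stopping at the first one, so a single run gives the complete remediation list for the host; conditions the text names but that are not visible from PowerShell (hybrid drives, an Intel Rapid Start hibernation partition, the unsupported device models) still have to be checked by hand or with the FDE Test Utility.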
Before starting full disk encryption, the application runs a series of checks to determine if the device can be
encrypted, which includes checking the system hard drive for compatibility with Authentication Agent or with
BitLocker encryption components. To check for compatibility, the computer must be restarted. After the
computer has been rebooted, the application performs all the necessary checks automatically. If the compatibility
check is successful, full disk encryption starts after the operating system has loaded and the application has
started. If the system hard drive is found to be incompatible with Authentication Agent or with BitLocker
encryption components, the computer must be restarted by pressing the Reset hardware button. Kaspersky
Endpoint Security logs information about the incompatibility. Based on this information, the application does not
start full disk encryption at operating system startup. Information about this event is logged in Kaspersky Security
Center reports.
If the hardware configuration of the computer has changed, the incompatibility information logged by the application during the previous check should be deleted in order to check the system hard drive for compatibility with Authentication Agent and BitLocker encryption components. To do so, prior to full disk encryption, type avp pbatestreset in the command line. If the operating system fails to load after the system hard drive has been checked for compatibility with Authentication Agent, you must remove the objects and data remaining after test operation of Authentication Agent by using the Restore Utility and then start Kaspersky Endpoint Security and execute the avp pbatestreset command again.
After full disk encryption has started, Kaspersky Endpoint Security encrypts all data that is written to hard drives.
If the user shuts down or restarts the computer during full disk encryption, Authentication Agent is loaded before
the next startup of the operating system. Kaspersky Endpoint Security resumes full disk encryption after
successful authentication in Authentication Agent and operating system startup.
If the operating system switches to hibernation mode during full disk encryption, Authentication Agent is loaded
when the operating system switches back from hibernation mode. Kaspersky Endpoint Security resumes full disk
encryption after successful authentication in Authentication Agent and operating system startup.
If the operating system goes into sleep mode during full disk encryption, Kaspersky Endpoint Security resumes full
disk encryption when the operating system comes out of sleep mode without loading Authentication Agent.
Enter the name and password of the Authentication Agent account created by the LAN administrator using
Kaspersky Security Center tools.
Use of a token or smart card is available only if the computer hard drives were encrypted using the AES256
encryption algorithm. If the computer hard drives were encrypted using the AES56 encryption algorithm,
addition of the electronic certificate file to the command will be denied.
The authentication agent supports keyboard layouts for the following languages:
English (UK)
English (USA)
Italian
Russian (for 105-key IBM / Windows keyboards with the QWERTY layout)
French (France)
French (Switzerland)
A keyboard layout becomes available in the Authentication Agent if this layout has been added in the language
and regional standards settings of the operating system and has become available on the welcome screen of
Microsoft Windows.
If the Authentication Agent account name contains symbols that cannot be entered using keyboard layouts
available in the Authentication Agent, encrypted hard drives can be accessed only after they are restored using
the Restore Utility or after the Authentication Agent account name and password are restored.
If an SSD drive is new and contains no confidential data, enable encryption of only occupied space. This lets
you overwrite the relevant drive sectors.
If an SSD drive is in use and it has confidential data, select one of the following options:
Fully wipe the SSD drive (Secure Erase), install the operating system and run encryption of the SSD drive
with the option to encrypt only occupied space enabled.
Run encryption of the SSD drive with the option to encrypt only occupied space disabled.
Encryption of an SSD drive requires 5-10 GB of free space. The free space requirements for storing encryption
administration data are provided in the table below.
SSD drive size (GB)   Free space on primary partition of SSD drive (MB)   Free space on secondary partition of SSD drive (MB)
128                   250                                                 64
Prior to starting full disk encryption, you are advised to make sure that the computer is not infected. To do so,
start the Full Scan or Critical Areas Scan task. Performing full disk encryption on a computer that is infected
by a rootkit may cause the computer to become inoperable.
Before you start disk encryption, you must check the settings of Authentication Agent accounts. Authentication
Agent is needed for working with drives that are protected using Kaspersky Disk Encryption (FDE) technology.
Before the operating system is loaded, the user needs to complete authentication with the Agent. Kaspersky
Endpoint Security allows you to automatically create Authentication Agent accounts before encrypting a drive.
You can enable automatic creation of Authentication Agent accounts in the Full Disk Encryption policy settings
(see the instructions below). You can also use Single Sign-On (SSO) technology.
Kaspersky Endpoint Security allows you to automatically create Authentication Agent for the following user
groups:
All accounts on the computer. All accounts on the computer that have been active at any time.
All domain accounts on the computer. All accounts on the computer that belong to some domain and that
have been active at any time.
All local accounts on the computer. All local accounts on the computer that have been active at any time.
Service account with a one-time password. The service account is necessary to gain access to the computer,
for example, when the user forgets the password. You can also use the service account as a reserve account.
You must enter the name of the account (by default, ServiceAccount). Kaspersky Endpoint Security creates
a password automatically. You can find the password in the Kaspersky Security Center console.
Local administrator. Kaspersky Endpoint Security creates an Authentication Agent user account for the local
administrator of the computer.
Computer manager. Kaspersky Endpoint Security creates an Authentication Agent user account for the
account of the computer manager. You can see which account has the computer manager role in computer
properties in Active Directory. By default, the computer manager role is not defined, that is, it does not
correspond to any account.
Active account. Kaspersky Endpoint Security automatically creates an Authentication Agent account for the
account that is active at the time of disk encryption.
The Manage Authentication Agent accounts task is designed for con guring user authentication settings. You can
use this task to add new accounts, modify the settings of current accounts, or remove accounts if necessary. You
can use local tasks for individual computers as well as group tasks for computers from separate administration
groups or a selection of computers.
How to run Kaspersky Disk Encryption through the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
Kaspersky Disk Encryption technology cannot be used if the computer has hard drives that were
encrypted by BitLocker.
6. In the Encryption mode drop-down list, select Encrypt all hard drives.
If the computer has several operating systems installed, after encrypting all hard drives you will be able
to load only the operating system that has the application installed.
If you need to exclude some of the hard drives from encryption, create a list of such hard drives.
7. Configure advanced Kaspersky Disk Encryption options (see table below).
How to run Kaspersky Disk Encryption through the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
Kaspersky Disk Encryption technology cannot be used if the computer has hard drives that were
encrypted by BitLocker.
7. In the Encryption mode drop-down list, select Encrypt all hard drives.
If the computer has several operating systems installed, after encryption you will be able to load only
the operating system in which the encryption was performed.
If you need to exclude some of the hard drives from encryption, create a list of such hard drives.
8. Configure advanced Kaspersky Disk Encryption options (see table below).
You can use the Encryption Monitor tool to control the disk encryption or decryption process on a user's
computer. You can run the Encryption Monitor tool from the main application window.
Encryption Monitor
If system hard drives are encrypted, the Authentication Agent loads before startup of the operating system. Use
the Authentication Agent to complete authentication for obtaining access to encrypted system hard drives and
load the operating system. After successful completion of the authentication procedure, the operating system
loads. The authentication process is repeated every time the operating system restarts.
Parameter: Automatically create Authentication Agent accounts for users during encryption
Description: If this check box is selected, the application creates Authentication Agent accounts based on the
list of Windows user accounts on the computer. By default, Kaspersky Endpoint Security uses all local and domain
accounts with which the user logged in to the operating system over the past 30 days.

Parameter: Automatically create Authentication Agent accounts for all users of this computer upon sign-in
Description: If this check box is selected, the application checks information about Windows user accounts on
the computer before starting Authentication Agent. If Kaspersky Endpoint Security detects a Windows user account
that has no Authentication Agent account, the application will create a new account for accessing encrypted
drives. The new Authentication Agent account will have the following default settings: password-protected sign-on
only, and password change on first authentication. Therefore, you do not need to manually add Authentication
Agent accounts using the Manage Authentication Agent accounts task for computers with already encrypted drives.

Parameter: Save user name entered in Authentication Agent
Description: If the check box is selected, the application saves the name of the Authentication Agent account.
You will not be required to enter the account name the next time you attempt to complete authorization in the
Authentication Agent under the same account.

Parameter: Encrypt used disk space only (reduces encryption time)
Description: This check box enables / disables the option that limits the encryption area to only occupied hard
drive sectors. This limit lets you reduce encryption time.
Enabling or disabling the Encrypt used disk space only (reduces encryption time) feature after starting
encryption does not modify this setting until the hard drives are decrypted. You must select or clear the check
box before starting encryption.
If the check box is selected, only portions of the hard drive that are occupied by files are encrypted. Kaspersky
Endpoint Security automatically encrypts new data as it is added. If the check box is cleared, the entire hard
drive is encrypted, including residual fragments of previously deleted and modified files.
This option is recommended for new hard drives whose data has not been modified or deleted. If you are applying
encryption on a hard drive that is already in use, it is recommended to encrypt the entire hard drive. This
ensures protection of all data, even deleted data that is potentially recoverable.

Parameter: Use Legacy USB Support (not recommended)
Description: This check box enables/disables the Legacy USB Support function. Legacy USB Support is a BIOS/UEFI
function that allows you to use USB devices (such as a security token) during the computer's boot phase before
starting the operating system (BIOS mode). Legacy USB Support does not affect support for USB devices after the
operating system is started.
If the check box is selected, support for USB devices during initial startup of the computer will be enabled.
When the Legacy USB Support function is enabled, the Authentication Agent in BIOS mode does not support working
with tokens via USB. It is recommended to use this option only when there is a hardware compatibility issue and
only for those computers on which the problem occurred.
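A pre-encryption readiness check, added here as an example and not part of the Kaspersky documentation or product. It flags volumes already encrypted by BitLocker (which block Kaspersky Disk Encryption), reports free space against the 5-10 GB figure given above, and previews which Windows accounts the 30-day default rule would turn into Authentication Agent accounts. The 10 GB threshold and the use of the Win32_UserProfile last-use time as a stand-in for the application's own logon tracking are this example's assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not Kaspersky code): run locally, elevated, before enabling
# Kaspersky Disk Encryption in the policy. Thresholds are this example's assumptions.

$FreeSpaceGB = 10   # help text: SSD encryption needs 5-10 GB free; upper bound used here
$ActiveDays  = 30   # help text: AA accounts auto-created for accounts used in the past 30 days
$results = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Check, [string]$Status, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
}

# 1. Kaspersky Disk Encryption cannot be used on drives already encrypted by BitLocker.
try {
    foreach ($v in Get-BitLockerVolume) {
        if ($v.VolumeStatus -ne 'FullyDecrypted') {
            Add-Finding 'BitLocker' 'FAIL' ("{0} is {1}; decrypt it before using Kaspersky Disk Encryption" -f $v.MountPoint, $v.VolumeStatus)
        } else {
            Add-Finding 'BitLocker' 'OK' ("{0} is not BitLocker-encrypted" -f $v.MountPoint)
        }
    }
} catch {
    # BitLocker cmdlets are absent on some editions; report rather than guess.
    Add-Finding 'BitLocker' 'SKIP' 'BitLocker module not available on this host'
}

# 2. Free space for encryption administration data on every fixed local disk.
foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3') {
    $freeGB = [math]::Round($d.FreeSpace / 1GB, 1)
    $status = if ($freeGB -ge $FreeSpaceGB) { 'OK' } else { 'WARN' }
    Add-Finding 'FreeSpace' $status ("{0} has {1} GB free (threshold {2} GB)" -f $d.DeviceID, $freeGB, $FreeSpaceGB)
}

# 3. Preview of accounts the default policy rule would turn into Authentication
#    Agent accounts: non-special profiles used within the last $ActiveDays days.
#    LastUseTime is only an approximation of the last interactive logon (assumption).
$cutoff = (Get-Date).AddDays(-$ActiveDays)
foreach ($p in Get-CimInstance Win32_UserProfile -Filter 'Special = FALSE') {
    if ($null -eq $p.LastUseTime -or $p.LastUseTime -lt $cutoff) { continue }
    try {
        $name = ([System.Security.Principal.SecurityIdentifier]$p.SID).Translate(
                    [System.Security.Principal.NTAccount]).Value
    } catch {
        # Orphaned profile (deleted user): no Windows account exists to derive an AA account from.
        $name = "<unresolvable SID $($p.SID)>"
    }
    Add-Finding 'ActiveAccount' 'INFO' ("{0} (last used {1:yyyy-MM-dd})" -f $name, $p.LastUseTime)
}

$results | Format-Table -AutoSize
if ($results.Status -contains 'FAIL') { exit 1 }
```

A non-zero exit code lets the script gate a deployment pipeline; the ActiveAccount rows are the list to compare against the accounts you expect to see in the Authentication Agent after encryption.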
You can create a list of exclusions from encryption only for Kaspersky Disk Encryption technology.
3. Select the necessary policy and double-click to open the policy properties.
Entries corresponding to hard drives excluded from encryption appear in the Do not encrypt the following
hard drives table. This table is empty if you have not previously formed a list of hard drives excluded from
encryption.
6. To add hard drives to the list of hard drives excluded from encryption:
a. Click Add.
b. In the window that opens, specify the values for Device name, Computer, Disk type, Kaspersky Disk
Encryption.
c. Click Refresh.
d. In the Name column, select the check boxes in the table rows corresponding to those hard drives that you
want to add to the list of hard drives excluded from encryption.
e. Click OK.
The selected hard drives appear in the Do not encrypt the following hard drives table.
How to export and import a list of hard drive encryption exclusions in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
a. Select the exclusions that you want to export. To select multiple exclusions, use the CTRL or SHIFT keys.
If you did not select any exclusion, Kaspersky Endpoint Security will export all exclusions.
c. In the window that opens, specify the name of the XML file to which you want to export the list of
exclusions, and select the folder in which you want to save this file.
a. Click Import.
b. In the window that opens, select the XML file from which you want to import the list of exclusions.
How to export and import a list of hard drive encryption exclusions in the Web Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. Select the Kaspersky Disk Encryption technology and follow the link to configure the settings.
The encryption settings open.
b. Click Export.
c. Confirm that you want to export only the selected exclusions, or export the entire list of exclusions.
d. In the window that opens, specify the name of the XML file to which you want to export the list of
exclusions, and select the folder in which you want to save this file.
a. Click Import.
b. In the window that opens, select the XML file from which you want to import the list of exclusions.
When using Single Sign-on technology, the Authentication Agent ignores the password strength requirements
specified in Kaspersky Security Center. You can set the password strength requirements in the operating system
settings.
Enabling Single Sign-On technology
How to enable the use of Single Sign-On technology in the Administration Console (MMC)
3. Select the necessary policy and double-click to open the policy properties.
6. In the window that opens, on the Authentication Agent tab, select the Use Single Sign-On (SSO)
technology check box.
7. If you are using a third-party credential provider, select the Wrap third-party credential providers check
box.
As a result, the user needs to complete the authentication procedure only once with the Agent. The
authentication procedure is not required for loading the operating system. The operating system loads
automatically.
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. Select the Kaspersky Disk Encryption technology and follow the link to configure the settings.
The encryption settings open.
6. In the Password settings block, select the Use Single Sign-On (SSO) technology check box.
7. If you are using a third-party credential provider, select the Wrap third-party credential providers check
box.
As a result, the user needs to complete the authentication procedure only once with the Agent. The
authentication procedure is not required for loading the operating system. The operating system loads
automatically.
For Single Sign-On to work, the Windows account password and the password for the Authentication Agent
account must match. If the passwords do not match, the user needs to perform the authentication procedure
twice: in the interface of the Authentication Agent and before loading the operating system. These actions need
to be performed only once to synchronize the passwords. After that, Kaspersky Endpoint Security replaces the
password of the Authentication Agent account with the password of the Windows account. When the Windows
account password is changed, the application will automatically update the password for the Authentication Agent
account.
Kaspersky Endpoint Security 11.10.0 adds support for third-party credential providers.
Kaspersky Endpoint Security supports the third-party credential provider ADSelfService Plus.
When working with third-party credential providers, Authentication Agent intercepts the password before the
operating system is loaded. This means that a user needs to enter a password only once when signing in to
Windows. After signing in to Windows, the user can utilize the capabilities of a third-party credential provider for
authentication in corporate services, for example. Third-party credential providers also allow users to
independently reset their own password. In this case, Kaspersky Endpoint Security will automatically update the
password for Authentication Agent.
If you are using a third-party credential provider that is not supported by the application, you may encounter some
limitations in Single Sign-On technology operation. When signing in to Windows, two profiles will be available to the
user: in-system credential provider and third-party credential provider. The icons of these profiles will be identical
(see the figure below). The user will have the following options for continuing:
If the user selects the third-party credential provider, Authentication Agent will not be able to synchronize the
password with the Windows account. Therefore, if the user has changed the Windows account password,
Kaspersky Endpoint Security cannot update the password for the Authentication Agent account. As a result,
the user needs to perform the authentication procedure twice: in the interface of the Authentication Agent
and before loading the operating system. In this case, the user can utilize the capabilities of a third-party
credential provider for authentication in corporate services, for example.
If the user selects the in-system credential provider, Authentication Agent will synchronize the passwords with
the Windows account. In this case, the user cannot utilize the capabilities of a third-party provider for
authentication in corporate services, for example.
System authentication profile and third-party authentication profile for Windows sign-in
Authentication Agent is needed for working with drives that are protected using Kaspersky Disk Encryption (FDE)
technology. Before the operating system is loaded, the user needs to complete authentication with the Agent. The
Manage Authentication Agent accounts task is designed for configuring user authentication settings. You can use
local tasks for individual computers as well as group tasks for computers from separate administration groups or a
selection of computers.
You cannot configure a schedule for starting the Manage Authentication Agent accounts task. It is also
impossible to forcibly stop a task.
How to create the Manage Authentication Agent accounts task in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
Select Kaspersky Endpoint Security for Windows (12.5) → Manage Authentication Agent accounts.
Generate a list of Authentication Agent account management commands. Management commands allow you
to add, modify, and delete Authentication Agent accounts (see instructions below). Only users who have an
Authentication Agent account can complete the authentication procedure, load the operating system, and
gain access to the encrypted drive.
Select the computers on which the task will be performed. The following options are available:
Assign the task to an administration group. In this case, the task is assigned to computers included in a
previously created administration group.
Select computers detected by the Administration Server in the network: unassigned devices. The specific
devices can include devices in administration groups as well as unassigned devices.
Specify device addresses manually, or import addresses from a list. You can specify NetBIOS names, IP
addresses, and IP subnets of devices to which you want to assign the task.
Exit the Wizard. If necessary, select the Run the task after the wizard finishes check box. You can monitor
the progress of the task in the task properties.
As a result, after the task is completed at the next computer startup, the new user can complete the
authentication procedure, load the operating system, and gain access to the encrypted drive.
How to create the Manage Authentication Agent accounts task in the Web Console
1. In the main window of the Web Console, select Devices → Tasks.
The list of tasks opens.
2. Click Add.
1. In the Application drop-down list, select Kaspersky Endpoint Security for Windows (12.5).
2. In the Task type drop-down list, select Manage Authentication Agent accounts.
3. In the Task name field, enter a brief description, such as Administrator accounts.
4. In the Select devices to which the task will be assigned block, select the task scope.
Generate a list of Authentication Agent account management commands. Management commands allow you
to add, modify, and delete Authentication Agent accounts (see instructions below). Only users who have an
Authentication Agent account can complete the authentication procedure, load the operating system, and
gain access to the encrypted drive.
Exit the Wizard. A new task will be displayed in the list of tasks.
To run a task, select the check box opposite the task and click the Start button.
As a result, after the task is completed at the next computer startup, the new user can complete the
authentication procedure, load the operating system, and gain access to the encrypted drive.
To add an Authentication Agent account, you need to add a special command to the Manage Authentication
Agent accounts task. It is convenient to use a group task, for example, to add an administrator account to all
computers.
Kaspersky Endpoint Security allows you to automatically create Authentication Agent accounts before encrypting
a drive. You can enable automatic creation of Authentication Agent accounts in the Full Disk Encryption policy
settings. You can also use Single Sign-On (SSO) technology.
How to add an Authentication Agent account through the Administration Console (MMC)
1. Open the properties of the Manage Authentication Agent accounts task.
4. In the window that opens, in the Windows account field, specify the name of the Microsoft Windows
account that will be used to create the Authentication Agent account.
5. If you manually entered the Windows account name, click the Allow button to define the account security
identifier (SID).
If you choose not to determine the security identifier (SID) by clicking the Allow button, it will be
determined when the task is performed on the computer.
Defining a Windows account security identifier is necessary to verify that the Windows account name
was entered correctly. If the Windows account does not exist on the computer or in the trusted
domain, the Manage Authentication Agent accounts task will end with an error.
6. Select the Replace existing account check box if you want the existing account previously created for the
Authentication Agent to be replaced with the account being created.
This step is available when you are adding an Authentication Agent account creation command in the
properties of a group task for managing Authentication Agent accounts. This step is not available
when you are adding an Authentication Agent account creation command in the properties of the
Manage Authentication Agent accounts local task.
7. In the User name eld, type the name of the Authentication Agent account that must be entered during
authentication for access to encrypted hard drives.
8. Select the Allow password-based authentication check box if you want the application to prompt the
user to enter the Authentication Agent account password during authentication for accessing encrypted
hard drives. Set a password for the Authentication Agent account. If necessary, you can request a new
password from the user after the first authentication.
9. Select the Allow certificate-based authentication check box if you want the application to prompt the
user to connect a token or smart card to the computer during authentication for accessing encrypted
hard drives. Select a certificate file for authentication with a smart card or token.
10. If required, in the Command description field, enter the Authentication Agent account details that you
need for managing the command.
11. In the Access to authentication in Authentication Agent block, configure access to authentication in
Authentication Agent for the user that uses the account specified in the command.
1. In the main window of the Web Console, select Devices → Tasks.
The list of tasks opens.
2. Click the Manage Authentication Agent accounts task of Kaspersky Endpoint Security.
The task properties window opens.
6. Select a user account. You can select an account from the list of domain accounts or manually enter the
account name. Go to the next step.
Kaspersky Endpoint Security determines the account security identifier (SID). This is necessary to verify
the account. If you entered the user name incorrectly, Kaspersky Endpoint Security will end the task with
an error.
Create a new Authentication Agent account to replace the existing account. Kaspersky Endpoint
Security scans existing accounts on the computer. If the user security ID on the computer and in the
task match, Kaspersky Endpoint Security will change the user account settings in accordance with the
task.
User name. The default user name of the Authentication Agent account corresponds to the domain
name of the user.
Allow password-based authentication. Set a password for the Authentication Agent account. If
necessary, you can request a new password from the user after the first authentication. This way, each
user will have their own unique password. You can also set password strength requirements for the
Authentication Agent account in the policy.
Allow certificate-based authentication. Select a certificate file for authentication with a smart card
or token. This way, the user will need to enter the password for the smart card or token.
Account access to encrypted data. Configure user access to the encrypted drive. You can, for
example, temporarily disable user authentication instead of deleting the Authentication Agent account.
9. Select the check box next to the task and click the Start button.
As a result, after the task is completed at the next computer startup, the new user can complete the
authentication procedure, load the operating system, and gain access to the encrypted drive.
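Pre-flight validation of the Windows account names you intend to enter in the task, added here as an example and not Kaspersky code. Each name is resolved to a SID locally (an approximation of the check the Allow button performs), so a misspelled or non-existent account is caught before the task runs on the computers and ends with an error. The names in $Accounts are constructed sample input.

```powershell
# Added example (not Kaspersky code): validate "Windows account" values for a
# Manage Authentication Agent accounts task before the task is created.
# $Accounts is constructed sample input; replace it with your own list.
$Accounts = @(
    'CORP\jdoe',            # domain user (constructed name)
    'Administrator',        # local account, resolved against the local SAM
    'CORP\no-such-user'     # constructed typo, exercises the failure path
)

function Test-AuthAgentWindowsAccount {
    # Returns one object per name: Resolvable = $true with its SID, or $false
    # with the reason, mirroring the task's "account does not exist" error.
    param([Parameter(Mandatory)][string[]]$Name)
    foreach ($n in $Name) {
        try {
            $sid = ([System.Security.Principal.NTAccount]$n).Translate(
                       [System.Security.Principal.SecurityIdentifier])
            [pscustomobject]@{ Account = $n; SID = $sid.Value; Resolvable = $true;  Note = '' }
        } catch {
            # IdentityNotMappedException for unknown names; other exceptions when
            # the trusted domain cannot be reached. Both would fail the task.
            [pscustomobject]@{ Account = $n; SID = $null; Resolvable = $false; Note = $_.Exception.Message }
        }
    }
}

$report = Test-AuthAgentWindowsAccount -Name $Accounts
$report | Format-Table -AutoSize
$bad = @($report | Where-Object { -not $_.Resolvable })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} account(s) would make the task end with an error: {1}" -f $bad.Count, ($bad.Account -join ', '))
    exit 1
}
```

Run it on a domain-joined machine in the same trust scope as the target computers; a name that resolves on a management workstation but not on a workgroup endpoint will still fail there.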
To change the password and other settings of the Authentication Agent account, you need to add a special
command to the Manage Authentication Agent accounts task. It is convenient to use a group task, for example, to
replace the administrator token certificate on all computers.
How to change the Authentication Agent account through the Administration Console (MMC)
1. Open the properties of the Manage Authentication Agent accounts task.
4. In the window that opens, in the Windows account field, specify the name of the Microsoft Windows user
account that you want to change.
5. If you manually entered the Windows account name, click the Allow button to define the account security
identifier (SID).
If you choose not to determine the security identifier (SID) by clicking the Allow button, it will be
determined when the task is performed on the computer.
Defining a Windows account security identifier is necessary to verify that the Windows account name
was entered correctly. If the Windows account does not exist on the computer or in the trusted
domain, the Manage Authentication Agent accounts task will end with an error.
6. Select the Change user name check box and enter a new name for the Authentication Agent account if
you want Kaspersky Endpoint Security to change the user name for all Authentication Agent accounts
created using the Microsoft Windows account with the name indicated in the Windows account field to
the name typed in the field below.
7. Select the Modify password-based authentication settings check box to make password-based
authentication settings editable.
8. Select the Allow password-based authentication check box if you want the application to prompt the
user to enter the Authentication Agent account password during authentication for accessing encrypted
hard drives. Set a password for the Authentication Agent account.
9. Select the Edit the password change rule upon authentication in Authentication Agent check box if you
want Kaspersky Endpoint Security to change the value of the password change setting for all
Authentication Agent accounts created using the Microsoft Windows account with the name indicated in
the Windows account field to the setting value specified below.
10. Specify the value of the password change setting upon authentication in Authentication Agent.
11. Select the Modify certificate-based authentication settings check box to make settings of
authentication based on the electronic certificate of a token or smart card editable.
12. Select the Allow certificate-based authentication check box if you want the application to prompt the
user to enter the password to the token or smart card connected to the computer during the
authentication process in order to access encrypted hard drives. Select a certificate file for authentication
with a smart card or token.
13. Select the Edit command description check box and edit the command description if you want Kaspersky
Endpoint Security to change the command description for all Authentication Agent accounts created
using the Microsoft Windows account with the name indicated in the Windows account field.
14. Select the Edit the authentication access rule in Authentication Agent check box if you want Kaspersky
Endpoint Security to change the rule for user access to the authentication dialog in Authentication Agent
to the value specified below for all Authentication Agent accounts created using the Microsoft Windows
account with the name indicated in the Windows account field.
15. Specify the rule for accessing the authentication dialog in Authentication Agent.
How to change the Authentication Agent account through the Web Console
1. In the main window of the Web Console, select Devices → Tasks.
The list of tasks opens.
2. Click the Manage Authentication Agent accounts task of Kaspersky Endpoint Security.
The task properties window opens.
6. Select a user account. You can select an account from the list of domain accounts or manually enter the
account name. Go to the next step.
Kaspersky Endpoint Security determines the account security identifier (SID). This is necessary to verify
the account. If you entered the user name incorrectly, Kaspersky Endpoint Security will end the task with
an error.
7. Select the check boxes next to the settings that you want to edit.
Create a new Authentication Agent account to replace the existing account. Kaspersky Endpoint
Security scans existing accounts on the computer. If the user security ID on the computer and in the
task match, Kaspersky Endpoint Security will change the user account settings in accordance with the
task.
User name. The default user name of the Authentication Agent account corresponds to the domain
name of the user.
Allow password-based authentication. Set a password for the Authentication Agent account. If
necessary, you can request a new password from the user after the first authentication. This way, each
user will have their own unique password. You can also set password strength requirements for the
Authentication Agent account in the policy.
Allow certificate-based authentication. Select a certificate file for authentication with a smart card
or token. This way, the user will need to enter the password for the smart card or token.
Account access to encrypted data. Configure user access to the encrypted drive. You can, for
example, temporarily disable user authentication instead of deleting the Authentication Agent account.
10. Select the check box next to the task and click the Start button.
To delete an Authentication Agent account, you need to add a special command to the Manage Authentication
Agent accounts task. It is convenient to use a group task, for example, to delete the account of a dismissed
employee.
How to delete an Authentication Agent account through the Administration Console (MMC)
1. Open the properties of the Manage Authentication Agent accounts task.
4. In the window that opens, in the Windows account eld, specify the name of the Windows user account
that was used to create the Authentication Agent account that you want to delete.
5. If you manually entered the Windows account name, click the Allow button to define the account security
identifier (SID).
If you choose not to determine the security identifier (SID) by clicking the Allow button, it will be
determined when the task is performed on the computer.
Defining a Windows account security identifier is necessary to verify that the Windows account name
was entered correctly. If the Windows account does not exist on the computer or in the trusted
domain, the Manage Authentication Agent accounts task will end with an error.
2. Click the Manage Authentication Agent accounts task of Kaspersky Endpoint Security.
The task properties window opens.
6. Select a user account. You can select an account from the list of domain accounts or manually enter the
account name.
8. Select the check box next to the task and click the Start button.
As a result, after the task is completed at the next computer startup, the user will not be able to complete
the authentication procedure and load the operating system. Kaspersky Endpoint Security will deny access
to encrypted data.
To view the list of users who can complete authentication with the Agent and load the operating system, you need
to go to the properties of the managed computer.
How to view the list of Authentication Agent accounts through the Administration Console (MMC)
5. In the task list, select Manage Authentication Agent accounts and open the task properties by double-
clicking.
As a result, you will be able to access a list of Authentication Agent accounts on this computer. Only users
from the list can complete authentication with the Agent and load the operating system.
How to view a list of Authentication Agent accounts through the Web Console
1. In the main window of the Web Console, select Devices → Managed devices.
2. Click the name of the computer on which you want to view the list of Authentication Agent accounts.
As a result, you will be able to access a list of Authentication Agent accounts on this computer. Only users
from the list can complete authentication with the Agent and load the operating system.
Use of a token or smart card is available only if the computer hard drives were encrypted using the AES256
encryption algorithm. If the computer hard drives were encrypted using the AES56 encryption algorithm,
addition of the electronic certificate file to the command will be denied.
Kaspersky Endpoint Security supports the following tokens, smart card readers, and smart cards:
SafeNet eToken 4100-72K Java;
Rutoken ECP;
To add the file of a token or smart card electronic certificate to the command for creating an Authentication
Agent account, you must first save the file using third-party software for managing certificates.
The token or smart-card certificate must have the following properties:
The certificate must be compliant with the X.509 standard, and the certificate file must have DER encoding.
The certificate contains an RSA key with a length of at least 1024 bits.
If the electronic certificate of the token or smart card does not meet these requirements, you cannot load the
certificate file into the command for creating an Authentication Agent account.
The KeyUsage parameter of the certificate must have the value keyEncipherment or dataEncipherment. The
KeyUsage parameter determines the purpose of the certificate. If the parameter has a different value, Kaspersky
Security Center will download the certificate file but will display a warning.
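A PowerShell check that a token or smart-card certificate file meets the requirements listed above (DER encoding, X.509, RSA key of at least 1024 bits, KeyUsage of keyEncipherment or dataEncipherment) before it is attached to the account-creation command. This is an added example, not Kaspersky's own tooling; the certificate path is supplied by the caller and the checks rely only on the .NET X.509 classes available in Windows PowerShell.

```powershell
# Added example (not Kaspersky's code): validate a token / smart-card certificate file
# against the Authentication Agent requirements before loading it into the command.
# Usage: .\Test-AaCertificate.ps1 -CertificatePath C:\certs\token.cer  (path is an assumption)
param(
    [Parameter(Mandatory = $true)]
    [string]$CertificatePath
)

$problems = @()

# 1. DER encoding. A DER certificate starts with a SEQUENCE tag (0x30);
#    a PEM / Base64 file starts with the text "-----BEGIN" and is not accepted.
$bytes = [System.IO.File]::ReadAllBytes($CertificatePath)
if ($bytes.Length -lt 2 -or $bytes[0] -ne 0x30) {
    $problems += "File is not DER-encoded (expected a leading 0x30 SEQUENCE tag)."
}

# 2. The file must parse as an X.509 certificate at all.
try {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
} catch {
    Write-Error "Cannot parse '$CertificatePath' as an X.509 certificate: $($_.Exception.Message)"
    exit 2
}

# 3. RSA public key with a modulus of at least 1024 bits.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if ($null -eq $rsa) {
    $problems += "Public key is not RSA (algorithm OID $($cert.PublicKey.Oid.Value))."
} elseif ($rsa.KeySize -lt 1024) {
    $problems += "RSA key is only $($rsa.KeySize) bits; at least 1024 bits are required."
}

# 4. KeyUsage must contain keyEncipherment or dataEncipherment. Other values are
#    loaded by Kaspersky Security Center with a warning, so they are flagged here too.
$ku = $cert.Extensions |
      Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
      Select-Object -First 1
if ($null -eq $ku) {
    $problems += "Certificate has no KeyUsage extension."
} else {
    $wanted = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment -bor
              [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DataEncipherment
    if (($ku.KeyUsages -band $wanted) -eq 0) {
        $problems += "KeyUsage is '$($ku.KeyUsages)'; keyEncipherment or dataEncipherment is required."
    }
}

"Subject:    $($cert.Subject)"
"Thumbprint: $($cert.Thumbprint)"
"Valid to:   $($cert.NotAfter)"
if ($problems.Count -eq 0) {
    "OK: certificate meets the Authentication Agent requirements."
    exit 0
}
"FAILED:"
$problems | ForEach-Object { "  - $_" }
exit 1
```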
If a user has lost a token or smart card, the administrator must add the file of a token or smart card electronic
certificate to the command for creating an Authentication Agent account. Then the user must complete the
procedure for receiving access to encrypted devices or restoring data on encrypted devices.
You can decrypt hard drives even if there is no current license permitting data encryption.
5. In the Encryption technology drop-down list, select the technology with which the hard drives were encrypted.
In the Encryption mode drop-down list, select the Decrypt all hard drives option if you want to decrypt all
encrypted hard drives.
Add the encrypted hard drives that you want to decrypt to the Do not encrypt the following hard drives
table.
You can use the Encryption Monitor tool to control the disk encryption or decryption process on a user's
computer. You can run the Encryption Monitor tool from the main application window.
Encryption Monitor
If the user shuts down or restarts the computer during decryption of hard drives that were encrypted using
Kaspersky Disk Encryption technology, the Authentication Agent loads before the next startup of the operating
system. Kaspersky Endpoint Security resumes hard drive decryption after successful authentication in the
authentication agent and operating system startup.
If the operating system switches to hibernation mode during decryption of hard drives that were encrypted
using Kaspersky Disk Encryption technology, Authentication Agent loads when the operating system comes out
of hibernation mode. Kaspersky Endpoint Security resumes hard drive decryption after successful
authentication in the authentication agent and operating system startup. After hard drive decryption,
hibernation mode is unavailable until the first reboot of the operating system.
If the operating system goes into sleep mode during hard drive decryption, Kaspersky Endpoint Security
resumes hard drive decryption when the operating system comes out of sleep mode without loading the
Authentication Agent.
Restoring access to a system hard drive protected by Kaspersky Disk Encryption technology consists of the
following steps:
1. The user reports the request blocks to the administrator (see the figure below).
2. The administrator enters the request blocks into Kaspersky Security Center, receives the response blocks and
reports the response blocks to the user.
3. The user enters the response blocks in the Authentication Agent interface and obtains access to the hard
drive.
Restoring access to a system hard drive protected by Kaspersky Disk Encryption technology
To start the recovery procedure, the user needs to click the Forgot your password button in the Authentication
Agent interface.
How to obtain response blocks for a system hard drive protected by Kaspersky Disk Encryption technology in the
Administration Console (MMC)
3. On the Devices tab, select the computer of the user requesting access to encrypted data and right-click
to open the context menu.
6. In the Encryption algorithm in use block, select an encryption algorithm: AES56 or AES256.
The data encryption algorithm depends on the AES encryption library that is included in the distribution
package: Strong encryption (AES256) or Lite encryption (AES56). The AES encryption library is installed
together with the application.
7. In the Account drop-down list, select the name of the Authentication Agent account of the user who
requested recovery of access to the drive.
8. In the Hard drive drop-down list, select the encrypted hard drive for which you need to recover access.
9. In the User request block enter the blocks of request dictated by the user.
As a result, the contents of the blocks of the response to the user's request for recovery of the user name
and password of an Authentication Agent account will be displayed in the Access key field. Convey the
contents of the response blocks to the user.
How to obtain response blocks for a system hard drive protected by Kaspersky Disk Encryption technology in the
Web Console
1. In the main window of the Web Console, select Devices → Managed devices.
2. Select the check box next to the name of the computer whose drive you want to restore access to.
5. In the Account drop-down list, select the name of the Authentication Agent account created for the user
who is requesting recovery of the Authentication Agent account name and password.
The contents of the blocks of the response to the user's request for recovery of the user name and
password of the Authentication Agent account will be displayed at the bottom of the window. Convey the
contents of the response blocks to the user.
After completing the recovery procedure, the Authentication Agent will prompt the user to change the password.
Restoring access to a non-system hard drive protected by Kaspersky Disk Encryption technology consists of the
following steps:
2. The administrator adds the request access file to Kaspersky Security Center, creates an access key file and
sends the file to the user.
3. The user adds the access key file to Kaspersky Endpoint Security and obtains access to the hard drive.
To start the recovery procedure, the user needs to attempt to access a hard drive. As a result, Kaspersky Endpoint
Security will create a request access file (a file with the KESDC extension), which the user needs to send to the
administrator, for example, by email.
How to obtain an access key file for an encrypted non-system hard drive in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. On the Devices tab, select the computer of the user requesting access to encrypted data and right-click
to open the context menu.
7. In the window for selecting a request access file, specify the path to the file received from the user.
You will see information about the user's request. Kaspersky Security Center generates a key file. Email the
generated encrypted data access key file to the user. Or save the access file and use any available method
to transfer the file.
How to obtain an encrypted non-system hard drive access key file in the Web Console
1. In the main window of the Web Console, select Devices → Managed devices.
2. Select the check box next to the name of the computer whose data you want to restore access to.
5. Click the Select file button and select the request access file that you received from the user (a file with
the KESDC extension).
The Web Console will display information about the request. This will include the name of the computer on
which the user is requesting access to the file.
6. Click the Save key button and select a folder to save the encrypted data access key file (a file with the
KESDR extension).
As a result, you will be able to obtain the encrypted data access key, which you will need to transfer to the
user.
1. Open the Kaspersky Security Center Administration Console.
5. In the task list, select Manage Authentication Agent accounts and open the task properties by double-
clicking.
7. In the list of accounts, select the Authentication Agent service account (for example, WIN10-
USER\ServiceAccount).
10. Copy the one-time password for logging in with the service account.
1. In the main window of the Web Console, select Devices → Managed devices.
2. Click the name of the computer on which you want to view the list of Authentication Agent accounts.
This opens the computer properties.
6. In the list of accounts, select the Authentication Agent service account (for example, WIN10-
USER\ServiceAccount).
8. Copy the one-time password for logging in with the service account.
Kaspersky Endpoint Security automatically updates the password every time a user authenticates with the service
account. After authenticating using the agent, you must enter the Windows account password. When signing in
with the service account, you cannot use the SSO technology.
There are a number of special considerations for updating the operating system of a computer that is protected
by Full Disk Encryption (FDE). Update the operating system as follows: first update the OS on one computer, then
update the OS on a small portion of the computers, then update the OS on all computers of the network.
If you are using Kaspersky Disk Encryption technology, Authentication Agent is loaded before the operating
system is started. Using Authentication Agent, the user can sign in to the system and receive access to encrypted
drives. Then the operating system begins loading.
If you start an update of the operating system on a computer that is protected using Kaspersky Disk Encryption
technology, the OS Update Wizard will remove Authentication Agent. As a result, the computer can be locked
because the OS loader will not be able to access the encrypted drive.
For details about safely updating the operating system, please refer to the Technical Support Knowledge Base.
Automatic updating of the operating system is available under the following conditions:
1. The operating system is updated through WSUS (Windows Server Update Services).
If all the conditions are met, you can update the operating system in the usual way.
If you are using Kaspersky Disk Encryption (FDE) technology and Kaspersky Endpoint Security for Windows version
11.1.0 or 11.1.1 is installed on the computer, you do not need to decrypt the hard drives to update Windows 10.
1. Prior to updating the system, copy the drivers named cm_km.inf, cm_km.sys, klfde.cat, klfde.inf, klfde.sys,
klfdefsf.cat, klfdefsf.inf, and klfdefsf.sys to a local folder. For example, C:\fde_drivers.
2. Run the system update installation with the /ReflectDrivers switch and specify the folder containing the
saved drivers:
setup.exe /ReflectDrivers C:\fde_drivers
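The two steps above scripted in PowerShell, as an added example (not Kaspersky's or Microsoft's own code). It assumes the driver files are found under the System32\drivers folder or the DriverStore (the help text does not say where they live) and that setup.exe is on mounted installation media at a path you pass in; it refuses to start setup if any of the eight files is missing, because an upgraded OS without the FDE drivers cannot read the encrypted system drive.

```powershell
# Added example (not Kaspersky's code): stage the Kaspersky Disk Encryption drivers into
# C:\fde_drivers and start the Windows 10 setup with /ReflectDrivers.
# Usage: .\Update-WithFdeDrivers.ps1 -SetupPath D:\setup.exe
param(
    [string]$SetupPath  = 'D:\setup.exe',    # assumption: mounted Windows 10 installation media
    [string]$StagingDir = 'C:\fde_drivers'   # folder named in step 1 of the procedure
)

# The eight driver files listed in step 1 of the procedure.
$driverFiles = @('cm_km.inf', 'cm_km.sys', 'klfde.cat', 'klfde.inf', 'klfde.sys',
                 'klfdefsf.cat', 'klfdefsf.inf', 'klfdefsf.sys')

# Assumed locations to search; the help text does not state where the files reside.
$searchRoots = @("$env:SystemRoot\System32\drivers",
                 "$env:SystemRoot\System32\DriverStore\FileRepository")

New-Item -ItemType Directory -Path $StagingDir -Force | Out-Null

$missing = @()
foreach ($name in $driverFiles) {
    # If several copies exist (e.g. multiple DriverStore packages), take the newest one.
    $src = Get-ChildItem -Path $searchRoots -Filter $name -Recurse -File -ErrorAction SilentlyContinue |
           Sort-Object LastWriteTime -Descending |
           Select-Object -First 1
    if ($null -eq $src) {
        $missing += $name
        continue
    }
    Copy-Item -Path $src.FullName -Destination (Join-Path $StagingDir $name) -Force
    Write-Host ("Staged {0} from {1}" -f $name, $src.DirectoryName)
}

# Do not start setup with an incomplete driver set.
if ($missing.Count -gt 0) {
    Write-Error ("Cannot continue; driver files not found: {0}" -f ($missing -join ', '))
    exit 1
}

if (-not (Test-Path -Path $SetupPath)) {
    Write-Error "Windows setup not found at $SetupPath"
    exit 1
}

# Step 2 of the procedure: run the update with the staged drivers reflected into the new OS.
Start-Process -FilePath $SetupPath -ArgumentList "/ReflectDrivers $StagingDir" -Wait
```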
If you are using BitLocker Drive Encryption technology, you do not need to decrypt the hard drives to update
Windows 10. For more details on BitLocker, please visit the Microsoft website.
When the update of the Full Disk Encryption functionality is started, the following errors may occur:
To eliminate errors that occurred when starting the update process of the Full Disk Encryption functionality in
the new application version:
2. Encrypt hard drives once again.
During the update of the Full Disk Encryption functionality, the following errors may occur:
To eliminate errors that occurred during the update process of the Full Disk Encryption functionality,
1. As soon as a computer with encrypted hard drives starts, press the F3 button to call up a window for
configuring Authentication Agent settings.
Disable debug logging (default). If this option is selected, the application does not log information about
Authentication Agent events in the trace file.
Enable debug logging. If this option is selected, the application logs information about the operation of the
Authentication Agent and the user operations performed with the Authentication Agent in the trace file.
Enable verbose logging. If this option is selected, the application logs detailed information about the
operation of the Authentication Agent and the user operations performed with the Authentication Agent in
the trace file.
The level of detail of entries under this option is higher compared to the level of the Enable debug
logging option. A high level of detail of entries can slow down the startup of the Authentication Agent
and the operating system.
Enable debug logging and select serial port. If this option is selected, the application logs information
about the operation of the Authentication Agent and the user operations performed with the
Authentication Agent in the trace file, and relays it via the COM port.
If a computer with encrypted hard drives is connected to another computer via the COM port,
Authentication Agent events can be examined from this other computer.
Enable verbose debug logging and select serial port. If this option is selected, the application logs detailed
information about the operation of the Authentication Agent and the user operations performed with the
Authentication Agent in the trace file, and relays it via the COM port.
The level of detail of entries under this option is higher compared to the level of the Enable debug
logging and select serial port option. A high level of detail of entries can slow down the startup of the
Authentication Agent and the operating system.
Data is recorded in the Authentication Agent trace file if there are encrypted hard drives on the computer or
during full disk encryption.
The Authentication Agent trace file is not sent to Kaspersky, unlike other trace files of the application. If necessary,
you can manually send the Authentication Agent trace file to Kaspersky for analysis.
Before editing help messages of the Authentication Agent, please review the list of supported characters in a
preboot environment (see below).
3. Select the necessary policy and double-click to open the policy properties.
Select the Authentication tab to edit the help text shown in the Authentication Agent window when
account credentials are being entered.
Select the Change password tab to edit the help text shown in the Authentication Agent window when the
password for the Authentication Agent account is being changed.
Select the Recover password tab to edit the help text shown in the Authentication Agent window when the
password for the Authentication Agent account is being recovered.
You can enter help text containing 16 lines or less. The maximum length of a line is 64 characters.
Characters that are not specified in this list are not supported in a preboot environment. It is not recommended to
use such characters in Authentication Agent help messages.
Objects and data may remain on the system hard drive after test operation of Authentication Agent only in
exceptional cases. For example, this can happen if the computer has not been restarted after a Kaspersky Security
Center policy with encryption settings was applied, or if the application fails to start after test operation of
Authentication Agent.
You can remove objects and data that remained on the system hard drive after test operation of Authentication
Agent in the following ways:
To use a Kaspersky Security Center policy to remove objects and data that remained after test operation of
Authentication Agent:
1. Apply to the computer a Kaspersky Security Center policy with settings configured to decrypt all computer
hard drives.
2. Start Kaspersky Endpoint Security.
BitLocker Management
BitLocker is an encryption technology built into Windows operating systems. Kaspersky Endpoint Security allows
you to control and manage BitLocker using Kaspersky Security Center. BitLocker encrypts logical volumes.
BitLocker cannot be used for encryption of removable drives. For more details on BitLocker, refer to the Microsoft
documentation.
BitLocker provides secure storage of access keys using a trusted platform module. A Trusted Platform Module
(TPM) is a microchip developed to provide basic functions related to security (for example, to store encryption
keys). A Trusted Platform Module is usually installed on the computer motherboard and interacts with all other
system components via the hardware bus. Using TPM is the safest way to store BitLocker access keys, since TPM
provides pre-startup system integrity verification. You can still encrypt drives on a computer without a TPM. In this
case, the access key will be encrypted with a password. BitLocker uses the following authentication methods:
TPM.
Password.
After encrypting a drive, BitLocker creates a master key. Kaspersky Endpoint Security sends the master key to
Kaspersky Security Center so that you can restore access to the disk, for example, if a user has forgotten the
password.
If a user encrypts a disk using BitLocker, Kaspersky Endpoint Security will send information about disk encryption
to Kaspersky Security Center. However, Kaspersky Endpoint Security will not send the master key to Kaspersky
Security Center, so it will be impossible to restore access to the disk using Kaspersky Security Center. For
BitLocker to work correctly with Kaspersky Security Center, decrypt the drive and re-encrypt the drive using a
policy. You can decrypt a drive locally or using a policy.
After encrypting the system hard drive, the user needs to go through BitLocker authentication to boot the
operating system. After the authentication procedure, BitLocker will allow users to log in. BitLocker does not
support single sign-on technology (SSO).
If you are using Windows group policies, turn off BitLocker management in the policy settings. Windows policy
settings may conflict with Kaspersky Endpoint Security policy settings. When encrypting a drive, errors may
occur.
Prior to starting full disk encryption, you are advised to make sure that the computer is not infected. To do so,
start the Full Scan or Critical Areas Scan task. Performing full disk encryption on a computer that is infected
by a rootkit may cause the computer to become inoperable.
To use BitLocker Drive Encryption on computers running Windows operating systems for servers, installing the
BitLocker Drive Encryption component may be required. Install the component using the operating system
tools (Add Roles and Components Wizard). For more information about installing BitLocker Drive Encryption,
refer to the Microsoft documentation.
How to run BitLocker Drive Encryption through the Administration Console (MMC)
3. Select the necessary policy and double-click to open the policy properties.
6. In the Encryption mode drop-down list, select Encrypt all hard drives.
If the computer has several operating systems installed, after encryption you will be able to load only
the operating system in which the encryption was performed.
7. Configure advanced BitLocker Drive Encryption options (see table below).
How to run BitLocker Drive Encryption through the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
7. In the Encryption mode drop-down list, select Encrypt all hard drives.
If the computer has several operating systems installed, after encryption you will be able to load only
the operating system in which the encryption was performed.
8. Configure advanced BitLocker Drive Encryption options (see table below).
You can use the Encryption Monitor tool to control the disk encryption or decryption process on a user's
computer. You can run the Encryption Monitor tool from the main application window.
Encryption Monitor
After the policy is applied, the application will display the following queries, depending on the authentication
settings:
TPM only. No user input required. The disk will be encrypted when the computer restarts.
TPM + PIN / Password. If a TPM module is available, a PIN code prompt window appears. If a TPM module is not
available, you will see a password prompt window for preboot authentication.
Password only. You will see a password prompt window for preboot authentication.
If Federal Information Processing Standard (FIPS) compatibility mode is enabled for the computer's operating
system, then in Windows 8 and earlier versions of the operating system, a request to connect a storage device is
displayed so that the recovery key file can be saved. You can save multiple recovery key files on a single storage device.
After setting a password or a PIN, BitLocker will ask you to restart your computer to complete the encryption.
Next, the user needs to go through the BitLocker authentication procedure. After the authentication procedure,
the user must log on to the system. After the operating system has loaded, BitLocker will complete the encryption.
If there is no access to encryption keys, the user may request the local network administrator to provide a
recovery key (if the recovery key was not saved earlier on the storage device or was lost).
Parameter / Description

Parameter: Enable use of BitLocker authentication requiring preboot keyboard input on tablets
Description: This check box enables / disables the use of authentication requiring data input in a
preboot environment, even if the platform does not have the capability for preboot input (for example,
with touchscreen keyboards on tablets).
The touchscreen of tablet computers is not available in the preboot environment. To complete BitLocker
authentication on tablet computers, the user must connect a USB keyboard, for example.
If the check box is selected, use of authentication requiring preboot input is allowed. It is recommended
to use this setting only for devices that have alternative data input tools in a preboot environment, such
as a USB keyboard in addition to touchscreen keyboards.
If the check box is cleared, BitLocker Drive Encryption is not possible on tablets.

Parameter: Use hardware encryption (Windows 8 and later versions)
Description: If the check box is selected, the application applies hardware encryption. This lets you
increase the speed of encryption and use fewer computer resources.

Parameter: Encrypt used disk space only (reduces encryption time)
Description: This check box enables / disables the option that limits the encryption area to only occupied
hard drive sectors. This limit lets you reduce encryption time.
Enabling or disabling the Encrypt used disk space only (reduces encryption time) feature after starting
encryption does not modify this setting until the hard drives are decrypted. You must select or clear the
check box before starting encryption.
If the check box is selected, only portions of the hard drive that are occupied by files are encrypted.
Kaspersky Endpoint Security automatically encrypts new data as it is added.
If the check box is cleared, the entire hard drive is encrypted, including residual fragments of previously
deleted and modified files.
This option is recommended for new hard drives whose data has not been modified or deleted. If you are
applying encryption on a hard drive that is already in use, it is recommended to encrypt the entire hard
drive. This ensures protection of all data, even deleted data that is potentially recoverable.

For computers running Windows 7 or Windows Server 2008 R2, only encryption using a TPM module is
available. If a TPM module is not installed, BitLocker encryption is not possible. Use of a password on
these computers is not supported.
A device equipped with a Trusted Platform Module can create encryption keys that can be decrypted only
with the device. A Trusted Platform Module encrypts encryption keys with its own root storage key. The
root storage key is stored within the Trusted Platform Module. This provides an additional level of
protection against attempts to hack encryption keys.
This action is selected by default.
You can set an additional layer of protection for access to the encryption key, and encrypt the key with a
password or a PIN:
Use PIN for TPM. If this check box is selected, a user can use a PIN code to obtain access to an
encryption key that is stored in a Trusted Platform Module (TPM).
If this check box is cleared, users are prohibited from using PIN codes. To access the encryption key, a
user must enter the password.
Minimum password length (characters).
Use enhanced PIN (letters and numbers). Enhanced PIN allows using other characters in addition to
numerical characters: uppercase and lowercase Latin letters, special characters, and spaces.
How to decrypt a hard drive protected by BitLocker through the Administration Console (MMC)
3. Select the necessary policy and double-click to open the policy properties.
6. In the Encryption mode drop-down list, select Decrypt all hard drives.
How to decrypt a BitLocker-encrypted hard drive through the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. Select the BitLocker Drive Encryption technology and follow the link to configure the settings.
The encryption settings open.
6. In the Encryption mode drop-down list, select Decrypt all hard drives.
You can use the Encryption Monitor tool to control the disk encryption or decryption process on a user's
computer. You can run the Encryption Monitor tool from the main application window.
Encryption Monitor
If the computer's operating system has Federal Information Processing standard (FIPS) compatibility mode
enabled, then in Windows 8 and older the recovery key file is saved to the removable drive before encryption.
To restore access to the drive, insert the removable drive and follow the on-screen instructions.
Restoring access to a hard drive encrypted by BitLocker consists of the following steps:
1. The user tells the administrator the recovery key ID (see the figure below).
2. The administrator verifies the ID of the recovery key in the computer properties in Kaspersky Security Center.
The ID that the user provided must match the ID that is displayed in the computer properties.
3. If the recovery key IDs match, the administrator provides the user with the recovery key or sends a recovery key
file.
A recovery key le is used for computers running the following operating systems:
Windows 7;
Windows 8;
4. The user enters the recovery key and gains access to the hard drive.
To start the recovery procedure, the user needs to press the Esc key at the pre-boot authentication stage.
How to view the recovery key for a system drive encrypted by BitLocker in the Administration Console (MMC)
3. On the Devices tab, select the computer of the user requesting access to encrypted data and right-click
to open the context menu.
5. In the window that opens, select the Access to a BitLocker-protected system drive tab.
6. Prompt the user for the recovery key ID indicated in the BitLocker password input window, and compare it
with the ID in the Recovery key ID field.
If the IDs do not match, this key is not valid for restoring access to the specified system drive. Make
sure that the name of the selected computer matches the name of the user's computer.
As a result, you will have access to the recovery key or file of the recovery key, which will need to be
transferred to the user.
How to view the recovery key for a BitLocker-encrypted system drive in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Managed devices.
2. Select the check box next to the name of the computer whose drive you want to restore access to.
5. Verify the recovery key ID. The ID provided by the user must match the ID that is displayed in the computer
settings.
If the IDs do not match, this key is not valid for restoring access to the specified system drive. Make
sure that the name of the selected computer matches the name of the user's computer.
As a result, you will have access to the recovery key or file of the recovery key, which will need to be
transferred to the user.
After the operating system is loaded, Kaspersky Endpoint Security prompts the user to change the password or
PIN code. After you set a new password or PIN code, BitLocker will create a new master key and send the key to
Kaspersky Security Center. As a result, the recovery key and recovery key le will be updated. If the user has not
changed the password, you can use the old recovery key the next time the operating system loads.
Windows 7 computers don't allow changing the password or PIN code. After the recovery key is entered and
the operating system is loaded, Kaspersky Endpoint Security won't prompt the user to change the password
or PIN code. Thus, it is impossible to set a new password or a PIN code. This issue stems from the peculiarities
of the operating system. To continue, you need to re-encrypt the hard drive.
To start the recovery procedure, the user needs to click the Forgot your password link in the window providing
access to the drive. After gaining access to the encrypted drive, the user can enable automatic unlocking of the
drive during Windows authentication in the BitLocker settings.
How to view the recovery key for a non-system drive encrypted by BitLocker in the Administration Console
(MMC)
1. Open the Kaspersky Security Center Administration Console.
2. In the Administration Console tree, select the Advanced → Data encryption and
protection → Encrypted drives folder.
3. In the workspace, select the encrypted device for which you want to create an access key file, then in the
context menu of the device, click Get access to the device in Kaspersky Endpoint Security for
Windows.
4. Prompt the user for the recovery key ID indicated in the BitLocker password input window, and compare it
with the ID in the Recovery key ID field.
If the IDs do not match, this key is not valid for restoring access to the specified drive. Make sure that
the name of the selected computer matches the name of the user's computer.
5. Send the user the key that is indicated in the Recovery key field.
How to view the recovery key for a BitLocker-encrypted non-system drive in the Web Console and Cloud Console
1. In the main window of the Web Console, select Operations → Data encryption and protection →
Encrypted Drives.
2. Select the check box next to the name of the computer whose drive you want to restore access to.
b. Verify the recovery key ID. The ID provided by the user must match the ID that is displayed in the
computer settings.
If the IDs do not match, this key is not valid for restoring access to the specified system drive. Make
sure that the name of the selected computer matches the name of the user's computer.
As a result, you will have access to the recovery key or file of the recovery key, which will need to be
transferred to the user.
1. Open the Kaspersky Security Center Administration Console.
Select Kaspersky Endpoint Security for Windows (12.5) → BitLocker Protection Management.
Configure BitLocker authentication. To pause BitLocker protection, select Temporarily allow skipping
BitLocker authentication and enter the number of restarts without BitLocker authentication (1 to 15 times). If
necessary, enter an expiration date and time for the task. At the specified time, the task is automatically
turned off, and the user must complete BitLocker authentication when the computer is restarted.
Select the computers on which the task will be performed. The following options are available:
Assign the task to an administration group. In this case, the task is assigned to computers included in a
previously created administration group.
Select computers detected by the Administration Server in the network: unassigned devices. The specific
devices can include devices in administration groups as well as unassigned devices.
Specify device addresses manually, or import addresses from a list. You can specify NetBIOS names, IP
addresses, and IP subnets of devices to which you want to assign the task.
Enter the name of the task, for example Updating to Windows 10.
Exit the Wizard. If necessary, select the Run the task after the wizard finishes check box. You can monitor
the progress of the task in the task properties.
1. In the main window of the Web Console, select Devices → Tasks.
The list of tasks opens.
2. Click Add.
1. In the Application drop-down list, select Kaspersky Endpoint Security for Windows (12.5).
3. In the Task name field, enter a brief description, for example, Updating to Windows 10.
4. In the Select devices to which the task will be assigned block, select the task scope.
Configure BitLocker authentication. To pause BitLocker protection, select Temporarily allow skipping
BitLocker authentication and enter the number of restarts without BitLocker authentication (1 to 15 times). If
necessary, enter an expiration date and time for the task. At the specified time, the task is automatically
turned off, and the user must complete BitLocker authentication when the computer is restarted.
Exit the Wizard. A new task will be displayed in the list of tasks.
To run a task, select the check box opposite the task and click the Start button.
As a result, when the task is running, after the next restart of the computer, BitLocker does not prompt the user
for authentication. After each restart of the computer without BitLocker authentication, Kaspersky Endpoint
Security generates a corresponding event and records the number of remaining restarts. Kaspersky Endpoint
Security then sends the event to Kaspersky Security Center to be monitored by the administrator. You can also
view the number of remaining restarts in the Managed devices folder of Kaspersky Security Center console in the
device status description.
The list of managed devices
When the specified number of restarts or the expiration time of the task is reached, BitLocker authentication is
automatically turned on. To gain access to data, the user must complete BitLocker authentication.
On computers running Windows 7, BitLocker cannot count computer restarts. Counting restarts on Windows
7 computers is handled by Kaspersky Endpoint Security. Thus, to automatically turn on BitLocker
authentication after each restart, Kaspersky Endpoint Security must be started.
To turn on BitLocker authentication ahead of time, open the BitLocker Protection Management task properties
and select Request authentication each time in preboot.
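The restart counter and expiration described above, as an added illustration that is not Kaspersky code: a small Python model of the Temporarily allow skipping BitLocker authentication task. It assumes time measured in hours since the task started and invents the event wording; the counting itself follows the help text (1 to 15 restarts, an optional expiration time, one event per skipped restart with the remaining count, and Request authentication each time in preboot as an override).

```python
"""Added illustration, not Kaspersky code: model of the
'Temporarily allow skipping BitLocker authentication' task.

Assumptions: time is measured in hours since the task started, and the
event text is constructed here. The counting follows the help text: 1 to 15
restarts may skip pre-boot authentication, an optional expiration time ends
the task early, every skipped restart produces an event carrying the
remaining count, and 'Request authentication each time in preboot' turns
authentication back on at once.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class BitLockerSkipTask:
    allowed_restarts: int                        # 1 to 15, as in the task settings
    expires_after_hours: Optional[float] = None  # None: no expiration configured
    force_auth: bool = False                     # 'Request authentication each time in preboot'
    remaining: int = field(init=False)
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= self.allowed_restarts <= 15:
            raise ValueError("number of restarts must be between 1 and 15")
        self.remaining = self.allowed_restarts

    def auth_required(self, now_hours: float) -> bool:
        """True when the next boot must go through BitLocker pre-boot authentication."""
        if self.force_auth:
            return True
        if self.expires_after_hours is not None and now_hours >= self.expires_after_hours:
            return True
        return self.remaining <= 0

    def restart(self, now_hours: float) -> bool:
        """Simulate one reboot at the given time; returns whether authentication was demanded."""
        if self.auth_required(now_hours):
            self.events.append(f"t={now_hours:g}h: BitLocker authentication required")
            return True
        self.remaining -= 1
        self.events.append(
            f"t={now_hours:g}h: restart without BitLocker authentication, "
            f"{self.remaining} restart(s) remaining")
        return False

    def request_authentication_each_time(self) -> None:
        """Administrator turns authentication back on before the counter runs out."""
        self.force_auth = True


def demo() -> List[bool]:
    """Two skipped restarts are allowed within 24 hours; the third reboot prompts again."""
    task = BitLockerSkipTask(allowed_restarts=2, expires_after_hours=24)
    return [task.restart(h) for h in (1, 2, 3)]   # [False, False, True]


if __name__ == "__main__":
    print(demo())
```

The events list is what an administrator would watch for in Kaspersky Security Center: each skipped restart is recorded with the number of restarts still allowed, and the expiration check runs before the counter is consulted, so a task can end with restarts unused.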
This component is available if Kaspersky Endpoint Security is installed on a computer that runs on Windows
for workstations. This component is unavailable if Kaspersky Endpoint Security is installed on a computer that
runs on Windows for servers.
Kaspersky Endpoint Security encrypts / decrypts files in predefined folders only for local user profiles of the
operating system. Kaspersky Endpoint Security does not encrypt or decrypt files in predefined folders of
roaming user profiles, mandatory user profiles, temporary user profiles, or redirected folders.
Kaspersky Endpoint Security does not encrypt files whose modification could harm the operating system and
installed applications. For example, the following files and folders with all nested folders are on the list of
encryption exclusions:
%WINDIR%;
The list of encryption exclusions cannot be viewed or edited. While files and folders on the list of encryption
exclusions can be added to the encryption list, they will not be encrypted during file encryption.
Kaspersky Endpoint Security does not encrypt files that are located in OneDrive cloud storage or in other
folders that have OneDrive as their name. Kaspersky Endpoint Security also blocks the copying of encrypted
files to OneDrive folders if those files are not added to the decryption rule.
6. On the Encryption tab, click the Add button, and in the drop-down list select one of the following items:
a. Select the Predefined folders item to add files from folders of local user profiles suggested by Kaspersky
experts to an encryption rule.
Documents. Files in the standard Documents folder of the operating system, and its subfolders.
Favorites. Files in the standard Favorites folder of the operating system, and its subfolders.
Desktop. Files in the standard Desktop folder of the operating system, and its subfolders.
Temporary files. Temporary files related to the operation of applications installed on the computer. For
example, Microsoft Office applications create temporary files containing backup copies of documents.
It is not recommended to encrypt temporary files, as this can cause data loss. For example,
Microsoft Word creates temporary files when processing a document. If temporary files are
encrypted, but the original file is not, the user may receive an Access Denied error when trying to
save the document. Additionally, Microsoft Word might save the file, but it will not be possible to
open the document the next time, i.e. the data will be lost.
Outlook files. Files related to the operation of the Outlook mail client: data files (PST), offline data files
(OST), offline address book files (OAB), and personal address book files (PAB).
b. Select the Custom folder item to add a manually entered folder path to an encryption rule.
When adding a folder path, adhere to the following rules:
Use an environment variable (for example, %FOLDER%\UserFolder\). You can use an environment
variable only once and only at the beginning of the path.
c. Select the Files by extension item to add individual file extensions to an encryption rule. Kaspersky Endpoint
Security encrypts files with the specified extensions on all local drives of the computer.
d. Select the Files by groups of extensions item to add groups of file extensions to an encryption rule (for
example, Microsoft Office documents). Kaspersky Endpoint Security encrypts files that have the extensions
listed in the groups of extensions on all local drives of the computer.
As soon as the policy is applied, Kaspersky Endpoint Security encrypts the files that are included in the
encryption rule and not included in the decryption rule.
File encryption has the following special features:
If the same file is added to both an encryption rule and a decryption rule, then Kaspersky Endpoint Security
performs the following actions:
If the file is not encrypted, Kaspersky Endpoint Security does not encrypt this file.
Kaspersky Endpoint Security continues to encrypt new files if these files meet the criteria of the encryption
rule. For example, when you change the properties of an unencrypted file (path or extension), the file then
meets the criteria of the encryption rule. Kaspersky Endpoint Security encrypts this file.
When the user creates a new file whose properties meet the encryption rule criteria, Kaspersky Endpoint
Security encrypts the file as soon as it is opened.
Kaspersky Endpoint Security postpones the encryption of open files until they are closed.
If you move an encrypted file to another folder on the local drive, the file remains encrypted regardless of
whether or not this folder is included in the encryption rule.
If you decrypt a file and copy it to another local folder that is not included in the decryption rule, a copy of the
file may be encrypted. To prevent the copied file from being encrypted, create a decryption rule for the target
folder.
3. Select the necessary policy and double-click to open the policy properties.
Access rules are applied only when in the According to rules mode. After applying access rules in
According to rules mode, if you switch to Leave unchanged mode, Kaspersky Endpoint Security will ignore
all access rules. All applications will have access to all encrypted files.
6. In the right part of the window, select the Rules for applications tab.
7. If you want to select applications exclusively from the Kaspersky Security Center list, click the Add button and
in the drop-down list select the Applications from Kaspersky Security Center list item.
a. Specify the filters to narrow down the list of applications in the table. To do so, specify the values of the
Application, Vendor, and Period added parameters, and all check boxes from the Group block.
b. Click Refresh.
c. The table lists applications that match the applied filters.
d. In the Application column, select check boxes opposite the applications for which you want to form
encrypted file access rules.
e. In the Rule for applications drop-down list, select the rule that will determine the access of applications to
encrypted files.
f. In the Actions for applications that were selected earlier drop-down list, select the action to be taken by
Kaspersky Endpoint Security on encrypted file access rules that were previously formed for such
applications.
The details of an encrypted file access rule for applications appear in the table on the Rules for applications
tab.
8. If you want to manually select applications, click the Add button and in the drop-down list select the Custom
applications item.
a. In the entry field, type the name or list of names of executable application files, including their extensions.
You can also add the names of executable files of applications from the Kaspersky Security Center list by
clicking the Add from Kaspersky Security Center list button.
c. In the Rule for applications drop-down list, select the rule that will determine the access of applications to
encrypted files.
The details of an encrypted file access rule for applications appear in the table on the Rules for applications
tab.
Files that were created or modified by the specified applications before the encryption rule was applied will
not be encrypted.
To configure encryption of files that are created or modified by specific applications:
3. Select the necessary policy and double-click to open the policy properties.
Encryption rules are applied only in According to rules mode. After applying encryption rules in According
to rules mode, if you switch to Leave unchanged mode, Kaspersky Endpoint Security will ignore all
encryption rules. Files that were previously encrypted will remain encrypted.
6. In the right part of the window, select the Rules for applications tab.
7. If you want to select applications exclusively from the Kaspersky Security Center list, click the Add button and
in the drop-down list select the Applications from Kaspersky Security Center list item.
a. Specify the filters to narrow down the list of applications in the table. To do so, specify the values of the
Application, Vendor, and Period added parameters, and all check boxes from the Group block.
b. Click Refresh.
The table lists applications that match the applied filters.
c. In the Application column, select the check boxes next to the applications whose created files you want to
encrypt.
d. In the Rule for applications drop-down list, select Encrypt all created files.
e. In the Actions for applications that were selected earlier drop-down list, select the action to be taken by
Kaspersky Endpoint Security on file encryption rules that were previously formed for such applications.
Information about the encryption rule for files created or modified by selected applications is displayed in the
table on the Rules for applications tab.
8. If you want to manually select applications, click the Add button and in the drop-down list select the Custom
applications item.
a. In the entry field, type the name or list of names of executable application files, including their extensions.
You can also add the names of executable files of applications from the Kaspersky Security Center list by
clicking the Add from Kaspersky Security Center list button.
c. In the Rule for applications drop-down list, select Encrypt all created files.
Information about the encryption rule for files created or modified by selected applications is displayed in the
table on the Rules for applications tab.
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Data Encryption → File Level Encryption.
6. On the Decryption tab, click the Add button, and in the drop-down list select one of the following items:
a. Select the Predefined folders item to add files from folders of local user profiles suggested by Kaspersky
experts to a decryption rule.
b. Select the Custom folder item to add a manually entered folder path to a decryption rule.
c. Select the Files by extension item to add individual file extensions to a decryption rule. Kaspersky Endpoint
Security does not encrypt files with the specified extensions on all local drives of the computer.
d. Select the Files by groups of extensions item to add groups of file extensions to a decryption rule (for
example, Microsoft Office documents). Kaspersky Endpoint Security does not encrypt files that have the
extensions listed in the groups of extensions on all local drives of the computer.
If the same file has been added to the encryption rule and the decryption rule, Kaspersky Endpoint Security
does not encrypt this file if it is not encrypted, and decrypts the file if it is encrypted.
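The interaction of encryption and decryption rules, stated in the list of special features of file encryption earlier and again in the sentence just above, as an added Python model that is not Kaspersky code. It also goes beyond those two passages to cover the rule types (predefined folders, custom folder paths with their environment-variable rule, extensions and extension groups), the fixed encryption exclusions and the OneDrive exception. The environment variables, profile folders and extension group contents are constructed samples; %WINDIR% is the only exclusion the page lists, so it is the only one modelled, and real product behaviour may differ in details not described here.

```python
"""Added example, not Kaspersky code: how File Level Encryption rules decide
what happens to a file. Covers predefined folders, custom folders, extensions,
extension groups, the fixed encryption exclusions, the OneDrive exception, the
"file in both rules" case and the "moved encrypted file stays encrypted" case.

Assumptions: ENV, PREDEFINED_FOLDERS and EXTENSION_GROUPS are constructed
samples; %WINDIR% is the only exclusion shown on the page.
"""
import ntpath
import re
from dataclasses import dataclass
from enum import Enum
from typing import List


class Action(Enum):
    ENCRYPT = "encrypt"
    DECRYPT = "decrypt"
    LEAVE = "leave unchanged"


# Constructed sample environment of one local user profile.
ENV = {"WINDIR": r"C:\Windows", "USERPROFILE": r"C:\Users\alice"}
PREDEFINED_FOLDERS = {
    "Documents": r"%USERPROFILE%\Documents",
    "Favorites": r"%USERPROFILE%\Favorites",
    "Desktop": r"%USERPROFILE%\Desktop",
}
EXTENSION_GROUPS = {"Microsoft Office documents": {"doc", "docx", "xls", "xlsx", "ppt", "pptx"}}
ENCRYPTION_EXCLUSIONS = [r"%WINDIR%"]  # fixed, not editable; only %WINDIR% is shown on the page

ENV_VAR = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")


def custom_folder_problems(path: str) -> List[str]:
    """Custom folder rule: at most one environment variable, and only at the start of the path."""
    problems = []
    found = list(ENV_VAR.finditer(path))
    if len(found) > 1:
        problems.append("more than one environment variable")
    if found and found[0].start() != 0:
        problems.append("environment variable is not at the beginning of the path")
    return problems


def expand(path: str) -> str:
    """Expand %VAR% using the constructed ENV; unknown variables are left untouched."""
    return ENV_VAR.sub(lambda m: ENV.get(m.group(1), m.group(0)), path)


def is_under(path: str, folder: str) -> bool:
    """Case-insensitive test that path is folder itself or lies below it (Windows semantics)."""
    p = ntpath.normcase(ntpath.normpath(expand(path)))
    f = ntpath.normcase(ntpath.normpath(expand(folder)))
    return p == f or p.startswith(f + "\\")


def in_onedrive(path: str) -> bool:
    """Files in OneDrive storage or in any folder named OneDrive are never encrypted."""
    return any(part.lower() == "onedrive" for part in expand(path).split("\\"))


@dataclass(frozen=True)
class Rule:
    kind: str   # "predefined", "folder", "extension" or "group"
    value: str

    def matches(self, path: str) -> bool:
        if self.kind == "predefined":
            return is_under(path, PREDEFINED_FOLDERS[self.value])
        if self.kind == "folder":
            problems = custom_folder_problems(self.value)
            if problems:
                raise ValueError(f"invalid custom folder {self.value!r}: " + "; ".join(problems))
            return is_under(path, self.value)
        ext = ntpath.splitext(path)[1].lstrip(".").lower()
        if self.kind == "extension":
            return ext == self.value.lower()
        if self.kind == "group":
            return ext in EXTENSION_GROUPS[self.value]
        raise ValueError(f"unknown rule kind {self.kind!r}")


@dataclass
class FlePolicy:
    encryption: List[Rule]
    decryption: List[Rule]

    def decide(self, path: str, currently_encrypted: bool) -> Action:
        """Action taken on `path` the next time the policy is evaluated."""
        if any(r.matches(path) for r in self.decryption):
            # Decryption rule wins: decrypt if encrypted, otherwise leave the file alone.
            return Action.DECRYPT if currently_encrypted else Action.LEAVE
        if currently_encrypted:
            # An encrypted file stays encrypted wherever it is moved on a local drive.
            return Action.LEAVE
        if any(is_under(path, ex) for ex in ENCRYPTION_EXCLUSIONS) or in_onedrive(path):
            # Excluded locations are never encrypted even when an encryption rule covers them.
            return Action.LEAVE
        if any(r.matches(path) for r in self.encryption):
            return Action.ENCRYPT
        return Action.LEAVE


if __name__ == "__main__":
    policy = FlePolicy(
        encryption=[Rule("predefined", "Documents"), Rule("group", "Microsoft Office documents")],
        decryption=[Rule("folder", r"%USERPROFILE%\Documents\Public")])
    for sample, enc in [(r"C:\Users\alice\Documents\plan.txt", False),
                        (r"C:\Users\alice\Documents\Public\notes.txt", True),
                        (r"C:\Windows\Temp\report.docx", False)]:
        print(sample, "->", policy.decide(sample, enc).value)
```

The order of the checks in decide is the point: the decryption list is consulted first, an already encrypted file is never touched by encryption rules, and the exclusion list is applied before any encryption rule, which is why adding %WINDIR% to the encryption list has no effect.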
3. Select the necessary policy and double-click to open the policy properties.
6. Remove files and folders that you want to decrypt from the encryption list. To do so, select files and select the
Delete rule and decrypt files item in the context menu of the Remove button.
Files and folders removed from the encryption list are automatically added to the decryption list.
As soon as the policy is applied, Kaspersky Endpoint Security decrypts encrypted files that are added to the
decryption list.
Kaspersky Endpoint Security decrypts encrypted files if their parameters (file path / file name / file extension)
change to match the parameters of objects added to the decryption list.
Kaspersky Endpoint Security postpones the decryption of open files until they are closed.
Creating encrypted packages
To protect your data when sending files to users outside the corporate network, you can use encrypted packages.
Encrypted packages can be convenient for transferring large files on removable drives, as email clients have file
size restrictions.
Before creating encrypted packages, Kaspersky Endpoint Security will prompt the user for a password. To reliably
protect the data, you can enable password strength check and specify password strength requirements. This will
prevent users from using short and simple passwords, for example, 1234.
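An added example, not Kaspersky code, of the kind of password strength check enforced before an encrypted package is created. The specific criteria (minimum length, number of character classes, no long runs of repeated or sequential characters, no common fragments) are assumptions, since the page only says that such requirements are configurable; the weak policy beside the strong one shows why a password such as 1234 slips through when the check is effectively disabled.

```python
"""Added example, not Kaspersky code: password strength check of the kind the
policy applies before an encrypted package is created. The criteria used
here are assumptions; the page only states that strength requirements can be
configured and that trivial passwords such as 1234 should be rejected.
"""
import string
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    min_classes: int = 3       # out of lowercase, uppercase, digits, punctuation
    max_run: int = 3           # longest tolerated run such as "aaa" or "abc"
    banned: FrozenSet[str] = frozenset({"password", "qwerty", "1234", "admin", "letmein"})


STRONG_POLICY = PasswordPolicy()
# A policy with the check effectively disabled, for comparison.
WEAK_POLICY = PasswordPolicy(min_length=4, min_classes=1, max_run=64, banned=frozenset())

CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "punctuation": set(string.punctuation),
}


def longest_run(password: str) -> int:
    """Length of the longest run of identical or adjacent characters ("1234", "aaaa", "dcba")."""
    if not password:
        return 0
    best = run = 1
    for prev, cur in zip(password, password[1:]):
        if abs(ord(cur) - ord(prev)) <= 1:
            run += 1
            best = max(best, run)
        else:
            run = 1
    return best


def check_password(password: str, policy: PasswordPolicy = STRONG_POLICY) -> List[str]:
    """Return the list of violated criteria; an empty list means the password is accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    classes = sum(1 for chars in CHARACTER_CLASSES.values() if any(c in chars for c in password))
    if classes < policy.min_classes:
        problems.append(f"uses {classes} character class(es), {policy.min_classes} required")
    if longest_run(password) > policy.max_run:
        problems.append(f"contains a run of repeated or sequential characters longer than {policy.max_run}")
    lowered = password.lower()
    if any(fragment in lowered for fragment in policy.banned):
        problems.append("contains a common password fragment")
    return problems


if __name__ == "__main__":
    for candidate in ("1234", "Correct-Horse-Battery-42"):
        print(f"{candidate!r}: strong policy -> {check_password(candidate) or 'accepted'}")
        print(f"{candidate!r}: weak policy   -> {check_password(candidate, WEAK_POLICY) or 'accepted'}")
```

Because the encrypted package is self-extracting and the password cannot be recovered, the check is the only control over how much brute-force resistance the package has once it leaves the network; reporting every violated criterion rather than the first lets the user fix the password in one attempt.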
How to enable password strength check when creating encrypted archives in the Administration Console (MMC)
3. Select the necessary policy and double-click to open the policy properties.
How to enable password strength check when creating encrypted archives in the Web Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Encrypted package password settings block, configure the password strength criteria required
when creating encrypted packages.
You can create encrypted packages on computers with Kaspersky Endpoint Security installed with File Level
Encryption available.
When adding a file to the encrypted package whose contents reside in OneDrive cloud storage, Kaspersky
Endpoint Security downloads the contents of the file and performs encryption.
2. In the context menu, select New encrypted package (see figure below).
3. In the window that opens, specify the password and confirm it.
The password must meet the complexity criteria specified in the policy.
4. Click Create.
The encrypted package creation process starts. Kaspersky Endpoint Security does not perform file
compression when it creates an encrypted package. When the process finishes, a self-extracting password-
protected encrypted package (an executable file with the .exe extension) is created in the selected destination
folder.
To access files in an encrypted package, double-click it to start the Unpacking Wizard, then enter the password. If
you forgot or lost your password, it is not possible to recover it and access the files in the encrypted package. You
can recreate the encrypted package.
The user's computer stores encryption keys, but there is no connection with Kaspersky Security Center for
managing them. In this case, the user must request access to encrypted files from the LAN administrator.
If access to Kaspersky Security Center does not exist, you must:
request an access key for access to encrypted files on computer hard drives;
to access encrypted files that are stored on removable drives, request separate access keys for encrypted
files on each removable drive.
Encryption components are deleted from the user's computer. In this event, the user may open encrypted files
on local and removable disks but the contents of those files will appear encrypted.
The user may work with encrypted files under the following circumstances:
Files are placed inside encrypted packages created on a computer with Kaspersky Endpoint Security
installed.
Files are stored on removable drives on which portable mode has been allowed.
To gain access to encrypted files, the user needs to start the recovery procedure (Request-Response).
1. The user sends a request access file to the administrator (see the figure below).
2. The administrator adds the request access file to Kaspersky Security Center, creates an access key file and
sends the file to the user.
3. The user adds the access key file to Kaspersky Endpoint Security and gains access to the files.
To start the recovery procedure, the user needs to attempt to access a file. As a result, Kaspersky Endpoint
Security will create a request access file (a file with the KESDC extension), which the user needs to send to the
administrator, for example, by email.
Kaspersky Endpoint Security generates a request access file for access to all encrypted files stored on the
computer's drive (local drive or removable drive).
How to obtain an encrypted data access key file in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. On the Devices tab, select the computer of the user requesting access to encrypted data and right-click
to open the context menu.
7. In the window for selecting a request access file, specify the path to the file received from the user.
You will see information about the user's request. Kaspersky Security Center generates a key file. Email the
generated encrypted data access key file to the user. Or save the access file and use any available method
to transfer the file.
1. In the main window of the Web Console, select Devices → Managed devices.
2. Select the check box next to the name of the computer whose data you want to restore access to.
5. Click the Select file button and select the request access file that you received from the user (a file with
the KESDC extension).
The Web Console will display information about the request. This will include the name of the computer on
which the user is requesting access to the file.
6. Click the Save key button and select a folder to save the encrypted data access key file (a file with the
KESDR extension).
As a result, you will be able to obtain the encrypted data access key, which you will need to transfer to the
user.
After receiving the encrypted data access key file, the user needs to run the file by double-clicking it. As a result,
Kaspersky Endpoint Security will grant access to all encrypted files stored on the drive. To access encrypted files
that are stored on other drives, you must obtain a separate access key file for each drive.
You can restore access to data after operating system failure only for file level encryption (FLE). You cannot
restore access to data if full disk encryption (FDE) is used.
3. Establish a connection between the computer and the Kaspersky Security Center Administration Server that
controlled the computer when the data was encrypted.
Access to encrypted data will be granted under the same conditions that applied before operating system
failure.
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Data Encryption → Common encryption settings.
If you want to edit the user message template, select the User's message tab. The following window opens
when the user attempts to access an encrypted file while there is no key available on the computer for
access to encrypted files (see figure below). Clicking the Send by e-mail button automatically creates a
user message. This message is sent to the corporate LAN administrator along with the file requesting
access to encrypted files.
If you want to edit the administrator message template, select the Administrator's message tab. The user
receives this message after access to encrypted files is granted.
This component is available if Kaspersky Endpoint Security is installed on a computer that runs on Windows
for workstations. This component is unavailable if Kaspersky Endpoint Security is installed on a computer that
runs on Windows for servers.
Kaspersky Endpoint Security supports encryption of files in FAT32 and NTFS file systems. If a removable drive
with an unsupported file system is connected to the computer, the encryption task for this removable drive
ends with an error and Kaspersky Endpoint Security assigns the read-only status to the removable drive.
To protect data on removable drives, you can use the following types of encryption:
Encryption of the entire removable drive, including the file system.
It is not possible to access encrypted data outside the corporate network. It is also impossible to access
encrypted data inside the corporate network if the computer is not connected to Kaspersky Security
Center (e.g. on a guest computer).
Encryption of files on removable drives provides the capability to access data outside the corporate
network using a special mode called portable mode.
During encryption, Kaspersky Endpoint Security creates a master key. Kaspersky Endpoint Security saves the
master key in the following repositories:
User's computer.
The master key is encrypted with the user's secret key.
Removable drive.
The master key is encrypted with the public key of Kaspersky Security Center.
After encryption is complete, the data on the removable drive can be accessed within the corporate network as if
it were on an ordinary unencrypted removable drive.
When a removable drive with encrypted data is connected, Kaspersky Endpoint Security performs the following
actions:
1. Checks for a master key in the local storage on the user's computer.
If the master key is found, the user gains access to the data on the removable drive.
If the master key is not found, Kaspersky Endpoint Security performs the following actions:
b. Kaspersky Endpoint Security saves the master key in the local storage on the user's computer for
subsequent operations with the encrypted removable drive.
The policy with preset settings for removable drive encryption is formed for a specific group of managed
computers. Therefore, the result of applying the Kaspersky Security Center policy configured for
encryption / decryption of removable drives depends on the computer to which the removable drive is
connected.
Kaspersky Endpoint Security does not encrypt / decrypt read-only files that are stored on removable drives.
Kaspersky Endpoint Security supports encryption of files in FAT32 and NTFS file systems. If a removable drive
with an unsupported file system is connected to the computer, the encryption task for this removable drive
ends with an error and Kaspersky Endpoint Security assigns the read-only status to the removable drive.
Before encrypting files on a removable drive, make sure it is formatted and there are no hidden partitions
(such as an EFI system partition). If the drive contains unformatted or hidden partitions, file encryption may
fail with an error.
3. Select the necessary policy and double-click to open the policy properties.
5. In the Encryption mode drop-down list, select the default action that you want Kaspersky Endpoint Security to
perform on removable drives:
Encrypt entire removable drive (FDE). Kaspersky Endpoint Security encrypts the contents of a removable
drive sector by sector. As a result, the application encrypts not only the files stored on the removable drive
but also its file systems, including the file names and folder structures on the removable drive.
Encrypt all files (FLE). Kaspersky Endpoint Security encrypts all files that are stored on removable drives.
The application does not encrypt the file systems of removable drives, including the names of files and
folder structures.
Encrypt new files only (FLE). Kaspersky Endpoint Security encrypts only those files that have been added
to removable drives or that were stored on removable drives and have been modified after the Kaspersky
Security Center policy was last applied.
Kaspersky Endpoint Security does not encrypt a removable drive that is already encrypted.
6. If you want to use portable mode for encryption of removable drives, select the Portable mode check box.
Portable mode is a mode of file encryption (FLE) on removable drives that provides the ability to access data
outside of a corporate network. Portable mode also lets you work with encrypted data on computers that do
not have Kaspersky Endpoint Security installed.
7. If you want to encrypt a new removable drive, it is recommended to select the Encrypt used disk space only
check box. If the check box is cleared, Kaspersky Endpoint Security will encrypt all files, including the residual
fragments of deleted or modified files.
8. If you want to configure encryption for individual removable drives, define encryption rules.
9. If you want to use full disk encryption of removable drives in offline mode, select the Allow encryption of
removable drives in offline mode check box.
Offline encryption mode refers to encryption of removable drives (FDE) when there is no connection to
Kaspersky Security Center. During encryption, Kaspersky Endpoint Security saves the master key only on the
user's computer. Kaspersky Endpoint Security will send the master key to Kaspersky Security Center during the
next synchronization.
If the computer on which the master key is saved is corrupted and data is not sent to Kaspersky Security
Center, it is not possible to obtain access to the removable drive.
If the Allow encryption of removable drives in offline mode check box is cleared and there is no connection to
Kaspersky Security Center, removable drive encryption is not possible.
After the policy is applied, when the user connects a removable drive or if a removable drive is already
connected, Kaspersky Endpoint Security prompts the user for confirmation to perform the encryption
operation (see the figure below).
If the user confirms the encryption request, Kaspersky Endpoint Security encrypts the data.
If the user declines the encryption request, Kaspersky Endpoint Security leaves the data unchanged and
assigns read-only access for this removable drive.
If the user does not respond to the encryption request, Kaspersky Endpoint Security leaves the data
unchanged and assigns read-only access for this removable drive. The application prompts for confirmation
again when subsequently applying a policy or the next time this removable drive is connected.
If the user initiates safe removal of a removable drive during data encryption, Kaspersky Endpoint Security
interrupts the data encryption process and allows removal of the removable drive before the encryption process
has finished. Data encryption will be continued the next time the removable drive is connected to this computer.
If encryption of a removable drive failed, view the Data Encryption report in the Kaspersky Endpoint Security
interface. Access to files may be blocked by another application. In this case, try unplugging the removable
drive from the computer and connecting it again.
Removable drive encryption request
3. Select the necessary policy and double-click to open the policy properties.
5. Click the Add button, and in the drop-down list select one of the following items:
If you want to add encryption rules for removable drives that are in the list of trusted devices of the Device
Control component, select From list of trusted devices of this policy.
If you want to add encryption rules for removable drives that are in the Kaspersky Security Center list,
select From Kaspersky Security Center list of devices.
6. In the Encryption mode for selected devices drop-down list, select the action to be performed by Kaspersky
Endpoint Security on files stored on the selected removable drives.
7. Select the Portable mode check box if you want Kaspersky Endpoint Security to prepare removable drives
before encryption, making it possible to use encrypted files stored on them in portable mode.
Portable mode lets you use encrypted files stored on removable drives that are connected to computers
without encryption functionality.
8. Select the Encrypt used disk space only check box if you want Kaspersky Endpoint Security to encrypt only
those disk sectors that are occupied by files.
If you are applying encryption on a drive that is already in use, it is recommended to encrypt the entire drive.
This ensures that all data is protected – even deleted data that might still contain retrievable information. The
Encrypt used disk space only function is recommended for new drives that have not been previously used.
If a device was previously encrypted using the Encrypt used disk space only function, after applying a
policy in Encrypt entire removable drive mode, sectors that are not occupied by files will still not be
encrypted.
9. In the Actions for devices that were selected earlier drop-down list, select the action to be performed by
Kaspersky Endpoint Security according to encryption rules that had been previously defined for removable
drives:
If you want the previously created encryption rule for the removable drive to remain unchanged, select Skip.
If you want the previously created encryption rule for the removable drive to be replaced by the new rule,
select Refresh.
The added encryption rules for removable drives will be applied to removable drives connected to any
computers in the organization.
How to export and import a list of removable drive encryption rules in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
a. Select the rules that you want to export. To select multiple rules, use the CTRL or SHIFT keys.
If you did not select any rule, Kaspersky Endpoint Security will export all rules.
c. In the window that opens, specify the name of the XML file to which you want to export the list of rules,
and select the folder in which you want to save this file.
How to export and import a list of removable drive encryption rules in the Web Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Encryption rules for selected devices block, click the Encryption rules link.
This opens a list of encryption rules for removable drives.
b. Click Export.
c. Confirm that you want to export only the selected rules, or export the entire list.
There is no connection between the computer and the Kaspersky Security Center Administration Server.
The infrastructure has changed with the change of the Kaspersky Security Center Administration Server.
Portable File Manager
To work in portable mode, Kaspersky Endpoint Security installs a special encryption module named Portable File
Manager on a removable drive. The Portable File Manager provides an interface for working with encrypted data if
Kaspersky Endpoint Security is not installed on the computer (see the figure below). If Kaspersky Endpoint
Security is installed on your computer, you can work with encrypted removable drives using your usual file manager
(for example, Explorer).
The Portable File Manager stores a key to encrypt files on a removable drive. The key is encrypted with the user
password. The user sets a password before encrypting files on a removable drive.
The Portable File Manager starts automatically when a removable drive is connected to a computer on which
Kaspersky Endpoint Security is not installed. If automatic startup of applications is disabled on the computer,
manually start the Portable File Manager. To do so, run the file named pmv.exe that is stored on the removable
drive.
How to enable portable mode support for working with encrypted files on removable drives in the Administration
Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
5. In the Encryption mode for selected devices drop-down list, select Encrypt all files or Encrypt new files
only.
Portable mode is available only with File Level Encryption (FLE). It is not possible to enable portable
mode support for Full Disk Encryption (FDE).
9. After applying the policy, connect the removable drive to the computer.
11. Specify a password that meets the strength requirements and con rm it.
How to enable portable mode support for working with encrypted files on removable drives in the Web Console
1. In the main window of the Web Console, select Devices → Policies & pro les.
5. In the Manage encryption block, select Encrypt all files or Encrypt new files only.
Portable mode is available only with File Level Encryption (FLE). It is not possible to enable portable
mode support for Full Disk Encryption (FDE).
9. After applying the policy, connect the removable drive to the computer.
11. Specify a password that meets the strength requirements and con rm it.
Kaspersky Endpoint Security will encrypt files on the removable drive. The Portable File Manager used for working
with encrypted files will also be added to the removable drive. If there are already encrypted files on the removable
drive, Kaspersky Endpoint Security will encrypt them again using its own key. This allows the user to access all files
on the removable drive in portable mode.
If Kaspersky Endpoint Security is not installed on the computer, the Portable File Manager will prompt you to
enter a password. You will need to enter the password each time you restart the computer or reconnect the
removable drive.
If the computer is located outside the corporate network and Kaspersky Endpoint Security is installed on the
computer, the application will prompt you to enter the password or send the administrator a request to access
the files. After gaining access to files on a removable drive, Kaspersky Endpoint Security will save the secret key
in the computer's key storage. This will allow access to files in the future without entering a password or asking
the administrator (see the figure below).
If the computer is located inside the corporate network and Kaspersky Endpoint Security is installed on the
computer, you will get access to the device without entering a password. Kaspersky Endpoint Security will
receive the secret key from the Kaspersky Security Center Administration Server to which the computer is
connected.
If you have forgotten the password for working in portable mode, you need to connect the removable drive to a
computer with Kaspersky Endpoint Security installed inside the corporate network. You will get access to the files
because the secret key is stored in the computer's key storage or on the Administration Server. Decrypt and
re-encrypt files with a new password.
Features of portable mode when connecting a removable drive to a computer from another
network
If the computer is located outside the corporate network and Kaspersky Endpoint Security is installed on the
computer, you can access the files in the following ways:
Password-based access
After entering the password, you will be able to view, modify, and save files on the removable drive (transparent
access). Kaspersky Endpoint Security can set a read-only access right for a removable drive if the following
parameters are configured in the policy settings for encryption of removable drives:
The Encrypt all files or Encrypt new files only mode is selected.
In all other cases, you will get full access to the removable drive (read/write permission). You will be able to add
and delete files.
You can change the removable drive access permissions even while the removable drive is connected to the
computer. If the removable drive access permissions are changed, Kaspersky Endpoint Security will block
access to the files and prompt you for the password again.
After entering the password, you cannot apply encryption policy settings for the removable drive. In this case, it
is impossible to decrypt or re-encrypt files on the removable drive.
1. Open the Kaspersky Security Center Administration Console.
3. On the Devices tab, select the computer of the user requesting access to encrypted data and right-click
to open the context menu.
7. In the window for selecting a request access file, specify the path to the file received from the user.
You will see information about the user's request. Kaspersky Security Center generates a key file. Email
the generated encrypted data access key file to the user. Or save the access file and use any available
method to transfer the file.
1. In the main window of the Web Console, select Devices → Managed devices.
2. Select the check box next to the name of the computer whose data you want to restore access to.
5. Click the Select file button and select the request access file that you received from the user (a file
with the KESDC extension).
The Web Console will display information about the request. This will include the name of the computer
on which the user is requesting access to the file.
6. Click the Save key button and select a folder to save the encrypted data access key file (a file with the
KESDR extension).
As a result, you will be able to obtain the encrypted data access key, which you will need to transfer to
the user.
3. Select the necessary policy and double-click to open the policy properties.
5. If you want to decrypt all encrypted files that are stored on removable drives, in the Encryption mode drop-
down list select Decrypt entire removable drive.
6. To decrypt data that is stored on individual removable drives, edit the encryption rules for removable drives
whose data you want to decrypt. To do so:
a. In the list of removable drives for which encryption rules have been con gured, select an entry
corresponding to the removable drive you need.
b. Click the Set a rule button to edit the encryption rule for the selected removable drive.
c. In the context menu of the Set a rule button, select the Decrypt entire removable drive item.
As a result, if a user connects a removable drive or if it is already connected, Kaspersky Endpoint Security
decrypts the removable drive. The application warns the user that the decryption process may take some time.
If the user initiates safe removal of a removable drive during data decryption, Kaspersky Endpoint Security
interrupts the data decryption process and allows removal of the removable drive before the decryption
operation has nished. Data decryption will be continued the next time the removable drive is connected to the
computer.
If decryption of a removable drive failed, view the Data Encryption report in the Kaspersky Endpoint Security
interface. Access to files may be blocked by another application. In this case, try unplugging the removable
drive from the computer and connecting it again.
Does not meet the policy; canceled by user. The user has canceled data encryption.
Does not meet the policy due to an error. Data encryption error, for example, a license is missing.
Applying the policy. Reboot is required. Data encryption is in progress on the computer. Restart the computer
to complete data encryption.
Not supported. Data encryption components are not installed on the computer.
Applying the policy. Data encryption and / or decryption is in progress on the computer.
3. On the Devices tab in the workspace, slide the scroll bar all the way to the right. If the Encryption status
column is not displayed, add this column in Kaspersky Security Center console settings.
The Encryption status column shows the encryption status of data on computers in the selected
administration group. This status is formed based on information about file encryption on local drives of the
computer, and about full disk encryption.
4. If the status of data encryption for the computer is Applying policy, you can monitor the encryption progress
panel:
a. Open the properties of the computer with the Applying policy status by double-clicking it.
c. In the list of Kaspersky applications installed on the computer, select Kaspersky Endpoint Security for
Windows.
d. Click Statistics.
e. Under Encryption of devices you can see the current progress of data encryption as a percentage.
3. In the workspace to the right of the Administration Console tree, select the Statistics tab.
4. Create a new page with details panes containing data encryption statistics. To do so:
c. This opens a window; in that window, in the General section, enter the name of the page.
e. In the window that opens in the Protection status group, select the Encryption of devices item.
f. Click OK.
g. If necessary, edit the settings of the details pane. To do so, use the View and Devices sections.
h. Click OK.
i. Repeat steps d – h of the instructions, selecting the Encryption of removable drives item in the Protection
status section.
The details panes added appear in the Information panels list.
j. Click OK.
The name of the page with details panes created at the previous steps appears in the Pages list.
5. On the Statistics tab, open the page that was created during the previous steps of the instructions.
The details panes appear, showing the encryption status of computers and removable drives.
Viewing file encryption errors on local computer drives
To view the file encryption errors on local computer drives:
3. On the Devices tab, select the name of the computer in the list and right-click it to open the context menu.
4. In the context menu of the computer, select the Properties item. In the window that opens, select the
Protection section.
5. Click the View data encryption errors link to open the Data encryption errors window.
This window shows the details of file encryption errors on local computer drives. When an error is corrected,
Kaspersky Security Center removes the error details from the Data encryption errors window.
Report on encryption status of managed devices. The report includes information on whether the encryption
status of the computer complies with the encryption policy.
Report on encryption status of mass storage devices. The report includes information about the encryption
status of external devices and storage devices.
Report on rights to access encrypted drives. The report includes information about the status of accounts
that have access to encrypted drives.
Report on file encryption errors. The report includes information about errors that occurred during the
execution of data encryption or decryption tasks on computers.
Report on blockage of access to encrypted files. The report includes information about applications being
blocked from gaining access to encrypted files.
2. In the Administration Server node of the Administration Console tree, select the Reports tab.
4. Follow the instructions of the Report Template Wizard. In the Selecting the report template type window in
the Other section, select one of the data encryption reports.
After you have finished with the New Report Template Wizard, the new report template appears in the table on
the Reports tab.
5. Select the report template that was created at the previous steps of the instructions.
The report generation process starts. The report is displayed in a new window.
A user may be required to request access to encrypted devices in the following cases:
The encryption key for a device is not on the computer (for example, upon the rst attempt to access the
encrypted removable drive on the computer), and the computer is not connected to Kaspersky Security
Center.
After the user has applied the access key to the encrypted device, Kaspersky Endpoint Security saves the
encryption key on the user's computer and allows access to this device upon subsequent access attempts
even if there is no connection to Kaspersky Security Center.
1. The user uses the Kaspersky Endpoint Security application interface to create a request access file with the
kesdc extension and sends it to the corporate LAN administrator.
2. The administrator uses the Kaspersky Security Center Administration Console to create an access key file with
the kesdr extension and sends it to the user.
A user can use the Encrypted Device Restore Utility (hereinafter referred to as the Restore Utility) to work with
encrypted devices. This may be required in the following cases:
The procedure for using an access key to obtain access was unsuccessful.
Encryption components have not been installed on the computer with the encrypted device.
The data needed to restore access to encrypted devices using the Restore Utility resides in the memory of
the user's computer in unencrypted form for some time. To reduce the risk of unauthorized access to such
data, you are advised to restore access to encrypted devices on trusted computers.
1. The user uses the Restore Utility to create a request access file with the fdertc extension and sends it to the
corporate LAN administrator.
2. The administrator uses the Kaspersky Security Center Administration Console to create an access key file with
the fdertr extension and sends it to the user.
3. The user applies the access key.
To restore data on encrypted system hard drives, the user can also specify the Authentication Agent account
credentials in the Restore Utility. If the metadata of the Authentication Agent account has been corrupted,
the user must complete the restoration procedure using a request access file.
Before restoring data on encrypted devices, it is recommended to cancel the Kaspersky Security Center policy or
disable encryption in the Kaspersky Security Center policy settings on the computer where the procedure will be
performed. This prevents the device from being encrypted again.
Data recovery on a drive protected by Kaspersky Disk Encryption technology consists of the following steps:
2. Connect a drive to a computer that does not have Kaspersky Endpoint Security encryption components
installed.
4. Access data on the drive. To do so, enter the credentials of the Authentication Agent or start the recovery
procedure (Request-Response).
3. Click the Create Stand-alone Restore Utility button in the window of Restore Utility.
As a result, the executable file of the Restore Utility (fdert.exe) will be saved in the specified folder. Copy the
Restore Utility to a computer that does not have Kaspersky Endpoint Security encryption components. This
prevents the drive from being encrypted again.
The data needed to restore access to encrypted devices using the Restore Utility resides in the memory of
the user's computer in unencrypted form for some time. To reduce the risk of unauthorized access to such
data, you are advised to restore access to encrypted devices on trusted computers.
1. Run the file named fdert.exe, which is the executable file of the Restore Utility. This file is created by Kaspersky
Endpoint Security.
2. In the Restore Utility window, select the encrypted device to which you want to restore access.
3. Click the Scan button to allow the utility to define which of the actions should be taken on the device: whether
it should be unlocked or decrypted.
If the computer has access to Kaspersky Endpoint Security encryption functionality, the Restore Utility
prompts you to unlock the device. While unlocking the device does not decrypt it, the device becomes directly
accessible as a result of being unlocked. If the computer does not have access to Kaspersky Endpoint Security
encryption functionality, the Restore Utility prompts you to decrypt the device.
4. If you want to save diagnostic information, click the Save diagnostics button.
The utility will save an archive with files containing diagnostic information.
5. Click the Fix MBR button if diagnostics of the encrypted system hard drive has returned a message about
problems involving the master boot record (MBR) of the device.
Fixing the master boot record of the device can speed up the process of obtaining information that is needed
for unlocking or decrypting the device.
7. If you want to restore data using an Authentication Agent account, select the Use Authentication Agent
account settings option and enter the credentials of the Authentication Agent.
This method is possible only when restoring data on a system hard drive. If the system hard drive was corrupted
and Authentication Agent account data has been lost, you must obtain an access key from the corporate LAN
administrator to restore data on an encrypted device.
b. Click the Receive access key button and save the request access file to computer memory (a file with the
FDERTC extension).
Do not close the Receive device access key window until you have received the access key. When this
window is opened again, you will not be able to apply the access key that was previously created by the
administrator.
d. Receive and save the access file (a file with the FDERTR extension) created and sent to you by the
corporate LAN administrator (see the instructions below).
9. If you are decrypting a device, you must configure additional decryption settings:
If you want to decrypt the entire device, select the Decrypt entire device option.
If you want to decrypt a portion of the data on a device, select the Decrypt individual device areas
option and specify the decryption area boundaries.
If you want the data on the original device to be rewritten with the decrypted data, clear the Decrypt to
a disk image file check box.
If you want to save decrypted data separately from the original encrypted data, select the Decrypt to a
disk image file check box and use the Browse button to specify the path where to save the VHD file.
1. Open the Kaspersky Security Center Administration Console.
2. In the Administration Console tree, select the Advanced → Data encryption and
protection → Encrypted drives folder.
3. In the workspace, select the encrypted device for which you want to create an access key file, then in the
context menu of the device, click Get access to the device in Kaspersky Endpoint Security for
Windows.
If you are not sure for which computer the access request file was generated, in the Administration
Console tree select the Advanced → Data encryption and protection folder and in the workspace,
click Get device encryption key in Kaspersky Endpoint Security for Windows.
4. In the window that opens, select the encryption algorithm to use: AES256 or AES56.
The data encryption algorithm depends on the AES encryption library that is included in the distribution
package: Strong encryption (AES256) or Lite encryption (AES56). The AES encryption library is installed
together with the application.
5. Click Browse to open a window; in this window, specify the path to the request file with the fdertc
extension that was received from the user.
6. Click Unlock.
You will see information about the user's request. Kaspersky Security Center generates a key file. Email the
generated encrypted data access key file to the user. Or save the access file and use any available method
to transfer the file.
1. In the main window of the Web Console, select Operations → Data encryption and protection →
Encrypted drives.
2. Select the check box next to the name of the computer on which you want to recover data.
c. Select the request access file received from the user (a file with the FDERTC extension).
d. Select a folder to save the encrypted data access key file (a file with the FDERTR extension).
As a result, you will be able to obtain the encrypted data access key, which you will need to transfer to the
user.
You can load an image of the Windows operating system using the rescue disk and restore access to the
encrypted hard drive using Restore Utility included in the operating system image.
2. Create a custom image of the Windows pre-boot environment. While creating the custom image of the
Windows pre-boot environment, add the executable file of Restore Utility to the image.
3. Save the custom image of the Windows pre-installation environment to bootable media such as a CD or
removable drive.
Refer to Microsoft help files for instructions on creating a custom image of the Windows pre-boot environment
(for example, on Microsoft TechNet).
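The rescue-media build described above, as an added PowerShell example; this is not code from the Kaspersky Help or from Microsoft, and it assumes the Windows ADK with the WinPE add-on is installed at its default location, that fdert.exe was already exported with the Create Stand-alone Restore Utility button to C:\Tools\fdert.exe, and that the working folder and ISO path are as shown (all three paths are placeholders). It runs in an elevated PowerShell session:

```powershell
# Added example, not part of the Kaspersky Help: build WinPE rescue media that
# carries the stand-alone Restore Utility (fdert.exe), so an encrypted system
# drive can be unlocked or decrypted from bootable media.
# Assumptions (placeholders, adjust to your environment):
#   - Windows ADK + WinPE add-on installed at the default location
#   - fdert.exe already exported via "Create Stand-alone Restore Utility" to C:\Tools
#   - the script runs in an elevated PowerShell session
$ErrorActionPreference = 'Stop'

$AdkRoot   = "${env:ProgramFiles(x86)}\Windows Kits\10\Assessment and Deployment Kit"
$SetEnv    = Join-Path $AdkRoot 'Deployment Tools\DandISetEnv.bat'
$FdertPath = 'C:\Tools\fdert.exe'
$WorkDir   = 'C:\WinPE_fdert'
$IsoPath   = 'C:\WinPE_fdert_rescue.iso'

foreach ($p in $SetEnv, $FdertPath) {
    if (-not (Test-Path $p)) { throw "Required file not found: $p" }
}

# copype and MakeWinPEMedia are batch scripts that need the variables set by
# DandISetEnv.bat, so each one is run inside a cmd.exe that calls it first.
function Invoke-AdkCommand([string]$CommandLine) {
    & cmd.exe /c "call `"$SetEnv`" && $CommandLine"
    if ($LASTEXITCODE -ne 0) { throw "ADK command failed ($LASTEXITCODE): $CommandLine" }
}

# 1. Fresh WinPE working set (copype refuses to write into an existing folder).
if (Test-Path $WorkDir) { Remove-Item $WorkDir -Recurse -Force }
Invoke-AdkCommand "copype amd64 `"$WorkDir`""

# 2. Mount boot.wim and copy fdert.exe into System32, which is on the WinPE PATH,
#    so "fdert" can be typed at the WinPE command prompt after boot.
$BootWim  = Join-Path $WorkDir 'media\sources\boot.wim'
$MountDir = Join-Path $WorkDir 'mount'
& Dism.exe /Mount-Image /ImageFile:$BootWim /Index:1 /MountDir:$MountDir
if ($LASTEXITCODE -ne 0) { throw "DISM mount failed ($LASTEXITCODE)" }
try {
    Copy-Item $FdertPath (Join-Path $MountDir 'Windows\System32\fdert.exe') -Force
    & Dism.exe /Unmount-Image /MountDir:$MountDir /Commit
    if ($LASTEXITCODE -ne 0) { throw "DISM commit failed ($LASTEXITCODE)" }
} catch {
    # Never leave a half-modified image mounted: discard the changes and re-raise.
    & Dism.exe /Unmount-Image /MountDir:$MountDir /Discard
    throw
}

# 3. Produce an ISO. For a USB stick use: MakeWinPEMedia /UFD <workdir> <drive:>
Invoke-AdkCommand "MakeWinPEMedia /ISO `"$WorkDir`" `"$IsoPath`""

# 4. Record the hash of the media you hand out. The rescue image runs with full
#    access to an encrypted drive, so its integrity should be verifiable later.
Get-FileHash -Algorithm SHA256 -Path $IsoPath | Format-List Path, Hash
```

Boot the resulting media on the affected computer and run fdert from the WinPE command prompt; the rest of the procedure (Scan, unlock or decrypt, request and access key files) is the same as with the Restore Utility on a regular Windows installation. Keep the ISO and its hash under the same control as the access key files: the image is the tool an attacker would want in order to work on a stolen encrypted drive offline.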
Detection and Response solutions
Kaspersky Detection and Response solutions are security systems for detecting advanced threats and indicators
of attack on different levels of an organization's infrastructure. Detection and Response solutions provide
information about the detected threat and let you manage Threat Response actions.
Receive information about the operation of a computer, server, or other devices (telemetry).
Generate alert details as columns of the threat development chain for analysis and choosing Threat Response
actions.
Carry out Threat Response actions (for example, network isolation of the computer).
Kaspersky Endpoint Security supports Detection and Response solutions using a built-in agent. The built-in agent
sends telemetry to servers of solutions and carries out Threat Response actions. The built-in agent supports:
Kaspersky Anti Targeted Attack Platform (Endpoint Detection and Response component);
You can use Kaspersky Endpoint Security with Detection and Response solutions in different configurations, for
example, [MDR+EDR Optimum 2.0+Kaspersky Sandbox 2.0].
To use Kaspersky Endpoint Agent as part of Kaspersky solutions, you must activate those solutions with a
corresponding license key.
For complete information about the Kaspersky Endpoint Agent included in the software solution you are using, and
for complete information about the standalone solution, please refer to the Help Guide of the relevant product:
Kaspersky Endpoint Security version | Kaspersky Endpoint Agent version
11.8.0 | 3.11.0.216.mr1
11.7.0 | 3.11
11.6.0 | 3.10
11.5.0 | 3.9
11.4.0 | 3.9
11.3.0 | 3.9
11.2.0 | 3.9
Kaspersky is switching all Detection and Response to working with the Kaspersky Endpoint Security built-in agent
instead of Kaspersky Endpoint Agent. Kaspersky is gradually adding support for these solutions and phasing out
Kaspersky Endpoint Agent (see table below). Starting with version 12.1, the application supports all Detection and
Response solutions. In addition, starting with version 12.1, the application is no longer compatible with Kaspersky
Endpoint Agent, and installing both applications side by side on the same computer is no longer possible.
11.7.0 | Built-in agent | Built-in agent | Built-in agent | Kaspersky Endpoint Agent | Kaspersky Endpoint Agent
11.8.0 | Built-in agent | Built-in agent | Built-in agent | Built-in agent | Kaspersky Endpoint Agent
11.9.0 | Built-in agent | Built-in agent | Built-in agent | Built-in agent | Kaspersky Endpoint Agent
11.10.0 | Built-in agent | Built-in agent | Built-in agent | Built-in agent | Kaspersky Endpoint Agent
11.11.0 | Built-in agent | Built-in agent | Built-in agent | Built-in agent | Kaspersky Endpoint Agent
12 | Built-in agent | Built-in agent | Built-in agent | Built-in agent | Kaspersky Endpoint Agent
12.1 and higher | Built-in agent | Built-in agent | Built-in agent | Built-in agent | Built-in agent
Migrating the [KES+KEA] con guration to [KES+built-in agent] con guration
Kaspersky Endpoint Security includes built-in agents for working with Detection and Response solutions. You no
longer need a separate Kaspersky Endpoint Agent application to work with these solutions. When you deploy
Kaspersky Endpoint Security on computers that have Kaspersky Endpoint Agent installed, Detection and
Response solutions will continue working with Kaspersky Endpoint Security. In addition, Kaspersky Endpoint Agent
will be removed from the computer.
Distribution kit for Kaspersky Endpoint Security versions 11.2.0 – 11.8.0 includes Kaspersky Endpoint Agent. You
can select Kaspersky Endpoint Agent when installing Kaspersky Endpoint Security for Windows. As a result,
two applications will be installed on your computer: KEA and KES. In Kaspersky Endpoint Security 11.9.0 the
Kaspersky Endpoint Agent distribution package is no longer part of the Kaspersky Endpoint Security
distribution kit.
Migrating the [KES+KEA] con guration to [KES+built-in agent] involves the following steps:
Upgrade all Kaspersky Security Center components to version 13.2 or higher, including Network Agent on user
computers and Web Console.
In Kaspersky Security Center Web Console, upgrade the Kaspersky Endpoint Security web plug-in to version
11.7.0 or higher. To manage EDR Optimum and Kaspersky Sandbox components, you must use Web Console.
To use Kaspersky Anti Targeted Attack Platform (EDR), you will need a web plug-in for Kaspersky Endpoint
Security version 12.1 or later.
Use the Kaspersky Endpoint Agent Policy and Task Migration Wizard to migrate Kaspersky Endpoint Agent
settings to Kaspersky Endpoint Security for Windows.
This creates a new Kaspersky Endpoint Security policy. The new policy has the Inactive status. To apply the
policy, open policy properties, accept the Kaspersky Security Network Statement and set the status to Active.
4 Licensing functionality
If you use a common Kaspersky Endpoint Detection and Response Optimum or Kaspersky Optimum Security
license to activate Kaspersky Endpoint Security for Windows and Kaspersky Endpoint Agent, EDR Optimum
functionality will be activated automatically after upgrading the application to version 11.7.0. You do not need to
do anything else.
If you use a stand-alone Kaspersky Endpoint Detection and Response Optimum Add-on license to activate EDR
Optimum functionality, you must make sure that the EDR Optimum key is added to the Kaspersky Security
Center repository and the automatic license key distribution functionality is enabled. After you upgrade the
application to version 11.7.0, EDR Optimum functionality is activated automatically.
If you use a Kaspersky Endpoint Detection and Response Optimum or Kaspersky Optimum Security license to
activate Kaspersky Endpoint Agent, and a di erent license to activate Kaspersky Endpoint Security for
Windows, you must replace the Kaspersky Endpoint Security for Windows key with the common Kaspersky
Endpoint Detection and Response Optimum or Kaspersky Optimum Security key. You can replace the key using
the Add key task.
You do not need to activate Kaspersky Sandbox functionality. Kaspersky Sandbox functionality will be available
immediately after upgrading and activating Kaspersky Endpoint Security for Windows.
Only the Kaspersky Anti Targeted Attack Platform license can be used to activate Kaspersky Endpoint Security
as part of the Kaspersky Anti Targeted Attack Platform solution. After you upgrade the application to version
12.1, EDR (KATA) functionality is activated automatically. You do not need to do anything else.
To upgrade the application and migrate EDR Optimum and Kaspersky Sandbox functionality, a remote
installation task is recommended.
To upgrade the application using a remote installation task, you must edit the following settings:
Select components for Detection and Response solutions in the settings of the installation package.
Exclude the Kaspersky Endpoint Agent component in the settings of the installation package (for Kaspersky
Endpoint Security for Windows versions 11.2.0 – 11.8.0).
You can also upgrade the application using the following methods:
Kaspersky Endpoint Security supports automatically selecting components when upgrading the application on a
computer with the Kaspersky Endpoint Agent application installed. The automatic selection of components
depends on the permissions of the user account that is upgrading the application.
If you are upgrading Kaspersky Endpoint Security using the EXE or MSI le under the system account (SYSTEM),
Kaspersky Endpoint Security gains access to current licenses of Kaspersky solutions. Therefore, if the computer
has, for example, Kaspersky Endpoint Agent installed and the EDR Optimum solution activated, the Kaspersky
Endpoint Security installer automatically con gures the set of components and selects the EDR Optimum
component. This makes Kaspersky Endpoint Security switch to using the built-in agent and removes Kaspersky
Endpoint Agent. Running the MSI installer under the system account (SYSTEM) is usually performed when
upgrading via the Kaspersky update service (SMU) or when deploying an installation package via Kaspersky
Security Center.
If you are upgrading Kaspersky Endpoint Security using an MSI le under a non-privileged user account,
Kaspersky Endpoint Security lacks access to current licenses of Kaspersky solutions. In this case, Kaspersky
Endpoint Security automatically selects components based on Kaspersky Endpoint Agent con guration. After
that Kaspersky Endpoint Security switches to using the built-in agent and removes Kaspersky Endpoint Agent.
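Launching the MSI upgrade under SYSTEM on a computer that is not managed through Kaspersky Security Center, as an added PowerShell example (not from the Kaspersky Help). It registers a one-off scheduled task that runs msiexec as SYSTEM, so the installer can read the current solution licenses and select the Detection and Response components itself as described above, waits for the result, and then checks whether Kaspersky Endpoint Agent has been unregistered. The MSI path, log path and task name are placeholders, and any installer properties your deployment requires (see the setup.ini installation settings section) must be appended to the msiexec arguments:

```powershell
# Added example, not part of the Kaspersky Help: run the KES MSI upgrade as SYSTEM
# via a one-off scheduled task, then check that Kaspersky Endpoint Agent is gone.
# Assumptions (placeholders): MSI copied to C:\Deploy\KES, elevated PowerShell session,
# installer properties specific to your deployment appended to $msiArgs.
$ErrorActionPreference = 'Stop'

$MsiPath  = 'C:\Deploy\KES\kes_win.msi'
$LogPath  = 'C:\Deploy\KES\kes_upgrade.log'
$TaskName = 'KES-Upgrade-AsSystem'

if (-not (Test-Path $MsiPath)) { throw "Installer not found: $MsiPath" }

# Installed-product lookup through the Uninstall registry keys (64- and 32-bit views),
# which is faster and more reliable than querying Win32_Product.
function Get-InstalledProduct([string]$DisplayNamePattern) {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $DisplayNamePattern } |
        Select-Object DisplayName, DisplayVersion
}

$before = Get-InstalledProduct 'Kaspersky Endpoint Agent*'
if ($before) { Write-Host "Before upgrade: $($before.DisplayName) $($before.DisplayVersion)" }
else         { Write-Host 'Before upgrade: Kaspersky Endpoint Agent not registered' }

# Silent install, no automatic reboot (the built-in agent is only added after the
# restart, which is scheduled separately), verbose log for troubleshooting.
$msiArgs   = "/i `"$MsiPath`" /qn /norestart /l*v `"$LogPath`""
$action    = New-ScheduledTaskAction -Execute 'msiexec.exe' -Argument $msiArgs
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $action -Principal $principal -Force | Out-Null

Start-ScheduledTask -TaskName $TaskName

# Poll until msiexec has exited, then read its exit code from the task history.
do {
    Start-Sleep -Seconds 10
} while ((Get-ScheduledTask -TaskName $TaskName).State -in @('Queued', 'Running'))
$result = (Get-ScheduledTaskInfo -TaskName $TaskName).LastTaskResult
Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false

# 0 = ERROR_SUCCESS, 3010 = ERROR_SUCCESS_REBOOT_REQUIRED; anything else needs the log.
switch ($result) {
    0       { Write-Host 'Upgrade finished. Restart the computer to activate the built-in agent.' }
    3010    { Write-Host 'Upgrade finished, restart required (3010) to activate the built-in agent.' }
    default { throw "msiexec returned $result, see $LogPath" }
}

# The installer is expected to remove Kaspersky Endpoint Agent before the restart.
$after = Get-InstalledProduct 'Kaspersky Endpoint Agent*'
if ($after) { Write-Warning 'Kaspersky Endpoint Agent is still registered; inspect the installer log.' }
else        { Write-Host 'Kaspersky Endpoint Agent was removed by the installer, as expected.' }
```

After the restart, confirm the component state from Kaspersky Security Center as described in the health-check step below; nothing on the endpoint itself replaces the Application components status report for verifying that EDR Optimum is licensed and running.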
6 Computer restart
Restart your computer to finish upgrading the application with the built-in agent. When upgrading the
application, the installer removes Kaspersky Endpoint Agent before the computer is restarted. After the
computer is restarted, the installer adds the built-in agent. This means that Kaspersky Endpoint Security does
not perform the functions of EDR and Kaspersky Sandbox until the computer is restarted.
7 Checking the health of Kaspersky Endpoint Detection and Response Optimum and Kaspersky Sandbox
If after the upgrade, the computer has the Critical status in the Kaspersky Security Center console:
Make sure that the computer has Network Agent version 13.2 or higher installed.
Check the operating status of the built-in agent by viewing the Application components status report. If a
component has the Not installed status, install the component using the Change application components
task.
Make sure you accept the Kaspersky Security Network Statement in the new policy of Kaspersky Endpoint
Security for Windows.
Make sure EDR Optimum functionality is activated using the Application components status report. If a
component has the Not covered by license status, make sure that the automatic license key distribution
functionality of EDR Optimum is turned on.
Kaspersky Sandbox
A wizard for migrating from Kaspersky Endpoint Agent to Kaspersky Endpoint Security works only in Web Console
and Cloud Console. In the Administration Console (MMC), you can only migrate settings for Kaspersky Anti
Targeted Attack Platform (EDR) solution using the standard Kaspersky Security Center Policy and Task Migration
Wizard.
It is recommended to begin with migrating Kaspersky Endpoint Agent to Kaspersky Endpoint Security on a
single computer, then do it on a group of computers, and then complete the migration on all computers of the
organization.
To migrate policy and task settings from Kaspersky Endpoint Agent to Kaspersky Endpoint Security,
in the main window of the Web Console, select Operations → Migration from Kaspersky Endpoint Agent.
This runs the policies and tasks migration wizard. Follow the instructions of the Wizard.
The Migration Wizard creates a new policy which merges the settings of Kaspersky Endpoint Security and
Kaspersky Endpoint Agent policies. In the policy list, select Kaspersky Endpoint Agent policies whose settings you
want to merge with the Kaspersky Endpoint Security policy. Click the Kaspersky Endpoint Agent policy in order to
select the Kaspersky Endpoint Security policy with which you want to merge settings. Make sure you selected the
correct policies and go to the next step.
The Migration Wizard creates new tasks for Kaspersky Endpoint Security. In the task list, select Kaspersky
Endpoint Agent tasks which you want to create for Kaspersky Endpoint Security policy. The Wizard supports tasks
for Kaspersky Endpoint Detection and Response and Kaspersky Sandbox. Go to the next step.
Creates a new Kaspersky Endpoint Security policy.
The policy merges settings from Kaspersky Endpoint Security and Kaspersky Endpoint Agent. The policy is
called <Kaspersky Endpoint Security policy name> & <Kaspersky Endpoint Agent policy name>. The new policy
has the Inactive status. To continue, change the statuses of Kaspersky Endpoint Agent and Kaspersky Endpoint
Security policies to Inactive and activate the new merged policy.
After migrating from Kaspersky Endpoint Agent to Kaspersky Endpoint Security for Windows, make sure that
data transfer to the Administration Server (quarantine file data and threat development chain data) is
configured in the new policy. Data transfer settings are not migrated from a Kaspersky Endpoint Agent policy.
When migrating from Kaspersky Endpoint Agent to Kaspersky Endpoint Security for the Kaspersky Anti
Targeted Attack Platform (EDR) solution, you may encounter errors when connecting the computer to Central
Node servers. The reason is that the migration wizard in Web Console skips the following policy settings and
does not migrate them:
Prohibition on modifying the Settings for connecting to KATA servers (the "lock").
By default, these settings can be modified (the "lock" is open), so they are not applied on the computer. You
must prohibit modification of the settings by closing the "lock".
Crypto-container.
If you are using two-way authentication for connecting to Central Node servers, you must re-add the
crypto-container. The migration wizard correctly migrates the TLS certificate of the server.
The Policy and Task Migration Wizard in Administration Console (MMC) migrates all settings for the Kaspersky
Anti Targeted Attack Platform (EDR) solution.
1. In the Administration Console, select the Administration Server and right-click to open the context menu.
The Policies and Tasks Batch Conversion Wizard will start. Follow the instructions of the Wizard.
Step 1. Selecting the application for which you need to convert policies and tasks
At this step, you need to select Kaspersky Endpoint Security for Windows. Go to the next step.
Migration Wizard creates a new Kaspersky Endpoint Security policy into which Kaspersky Endpoint Agent
policy settings will be migrated. In the list of policies, select Kaspersky Endpoint Agent policies whose settings
you want to transfer to the Kaspersky Endpoint Security policy. Go to the next step.
The Migration Wizard will then begin to convert the policies. During policy conversion, the Migration Wizard
prompts you to accept the Kaspersky Security Network Statement. The new policies will be named <Policy
name> (converted).
Skip this step. The Wizard supports tasks only for Kaspersky Endpoint Detection and Response Optimum and
Kaspersky Sandbox. Management of these components is only available in the Web Console. Go to the next
step.
Exit the Wizard. As a result of the wizard, a new Kaspersky Endpoint Security policy will be created.
EDR Agent is compatible with third-party EPP applications. This lets you use third-party infrastructure security
tools alongside Detection and Response by Kaspersky.
To deploy EDR Agent, the computer must have the Network Agent installed, and the computer must be added in
the Kaspersky Security Center console. To enable the interaction of EDR Agent with Kaspersky Security Center,
you must install the Kaspersky Endpoint Security for Windows management plug-in. You can specify EDR Agent
settings using a group policy. To integrate EDR Agent, you must configure the integration in the appropriate policy
sections.
The following Kaspersky applications should be installed on the infrastructure to support operation of MDR / KATA
(EDR):
Network Agent
EDR Agent
Endpoint
EDR Agent can be installed on the computer in one of the following ways:
To install EDR Agent, you must select the appropriate configuration in installation package settings or in the Setup
Wizard.
1. Copy the distribution kit folder to the user's computer.
2. Run setup_kes.exe.
Select the Endpoint Detection and Response Agent configuration. In this configuration, you can only install
the components that provide support for Detection and Response solutions: Endpoint Detection and
Response (KATA) or Managed Detection and Response. This configuration is needed if a third-party Endpoint
Protection Platform (EPP) is deployed in your organization alongside a Kaspersky Detection and Response
solution. This makes Kaspersky Endpoint Security in the Endpoint Detection and Response Agent
configuration compatible with third-party EPP applications.
Select the components that you want to install (see figure below). You can change the available application
components after the application is installed. To do so, you need to run the Setup Wizard again and choose to
change the available components.
Advanced settings
Advanced application installation settings
Protect the application installation process. Installation protection includes protection against replacement
of the distribution package with malicious applications, blocking access to the installation folder of Kaspersky
Endpoint Security, and blocking access to the system registry section containing application keys. However, if
the application cannot be installed (for example, when performing remote installation with the help of
Windows Remote Desktop), you are advised to disable protection of the installation process.
Ensure compatibility with Citrix PVS. You can enable support of Citrix Provisioning Services to install
Kaspersky Endpoint Security to a virtual machine.
Add the path to the file avp.com to the system variable %PATH%. You can add the installation path to the
%PATH% variable for convenient use of the command line interface.
How to install EDR Agent on the command line (only for KATA (EDR))
2. Go to the folder where the Kaspersky Endpoint Security distribution package is located.
As a result, the EDR Agent application for integration with Kaspersky Anti Targeted Attack Platform (EDR) is
installed on the computer. You can confirm that the application is installed and check application settings by
issuing the status command.
1. Open the Kaspersky Security Center Administration Console.
2. In the console tree, select the Advanced → Remote installation → Installation packages folder.
This opens a list of installation packages that have been downloaded to Kaspersky Security Center.
5. Select the Endpoint Detection and Response Agent configuration. In this configuration, you can only
install the components that provide support for Detection and Response solutions: Endpoint Detection
and Response (KATA) or Managed Detection and Response. This configuration is needed if a third-party
Endpoint Protection Platform (EPP) is deployed in your organization alongside a Kaspersky Detection and
Response solution. This makes Kaspersky Endpoint Security in the Endpoint Detection and Response
Agent configuration compatible with third-party EPP applications.
8. Create a remote installation task. In task properties, select the installation package you created.
1. In the main window of the Web Console, select Discovery & deployment → Deployment & assignment →
Installation packages.
This opens a list of installation packages that have been downloaded to Kaspersky Security Center.
Components included in the installation package
5. Select the Endpoint Detection and Response Agent configuration. In this configuration, you can only
install the components that provide support for Detection and Response solutions: Endpoint Detection
and Response (KATA) or Managed Detection and Response. This configuration is needed if a third-party
Endpoint Protection Platform (EPP) is deployed in your organization alongside a Kaspersky Detection and
Response solution. This makes Kaspersky Endpoint Security in the Endpoint Detection and Response
Agent configuration compatible with third-party EPP applications.
8. Create a remote installation task. In task properties, select the installation package you created.
As a result, EDR Agent is installed on the user's computer. You can use the interface of the application, and an icon
of the application is displayed in the notification area.
In Kaspersky Security Center, a computer with the application installed in the EDR Agent configuration has
the Critical status. The computer has this status because the File Threat Protection component is
missing. You do not need to take any action.
If you could not install EDR Agent on a computer with a third-party EPP application because the installer found
incompatible software on the computer, you can skip the incompatible software check.
Main window of EDR Agent
Now you must configure the integration with the Kaspersky Managed Detection and Response or Kaspersky Anti
Targeted Attack (EDR) solution. You can also specify advanced settings of the application and, for example, create
a trusted zone or hide the interface of the application. Settings in the following sections are available:
Application Settings
Network settings
Exclusions
Reports
Interface
Manage settings
To set up integration with Kaspersky Managed Detection and Response, you must enable the Managed Detection
and Response component and configure EDR Agent. For Kaspersky Managed Detection and Response to work
with Administration Server via Kaspersky Security Center Web Console, you must also establish a new secure
connection, a background connection. Kaspersky Managed Detection and Response prompts you to establish a
background connection when you deploy the solution. Make sure the background connection is established.
Integration with Kaspersky Managed Detection and Response consists of the following steps:
You can select the MDR component during installation or upgrade, as well as using the Change application
components task.
You must restart your computer to finish upgrading the application with the new components.
Skip this step if you are using Kaspersky Security Center Cloud Console. Kaspersky Security Center Cloud
Console automatically configures Kaspersky Private Security Network when installing the MDR plug-in.
Kaspersky Private Security Network (KPSN) is a solution that enables users of computers hosting Kaspersky
Endpoint Security or other Kaspersky applications to obtain access to Kaspersky reputation databases, and to
other statistical data without sending data to Kaspersky from their own computers.
Upload the Kaspersky Security Network configuration file in the Administration Server properties. The Kaspersky
Security Network configuration file is located within the ZIP archive of the MDR configuration file. You can obtain
the ZIP archive in the Kaspersky Managed Detection and Response Console. For details on configuring
Kaspersky Private Security Network, please refer to the Kaspersky Security Center Help. You can also upload a
Kaspersky Security Network configuration file to the computer from the command line (see the instructions
below).
How to configure Kaspersky Private Security Network from the command line
1. Run the command line interpreter (cmd.exe) as an administrator.
Example:
avp.com KSN /private C:\kpsn_config.pkcs7
As a result, Kaspersky Endpoint Security will use Kaspersky Private Security Network to determine the
reputation of files, applications, and websites. The Kaspersky Security Network section of the policy settings will
display the following operating status: Infrastructure: Kaspersky Private Security Network.
You must enable extended KSN mode for Managed Detection and Response to work.
Kaspersky Managed Detection and Response supports the following licensing methods:
Managed Detection and Response functionality is covered by the Kaspersky Endpoint Security for Windows
license.
The feature will be available immediately after activation of Kaspersky Endpoint Security for Windows.
A separate license for MDR (Kaspersky Managed Detection and Response Add-on) is used.
The feature will be available after you add a separate key for Kaspersky Managed Detection and Response.
As a result, two keys are installed on the computer: a key for Kaspersky Endpoint Security and a key for
Kaspersky Managed Detection and Response.
Licensing for the stand-alone Managed Detection and Response functionality is the same as the licensing of
Kaspersky Endpoint Security.
Make sure that the MDR functionality is included in the license and is working in the local interface of the
application.
Load the BLOB configuration file in the Kaspersky Endpoint Security policy (see the instructions below). The
BLOB file contains the client ID and information about the license for Kaspersky Managed Detection and
Response. The BLOB file is located inside the ZIP archive of the MDR configuration file. You can obtain the ZIP
archive in the Kaspersky Managed Detection and Response Console. For detailed information about the BLOB file,
please refer to the Kaspersky Managed Detection and Response Help.
How to enable Managed Detection and Response component in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Detection and Response → Managed Detection and Response.
6. In the Settings block, click Upload and select the BLOB file received in the Kaspersky Managed
Detection and Response Console. The file has the P7 extension.
How to enable Managed Detection and Response component in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
6. Click Upload and select the BLOB file that was obtained in the Kaspersky Managed Detection and
Response Console. The file has the P7 extension.
How to enable Managed Detection and Response component from the command line
To execute this command, Password protection must be enabled. The user must have the
Configure application settings permission.
As a result, Kaspersky Endpoint Security will verify the BLOB file. BLOB file verification includes checking the
digital signature and the license term. If the BLOB file is successfully verified, Kaspersky Endpoint Security will
download the file and send the file to the computer during the next synchronization with Kaspersky Security
Center. Check the operating status of the component by viewing the Application components status report.
You can also view the operating status of a component in reports in the local interface of Kaspersky Endpoint
Security. The Managed Detection and Response component will be added to the list of Kaspersky Endpoint
Security components.
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Detection and Response → Managed Detection and Response.
How to enable Managed Detection and Response component in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
The Kaspersky Managed Detection and Response component is enabled. Check the operating status of the
component by viewing the Application components status report. You can also view the operating status of a
component in reports in the local interface of Kaspersky Endpoint Security. The Managed Detection and
Response component will be added to the list of Kaspersky Endpoint Security components.
To integrate with EDR (KATA), you must enable the Endpoint Detection and Response (KATA) component and
configure EDR Agent.
The following conditions must be fulfilled for Endpoint Detection and Response (KATA) to work:
Kaspersky Anti Targeted Attack Platform version 5.0 or higher.
Kaspersky Security Center version 14.2 or higher. In earlier versions of Kaspersky Security Center, it is
impossible to activate the Endpoint Detection and Response (KATA) feature.
Integration with Endpoint Detection and Response (KATA) involves the following steps:
You need to purchase a separate license for EDR (KATA) (Kaspersky Endpoint Detection and Response (KATA)
Add-on).
The feature will be available after you add a separate key for Kaspersky Endpoint Detection and Response
(KATA). Licensing for the stand-alone Endpoint Detection and Response (KATA) functionality is the same as the
licensing of Kaspersky Endpoint Security.
Make sure that the EDR (KATA) functionality is included in the license and is running in the local interface of the
application.
Kaspersky Anti Targeted Attack Platform requires establishing a trusted connection between Kaspersky
Endpoint Security and the Central Node component. To configure a trusted connection, you must use a TLS
certificate. You can get a TLS certificate in the Kaspersky Anti Targeted Attack Platform console (see
instructions in the Kaspersky Anti Targeted Attack Platform Help). Then you must add the TLS certificate to
Kaspersky Endpoint Security (see instructions below).
By default, Kaspersky Endpoint Security only checks the TLS certi cate of Central Node. To make the
connection more secure, you can additionally enable the verification of the computer on Central Node (two-way
authentication). To enable this verification, you must turn on two-way authentication in Central Node and
Kaspersky Endpoint Security settings. To use two-way authentication, you will also need a crypto-container. A
crypto-container is a PFX archive with a certificate and a private key. You can get a crypto-container in the
Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack
Platform Help).
How to connect a Kaspersky Endpoint Security computer to Central Node using the Administration Console
(MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Detection and Response → Endpoint Detection and Response
(KATA).
Timeout. Maximum Central Node server response timeout. When the timeout runs out,
Kaspersky Endpoint Security tries to connect to a different Central Node server.
Server TLS certificate. TLS certificate for establishing a trusted connection with the Central
Node server. You can get a TLS certificate in the Kaspersky Anti Targeted Attack Platform
console (see instructions in the Kaspersky Anti Targeted Attack Platform Help).
8. Click OK.
9. Add Central Node servers. To do this, specify the server address (IPv4, IPv6) and the port to
connect to the server.
How to connect a Kaspersky Endpoint Security computer to Central Node using the Web Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
Timeout. Maximum Central Node server response timeout. When the timeout runs out,
Kaspersky Endpoint Security tries to connect to a different Central Node server.
Server TLS certificate. TLS certificate for establishing a trusted connection with the Central
Node server. You can get a TLS certificate in the Kaspersky Anti Targeted Attack Platform
console (see instructions in the Kaspersky Anti Targeted Attack Platform Help).
8. Click OK.
9. Add Central Node servers. To do this, specify the server address (IPv4, IPv6) and the port to
connect to the server.
As a result, the computer is added on the Kaspersky Anti Targeted Attack Platform console. Check the
operating status of the component by viewing the Application components status report. You can also view the
operating status of a component in reports in the local interface of Kaspersky Endpoint Security. The Endpoint
Detection and Response (KATA) component will be added to the list of Kaspersky Endpoint Security
components.
EDR Agent supports the functionality of Kaspersky Detection and Response solutions. Protection and control
components are not available for EDR Agent. This configuration allows installing third-party EPP applications and
deploying Kaspersky Detection and Response solutions in the infrastructure of the organization. EDR Agent
supports Kaspersky Managed Detection and Response and Kaspersky Anti Targeted Attack Platform (EDR).
EDR Agent is compatible with EPP applications from the following vendors:
Dr.Web
EDR Agent is compatible with Dr.Web for Windows version 13.0 or later (including AV-Desk Agent and Dr.Web
Server).
Dallas Lock
EDR Agent is compatible with Dallas Lock 8.0-C version 8.0.803.0 or later.
The application cannot be installed on a computer where Secret Net Studio is deployed with the Antivirus
component. To make interoperability possible, you must remove the Antivirus component from Secret Net
Studio.
Trend Micro
EDR Agent is compatible with Trend Micro Apex One version 14.0.12380 or later (including Security Agent).
Windows Defender
Sophos
EDR Agent is compatible with Sophos Intercept X version 2023.1.1.6 or later (including Endpoint Agent).
Bitdefender
EDR Agent is compatible with Bitdefender Endpoint Security Tools version 7.9.8.350 or later.
ESET
EDR Agent is compatible with ESET Endpoint Antivirus version 11.0.2032.0 or later and ESET Management
Agent version 11 or later.
The applications must be installed in the following order: first, install the EPP application, then Kaspersky
Security Center Network Agent, then EDR Agent. This is necessary because the installer of the EPP
application may detect EDR Agent and Network Agent as incompatible software and remove them. The
operation of EDR Agent and Network Agent should also be checked after updating the third-party EPP
application because its installer may re-scan the computer for incompatible software and remove the
applications.
If you could not install EDR Agent on a computer with a third-party EPP application because the installer found
incompatible software on the computer, you can skip the incompatible software check.
Kaspersky Endpoint Security for Windows supports integration with the Managed Detection and
Response solution. The Kaspersky Managed Detection and Response (MDR) solution automatically
detects and analyzes security incidents in your infrastructure. To do so, MDR uses telemetry data
received from endpoints and machine learning. MDR sends incident data to Kaspersky experts. The
experts can then process the incident and, for example, add a new entry to Anti-Virus databases.
Alternatively, the experts can issue recommendations on processing the incident and, for example,
suggest isolating the computer from the network. For detailed information about how the solution
works, please refer to the Kaspersky Managed Detection and Response Help.
[KES+built-in agent]. In this con guration, Kaspersky Endpoint Security acts as both the application that
ensures the security of the computer and the application for working with MDR. The built-in agent is available in
Kaspersky Endpoint Security 11.6.0 for Windows or later.
[third-party EPP+EDR Agent]. In this con guration, the security of the IT infrastructure is provided by the
third-party Endpoint Protection Platform (EPP). The interaction with MDR is provided by Kaspersky Endpoint
Security in the Endpoint Detection and Response Agent (EDR Agent) configuration. In this configuration, EDR
Agent is compatible with third-party EPP applications. EDR Agent is available in Kaspersky Endpoint Security
12.3 for Windows or later.
Kaspersky Endpoint Security version 11 and later supports the MDR solution. Kaspersky Endpoint Security versions
11 – 11.5.0 only sends telemetry data to Kaspersky Managed Detection and Response to enable threat detection.
Kaspersky Endpoint Security version 11.6.0 has all the functionality of the built-in agent (Kaspersky Endpoint
Agent).
If you are using Kaspersky Endpoint Security 11 – 11.5.0, you must update databases to the latest version to work
with the MDR solution. You must also install Kaspersky Endpoint Agent.
If you are using Kaspersky Endpoint Security 11.6.0 or higher, you do not need to install Kaspersky Endpoint Agent
to use the MDR solution.
If the Kaspersky Endpoint Security policy also applies to computers that do not have Kaspersky Endpoint
Security 11 – 11.5.0 installed, you must first create a separate Kaspersky Endpoint Agent policy for those
computers. In the new policy, con gure integration with Kaspersky Managed Detection and Response.
You must enable the following components for Managed Detection and Response to work:
Behavior Detection.
Enabling these components is non-optional. Otherwise Kaspersky Managed Detection and Response cannot
function because it does not receive required telemetry data.
In addition, Kaspersky Managed Detection and Response uses data received from other application components.
Enabling those components is optional. Components that provide additional data include:
Firewall.
For Kaspersky Managed Detection and Response to work with Administration Server via Kaspersky Security
Center Web Console, you must also establish a new secure connection, a background connection. Kaspersky
Managed Detection and Response prompts you to establish a background connection when you deploy the
solution. Make sure the background connection is established.
Integration with Kaspersky Managed Detection and Response consists of the following steps:
You can select the MDR component during installation or upgrade, as well as using the Change application
components task.
You must restart your computer to finish upgrading the application with the new components.
Skip this step if you are using Kaspersky Security Center Cloud Console. Kaspersky Security Center Cloud
Console automatically configures Kaspersky Private Security Network when installing the MDR plug-in.
Kaspersky Private Security Network (KPSN) is a solution that enables users of computers hosting Kaspersky
Endpoint Security or other Kaspersky applications to obtain access to Kaspersky reputation databases, and to
other statistical data without sending data to Kaspersky from their own computers.
Upload the Kaspersky Security Network configuration file in the Administration Server properties. The Kaspersky
Security Network configuration file is located within the ZIP archive of the MDR configuration file. You can obtain
the ZIP archive in the Kaspersky Managed Detection and Response Console. For details on configuring
Kaspersky Private Security Network, please refer to the Kaspersky Security Center Help. You can also upload a
Kaspersky Security Network configuration file to the computer from the command line (see the instructions
below).
How to configure Kaspersky Private Security Network from the command line
1. Run the command line interpreter (cmd.exe) as an administrator.
Example:
avp.com KSN /private C:\kpsn_config.pkcs7
As a result, Kaspersky Endpoint Security will use Kaspersky Private Security Network to determine the
reputation of files, applications, and websites. The Kaspersky Security Network section of the policy settings will
display the following operating status: Infrastructure: Kaspersky Private Security Network.
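The command-line step above (the same one appears in the EDR Agent section earlier on this page) shows only the bare avp.com call. The following PowerShell wrapper is an added example, not a script from the Kaspersky Help or the product: it checks the preconditions the Help lists (an elevated session, avp.com reachable through %PATH% or via an explicit path, the .pkcs7 file present) before issuing the KSN /private command, and then runs the status command so the result can be confirmed. The file path is the one used in the Help example and should be replaced with your own; the assumption that avp.com returns a non-zero exit code on failure is mine, not something the Help states.

```powershell
# Added example (not from the Kaspersky Help): apply a Kaspersky Private Security
# Network (KPSN) configuration file with avp.com and read the application status back.
# Assumptions: avp.com is on %PATH% or given via -AvpPath, the .pkcs7 path is your own,
# and a non-zero exit code from avp.com signals failure (assumed, not documented here).
param(
    [string]$ConfigPath = 'C:\kpsn_config.pkcs7',   # path from the Help example; replace with your file
    [string]$AvpPath    = 'avp.com'                  # resolved through %PATH% unless a full path is given
)

$ErrorActionPreference = 'Stop'

# 1. The Help says to run the command interpreter as an administrator, so refuse a non-elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# 2. Locate avp.com, either by the full path supplied or through %PATH%
#    (the installer option "Add the path to the file avp.com to %PATH%" makes the latter work).
$avp = Get-Command $AvpPath -ErrorAction SilentlyContinue
if (-not $avp) {
    throw "avp.com not found ('$AvpPath'). Add the installation folder to %PATH% or pass -AvpPath."
}

# 3. The KPSN configuration file (from the ZIP archive of the MDR configuration file) must exist.
if (-not (Test-Path -LiteralPath $ConfigPath -PathType Leaf)) {
    throw "KPSN configuration file not found: $ConfigPath"
}

# 4. Apply the configuration with the command shown in the Help.
& $avp.Source KSN /private $ConfigPath
if ($LASTEXITCODE -ne 0) {
    throw "avp.com KSN /private failed with exit code $LASTEXITCODE"
}

# 5. Read back the application status; the Help recommends the status command to confirm settings.
& $avp.Source STATUS
```

Run it as `.\Set-Kpsn.ps1 -ConfigPath 'C:\path\to\your.pkcs7'` from an elevated prompt. After it completes, the Kaspersky Security Network section of the policy should show the operating status Infrastructure: Kaspersky Private Security Network, as described above; if a policy "lock" on the KSN settings is closed, the policy value takes precedence over the local change.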
You must enable extended KSN mode for Managed Detection and Response to work.
Kaspersky Managed Detection and Response supports the following licensing methods:
Managed Detection and Response functionality is covered by the Kaspersky Endpoint Security for Windows
license.
The feature will be available immediately after activation of Kaspersky Endpoint Security for Windows.
A separate license for MDR (Kaspersky Managed Detection and Response Add-on) is used.
The feature will be available after you add a separate key for Kaspersky Managed Detection and Response.
As a result, two keys are installed on the computer: a key for Kaspersky Endpoint Security and a key for
Kaspersky Managed Detection and Response.
Licensing for the stand-alone Managed Detection and Response functionality is the same as the licensing of
Kaspersky Endpoint Security.
Make sure that the MDR functionality is included in the license and is working in the local interface of the
application.
Load the BLOB configuration file in the Kaspersky Endpoint Security policy (see the instructions below). The
BLOB file contains the client ID and information about the license for Kaspersky Managed Detection and
Response. The BLOB file is located inside the ZIP archive of the MDR configuration file. You can obtain the ZIP
archive in the Kaspersky Managed Detection and Response Console. For detailed information about the BLOB file,
please refer to the Kaspersky Managed Detection and Response Help.
How to enable Managed Detection and Response component in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Detection and Response → Managed Detection and Response.
6. In the Settings block, click Upload and select the BLOB file received in the Kaspersky Managed
Detection and Response Console. The file has the P7 extension.
How to enable Managed Detection and Response component in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
6. Click Upload and select the BLOB file that was obtained in the Kaspersky Managed Detection and
Response Console. The file has the P7 extension.
How to enable Managed Detection and Response component from the command line
To execute this command, Password protection must be enabled. The user must have the
Configure application settings permission.
As a result, Kaspersky Endpoint Security will verify the BLOB file. BLOB file verification includes checking the
digital signature and the license term. If the BLOB file is successfully verified, Kaspersky Endpoint Security will
download the file and send the file to the computer during the next synchronization with Kaspersky Security
Center. Check the operating status of the component by viewing the Application components status report.
You can also view the operating status of a component in reports in the local interface of Kaspersky Endpoint
Security. The Managed Detection and Response component will be added to the list of Kaspersky Endpoint
Security components.
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Detection and Response → Managed Detection and Response.
How to enable Managed Detection and Response component in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
The Kaspersky Managed Detection and Response component is enabled. Check the operating status of the
component by viewing the Application components status report. You can also view the operating status of a
component in reports in the local interface of Kaspersky Endpoint Security. The Managed Detection and
Response component will be added to the list of Kaspersky Endpoint Security components.
When you deploy Kaspersky Endpoint Security on computers that have Kaspersky Endpoint Agent installed,
Kaspersky Managed Detection and Response solution will continue working with Kaspersky Endpoint Security. In
addition, Kaspersky Endpoint Agent will be removed from the computer. The same behavior in the system will
occur when you update Kaspersky Endpoint Security to version 11.6.0 or higher.
Kaspersky Endpoint Security is not compatible with Kaspersky Endpoint Agent. You cannot install both of
these applications on the same computer.
The following conditions must be met for Kaspersky Endpoint Security to work as part of Kaspersky Managed
Detection and Response:
Kaspersky Security Center version 13.2 or higher (including Network Agent). In earlier versions of Kaspersky
Security Center, it is impossible to activate the Managed Detection and Response feature.
A background connection between Kaspersky Security Center Web Console and Administration Server is
established. For MDR to work with Administration Server via Kaspersky Security Center Web Console, you must
establish this new type of secure connection, called a background connection.
Steps for migrating [KES+KEA] configuration to [KES+built-in agent] for MDR
MDR component can be managed using the Kaspersky Endpoint Security Management Plug-in version 11.6 or
higher. Depending on the type of Kaspersky Security Center console you are using, update the management
plug-in in the Administration Console (MMC) or the web plug-in in the Web Console.
Transfer Kaspersky Endpoint Agent settings to Kaspersky Endpoint Security for Windows. The following options
are available:
A wizard for migrating from Kaspersky Endpoint Agent to Kaspersky Endpoint Security. This wizard works only in
the Web Console.
How to migrate policy and task settings from Kaspersky Endpoint Agent to Kaspersky Endpoint Security in
Web Console
In the main window of the Web Console, select Operations → Migration from Kaspersky Endpoint
Agent.
This runs the policies and tasks migration wizard. Follow the instructions of the Wizard.
The Migration Wizard creates a new policy which merges the settings of Kaspersky Endpoint
Security and Kaspersky Endpoint Agent policies. In the policy list, select Kaspersky Endpoint Agent
policies whose settings you want to merge with the Kaspersky Endpoint Security policy. Click the
Kaspersky Endpoint Agent policy in order to select the Kaspersky Endpoint Security policy with
which you want to merge settings. Make sure you selected the correct policies and go to the next
step.
The Migration Wizard does not support MDR tasks. Skip this step.
Exit the Wizard. As a result of the wizard, a new Kaspersky Endpoint Security policy will be created.
The policy merges settings from Kaspersky Endpoint Security and Kaspersky Endpoint Agent. The
policy is called <Kaspersky Endpoint Security policy name> & <Kaspersky Endpoint Agent policy
name>. The new policy has the Inactive status. To continue, change the statuses of Kaspersky
Endpoint Agent and Kaspersky Endpoint Security policies to Inactive and activate the new merged
policy.
A standard Policies and tasks batch conversion wizard. The Policies and tasks batch conversion wizard is only
available in the Administration Console (MMC). For more details about the Policies and tasks batch conversion
wizard, please refer to the Kaspersky Security Center Help.
To activate Kaspersky Endpoint Security as part of the Kaspersky Managed Detection and Response solution,
you need a separate license for Kaspersky Managed Detection and Response Add-on. You can add the key using
the Add key task. As a result, two keys will be added to the application: Kaspersky Endpoint Security and
Kaspersky Managed Detection and Response.
To migrate MDR functionality during an application installation or upgrade, it is recommended to use the remote
installation task. When creating a remote installation task, you need to select MDR component in the installation
package settings.
You can also upgrade the application using the following methods:
Kaspersky Endpoint Security supports automatically selecting components when upgrading the application on a
computer with the Kaspersky Endpoint Agent application installed. The automatic selection of components
depends on the permissions of the user account that is upgrading the application.
If you are upgrading Kaspersky Endpoint Security using the EXE or MSI le under the system account (SYSTEM),
Kaspersky Endpoint Security gains access to current licenses of Kaspersky solutions. Therefore, if the computer
has Kaspersky Endpoint Agent installed and MDR solution activated, the Kaspersky Endpoint Security installer
automatically con gures the set of components and selects the MDR component. This makes Kaspersky
Endpoint Security switch to using the built-in agent and removes Kaspersky Endpoint Agent. Running the MSI
installer under the system account (SYSTEM) is usually performed when upgrading via the Kaspersky update
service or when deploying an installation package via Kaspersky Security Center.
If you are upgrading Kaspersky Endpoint Security using an MSI le under a non-privileged user account,
Kaspersky Endpoint Security lacks access to current licenses of Kaspersky solutions. In this case, Kaspersky
Endpoint Security automatically selects components based on a set of components of Kaspersky Endpoint
Agent. After that Kaspersky Endpoint Security switches to using the built-in agent and removes Kaspersky
Endpoint Agent.
Kaspersky Endpoint Security supports upgrading without computer restart. You can select the application
upgrade mode in policy properties.
If after application installation or upgrade, the computer has the Critical status in the Kaspersky Security Center
console:
Make sure that the computer has Network Agent version 13.2 or higher installed.
Check the operating status of the built-in agent by viewing the Application components status report. If a
component has the Not installed status, install the component using the Change application components
task. If a component has the Not covered by license status, make sure that you have activated the built-in
agent functionality.
Make sure you accept the Kaspersky Security Network Statement in the new policy of Kaspersky Endpoint
Security for Windows.
Starting with version 11.7.0, Kaspersky Endpoint Security for Windows includes a built-in agent for
the Kaspersky Endpoint Detection and Response Optimum solution (hereinafter also "EDR
Optimum"). Starting with version 11.8.0, Kaspersky Endpoint Security for Windows includes a built-in
agent for the Kaspersky Endpoint Detection and Response Expert solution (hereinafter also "EDR
Expert"). Kaspersky Endpoint Detection and Response is a range of solutions for protecting the
corporate IT infrastructure from advanced cyber threats. The functionality of the solutions
combines automatic detection of threats with the ability to react to these threats to counteract
advanced attacks including new exploits, ransomware, fileless attacks, as well as methods using
legitimate system tools. EDR Expert offers more threat monitoring and response functionality than
EDR Optimum. For details about the solutions, see the Kaspersky Endpoint Detection and Response
Optimum Help and the Kaspersky Endpoint Detection and Response Expert Help.
Kaspersky Endpoint Detection and Response uses the following Threat Intelligence tools:
Integration with the Kaspersky Threat Intelligence Portal, which contains and displays information
about the reputation of files and web addresses.
Cloud Sandbox technology that lets you run detected files in an isolated environment and check their
reputation.
Kaspersky Endpoint Detection and Response reviews and analyses threat development and provides security
personnel or the Administrator with information about the potential attack that is necessary for a timely response.
Kaspersky Endpoint Detection and Response displays alert details in a separate window. Alert Details is a tool for
viewing the entirety of collected information about a detected threat. Alert details include, for example, the history
of files appearing on the computer. For details about managing alert details, refer to the Kaspersky Endpoint
Detection and Response Optimum Help and the Kaspersky Endpoint Detection and Response Expert Help.
If you are using Kaspersky Endpoint Security 11.2.0–11.6.0 for interoperability with Kaspersky Endpoint Detection
and Response Optimum, the application includes Kaspersky Endpoint Agent. You can install Kaspersky Endpoint
Agent side-by-side with Kaspersky Endpoint Security. In Kaspersky Endpoint Security 11.9.0 the Kaspersky
Endpoint Agent distribution package is no longer part of the Kaspersky Endpoint Security distribution kit.
The Kaspersky Endpoint Detection and Response Expert solution does not support interoperability with
Kaspersky Endpoint Agent. The Kaspersky Endpoint Detection and Response Expert solution uses Kaspersky
Endpoint Security with built-in agent (version 11.8.0 and later).
EDR Optimum, EDR Expert and EDR (KATA) components are not compatible with each other.
The following conditions must be fulfilled for Endpoint Detection and Response to work:
Kaspersky Security Center version 13.2 or higher. In earlier versions of Kaspersky Security Center, it is
impossible to activate the Endpoint Detection and Response feature.
The EDR Optimum component as part of Kaspersky Endpoint Security supports interaction with the Kaspersky
Endpoint Detection and Response Optimum 2.0 solution. Interaction with Kaspersky Endpoint Detection and
Response Optimum version 1.0 is not supported.
EDR Optimum can be managed in Kaspersky Security Center Web Console and Kaspersky Security Center
Cloud Console.
EDR Expert can be managed only using the Kaspersky Security Center Cloud Console. You cannot manage this
functionality using the Administration Console (MMC).
Application components that Endpoint Detection and Response depends on are enabled and operational.
Endpoint Detection and Response depends on the following components:
Exploit Prevention.
Behavior Detection.
Remediation Engine.
Integration with Kaspersky Endpoint Detection and Response involves the following steps:
You can select the EDR Optimum or EDR Expert component during installation or upgrade, as well as using the
Change application components task.
You must restart your computer to finish upgrading the application with the new components.
You can acquire a license to use Kaspersky Endpoint Detection and Response in the following ways:
Endpoint Detection and Response functionality is included in the Kaspersky Endpoint Security for Windows
license.
The feature will be available immediately after activation of Kaspersky Endpoint Security for Windows.
Purchasing a separate license for EDR Optimum or EDR Expert (Kaspersky Endpoint Detection and Response
Add-on).
The feature will be available after you add a separate key for Kaspersky Endpoint Detection and Response. As
a result, two keys are installed on the computer: a key for Kaspersky Endpoint Security and a key for
Kaspersky Endpoint Detection and Response.
Licensing for the stand-alone Endpoint Detection and Response functionality is the same as the licensing of
Kaspersky Endpoint Security.
Make sure that the EDR Optimum or EDR Expert functionality is included in the license and is running in the local
interface of the application.
For more information about the EDR Optimum End User License Agreement, refer to the Kaspersky Endpoint
Detection and Response Optimum Help.
3. Enabling Endpoint Detection and Response components
You can enable or disable the component in Kaspersky Endpoint Security for Windows policy settings.
How to enable or disable the Endpoint Detection and Response component in the Web Console and Cloud
Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
The Kaspersky Endpoint Detection and Response component is enabled. Check the operating status of the
component by viewing the Application components status report. You can also view the operating status of a
component in reports in the local interface of Kaspersky Endpoint Security. The Endpoint Detection and
Response Optimum or Endpoint Detection and Response Expert component is added to the list of Kaspersky
Endpoint Security components.
To enable all the Endpoint Detection and Response features, data transfer must be enabled for the following
types of data:
Quarantine file data.
The data are required to obtain information about les quarantined on a computer through Web Console and
Cloud Console. For example, you can download a le from quarantine for analysis in Web Console and Cloud
Console.
The data are required to obtain information about threats detected on a computer in Web Console and
Cloud Console. You can view alert details and take response actions in Web Console and Cloud Console.
How to enable data transfer to the Administration Server in Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. Select the following check boxes in the Data transfer to Administration Server block:
Kaspersky Endpoint Security searches for indicators of compromise using IOC files. IOC files are files containing
the sets of indicators that the application tries to match to count a detection. IOC files must conform to the
OpenIOC standard.
Kaspersky Endpoint Detection and Response lets you create standard IOC Scan tasks to detect compromised
data. A standard IOC Scan task is a group or local task that is created and configured manually in the Web Console.
Tasks are run using IOC files prepared by the user. If you want to add an indicator of compromise manually, please
read the requirements for IOC files.
The file that you can download by clicking the link below contains a table with the full list of IOC terms of the
OpenIOC standard.
Kaspersky Endpoint Security also supports stand-alone IOC scan tasks when the application is used as part of the
Kaspersky Sandbox solution.
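The following Python script is an added example, not part of this help and not Kaspersky Endpoint Security code. It writes a minimal OpenIOC 1.1 file of the kind the IOC Scan task loads and evaluates its nested AND/OR indicator logic against a constructed host inventory, so you can see how a hash term and a name-plus-extension term combine before you upload a file to a task. The namespace URI is the OpenIOC 1.1 one; the indicator ids, sample hashes and inventory records are assumptions made for illustration, and the matching functions are a plain reading of OpenIOC semantics rather than the application's own scan engine.

```python
"""Minimal OpenIOC 1.1 indicator file plus a reference evaluator for it.

Added example for this help page, not Kaspersky code: it never calls Kaspersky
Endpoint Security, it only shows what a conformant IOC file looks like and how
its nested AND/OR indicator logic composes. The indicator ids, hashes and the
host inventory below are constructed for illustration.
"""
import hashlib
import xml.etree.ElementTree as ET

NS = "http://openioc.org/schemas/OpenIOC_1.1"   # OpenIOC 1.1 namespace

# Constructed stand-in for a real sample; only its MD5 goes into the IOC file.
DROPPER_MD5 = hashlib.md5(b"constructed dropper sample").hexdigest()

# Top-level Indicator: OR(known MD5, AND(name contains "update", extension is "exe")).
OPENIOC_TEMPLATE = """<?xml version="1.0"?>
<OpenIOC xmlns="{ns}" id="00000000-0000-4000-8000-000000000001">
  <metadata><short_description>Constructed dropper indicators</short_description></metadata>
  <criteria>
    <Indicator operator="OR" id="ind-1">
      <IndicatorItem condition="is" id="ii-1">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">{md5}</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="ind-2">
        <IndicatorItem condition="contains" id="ii-2">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">update</Content>
        </IndicatorItem>
        <IndicatorItem condition="is" id="ii-3">
          <Context document="FileItem" search="FileItem/FileExtension" type="mir"/>
          <Content type="string">exe</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </criteria>
</OpenIOC>
"""
OPENIOC_XML = OPENIOC_TEMPLATE.format(ns=NS, md5=DROPPER_MD5)


def _tag(name):
    return "{%s}%s" % (NS, name)


def _item_matches(item, record):
    """Evaluate one IndicatorItem against one host record (dict of term -> value)."""
    context = item.find(_tag("Context"))
    expected = item.find(_tag("Content")).text or ""
    document, _, term = context.get("search").partition("/")
    if record.get("document") != document:     # term belongs to another IOC document type
        return False
    actual = record.get(term)
    if actual is None:
        return False
    condition = item.get("condition")
    # Windows file names and hex digests are compared case-insensitively here.
    if condition == "is":
        hit = actual.lower() == expected.lower()
    elif condition == "contains":
        hit = expected.lower() in actual.lower()
    else:
        raise ValueError("unsupported condition: %s" % condition)
    return hit != (item.get("negate", "false").lower() == "true")  # OpenIOC 1.1 negate


def _indicator_matches(indicator, record):
    """AND/OR over child IndicatorItems and nested Indicators, recursively."""
    results = []
    for child in indicator:
        if child.tag == _tag("IndicatorItem"):
            results.append(_item_matches(child, record))
        elif child.tag == _tag("Indicator"):
            results.append(_indicator_matches(child, record))
    if not results:
        return False
    return all(results) if indicator.get("operator", "OR").upper() == "AND" else any(results)


def documents_required(ioc_xml):
    """IOC document types the file references (what the task selects automatically)."""
    return {ctx.get("document") for ctx in ET.fromstring(ioc_xml).iter(_tag("Context"))}


def scan(ioc_xml, records):
    """Names of host records that satisfy any top-level Indicator in the file."""
    criteria = ET.fromstring(ioc_xml).find(_tag("criteria"))
    indicators = criteria.findall(_tag("Indicator"))
    return [r.get("FileName") or r.get("document")
            for r in records if any(_indicator_matches(i, r) for i in indicators)]


# Constructed host inventory: three FileItem records and one EventLogItem record.
SAMPLE_RECORDS = [
    {"document": "FileItem", "FileName": "svchost_update.exe", "FileExtension": "exe",
     "Md5sum": hashlib.md5(b"benign bytes, suspicious name").hexdigest()},
    {"document": "FileItem", "FileName": "notes.txt", "FileExtension": "txt",
     "Md5sum": DROPPER_MD5},                                  # renamed dropper, hash still hits
    {"document": "FileItem", "FileName": "update.docx", "FileExtension": "docx",
     "Md5sum": hashlib.md5(b"a document").hexdigest()},
    {"document": "EventLogItem", "EventLog": "Security", "EID": "4624"},
]

if __name__ == "__main__":
    print(sorted(documents_required(OPENIOC_XML)))   # ['FileItem']
    print(scan(OPENIOC_XML, SAMPLE_RECORDS))          # ['svchost_update.exe', 'notes.txt']
```

Run it directly to print the document types the file references (the data types the task selects automatically) and the records that match. A term whose document does not match the record is ignored, so EventLogItem or RegistryItem indicators only fire against records of those types.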
In alert details (only for EDR Optimum).
Alert Details is a tool for viewing the entirety of collected information about a detected threat. Alert details
include, for example, the history of files appearing on the computer. For details about managing alert details,
refer to the Kaspersky Endpoint Detection and Response Optimum Help and the Kaspersky Endpoint
Detection and Response Expert Help.
You can configure the task for EDR Optimum in Web Console and Cloud Console. Task settings for EDR
Expert are available only in Cloud Console.
2. Click Add.
The Task Wizard starts.
a. In the Application drop-down list, select Kaspersky Endpoint Security for Windows (12.5).
d. In the Select devices to which the task will be assigned block, select the task scope.
4. Select devices according to the selected task scope option. Go to the next step.
5. Enter the account credentials of the user whose rights you want to use to run the task. Go to the next step.
By default, Kaspersky Endpoint Security starts the task as the system user account (SYSTEM).
The system account (SYSTEM) does not have permission to perform the IOC Scan task on network drives. If
you want to run the task for a network drive, select the account of a user that has access to that drive.
For standalone IOC Scan tasks on network drives, in the task properties you need to manually select the
user account that has access to this drive.
10. Load the IOC files to search for indicators of compromise.
After loading the IOC files, you can view the list of indicators from IOC files.
Adding or removing IOC files after running the task is not recommended. This can cause the IOC scan
results to display incorrectly for prior runs of the task. To search for indicators of compromise using new IOC
files, it is recommended to add new tasks.
Isolate computer from the network. If this option is selected, Kaspersky Endpoint Security isolates the
computer from the network to prevent the threat from spreading. You can configure the duration of the
isolation in Endpoint Detection and Response component settings.
Move copy to Quarantine, delete object. If this option is selected, Kaspersky Endpoint Security deletes the
malicious object found on the computer. Before deleting the object, Kaspersky Endpoint Security creates a
backup copy in case the object needs to be restored later. Kaspersky Endpoint Security moves the backup
copy to Quarantine.
Run scan of critical areas. If this option is selected, Kaspersky Endpoint Security runs the Critical Areas
Scan task. By default, Kaspersky Endpoint Security scans the kernel memory, running processes, and disk
boot sectors.
13. Select data types (IOC documents) that must be analyzed as part of the task.
Kaspersky Endpoint Security automatically selects data types (IOC documents) for the IOC Scan task in
accordance with the content of loaded IOC les. It is not recommended to deselect data types.
You can additionally configure scan scopes for the following data types:
Files - FileItem. Set an IOC scan scope on the computer using preset scopes.
By default, Kaspersky Endpoint Security scans for IOCs only in important areas of the computer, such as
the Downloads folder, the desktop, the folder with temporary operating system files, etc. You can also
manually add the scan scope.
Windows event logs - EventLogItem. Enter the time period when the events were logged. You can also
select which Windows event logs must be used for IOC scanning. By default, the following event logs are
selected: application event log, system event log, and security event log.
For the Windows registry - RegistryItem data type, Kaspersky Endpoint Security scans a set of registry keys.
Wake-on-LAN is not available for this task. Make sure the computer is turned on to run the task.
18. Click Start.
As a result, Kaspersky Endpoint Security runs the search for indicators of compromise on the computer. You can
view the results of the task in task properties in the Results section. You can view the information about
detected indicators of compromise in the task properties: Application settings → IOC Scan Results.
IOC scan results are kept for 30 days. After this period, Kaspersky Endpoint Security automatically deletes
the oldest entries.
Move file to Quarantine
When reacting to threats, Kaspersky Endpoint Detection and Response can create Move file to Quarantine tasks.
This is necessary to minimize the consequences of the threat. Quarantine is a special local storage on the
computer. The user can quarantine files that the user considers dangerous for the computer. Quarantined files are
stored in an encrypted state and do not threaten the security of the device. Kaspersky Endpoint Security uses
Quarantine only when working with Detection and Response solutions: EDR Optimum, EDR Expert, KATA (EDR),
Kaspersky Sandbox. In other cases Kaspersky Endpoint Security places the relevant file in Backup. For details on
managing Quarantine as part of these solutions, please refer to the Kaspersky Sandbox Help, Kaspersky Endpoint
Detection and Response Optimum Help, Kaspersky Endpoint Detection and Response Expert Help, and
Kaspersky Anti Targeted Attack Platform Help.
2. System Critical Objects (SCO) cannot be quarantined. SCOs are files that the operating system and the
Kaspersky Endpoint Security for Windows application require to be able to run.
3. You can configure the task for EDR Optimum in Web Console and Cloud Console. Task settings for EDR Expert
are available only in Cloud Console.
2. Click Add.
The Task Wizard starts.
d. In the Select devices to which the task will be assigned block, select the task scope.
4. Select devices according to the selected task scope option. Click Next.
5. Enter the account credentials of the user whose rights you want to use to run the task. Click Next.
By default, Kaspersky Endpoint Security starts the task as the system user account (SYSTEM).
10. To add the file, you must enter the full path to the file, or both file hash and the path.
If the file is located on a network drive, enter the file path starting with \\, and not the drive letter. For
example, \\server\shared_folder\file.exe. If the file path contains a network drive letter, you can
get a File not found error.
Wake-on-LAN is not available for this task. Make sure the computer is turned on to run the task.
If the file is locked by a different process, the task is displayed as Completed, but the file itself is quarantined only
after the computer is restarted. After restarting the computer, confirm that the file has been moved to Quarantine.
The Move file to Quarantine task can finish with the Access denied error if you are trying to quarantine an
executable file that is currently running. Create a Terminate process task for the file and try again.
The Move file to Quarantine task can finish with the Not enough space in Quarantine storage error if you are trying
to quarantine a file that is too large. Empty the Quarantine or make Quarantine larger. Then try again.
You can restore a file from Quarantine or empty the Quarantine using Web Console. You can restore objects locally
on the computer using the command line.
Get file
You can get files from user computers. For example, you can configure getting an event log file created by a third-
party application. To get the file, you must create a dedicated task. As a result of the execution of the task, the file
is saved in Quarantine. You can download this file from Quarantine to your computer using Web Console. On the
user's computer, the file remains in its original folder.
You can configure the task for EDR Optimum in Web Console and Cloud Console. Task settings for EDR
Expert are available only in Cloud Console.
2. Click Add.
The Task Wizard starts.
a. In the Application drop-down list, select Kaspersky Endpoint Security for Windows (12.5).
d. In the Select devices to which the task will be assigned block, select the task scope.
4. Select devices according to the selected task scope option. Click Next.
5. Enter the account credentials of the user whose rights you want to use to run the task. Click Next.
By default, Kaspersky Endpoint Security starts the task as the system user account (SYSTEM).
10. To add the file, you must enter the full path to the file, or both file hash and the path.
If the file is located on a network drive, enter the file path starting with \\, and not the drive letter. For
example, \\server\shared_folder\file.exe. If the file path contains a network drive letter, you can
get a File not found error.
Wake-on-LAN is not available for this task. Make sure the computer is turned on to run the task.
As a result, Kaspersky Endpoint Security creates a copy of the file and moves that copy to Quarantine. You can
download the file from Quarantine in Web Console.
Delete file
You can remotely delete files using the Delete file task. For example, you can remotely delete a file when
responding to threats.
System Critical Objects (SCO) cannot be deleted. SCOs are files that the operating system and the Kaspersky
Endpoint Security for Windows application require to be able to run.
You can configure the task for EDR Optimum in Web Console and Cloud Console. Task settings for EDR Expert
are available only in Cloud Console.
2. Click Add.
The Task Wizard starts.
a. In the Application drop-down list, select Kaspersky Endpoint Security for Windows (12.5).
c. In the Task name field, enter a brief description.
d. In the Select devices to which the task will be assigned block, select the task scope.
4. Select devices according to the selected task scope option. Click Next.
5. Enter the account credentials of the user whose rights you want to use to run the task. Click Next.
By default, Kaspersky Endpoint Security starts the task as the system user account (SYSTEM).
10. To add the file, you must enter the full path to the file, or both file hash and the path.
If the file is located on a network drive, enter the file path starting with \\, and not the drive letter. For
example, \\server\shared_folder\file.exe. If the file path contains a network drive letter, you can
get a File not found error.
Wake-on-LAN is not available for this task. Make sure the computer is turned on to run the task.
As a result, Kaspersky Endpoint Security deletes the file from the computer. If the file is locked by a different
process, the task is displayed as Completed, but the file itself is deleted only after the computer is restarted.
After restarting the computer, confirm that the file is deleted.
The Delete file task can finish with the Access denied error if you are trying to delete an executable file that is
currently running. Create a Terminate process task for the file and try again.
Process start
You can remotely run files using the Start process task. For example, you can remotely run a utility that creates
the computer configuration file. Next you can use the Get file task to receive the created file in Kaspersky Security
Center Web Console.
You can configure the task for EDR Optimum in Web Console and Cloud Console. Task settings for EDR
Expert are available only in Cloud Console.
2. Click Add.
The Task Wizard starts.
a. In the Application drop-down list, select Kaspersky Endpoint Security for Windows (12.5).
d. In the Select devices to which the task will be assigned block, select the task scope.
4. Select devices according to the selected task scope option. Click Next.
5. Enter the account credentials of the user whose rights you want to use to run the task. Click Next.
By default, Kaspersky Endpoint Security starts the task as the system user account (SYSTEM).
Wake-on-LAN is not available for this task. Make sure the computer is turned on to run the task.
As a result, Kaspersky Endpoint Security runs the command in silent mode and starts the process. You can view
the results of the task in task properties in the Execution results section.
Terminate process
You can remotely terminate processes using the Terminate process task. For example, you can remotely terminate
an Internet speed testing utility that was started using the Start process task.
If you want to prohibit running a file, you can configure the Execution prevention component. You can prohibit the
execution of executable files, scripts, and office format files.
Processes of System Critical Objects (SCO) cannot be terminated. SCOs are les that the operating system
and the Kaspersky Endpoint Security application require to be able to run.
You can configure the task for EDR Optimum in Web Console and Cloud Console. Task settings for EDR Expert
are available only in Cloud Console.
2. Click Add.
The Task Wizard starts.
a. In the Application drop-down list, select Kaspersky Endpoint Security for Windows (12.5).
d. In the Select devices to which the task will be assigned block, select the task scope.
4. Select devices according to the selected task scope option. Click Next.
5. Enter the account credentials of the user whose rights you want to use to run the task. Click Next.
By default, Kaspersky Endpoint Security starts the task as the system user account (SYSTEM).
9. To terminate the process, you must select the file that you want to terminate. You can select a file in one of the
following ways:
If the file is located on a network drive, enter the file path starting with \\, and not the drive letter. For
example, \\server\shared_folder\file.exe. If the file path contains a network drive letter, you can
get a File not found error.
Wake-on-LAN is not available for this task. Make sure the computer is turned on to run the task.
As a result, Kaspersky Endpoint Security terminates the process on the computer. For example, if a 'GAME'
application is running and you terminate the game.exe process, the application is closed without saving data. You
can view the results of the task in task properties in the Results section.
Execution prevention
Execution prevention allows managing the running of executable files and scripts, as well as opening office format
files. In this way, you can, for example, prevent the execution of applications that you consider insecure. As a result,
the spreading of the threat can be stopped. Execution prevention supports a set of office file extensions and a set
of script interpreters.
Execution prevention manages user access to files with execution prevention rules. An execution prevention rule is a
set of criteria that the application takes into account when reacting to an object execution, for example when
blocking object execution. The application identifies files by their paths or checksums calculated using the MD5 and
SHA256 hashing algorithms.
You can also manage Execution prevention locally using the command line.
1. Prevention rules do not cover files on CDs or in ISO images. The application does not block execution or
opening of these files.
2. It is impossible to block the startup of system-critical objects (SCO). SCOs are files that the operating system
and the Kaspersky Endpoint Security for Windows application require to be able to run.
3. It is not recommended to create more than 5000 run prevention rules, as this can cause system instability.
Statistics only
In this mode, Kaspersky Endpoint Security publishes an event about attempts to run executable objects or
open documents that match prevention rule criteria to the Windows event log and Kaspersky Security Center,
but does not block the attempt to run or open the object or document. This mode is selected by default.
Active
In this mode, the application blocks the execution of objects or opening of documents that match prevention
rule criteria. The application also publishes an event about attempts to execute objects or open documents to
the Windows event log and Kaspersky Security Center event log.
You can configure the component settings only in the Web Console.
To prevent execution:
1. In the main window of the Web Console, select Devices → Policies & profiles.
The policy properties window opens.
6. In the Action on execution or opening of forbidden object block, select the component operating mode:
Block and write to report. In this mode, the application blocks the execution of objects or opening of
documents that match prevention rule criteria. The application also publishes an event about attempts to
execute objects or open documents to the Windows event log and Kaspersky Security Center event log.
Log events only. In this mode, Kaspersky Endpoint Security publishes an event about attempts to run
executable objects or open documents that match prevention rule criteria to the Windows event log and
Kaspersky Security Center, but does not block the attempt to run or open the object or document. This
mode is selected by default.
a. Click Add.
b. This opens a window; in this window, enter the name of the execution prevention rule (for example,
Application A).
c. In the Type drop-down list, select the object that you want to block: Executable file, Script, Microsoft
Office document.
If you select a wrong object type, Kaspersky Endpoint Security does not block the file or script.
d. To add the file, you must enter the hash of the file (SHA256 or MD5), the full path to the file, or both the hash
and the path.
If the file is located on a network drive, enter the file path starting with \\, and not the drive letter. For
example, \\server\shared_folder\file.exe. If the file path contains a network drive letter,
Kaspersky Endpoint Security does not block the file or script.
Execution prevention supports a set of office file extensions and a set of script interpreters.
e. Click OK.
As a result, Kaspersky Endpoint Security blocks the execution of objects: running executable files and scripts,
opening office format files. You can, however, for example, open a script file in a text editor even if running the
script is prevented. When blocking the execution of an object, Kaspersky Endpoint Security displays a standard
notification (see figure below) if notifications are enabled in application settings.
Execution prevention notification
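The following Python script is an added example, not part of this help and not Kaspersky Endpoint Security code; it does not hook process creation on the endpoint. It reproduces the decisions the procedure above describes: a rule matches only when its object type matches the launched object and every criterion it carries (path, SHA256, MD5, or both hash and path) matches; Log events only (Statistics only) records an event without blocking, while Block and write to report (Active) blocks and records; and a rule that names a network file by a mapped drive letter is inert. The rule names, paths, file contents and the set of mapped drive letters are constructed for the example.

```python
"""Reference evaluator for execution prevention rules with the semantics described
in this section. Added example for this help page, not Kaspersky code: it does not
hook process creation, it only reproduces the decision a rule set yields for one
launch attempt in Statistics only and Active modes. Rule names, paths, hashes and
the mapped-drive letters are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

OBJECT_TYPES = ("Executable file", "Script", "Microsoft Office document")
MODES = ("Statistics only", "Active")
MAX_RULES = 5000                      # more than this is documented as a stability risk


@dataclass(frozen=True)
class Rule:
    name: str
    object_type: str                  # one of OBJECT_TYPES
    path: Optional[str] = None        # full path; UNC (\\server\share\...) for network files
    sha256: Optional[str] = None
    md5: Optional[str] = None


@dataclass(frozen=True)
class Attempt:
    path: str                         # path of the object being run or opened
    object_type: str
    data: bytes                       # object content, hashed on demand


def rule_issues(rule, mapped_drives=frozenset()):
    """Reasons a rule is silently ineffective. mapped_drives is an assumption: the
    letters this host maps to network shares, which a rule must not rely on."""
    issues = []
    if rule.object_type not in OBJECT_TYPES:
        issues.append("unknown object type")
    if rule.path is None and rule.sha256 is None and rule.md5 is None:
        issues.append("rule needs a hash, a path, or both")
    if rule.path and rule.path[:1].upper() in mapped_drives:
        issues.append("network path uses a drive letter instead of a UNC path")
    return issues


def rule_matches(rule, attempt, mapped_drives=frozenset()):
    """True when every criterion present in the rule matches the attempt."""
    if rule.object_type != attempt.object_type:     # wrong type selected: nothing is blocked
        return False
    if rule_issues(rule, mapped_drives):
        return False
    if rule.path is not None and rule.path.lower() != attempt.path.lower():
        return False                                # Windows paths compare case-insensitively
    if rule.sha256 is not None and rule.sha256.lower() != hashlib.sha256(attempt.data).hexdigest():
        return False
    if rule.md5 is not None and rule.md5.lower() != hashlib.md5(attempt.data).hexdigest():
        return False
    return True


def decide(rules, attempt, mode, mapped_drives=frozenset()):
    """Return (blocked, events). Both modes record an event; only Active blocks."""
    if mode not in MODES:
        raise ValueError("unknown mode: %s" % mode)
    if len(rules) > MAX_RULES:
        raise ValueError("more than %d rules" % MAX_RULES)
    events = ["%s: %s matched rule %r" % (mode, attempt.path, r.name)
              for r in rules if rule_matches(r, attempt, mapped_drives)]
    return (mode == "Active" and bool(events)), events


# Constructed sample rules: one by SHA256 only, one by UNC path, one with the drive-letter mistake.
TOOL_BYTES = b"constructed contents of a remote-admin tool"
RULES = [
    Rule("Remote admin tool", "Executable file", sha256=hashlib.sha256(TOOL_BYTES).hexdigest()),
    Rule("Shared logon script", "Script", path=r"\\fileserver\netlogon\logon.vbs"),
    Rule("Macro template", "Microsoft Office document", path=r"Z:\templates\invoice.docm"),
]

if __name__ == "__main__":
    run = Attempt(r"C:\Users\Public\renamed.exe", "Executable file", TOOL_BYTES)
    print(decide(RULES, run, "Statistics only"))             # (False, [one event])
    print(decide(RULES, run, "Active"))                      # (True, [one event])
    print(rule_issues(RULES[2], mapped_drives={"Z"}))        # drive-letter warning
```

The hash-only rule still matches the renamed copy of the tool, which is why hashes are the stronger criterion for a known binary; a path-only rule is appropriate for a fixed location such as a logon script on a share, provided the path is written in UNC form. Run rule_issues over a rule set before uploading it to catch rules that would never fire.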
When Network isolation is turned on, the application severs all active connections and blocks all new TCP/IP
network connections on the computer except the following connections:
You can configure the component settings only in the Web Console.
You can configure Network isolation to be turned on automatically in response to an IOC detection. You can
configure the automatic Network isolation mode with a group policy.
How to configure Network isolation to be turned on automatically in response to an IOC detection
1. In the main window of the Web Console, select Devices → Tasks.
The list of tasks opens.
4. In the Action on IOC detection block, select the Take response actions after an IOC is found and Isolate
computer from the network check boxes.
As a result, when an IOC is detected, the application isolates the computer from the network to prevent the
threat from spreading.
You can configure Network isolation to be turned off automatically after a specified time elapses. By default, the
application turns off Network isolation after 8 hours have passed from the time when it was turned on. You can
also turn off Network isolation manually (see the instructions below). After turning off Network isolation, the
computer can use the network without restrictions.
How to configure the delay for turning off Network isolation of a computer in automatic mode
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Network isolation block, click Configure computer unlock settings.
6. This opens a window; in this window, select the Automatically unlock isolated computer in N hours check
box and enter the delay for automatically turning off Network isolation.
You can manually turn Network isolation on and off. You can configure the manual Network isolation mode using the
computer properties in the Kaspersky Security Center console.
Alert Details is a tool for viewing the entirety of collected information about a detected threat. Alert details
include, for example, the history of files appearing on the computer. For details about managing alert details,
refer to the Kaspersky Endpoint Detection and Response Optimum Help and the Kaspersky Endpoint
Detection and Response Expert Help.
1. In the main window of the Web Console, select Devices → Managed devices.
2. Select the computer for which you want to configure local application settings.
This opens the computer properties.
7. In the Network isolation block, click Isolate computer from the network.
You can configure Network isolation to be turned off automatically after a specified time elapses. By default, the
application turns off Network isolation after 8 hours have passed from the time when it was turned on. After
turning off Network isolation, the computer can use the network without restrictions.
How to configure the delay for turning off Network isolation of a computer in manual mode
1. In the main window of the Web Console, select Devices → Managed devices.
2. Select the computer for which you want to configure local application settings.
This opens the computer properties.
6. This opens a window; in this window, select the delay for turning off Network isolation.
1. In the main window of the Web Console, select Devices → Managed devices.
2. Select the computer for which you want to configure local application settings.
This opens the computer properties.
7. In the Network isolation block, click Unblock computer isolated from the network.
You can also disable Network isolation locally using the command line.
You can configure Network isolation exclusions. Network connections that match the rules are not blocked on the
computer when Network isolation is turned on.
To configure Network isolation exclusions, you can use a list of standard network profiles. By default, exclusions
include network profiles containing rules that ensure uninterrupted operation of devices with the DNS/DHCP
server and DNS/DHCP client roles. You can also modify the settings of standard network profiles or define
exclusions manually (see instructions below).
Exclusions specified in policy properties are applied only if Network isolation is turned on automatically in
response to a detected threat. Exclusions specified in computer properties are applied only if Network
isolation is turned on manually in computer properties in the Kaspersky Security Center console or in alert
details.
An active policy does not prevent applying exclusions from Network isolation configured in computer
properties because these parameters have different usage scenarios.
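The split between policy exclusions (automatic isolation) and computer-property exclusions (manual isolation) is the part that catches operators out: an exclusion entered in the wrong place is simply never consulted. The following Python model is an added example, not Kaspersky code, and reproduces only that selection logic together with a simple rule match. The rule fields (protocol, remote port range, optional host), the contents of the DNS/DHCP client profile (the well-known DNS and DHCP ports) and the connections in `demo()` are assumptions constructed for illustration.

```python
"""Model of which Network isolation exclusions apply (added example, not Kaspersky code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Exclusion:
    protocol: str                      # "tcp", "udp" or "any" (assumed field shape)
    port_from: int                     # inclusive remote port range
    port_to: int
    remote_host: Optional[str] = None  # None: any host


@dataclass(frozen=True)
class Connection:
    protocol: str
    remote_host: str
    remote_port: int


# Assumed content of the standard DNS/DHCP client profile: well-known DNS and DHCP ports.
DNS_DHCP_CLIENT_PROFILE = [
    Exclusion("udp", 53, 53),
    Exclusion("tcp", 53, 53),
    Exclusion("udp", 67, 68),
]


def matches(rule: Exclusion, conn: Connection) -> bool:
    """True if the connection falls inside the exclusion rule."""
    if rule.protocol != "any" and rule.protocol != conn.protocol:
        return False
    if rule.remote_host is not None and rule.remote_host != conn.remote_host:
        return False
    return rule.port_from <= conn.remote_port <= rule.port_to


def connection_allowed(conn: Connection, isolation_mode: Optional[str],
                       policy_exclusions: List[Exclusion],
                       device_exclusions: List[Exclusion]) -> bool:
    """isolation_mode: None (not isolated), "automatic" (turned on by an IOC detection,
    policy exclusions apply) or "manual" (turned on in computer properties or alert
    details, computer-property exclusions apply)."""
    if isolation_mode is None:
        return True
    if isolation_mode == "automatic":
        active = policy_exclusions
    elif isolation_mode == "manual":
        active = device_exclusions
    else:
        raise ValueError(f"unknown isolation mode {isolation_mode!r}")
    # Everything not matched by an active exclusion is blocked while isolated.
    return any(matches(rule, conn) for rule in active)


def demo() -> Dict[str, bool]:
    """Constructed scenario: an RDP exclusion was added only in computer properties."""
    policy = list(DNS_DHCP_CLIENT_PROFILE)
    device = list(DNS_DHCP_CLIENT_PROFILE) + [Exclusion("tcp", 3389, 3389, "10.0.0.5")]
    dns = Connection("udp", "10.0.0.53", 53)
    https = Connection("tcp", "203.0.113.10", 443)
    rdp = Connection("tcp", "10.0.0.5", 3389)
    return {
        "dns_auto": connection_allowed(dns, "automatic", policy, device),
        "https_auto": connection_allowed(https, "automatic", policy, device),
        "rdp_auto": connection_allowed(rdp, "automatic", policy, device),    # blocked
        "rdp_manual": connection_allowed(rdp, "manual", policy, device),     # allowed
    }
```

In the scenario, the RDP exclusion works when an analyst isolates the host by hand but not when isolation fires from an IOC detection, because it was never added to the policy. Add an exclusion that has to survive both paths in both places.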
1. In the main window of the Web Console, select Devices → Policies & profiles.
6. This opens a window; in this window, click Add from profile and select standard network profiles for
configuring exclusions.
Network isolation exclusions from the profile are added to the list of Network isolation exclusions. You can
view the properties of network connections. If necessary, you can modify network connection settings.
7. If necessary, add a Network isolation exclusion manually. To do so, in the window with the list of exclusions,
click Add and manually edit network connection settings.
1. In the main window of the Web Console, select Devices → Managed devices.
2. Select the computer for which you want to configure local application settings.
This opens the computer properties.
7. This opens a window; in this window, click Add from profile and select standard network profiles for
configuring exclusions.
Network isolation exclusions from the profile are added to the list of Network isolation exclusions. You can
view the properties of network connections. If necessary, you can modify network connection settings.
8. If necessary, add a Network isolation exclusion manually. To do so, in the window with the list of exclusions,
click Add and manually edit network connection settings.
You can also view the Network isolation exclusion list locally using the command line. In this case, the computer
must be isolated.
Cloud Sandbox
Cloud Sandbox is a technology that lets you detect advanced threats on a computer. Kaspersky Endpoint Security
automatically forwards detected files to Cloud Sandbox for analysis. Cloud Sandbox runs these files in an isolated
environment to identify malicious activity and decides on their reputation. Data on these files is then sent to
Kaspersky Security Network. Therefore, if Cloud Sandbox has detected a malicious file, Kaspersky Endpoint
Security will perform the appropriate action to eliminate this threat on all computers where this file is detected.
For Cloud Sandbox to operate, you must enable the use of Kaspersky Security Network.
If you are using Kaspersky Private Security Network, Cloud Sandbox technology is not available.
Cloud Sandbox technology is permanently enabled and is available to all Kaspersky Security Network users
regardless of the type of license they are using. If you have already deployed Endpoint Detection and Response
solution (EDR Optimum or EDR Expert), you can enable a separate counter for threats detected by Cloud
Sandbox. You can use this counter to generate statistics during analysis of detected threats.
1. In the main window of the Web Console, select Devices → Policies & pro les.
Whenever there is a threat, Kaspersky Endpoint Security activates the counter for threats detected using Cloud
Sandbox in the main application window under Threat detection technologies. Kaspersky Endpoint Security will
also indicate the Cloud Sandbox threat detection technology in the Report on threats in the Kaspersky Security
Center console.
When you deploy Kaspersky Endpoint Security on computers that have Kaspersky Endpoint Agent installed,
Kaspersky Endpoint Detection and Response Optimum solution will continue working with Kaspersky Endpoint
Security. In addition, Kaspersky Endpoint Agent will be removed from the computer. The same behavior in the
system will occur when you update Kaspersky Endpoint Security to version 11.7.0 or higher.
Kaspersky Endpoint Security is not compatible with Kaspersky Endpoint Agent. You cannot install both of
these applications on the same computer.
The following conditions must be met for Kaspersky Endpoint Security to work as part of Kaspersky Endpoint
Detection and Response Optimum:
Kaspersky Security Center version 13.2 or higher (including Network Agent). In earlier versions of Kaspersky
Security Center, it is impossible to activate the EDR Optimum feature.
EDR Optimum can be managed only using the Kaspersky Security Center Web Console.
Data transfer to Administration Server is enabled. The data are required to obtain information about files
quarantined on a computer through Web Console.
A background connection between Kaspersky Security Center Web Console and Administration Server is
established. For EDR Optimum to work with Administration Server via Kaspersky Security Center Web Console,
you must establish a new secure connection, a background connection.
Steps for migrating [KES+KEA] con guration to [KES+built-in agent] for EDR Optimum
EDR Optimum component can be managed using the Kaspersky Endpoint Security Web Plug-in version 11.7.0 or
higher.
Transfer Kaspersky Endpoint Agent settings to Kaspersky Endpoint Security for Windows. To do this, use the
wizard for migrating from Kaspersky Endpoint Agent in the Web Console.
How to migrate policy and task settings from Kaspersky Endpoint Agent to Kaspersky Endpoint Security in Web
Console
In the main window of the Web Console, select Operations → Migration from Kaspersky Endpoint
Agent.
This runs the policies and tasks migration wizard. Follow the instructions of the Wizard.
The Migration Wizard creates a new policy which merges the settings of Kaspersky Endpoint Security
and Kaspersky Endpoint Agent policies. In the policy list, select Kaspersky Endpoint Agent policies
whose settings you want to merge with the Kaspersky Endpoint Security policy. Click the Kaspersky
Endpoint Agent policy in order to select the Kaspersky Endpoint Security policy with which you want to
merge settings. Make sure you selected the correct policies and go to the next step.
The Migration Wizard creates new tasks for Kaspersky Endpoint Security. In the task list, select
Kaspersky Endpoint Agent tasks which you want to create for Kaspersky Endpoint Security policy. Go
to the next step.
After migrating from Kaspersky Endpoint Agent to Kaspersky Endpoint Security for Windows,
please make sure that the new policy has the functionality for data transfer to the
Administration Server (quarantine file data and threat development chain data) set up. Data
transfer parameter values are not migrated from a Kaspersky Endpoint Agent policy.
If you use a common Kaspersky Endpoint Detection and Response Optimum or Kaspersky Optimum Security
license to activate Kaspersky Endpoint Security for Windows and Kaspersky Endpoint Agent, EDR Optimum
functionality will be activated automatically after upgrading the application to version 11.7.0 or higher. You do not
need to do anything else.
If you use a stand-alone Kaspersky Endpoint Detection and Response Optimum Add-on license to activate EDR
Optimum functionality, you must make sure that the EDR Optimum key is added to the Kaspersky Security
Center repository and the automatic license key distribution functionality is enabled. After you upgrade the
application to version 11.7.0 or higher, EDR Optimum functionality is activated automatically.
If you use a Kaspersky Endpoint Detection and Response Optimum or Kaspersky Optimum Security license to
activate Kaspersky Endpoint Agent, and a di erent license to activate Kaspersky Endpoint Security for
Windows, you must replace the Kaspersky Endpoint Security for Windows key with the common Kaspersky
Endpoint Detection and Response Optimum or Kaspersky Optimum Security key. You can replace the key using
the Add key task.
To migrate EDR Optimum functionality during an application installation or upgrade, it is recommended to use the
remote installation task. When creating a remote installation task, you need to select EDR Optimum component
in the installation package settings.
You can also upgrade the application using the following methods:
Kaspersky Endpoint Security supports automatically selecting components when upgrading the application on a
computer with the Kaspersky Endpoint Agent application installed. The automatic selection of components
depends on the permissions of the user account that is upgrading the application.
If you are upgrading Kaspersky Endpoint Security using the EXE or MSI le under the system account (SYSTEM),
Kaspersky Endpoint Security gains access to current licenses of Kaspersky solutions. Therefore, if the computer
has, for example, Kaspersky Endpoint Agent installed and the EDR Optimum solution activated, the Kaspersky
Endpoint Security installer automatically configures the set of components and selects the EDR Optimum
component. This makes Kaspersky Endpoint Security switch to using the built-in agent and removes Kaspersky
Endpoint Agent. Running the MSI installer under the system account (SYSTEM) is usually performed when
upgrading via the Kaspersky update service or when deploying an installation package via Kaspersky Security
Center.
If you are upgrading Kaspersky Endpoint Security using an MSI le under a non-privileged user account,
Kaspersky Endpoint Security lacks access to current licenses of Kaspersky solutions. In this case, Kaspersky
Endpoint Security automatically selects components based on Kaspersky Endpoint Agent con guration. After
that Kaspersky Endpoint Security switches to using the built-in agent and removes Kaspersky Endpoint Agent.
Kaspersky Endpoint Security supports upgrading without computer restart. You can select the application
upgrade mode in policy properties.
If after application installation or upgrade, the computer has the Critical status in the Kaspersky Security Center
console:
Make sure that the computer has Network Agent version 13.2 or higher installed.
Check the operating status of the built-in agent by viewing the Application components status report. If a
component has the Not installed status, install the component using the Change application components
task. If a component has the Not covered by license status, make sure that you have activated the built-in
agent functionality.
Make sure you accept the Kaspersky Security Network Statement in the new policy of Kaspersky Endpoint
Security for Windows.
Kaspersky Sandbox
Starting with version 11.7.0, Kaspersky Endpoint Security for Windows includes a built-in agent for
integration with Kaspersky Sandbox solution. The Kaspersky Sandbox solution detects and
automatically blocks advanced threats on computers. Kaspersky Sandbox analyzes object behavior
to detect malicious activity and activity characteristic of targeted attacks on the IT infrastructure
of the organization. Kaspersky Sandbox analyzes and scans objects on special servers with
deployed virtual images of Microsoft Windows operating systems (Kaspersky Sandbox servers). For
details about the solution, refer to the Kaspersky Sandbox Help.
The following con gurations are possible for the Kaspersky Sandbox solution:
Minimum requirements:
Distribution kit for Kaspersky Endpoint Security versions 11.2.0 – 11.8.0 includes Kaspersky Endpoint Agent.
You can select Kaspersky Endpoint Agent when installing Kaspersky Endpoint Security for Windows. As a
result, two applications will be installed on your computer: KEA and KES. In Kaspersky Endpoint Security
11.9.0 the Kaspersky Endpoint Agent distribution package is no longer part of the Kaspersky Endpoint
Security distribution kit.
Kaspersky Security Center 13.2. Earlier versions of Kaspersky Security Center do not allow the creation of
standalone IOC Scan tasks for threat response.
The component can be managed only using the Web Console. You cannot manage this component using the
Administration Console (MMC).
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Data transfer to Administration Server block, select the About Quarantine files check box.
A background connection between Kaspersky Security Center Web Console and Administration Server is
established
For Kaspersky Sandbox to work with Administration Server via Kaspersky Security Center Web Console, you
must establish a new secure connection, a background connection. For details about the integration of
Kaspersky Security Center with other Kaspersky solutions, refer to the Kaspersky Security Center Help.
Establishing a background connection in Web Console
If a background connection between Kaspersky Security Center Web Console and Administration Server is not
established, stand-alone IOC scan tasks cannot be created as part of Threat Response.
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. Use the Integration with Kaspersky Sandbox ENABLED toggle to enable or disable the component.
As a result, the Kaspersky Sandbox component is enabled. Check the operating status of the component by
viewing the Application components status report. You can also view the operating status of a component in
reports in the local interface of Kaspersky Endpoint Security. The Kaspersky Sandbox component will be added
to the list of Kaspersky Endpoint Security components.
Kaspersky Endpoint Security saves information about the functioning of the Kaspersky Sandbox component
to a report. The report also contains information about errors. If you get an error with a description fitting the
Error code: XXX format (for example, 0xa67b01f4), contact Technical Support.
To configure a trusted connection with Kaspersky Sandbox servers, you must prepare a TLS certificate. Next you
must add the certificate to Kaspersky Sandbox servers and the Kaspersky Endpoint Security policy. For details on
preparing the certificate and adding the certificate to servers, refer to the Kaspersky Sandbox Help.
You can add a TLS certificate in Web Console or locally using the command line.
1. In the main window of the Web Console, select Devices → Policies & profiles.
6. In the Server TLS certificate block, click Add and select the TLS certificate file.
Kaspersky Endpoint Security can only have one TLS certificate for a Kaspersky Sandbox server. If you have
added a TLS certificate before, that certificate is revoked. Only the last added certificate is used.
Timeout. Connection timeout for Kaspersky Sandbox server. After the con gured timeout elapses,
Kaspersky Endpoint Security sends a request to the next server. You can increase the connection timeout
for Kaspersky Sandbox if your connection speed is low or if the connection is unstable. The recommended
request timeout is 0.5 seconds or less.
Kaspersky Sandbox request queue. Size of the request queue folder. When an object is accessed on the
computer (executable launched or document opened, for example in DOCX or PDF format), Kaspersky
Endpoint Security can also send the object to be scanned by Kaspersky Sandbox. If there are multiple
requests, Kaspersky Endpoint Security creates a request queue. By default, the size of the request queue
folder is limited to 100 MB. After the maximum size is reached, Kaspersky Sandbox stops adding new
requests to the queue and sends the corresponding event to Kaspersky Security Center. You can con gure
the size of the request queue folder depending on your server con guration.
As a result, Kaspersky Endpoint Security verifies the TLS certificate. If the certificate is successfully verified,
Kaspersky Endpoint Security uploads the certificate file to the computer during the next synchronization with
Kaspersky Security Center. If you have added two TLS certificates, Kaspersky Sandbox will use the latest
certificate to establish a trusted connection.
1. In the main window of the Web Console, select Devices → Policies & profiles.
6. This opens a window; in the window, enter Kaspersky Sandbox server address (IPv4, IPv6, DNS) and port.
Kaspersky Endpoint Security searches for indicators of compromise using IOC files. IOC files are files containing
the sets of indicators that the application tries to match to count a detection. IOC files must conform to the
OpenIOC standard. Kaspersky Endpoint Security automatically generates IOC files for Kaspersky Sandbox.
The application creates stand-alone IOC scan tasks for Kaspersky Sandbox. Stand-alone IOC scan task is a group
task that is automatically created when reacting to a threat detected by Kaspersky Sandbox. Kaspersky Endpoint
Security automatically generates the IOC file. Custom IOC files are not supported. Tasks are automatically deleted
30 days after the creation time. For more details about stand-alone IOC scan tasks, refer to the Kaspersky
Sandbox Help.
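To make the "sets of indicators that the application tries to match" concrete, the following Python evaluator is an added example, not Kaspersky code: it parses a small IOC file written against the OpenIOC 1.0 schema (namespace http://schemas.mandiant.com/2010/ioc) and walks its AND/OR indicator tree over a file inventory to decide which items count as a detection. The IOC document, its hash values and the inventory are constructed for the example, and treating `is` and `contains` as case-insensitive comparisons is an assumption of this evaluator, not a statement about how the product matches.

```python
"""Minimal OpenIOC 1.0 evaluator (added example, not Kaspersky code)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed IOC: matches a known MD5, or any *update* file with the exe extension.
SAMPLE_IOC = """<?xml version="1.0" encoding="utf-8"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     id="0f5d2c5e-1111-4a2b-9c3d-000000000001" last-modified="2024-01-01T00:00:00">
  <short_description>Constructed example: dropper and its renamed payload</short_description>
  <definition>
    <Indicator operator="OR" id="i-root">
      <IndicatorItem id="ii-1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="i-and">
        <IndicatorItem id="ii-2" condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">update</Content>
        </IndicatorItem>
        <IndicatorItem id="ii-3" condition="is">
          <Context document="FileItem" search="FileItem/FileExtension" type="mir"/>
          <Content type="string">exe</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed file inventory, keyed by the OpenIOC search terms the IOC refers to.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"FileItem/FullPath": r"C:\Temp\a.tmp", "FileItem/FileName": "a.tmp",
     "FileItem/FileExtension": "tmp", "FileItem/Md5sum": "0123456789ABCDEF0123456789abcdef"},
    {"FileItem/FullPath": r"C:\ProgramData\svc_update.exe", "FileItem/FileName": "svc_update.exe",
     "FileItem/FileExtension": "exe", "FileItem/Md5sum": "ffffffffffffffffffffffffffffffff"},
    {"FileItem/FullPath": r"C:\Windows\update.dll", "FileItem/FileName": "update.dll",
     "FileItem/FileExtension": "dll", "FileItem/Md5sum": "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"},
    {"FileItem/FullPath": r"C:\Users\j\report.docx", "FileItem/FileName": "report.docx",
     "FileItem/FileExtension": "docx", "FileItem/Md5sum": "dddddddddddddddddddddddddddddddd"},
]


def _local(tag: str) -> str:
    """Strip the namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _eval_item(node: ET.Element, item: Dict[str, str]) -> bool:
    """Evaluate one IndicatorItem (Context/search + Content) against a file item."""
    ctx, content = node.find("ioc:Context", NS), node.find("ioc:Content", NS)
    if ctx is None or content is None:
        return False
    actual = item.get(ctx.get("search", ""))
    if actual is None:
        return False                     # the item has no value for this term
    expected = (content.text or "").strip().lower()   # assumed: case-insensitive
    cond = node.get("condition", "is")
    if cond == "is":
        return actual.lower() == expected
    if cond == "contains":
        return expected in actual.lower()
    raise ValueError(f"unsupported condition {cond!r}")


def _eval_indicator(node: ET.Element, item: Dict[str, str]) -> bool:
    """Combine child results with the Indicator's AND/OR operator."""
    results = []
    for child in node:
        name = _local(child.tag)
        if name == "Indicator":
            results.append(_eval_indicator(child, item))
        elif name == "IndicatorItem":
            results.append(_eval_item(child, item))
    if not results:
        return False
    return all(results) if node.get("operator", "OR").upper() == "AND" else any(results)


def load_ioc(xml_text: str) -> Tuple[str, List[ET.Element]]:
    """Return the IOC id and its top-level Indicator elements."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    definition = root.find("ioc:definition", NS)
    if definition is None:
        raise ValueError("IOC file has no <definition> element")
    return root.get("id", ""), [c for c in definition if _local(c.tag) == "Indicator"]


def scan(xml_text: str, inventory: List[Dict[str, str]]) -> List[str]:
    """Full paths of inventory items that satisfy the IOC (each one is a detection)."""
    _, top = load_ioc(xml_text)
    return [item["FileItem/FullPath"] for item in inventory
            if any(_eval_indicator(ind, item) for ind in top)]
```

In the constructed inventory the temp file matches through the MD5 indicator and `svc_update.exe` through the AND branch, while `update.dll` fails the extension term and is not reported; that is the difference between an OR root and an AND sub-indicator that a reader of a generated IOC file should look for.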
Kaspersky Sandbox may create and run IOC Scan tasks automatically when reacting to threats.
You can configure the settings only in the Web Console.
You need Kaspersky Security Center 13.2 for stand-alone IOC scan tasks of Kaspersky Sandbox to work.
Move copy to Quarantine, delete object. If this option is selected, Kaspersky Endpoint Security deletes the
malicious object found on the computer. Before deleting the object, Kaspersky Endpoint Security creates a
backup copy in case the object needs to be restored later. Kaspersky Endpoint Security moves the backup
copy to Quarantine.
Run scan of critical areas. If this option is selected, Kaspersky Endpoint Security runs the Critical Areas
Scan task. By default, Kaspersky Endpoint Security scans the kernel memory, running processes, and disk
boot sectors.
6. Configure the IOC Scan task run mode using the Run only when the computer is idle check box. This check
box enables / disables the function that suspends the IOC Scan task when computer resources are limited.
Kaspersky Endpoint Security pauses the IOC Scan task if the screensaver is o and the computer is unlocked.
This schedule option lets you conserve computer resources when the computer is being used.
You can view the results of the task in task properties in the Results section. You can view the information about
detected indicators of compromise in the task properties: Application settings → IOC Scan Results.
IOC scan results are kept for 30 days. After this period, Kaspersky Endpoint Security automatically deletes
the oldest entries.
When you deploy Kaspersky Endpoint Security on computers that have Kaspersky Endpoint Agent installed,
Kaspersky Sandbox solution will continue working with Kaspersky Endpoint Security. In addition, Kaspersky
Endpoint Agent will be removed from the computer. The same behavior in the system will occur when you update
Kaspersky Endpoint Security to version 11.7.0 or higher.
Kaspersky Endpoint Security is not compatible with Kaspersky Endpoint Agent. You cannot install both of
these applications on the same computer.
The following conditions must be met for Kaspersky Endpoint Security to work as part of Kaspersky Sandbox:
Kaspersky Security Center version 13.2 or higher (including Network Agent). In earlier versions of Kaspersky
Security Center, it is impossible to activate the Kaspersky Sandbox feature.
Kaspersky Sandbox can be managed only using the Kaspersky Security Center Web Console.
Data transfer to Administration Server is enabled. The data are required to obtain information about files
quarantined on a computer through Web Console.
A background connection between Kaspersky Security Center Web Console and Administration Server is
established. For Kaspersky Sandbox to work with Administration Server via Kaspersky Security Center Web
Console, you must establish a new secure connection, a background connection.
Steps for migrating [KES+KEA] configuration to [KES+built-in agent] for Kaspersky Sandbox
Kaspersky Sandbox component can be managed using the Kaspersky Endpoint Security Web Plug-in version
11.7.0 or higher.
Transfer Kaspersky Endpoint Agent settings to Kaspersky Endpoint Security for Windows. To do this, use the
wizard for migrating from Kaspersky Endpoint Agent in the Web Console.
How to migrate policy and task settings from Kaspersky Endpoint Agent to Kaspersky Endpoint Security in Web
Console
In the main window of the Web Console, select Operations → Migration from Kaspersky Endpoint
Agent.
This runs the policies and tasks migration wizard. Follow the instructions of the Wizard.
The Migration Wizard creates a new policy which merges the settings of Kaspersky Endpoint Security
and Kaspersky Endpoint Agent policies. In the policy list, select Kaspersky Endpoint Agent policies
whose settings you want to merge with the Kaspersky Endpoint Security policy. Click the Kaspersky
Endpoint Agent policy in order to select the Kaspersky Endpoint Security policy with which you want to
merge settings. Make sure you selected the correct policies and go to the next step.
The Migration Wizard creates new tasks for Kaspersky Endpoint Security. In the task list, select
Kaspersky Endpoint Agent tasks which you want to create for Kaspersky Endpoint Security policy. Go
to the next step.
After migrating from Kaspersky Endpoint Agent to Kaspersky Endpoint Security for Windows,
please make sure that the new policy has the functionality for data transfer to the
Administration Server (quarantine file data and threat development chain data) set up. Data
transfer parameter values are not migrated from a Kaspersky Endpoint Agent policy.
To activate Kaspersky Endpoint Security as part of the Kaspersky Sandbox solution, you need a separate license
for Kaspersky Sandbox Add-on. You can add the key using the Add key task. As a result, two keys will be added to
the application: Kaspersky Endpoint Security and Kaspersky Sandbox.
You can also upgrade the application using the following methods:
Kaspersky Endpoint Security supports automatically selecting components when upgrading the application on a
computer with the Kaspersky Endpoint Agent application installed. The automatic selection of components
depends on the permissions of the user account that is upgrading the application.
If you are upgrading Kaspersky Endpoint Security using the EXE or MSI le under the system account (SYSTEM),
Kaspersky Endpoint Security gains access to current licenses of Kaspersky solutions. Therefore, if the computer
has, for example, Kaspersky Endpoint Agent installed and the Kaspersky Sandbox solution activated, the
Kaspersky Endpoint Security installer automatically configures the set of components and selects the
Kaspersky Sandbox component. This makes Kaspersky Endpoint Security switch to using the built-in agent and
removes Kaspersky Endpoint Agent. Running the MSI installer under the system account (SYSTEM) is usually
performed when upgrading via the Kaspersky update service or when deploying an installation package via
Kaspersky Security Center.
If you are upgrading Kaspersky Endpoint Security using an MSI le under a non-privileged user account,
Kaspersky Endpoint Security lacks access to current licenses of Kaspersky solutions. In this case, Kaspersky
Endpoint Security automatically selects components based on Kaspersky Endpoint Agent configuration. After
that Kaspersky Endpoint Security switches to using the built-in agent and removes Kaspersky Endpoint Agent.
Kaspersky Endpoint Security supports upgrading without computer restart. You can select the application
upgrade mode in policy properties.
If after application installation or upgrade, the computer has the Critical status in the Kaspersky Security Center
console:
Make sure that the computer has Network Agent version 13.2 or higher installed.
Check the operating status of the built-in agent by viewing the Application components status report. If a
component has the Not installed status, install the component using the Change application components
task. If a component has the Not covered by license status, make sure that you have activated the built-in
agent functionality.
Make sure you accept the Kaspersky Security Network Statement in the new policy of Kaspersky Endpoint
Security for Windows.
Kaspersky Endpoint Security for Windows supports working with the Kaspersky Endpoint Detection
and Response component as part of the Kaspersky Anti Targeted Attack Platform (EDR (KATA))
solution. Kaspersky Anti Targeted Attack Platform is a solution designed for timely detection of
sophisticated threats such as targeted attacks, advanced persistent threats (APT), zero-day
attacks, and others. Kaspersky Anti Targeted Attack Platform includes two functional blocks:
Kaspersky Anti Targeted Attack (hereinafter also referred to as "KATA") and Kaspersky Endpoint
Detection and Response (hereinafter also referred to as "EDR (KATA)"). You can purchase EDR
(KATA) separately. For details about the solution, please refer to the Kaspersky Anti Targeted Attack
Platform Help.
Integration with the Kaspersky Threat Intelligence Portal, which contains and displays information
about the reputation of files and web addresses.
The Kaspersky Security Network (hereinafter also referred to as "KSN") cloud service infrastructure, which
provides access to real-time file, website, and software reputation information from the Kaspersky knowledge
base. Using data from Kaspersky Security Network ensures faster responses by Kaspersky applications to
threats, improves the performance of some protection components, and reduces the likelihood of false
positives.
Kaspersky Endpoint Security is installed on individual computers on the corporate IT infrastructure and
continuously monitors processes, open network connections, and files being modified. Information about events
on the computer (telemetry data) is sent to the Kaspersky Anti Targeted Attack Platform server. In this case,
Kaspersky Endpoint Security also sends information to the Kaspersky Anti Targeted Attack Platform server about
threats discovered by the application as well as information about processing results for these threats.
The EDR (KATA) integration is configured in the Kaspersky Security Center console. The built-in agent is then
managed using the Kaspersky Anti Targeted Attack Platform console, including running tasks, managing
quarantined objects, viewing reports, and other actions.
Kaspersky Endpoint Security configurations for working with KATA (EDR)
The following configurations can be used for working with KATA (EDR):
[KES+built-in agent]. In this configuration, Kaspersky Endpoint Security acts as both the application that
ensures the security of the computer and the application for working with KATA (EDR). The built-in agent is
available in Kaspersky Endpoint Security 12.1 for Windows or later.
[third-party EPP+EDR Agent]. In this configuration, the security of the IT infrastructure is provided by the
third-party Endpoint Protection Platform (EPP). The interaction with KATA (EDR) is provided by Kaspersky
Endpoint Security in the Endpoint Detection Response Agent (EDR Agent) configuration. In this configuration,
EDR Agent is compatible with third-party EPP applications. EDR Agent is available in Kaspersky Endpoint
Security 12.3 for Windows or later.
If you are using Kaspersky Endpoint Security 11.2.0 – 11.8.0 for interoperability with Kaspersky Anti Targeted Attack
Platform (EDR), the application includes Kaspersky Endpoint Agent. You can install Kaspersky Endpoint Agent side-
by-side with Kaspersky Endpoint Security.
If you are using Kaspersky Endpoint Security 11.9.0 – 12.0, you need to install Kaspersky Endpoint Agent separately
because starting from Kaspersky Endpoint Security 11.9.0 the Kaspersky Endpoint Agent distribution package is no
longer part of the Kaspersky Endpoint Security distribution kit.
To integrate with EDR (KATA), you must add the Endpoint Detection and Response (KATA) component. You can
select the EDR (KATA) component during installation or upgrade, as well as using the Change application
components task.
EDR Optimum, EDR Expert and EDR (KATA) components are not compatible with each other.
The following conditions must be fulfilled for Endpoint Detection and Response (KATA) to work:
Kaspersky Security Center version 14.2 or higher. In earlier versions of Kaspersky Security Center, it is
impossible to activate the Endpoint Detection and Response (KATA) feature.
Application components that Endpoint Detection and Response (KATA) depends on are enabled and
operational. The following components ensure the operation of EDR (KATA):
Exploit Prevention.
Behavior Detection.
Remediation Engine.
Integration with Endpoint Detection and Response (KATA) involves the following steps:
You can select the EDR (KATA) component during installation or upgrade, as well as using the Change application
components task.
You must restart your computer to finish upgrading the application with the new components.
You need to purchase a separate license for EDR (KATA) (Kaspersky Endpoint Detection and Response (KATA)
Add-on).
The feature will be available after you add a separate key for Kaspersky Endpoint Detection and Response
(KATA). As a result, two keys are installed on the computer: a key for Kaspersky Endpoint Security and a key for
Kaspersky Endpoint Detection and Response (KATA).
Licensing for the stand-alone Endpoint Detection and Response (KATA) functionality is the same as the licensing
of Kaspersky Endpoint Security.
Make sure that the EDR (KATA) functionality is included in the license and is running in the local interface of the
application.
Kaspersky Anti Targeted Attack Platform requires establishing a trusted connection between Kaspersky
Endpoint Security and the Central Node component. To configure a trusted connection, you must use a TLS
certificate. You can get a TLS certificate in the Kaspersky Anti Targeted Attack Platform console (see
instructions in the Kaspersky Anti Targeted Attack Platform Help). Then you must add the TLS certificate to
Kaspersky Endpoint Security (see instructions below).
By default, Kaspersky Endpoint Security only checks the TLS certificate of Central Node. To make the
connection more secure, you can additionally enable the verification of the computer on Central Node (two-way
authentication). To enable this verification, you must turn on two-way authentication in Central Node and
Kaspersky Endpoint Security settings. To use two-way authentication, you will also need a crypto-container. A
crypto-container is a PFX archive with a certificate and a private key. You can get a crypto-container in the
Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack
Platform Help).
How to connect a Kaspersky Endpoint Security computer to Central Node using the Administration Console
(MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Detection and Response → Endpoint Detection and Response
(KATA).
Timeout. Maximum Central Node server response timeout. When the timeout runs out,
Kaspersky Endpoint Security tries to connect to a different Central Node server.
Server TLS certificate. TLS certificate for establishing a trusted connection with the Central
Node server. You can get a TLS certificate in the Kaspersky Anti Targeted Attack Platform
console (see instructions in the Kaspersky Anti Targeted Attack Platform Help).
8. Click OK.
9. Add Central Node servers. To do this, specify the server address (IPv4, IPv6) and the port to
connect to the server.
How to connect a Kaspersky Endpoint Security computer to Central Node using the Web Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
Timeout. Maximum Central Node server response timeout. When the timeout runs out,
Kaspersky Endpoint Security tries to connect to a different Central Node server.
Server TLS certificate. TLS certificate for establishing a trusted connection with the Central
Node server. You can get a TLS certificate in the Kaspersky Anti Targeted Attack Platform
console (see instructions in the Kaspersky Anti Targeted Attack Platform Help).
8. Click OK.
9. Add Central Node servers. To do this, specify the server address (IPv4, IPv6) and the port to
connect to the server.
As a result, the computer is added on the Kaspersky Anti Targeted Attack Platform console. Check the
operating status of the component by viewing the Application components status report. You can also view the
operating status of a component in reports in the local interface of Kaspersky Endpoint Security. The Endpoint
Detection and Response (KATA) component will be added to the list of Kaspersky Endpoint Security
components.
Telemetry is a list of events that have occurred on the protected computer. Kaspersky Endpoint Security analyzes
telemetry data and sends it to Kaspersky Anti Targeted Attack Platform during synchronization. Telemetry events
arrive on the server almost continuously. Kaspersky Endpoint Security initiates synchronization with the server
when any of the following conditions are satisfied:
Therefore, by default, the application synchronizes every 30 seconds or whenever the buffer holds 1024 events.
You can configure the synchronization behavior in the Kaspersky Endpoint Security policy and select optimum
values to match your network load (see instructions below).
If there is no connection between Kaspersky Endpoint Security and the server, the application queues new events.
When the connection is restored, Kaspersky Endpoint Security sends queued events to the server in proper order.
To avoid overloading the server, Kaspersky Endpoint Security may skip some events. To enable this, you can
optimize event transmission settings, for example, to set a maximum events-per-hour value (see instructions
below).
If you are using Kaspersky Anti Targeted Attack Platform together with another solution which also uses telemetry,
you can turn off telemetry for KATA (EDR) (see instructions above). This lets you optimize server load for these
solutions. For example, if you have the Managed Detection and Response solution and KATA (EDR) deployed, you
can use MDR telemetry and create Threat Response tasks in KATA (EDR).
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
4. In the policy window, select Detection and Response → Endpoint Detection and Response (KATA).
5. Configure the Send sync request to KATA server every (min) setting. Frequency of synchronization
requests sent to the Central Node server. During synchronization, Kaspersky Endpoint Security sends
information about modified application settings and tasks.
7. If necessary, configure the Maximum events transmission delay (sec) setting in the Data transmission
settings block. The application synchronizes with the server to send events after the synchronization
interval expires. The default setting is 30 seconds.
8. If necessary, select the Enable request throttling check box in the Request throttling block.
This feature helps optimize the load on the server. If the check box is selected, the application restricts the
transmitted events. If the number of events exceeds the configured limits, Kaspersky Endpoint Security
stops sending events.
Maximum number of events per hour. The application analyzes the telemetry data stream and
restricts the sending of events if the event stream exceeds the configured events-per-hour limit.
Kaspersky Endpoint Security resumes sending events after an hour. The default setting is 3000 events
per hour.
Percentage of event limit excess. The application sorts events by type (for example, "changes in the
registry" events) and restricts transmission of events if the ratio of events of the same type to the total
number of events exceeds the configured limit in percent. Kaspersky Endpoint Security resumes
sending events when the ratio of other events to the total number of events becomes big enough
again. The default setting is 15 %.
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. Configure the Send sync request to KATA server every (min) setting. Frequency of synchronization
requests sent to the Central Node server. During synchronization, Kaspersky Endpoint Security sends
information about modified application settings and tasks.
7. If necessary, configure the Maximum events transmission delay (sec) setting in the Data transmission
settings block. The application synchronizes with the server to send events after the synchronization
interval expires. The default setting is 30 seconds.
8. If necessary, select the Enable request throttling check box in the Request throttling block.
This feature helps optimize the load on the server. If the check box is selected, the application restricts the
transmitted events. If the number of events exceeds the configured limits, Kaspersky Endpoint Security
stops sending events.
Maximum number of events per hour. The application analyzes the telemetry data stream and
restricts the sending of events if the event stream exceeds the configured events-per-hour limit.
Kaspersky Endpoint Security resumes sending events after an hour. The default setting is 3000 events
per hour.
Percentage of event limit excess. The application sorts events by type (for example, "changes in the
registry" events) and restricts transmission of events if the ratio of events of the same type to the total
number of events exceeds the configured limit in percent. Kaspersky Endpoint Security resumes
sending events when the ratio of other events to the total number of events becomes big enough
again. The default setting is 15 %.
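The synchronization and throttling rules described above (synchronize when the buffer holds 1024 events or 30 seconds have passed, queue events during an outage and deliver them in order afterwards, stop sending once 3000 events per hour or a 15 % per-type share is exceeded, resume after an hour or once other event types dilute the share) are easier to reason about as a small model. The Python below is an added example written for this page; it is not Kaspersky code and not an API of the product. The event types, timestamps and the min_sample value below which the per-type share limit is not applied are assumptions of the model.

```python
"""Model of the KATA (EDR) telemetry synchronization and throttling behaviour.

Constructed example, not Kaspersky code. Defaults follow the page: synchronize
when the buffer holds 1024 events or 30 seconds have passed, hold events while
the Central Node is unreachable and deliver them in order on reconnect, and,
with request throttling enabled, skip events once 3000 were accepted in the
current hour or once one event type exceeds 15 % of the events seen.
"""
from collections import Counter, deque
from dataclasses import dataclass, field


@dataclass
class TelemetrySender:
    max_delay_sec: float = 30.0        # "Maximum events transmission delay (sec)"
    buffer_limit: int = 1024           # buffered events that force a synchronization
    throttling: bool = False           # "Enable request throttling"
    max_events_per_hour: int = 3000    # "Maximum number of events per hour"
    max_type_share_pct: float = 15.0   # "Percentage of event limit excess"
    min_sample: int = 100              # assumption of this model, not a product setting
    connected: bool = True
    delivered: list = field(default_factory=list)   # events the server received, in order
    dropped: list = field(default_factory=list)     # events skipped by throttling
    _buffer: list = field(default_factory=list)
    _queue: deque = field(default_factory=deque)    # backlog held while offline
    _type_counts: Counter = field(default_factory=Counter)
    _last_sync: float = 0.0
    _hour_start: float = 0.0
    _accepted_this_hour: int = 0

    def record(self, now: float, event_type: str, payload: str) -> None:
        """Collect one event; synchronize when the buffer is full or the delay expired."""
        self._roll_hour(now)
        self._type_counts[event_type] += 1
        if self.throttling and self._over_limit(event_type):
            self.dropped.append((event_type, payload))
        else:
            self._accepted_this_hour += 1
            self._buffer.append((event_type, payload))
        if len(self._buffer) >= self.buffer_limit or now - self._last_sync >= self.max_delay_sec:
            self.synchronize(now)

    def synchronize(self, now: float) -> None:
        """Move the buffer into the backlog and send the backlog if the server is reachable."""
        self._last_sync = now
        self._queue.extend(self._buffer)
        self._buffer.clear()
        if not self.connected:
            return                       # everything stays queued until the connection returns
        while self._queue:
            self.delivered.append(self._queue.popleft())   # oldest first keeps proper order

    def set_connected(self, now: float, connected: bool) -> None:
        self.connected = connected
        if connected:
            self.synchronize(now)        # flush the backlog as soon as the link is back

    def _roll_hour(self, now: float) -> None:
        """Sending resumes after an hour: reset the hourly counters."""
        if now - self._hour_start >= 3600.0:
            self._hour_start, self._accepted_this_hour = now, 0
            self._type_counts.clear()

    def _over_limit(self, event_type: str) -> bool:
        if self._accepted_this_hour >= self.max_events_per_hour:
            return True
        total = sum(self._type_counts.values())
        share = 100.0 * self._type_counts[event_type] / total
        return total >= self.min_sample and share > self.max_type_share_pct


def demo_sync() -> dict:
    """Flush on buffer size, hold events during an outage, deliver in order on reconnect."""
    s = TelemetrySender()
    for i in range(1024):                # the 1024th event forces a synchronization
        s.record(1.0, "file", f"f{i}")
    after_full = len(s.delivered)        # 1024
    s.record(2.0, "file", "late")        # neither limit reached: stays buffered
    buffered = len(s._buffer)            # 1
    s.set_connected(2.0, False)
    s.record(40.0, "registry", "r1")     # delay expired, but offline: both events queued
    queued = len(s._queue)               # 2
    s.set_connected(41.0, True)          # reconnect: backlog sent in order
    return {"after_full": after_full, "buffered": buffered, "queued": queued,
            "delivered": len(s.delivered), "order": [p for _, p in s.delivered[-2:]]}


def demo_throttle() -> dict:
    """Hourly cap and per-type share limit with the page's defaults (3000 events, 15 %)."""
    kinds = ["process", "file", "registry", "network", "module", "console", "dns", "logon"]
    s = TelemetrySender(throttling=True)
    for i in range(3200):                           # evenly mixed, all within one hour
        s.record(10.0 + i * 0.5, kinds[i % 8], f"e{i}")
    hourly_dropped = len(s.dropped)                 # 200: the cap of 3000 was reached
    s.record(3700.0, "process", "next-hour")        # new hour: counters reset, accepted
    resumed = len(s.dropped) == hourly_dropped
    t = TelemetrySender(throttling=True)
    for i in range(100):                            # 100 mixed events, no type above 13 %
        t.record(float(i), kinds[i % 8], f"m{i}")
    for i in range(50):                             # burst of one type pushes it past 15 %
        t.record(100.0 + i, "registry", f"burst{i}")
    burst_dropped = len(t.dropped)                  # 48: from the third burst event on
    others = [k for k in kinds if k != "registry"]
    for i in range(322):                            # other types dilute the registry share
        t.record(200.0 + i, others[i % 7], f"o{i}")
    t.record(600.0, "registry", "after-dilution")   # share back under 15 %: accepted
    return {"hourly_dropped": hourly_dropped, "resumed": resumed,
            "burst_dropped": burst_dropped, "share_recovered": len(t.dropped) == burst_dropped}
```

The two demo functions show the trade-off the settings encode: the hourly cap protects the server from a flood at the cost of a gap in telemetry until the next hour, and the per-type share limit suppresses a noisy event type (such as a registry storm) while other event types keep flowing, which is why an unexplained gap in one event type on the Central Node side is worth checking against these policy values before treating it as a sensor fault.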
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. Under Data transmission settings, select the Use exclusions check box.
Path. Full path to the file including its name and extension. Kaspersky Endpoint Security supports
environment variables and the * and ? characters when entering a mask. For the exclusion to work, the
path to the file must be specified.
Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource.
Event types. For the exclusion to work, you must select at least one event type.
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
5. Under Data transmission settings, select the Use exclusions check box.
Path. Full path to the file including its name and extension. Kaspersky Endpoint Security supports
environment variables and the * and ? characters when entering a mask. For the exclusion to work, the
path to the file must be specified.
Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource.
Event types. For the exclusion to work, you must select at least one event type.
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
5. In the Scan exclusions and trusted applications → EDR telemetry block, click the Settings button.
6. This opens a window; in that window, con gure EDR telemetry exclusions (see the table below).
How to create an EDR telemetry exclusion in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & pro les.
5. In the Scan exclusions and trusted applications block, click the EDR telemetry exclusions link.
6. This opens a window; in that window, con gure EDR telemetry exclusions (see the table below).
Parameter Description
Excluded processes. Optimize the telemetry size to send. Kaspersky Endpoint Security allows optimizing
the amount of transmitted data and excluding events with certain codes from
telemetry: code 102 (basic communications) and 8 (network activity of the process) for
the Microsoft SMB protocol, the WinRM service, and the klnagent.exe process of the
Network Agent, as well as extended information about the types of network packets for
all types of network protocols.
Kaspersky Endpoint Security combines rule triggering criteria with a logical AND.
Parent path. Path to the folder in which the file is located.
In 64-bit operating systems, you must manually enter the parameters of the 64-
bit version of the executable file of a process from the C:\windows\system32
folder because the application populates the executable file parameter fields
with data from the properties of the 32-bit version of the same executable file in
the C:\windows\syswow64 folder. For example, if you select
C:\windows\system32\cmd.exe, the plugin displays the parameters of
C:\windows\syswow64\cmd.exe. Such behavior is dictated by peculiarities of
the operating system.
Network events.
Module loaded.
File operations. File name or mask. Name or mask of a file or folder; Kaspersky Endpoint Security applies
the exclusion rule when this file or folder is accessed. Kaspersky Endpoint Security
supports the * and ? characters when entering a mask.
Kaspersky Endpoint Security combines rule triggering criteria with a logical AND.
In 64-bit operating systems, you must manually enter the parameters of the 64-
bit version of the executable file of a process from the C:\windows\system32
folder because the application populates the executable file parameter fields
with data from the properties of the 32-bit version of the same executable file in
the C:\windows\syswow64 folder. For example, if you select
C:\windows\system32\cmd.exe, the plugin displays the parameters of
C:\windows\syswow64\cmd.exe. Such behavior is dictated by peculiarities of
the operating system.
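The exclusion rules above share one evaluation model: a rule names a process path (environment variables and the * and ? mask characters allowed), optionally the OriginalFilename value from the executable's version resource and the event types it covers; every criterion present must hold (logical AND), a rule without a path or without at least one event type does nothing. The Python matcher below is an added example for this page that applies to both the telemetry exclusions configured in the policy steps and the EDR telemetry exclusion table; it is not Kaspersky code. The environment variable values, the rules and the events are constructed, and the mask matching uses Python's fnmatch, which lets * span folder separators, as a simplification.

```python
"""Matcher for the EDR telemetry exclusion rules described above.

Constructed example, not Kaspersky code. A rule carries the process path
(environment variables plus the * and ? characters allowed), an optional
OriginalFilename value and the event types it applies to; all criteria are
combined with a logical AND, and a rule without a path or without at least one
event type is ignored. Environment values, rules and events are constructed.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import Optional

# Constructed environment for %VAR% expansion; a real check would use the machine's variables.
ENV = {"systemroot": r"C:\Windows", "programfiles": r"C:\Program Files"}


def expand_vars(mask: str, env: dict = ENV) -> str:
    """Replace Windows-style %NAME% references (names are case-insensitive)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), mask)


def path_matches(mask: str, path: str) -> bool:
    """Case-insensitive match of a Windows path against a mask with * and ?.

    fnmatch lets * span folder separators; that is a simplification of this model.
    """
    return fnmatch.fnmatchcase(path.lower(), expand_vars(mask).lower())


@dataclass(frozen=True)
class ExclusionRule:
    path: str                                 # full path mask of the executable; required
    event_types: frozenset                    # at least one type required
    original_file_name: Optional[str] = None  # OriginalFilename from the RT_VERSION resource


@dataclass(frozen=True)
class TelemetryEvent:
    event_type: str
    process_path: str
    original_file_name: str = ""


def rule_is_valid(rule: ExclusionRule) -> bool:
    """The path must be specified and at least one event type selected."""
    return bool(rule.path) and len(rule.event_types) > 0


def rule_excludes(rule: ExclusionRule, event: TelemetryEvent) -> bool:
    """Every criterion present in the rule must hold (logical AND)."""
    if not rule_is_valid(rule):
        return False
    if event.event_type not in rule.event_types:
        return False
    if not path_matches(rule.path, event.process_path):
        return False
    if rule.original_file_name is not None and \
            rule.original_file_name.lower() != event.original_file_name.lower():
        return False
    return True


def filter_events(rules, events) -> list:
    """Return the events that no rule excludes, i.e. the ones that would be sent."""
    return [e for e in events if not any(rule_excludes(r, e) for r in rules)]


def demo() -> list:
    rules = [
        ExclusionRule(r"%SystemRoot%\System32\svchost.exe", frozenset({"network"})),
        ExclusionRule(r"%ProgramFiles%\Backup\*.exe", frozenset({"file", "registry"}),
                      original_file_name="BackupAgent.exe"),
        ExclusionRule("", frozenset({"process"})),   # invalid: no path, never applies
    ]
    events = [
        TelemetryEvent("network", r"C:\Windows\System32\svchost.exe"),   # excluded by rule 1
        TelemetryEvent("process", r"C:\Windows\System32\svchost.exe"),   # type not in rule 1: kept
        TelemetryEvent("file", r"C:\Program Files\Backup\agent.exe", "BackupAgent.exe"),  # rule 2
        TelemetryEvent("file", r"C:\Program Files\Backup\agent.exe", "Other.exe"),        # kept
        TelemetryEvent("process", r"C:\Temp\tool.exe"),                  # only rule 3 fits: kept
    ]
    return [f"{e.event_type} {e.process_path}" for e in filter_events(rules, events)]
```

The AND semantics are the security-relevant part: an exclusion keyed only on a path mask would also silence a renamed or relocated binary that happens to match the mask, so pairing the path with the OriginalFilename and a narrow set of event types keeps the blind spot as small as the performance problem it is meant to solve.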
When you deploy Kaspersky Endpoint Security on computers that have Kaspersky Endpoint Agent installed,
Kaspersky Anti Targeted Attack Platform (EDR) solution will continue working with Kaspersky Endpoint Security. In
addition, Kaspersky Endpoint Agent will be removed from the computer. The same behavior in the system will
occur when you update Kaspersky Endpoint Security to version 12.1 or higher.
Kaspersky Endpoint Security is not compatible with Kaspersky Endpoint Agent. You cannot install both of
these applications on the same computer.
The following conditions must be met for Kaspersky Endpoint Security to work as part of Endpoint Detection and
Response (KATA):
Kaspersky Security Center version 14.2 or higher (including Network Agent). In earlier versions of Kaspersky
Security Center, it is impossible to activate the Endpoint Detection and Response (KATA) feature.
Steps for migrating [KES+KEA] configuration to [KES+built-in agent] for EDR (KATA)
EDR (KATA) component can be managed using the Kaspersky Endpoint Security Management Plug-in version 12.1
or higher. Depending on the type of Kaspersky Security Center console you are using, update the management
plug-in in the Administration Console (MMC) or the web plug-in in the Web Console.
Transfer Kaspersky Endpoint Agent settings to Kaspersky Endpoint Security for Windows. The following options
are available:
A wizard for migrating from Kaspersky Endpoint Agent to Kaspersky Endpoint Security. The wizard for migrating
from Kaspersky Endpoint Agent to Kaspersky Endpoint Security works only in the Web Console.
How to migrate policy and task settings from Kaspersky Endpoint Agent to Kaspersky Endpoint Security in
Web Console
In the main window of the Web Console, select Operations → Migration from Kaspersky Endpoint
Agent.
This runs the policies and tasks migration wizard. Follow the instructions of the Wizard.
The Migration Wizard creates a new policy which merges the settings of Kaspersky Endpoint
Security and Kaspersky Endpoint Agent policies. In the policy list, select Kaspersky Endpoint Agent
policies whose settings you want to merge with the Kaspersky Endpoint Security policy. Click the
Kaspersky Endpoint Agent policy in order to select the Kaspersky Endpoint Security policy with
which you want to merge settings. Make sure you selected the correct policies and go to the next
step.
The Migration Wizard does not support EDR (KATA) tasks. Skip this step.
Exit the Wizard. As a result of the wizard, a new Kaspersky Endpoint Security policy will be created.
The policy merges settings from Kaspersky Endpoint Security and Kaspersky Endpoint Agent. The
policy is called <Kaspersky Endpoint Security policy name> & <Kaspersky Endpoint Agent policy
name>. The new policy has the Inactive status. To continue, change the statuses of Kaspersky
Endpoint Agent and Kaspersky Endpoint Security policies to Inactive and activate the new merged
policy.
The migration wizard in Web Console skips the following policy settings and does not migrate them:
Settings modification prohibition (the "lock") for the settings for connecting to KATA servers.
By default, settings can be modified (the "lock" is open). Therefore the settings are not applied on
the computer. You must prohibit the modification of settings and close the "lock".
Crypto-container.
If you are using two-way authentication for connecting to Central Node servers, you must re-
add the crypto-container.
As the Migration Wizard does not migrate these settings, you may encounter errors when
connecting the computer to Central Node servers. To fix the errors, you need to go to the policy
properties and configure the connection settings.
A standard Policies and tasks batch conversion wizard. The Policies and tasks batch conversion wizard is only
available in the Administration Console (MMC). For more details about Policies and tasks batch conversion
wizard, please refer to the Kaspersky Security Center Help .
To make sure Kaspersky Endpoint Security works correctly on servers, it is recommended to add files
important for the server's functioning to the trusted zone. For SQL servers, you must add MDF and LDF
database files. For Microsoft Exchange servers, you must add CHK, EDB, JRS, LOG, and JSL files. You may
use masks, for example, C:\Program Files (x86)\Microsoft SQL Server\*.mdf.
EDR telemetry exclusions do not migrate from the Kaspersky Endpoint Agent policy to the Kaspersky
Endpoint Security policy. Kaspersky Endpoint Security has its own exclusion tools - trusted applications.
The operation of Kaspersky Endpoint Security is optimized so that the absence of individual EDR telemetry
exclusions will not cause any additional load on your computer in comparison with Kaspersky Endpoint
Agent. Kaspersky Endpoint Security uses telemetry not only for EDR (KATA), but also for the operation of
application protection components. Therefore, there is no need to transfer individual EDR telemetry
exclusions. If you experience a decrease in computer performance, check the application's operation (see
step 7 Checking performance).
To activate Kaspersky Endpoint Security as part of the Kaspersky Anti Targeted Attack Platform solution, you
need a separate license for Kaspersky Endpoint Detection and Response (KATA) Add-on. You can add the key
using the Add key task. As a result, two keys will be added to the application: Kaspersky Endpoint Security and
Kaspersky Endpoint Detection and Response (KATA).
Licensing Kaspersky Endpoint Detection and Response (KATA) Add-on on computers with previously activated
EDR Optimum or EDR Expert features involves the following special considerations:
If you are using a key file for licensing Kaspersky Endpoint Security with EDR Optimum or EDR Expert
features, you cannot add a separate key for Kaspersky Endpoint Detection and Response (KATA) Add-on.
You can either switch to using an activation code for licensing, or contact your service provider to obtain a
new key file for activating Kaspersky Endpoint Security and EDR features. The service provider will provide
one or more key files for licensing.
If you are using a key file for licensing Kaspersky Endpoint Security without EDR Optimum or EDR Expert
features, you can add a separate key for Kaspersky Endpoint Detection and Response (KATA) Add-on
without having key files reissued.
If you are using an activation code for licensing, Kaspersky activation server will automatically reissue the
keys, and EDR (KATA) features will become available automatically. In this case, EDR Optimum and EDR Expert
will be disabled.
Kaspersky Endpoint Security allows you to add up to two active keys: Kaspersky Endpoint Security key and
Add-on type key. You can also add up to two reserve keys. One Kaspersky Endpoint Security reserve key and
one Add-on type reserve key.
To migrate EDR (KATA) functionality during an application installation or upgrade, it is recommended to use the
remote installation task. When creating a remote installation task, you need to select EDR (KATA) component in
the installation package settings.
You can also upgrade the application using the following methods:
Kaspersky Endpoint Security supports automatically selecting components when upgrading the application on a
computer with the Kaspersky Endpoint Agent application installed. The automatic selection of components
depends on the permissions of the user account that is upgrading the application.
If you are upgrading Kaspersky Endpoint Security using the EXE or MSI file under the system account (SYSTEM),
Kaspersky Endpoint Security gains access to current licenses of Kaspersky solutions. Therefore, if the computer
has Kaspersky Endpoint Agent installed and EDR (KATA) solution activated, the Kaspersky Endpoint Security
installer automatically configures the set of components and selects the EDR (KATA) component. This makes
Kaspersky Endpoint Security switch to using the built-in agent and removes Kaspersky Endpoint Agent. Running
the MSI installer under the system account (SYSTEM) is usually performed when upgrading via the Kaspersky
update service or when deploying an installation package via Kaspersky Security Center.
If you are upgrading Kaspersky Endpoint Security using an MSI file under a non-privileged user account,
Kaspersky Endpoint Security lacks access to current licenses of Kaspersky solutions. In this case, Kaspersky
Endpoint Security automatically selects components based on a set of components of Kaspersky Endpoint
Agent. After that Kaspersky Endpoint Security switches to using the built-in agent and removes Kaspersky
Endpoint Agent.
Kaspersky Endpoint Security supports upgrading without computer restart. You can select the application
upgrade mode in policy properties.
If after application installation or upgrade, the computer has the Critical status in the Kaspersky Security Center
console:
Make sure that the computer has Network Agent version 13.2 or higher installed.
Check the operating status of the built-in agent by viewing the Application components status report. If a
component has the Not installed status, install the component using the Change application components
task. If a component has the Not covered by license status, make sure that you have activated the built-in
agent functionality.
Make sure you accept the Kaspersky Security Network Statement in the new policy of Kaspersky Endpoint
Security for Windows.
Check the connection to Kaspersky Anti Targeted Attack Platform server. To do so:
If a connection to the server is established, the application sends the event Successful connection to the
Kaspersky Anti Targeted Attack Platform server. If there is no successful connection event and there are no
events with connection errors, check the event log settings and enable event sending for Endpoint Detection
and Response (KATA).
The server connection status does not affect the computer status in the Kaspersky Security Center
console. Therefore, if there is no connection to the server, the computer can still have the OK status. Check
the event log to verify the connection to the server.
7 Checking performance
If your computer's performance has slowed down after installing or updating an application, you can optimize
data transfer. To do so:
1. Disable the EDR (KATA) component and check that the performance degradation is due to EDR (KATA).
2. For trusted applications, turn off telemetry collection on console input operations (enabled by default).
3. Add applications that reduce computer performance to the list of trusted applications.
4. Contact Kaspersky Technical Support. Support experts will help you to configure telemetry filtering in
Kaspersky Anti Targeted Attack Platform. This will reduce the amount of traffic. If your computer
performance is affected by a certain application, attach the distribution package of that application to the
request.
Managing Quarantine
Quarantine is a special local storage on the computer. The user can quarantine files that the user considers
dangerous for the computer. Quarantined files are stored in an encrypted state and do not threaten the security
of the device. Kaspersky Endpoint Security uses Quarantine only when working with Detection and Response
solutions: EDR Optimum, EDR Expert, KATA (EDR), Kaspersky Sandbox. In other cases Kaspersky Endpoint Security
places the relevant file in Backup. For details on managing Quarantine as part of solutions, please refer to the
Kaspersky Sandbox Help, Kaspersky Endpoint Detection and Response Optimum Help, Kaspersky Endpoint
Detection and Response Expert Help, and Kaspersky Anti Targeted Attack Platform Help.
Kaspersky Endpoint Security uses the system account (SYSTEM) to quarantine files.
You can configure quarantine settings only in the Kaspersky Security Center Console. You can also use Kaspersky
Security Center Console to manage quarantined objects (restore, delete, add, etc). Locally, on the computer, you
can only restore the object using the command line.
If the Kaspersky Anti Targeted Attack Platform (EDR) solution is deployed in your organization, we recommend
increasing the size of Quarantine. When doing a YARA scan, the application may encounter a large memory
dump. If the size of the memory dump exceeds the size of Quarantine, the YARA scan finishes with an error
and the memory dump is not quarantined. We recommend setting the size of Quarantine equal to the total
size of the RAM on the computer (for example, 8 GB).
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
Limit the size of Quarantine to N MB. Maximum Quarantine size in MB. For example, you can set the
maximum Quarantine size to 200 MB. When Quarantine reaches maximum size, Kaspersky Endpoint
Security sends the corresponding event to Kaspersky Security Center and publishes the event in
Windows Event Log. Meanwhile the application stops quarantining new objects. You must empty the
Quarantine manually.
Notify when the Quarantine storage reaches N percent. Threshold value of the Quarantine. For
example, you can set the Quarantine threshold to 50%. When Quarantine reaches the threshold,
Kaspersky Endpoint Security sends the corresponding event to Kaspersky Security Center and
publishes the event in Windows Event Log. Meanwhile the application continues quarantining new
objects.
How to configure the maximum quarantine size in the Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
Limit the size of Quarantine to N MB. Maximum Quarantine size in MB. For example, you can set the
maximum Quarantine size to 200 MB. When Quarantine reaches maximum size, Kaspersky Endpoint
Security sends the corresponding event to Kaspersky Security Center and publishes the event in
Windows Event Log. Meanwhile the application stops quarantining new objects. You must empty the
Quarantine manually.
Notify when the Quarantine storage reaches N percent. Threshold value of the Quarantine. For
example, you can set the Quarantine threshold to 50%. When Quarantine reaches the threshold,
Kaspersky Endpoint Security sends the corresponding event to Kaspersky Security Center and
publishes the event in Windows Event Log. Meanwhile the application continues quarantining new
objects.
Quarantine settings
Sending data about quarantined files to Kaspersky Security Center
To perform actions with quarantined objects in Web Console, you must enable the sending of quarantined files
data to the Administration Server. For example, you can download a file from quarantine for analysis in Web
Console. The sending of quarantined files data must be enabled for all functionality of Kaspersky Sandbox and
Kaspersky Endpoint Detection and Response to work.
3. Select the necessary policy and double-click to open the policy properties.
5. In the Data transfer to Administration Server block, click the Settings button.
6. In the window that opens, select the About Quarantine files check box.
How to enable the transfer of quarantined files data to the Web Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Data transfer to Administration Server block, select the About Quarantine files check box.
As a result, you can view a list of files quarantined on your computer in the Kaspersky Security Center Console.
You can use Kaspersky Security Center Console to manage quarantined objects (restore, delete, add, etc). For
more details about working with Quarantine, refer to the Kaspersky Security Center Help.
By default, Kaspersky Endpoint Security restores files to their original folder. If the destination folder has been
deleted or the user does not have access rights to that folder, the application places the file in the
%DataRoot%\QB\Restored folder. Then you must manually move the file to the destination folder.
1. In the main window of the Web Console, select Operations → Repositories → Quarantine.
2. This opens the list of files in Quarantine; in that list, select the files that you want to restore and click Restore.
Kaspersky Endpoint Security restores the file. If the destination folder already has a file with the same name, the
application cancels the restoration of the file. For EDR Optimum and EDR Expert solutions, the application
deletes the file after restoration. For other solutions, the application keeps a copy of the file in Quarantine.
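The Quarantine size settings (limit in MB, notification threshold in percent) and the restore rules (original folder, fallback to %DataRoot%\QB\Restored, cancellation on a name conflict, deletion of the copy only for EDR Optimum and EDR Expert) fit together in one small model. The Python below is an added example for this page, not Kaspersky code; the folders it restores into are an in-memory map constructed for the example rather than a real file system, and the file names, sizes and event names are constructed.

```python
"""Model of the Quarantine size policy and restore rules described above.

Constructed example, not Kaspersky code. It follows the page: at "Limit the
size of Quarantine to N MB" new objects are refused and an event is raised
until the storage is emptied manually; at "Notify when the Quarantine storage
reaches N percent" an event is raised but quarantining continues. A restore
targets the original folder, falls back to %DataRoot%\\QB\\Restored when that
folder is gone or not accessible, is cancelled on a name conflict, and removes
the quarantined copy only for EDR Optimum and EDR Expert. Folders are an
in-memory map constructed for the example, not a real file system.
"""
from dataclasses import dataclass, field

MB = 1024 * 1024
RESTORED_FALLBACK = r"%DataRoot%\QB\Restored"   # fallback folder named on the page


@dataclass
class QuarantinedFile:
    name: str
    original_folder: str
    size: int                       # bytes; the encrypted content itself is omitted here


@dataclass
class FakeFileSystem:
    folders: dict = field(default_factory=dict)   # folder path -> set of file names present
    no_access: set = field(default_factory=set)   # folders the user may not write to


@dataclass
class Quarantine:
    limit_mb: int = 200             # "Limit the size of Quarantine to N MB"
    notify_percent: int = 50        # "Notify when the Quarantine storage reaches N percent"
    solution: str = "KATA (EDR)"    # Detection and Response solution the copy belongs to
    items: dict = field(default_factory=dict)
    events: list = field(default_factory=list)    # sent to KSC and the Windows Event Log
    _notified: bool = False

    @property
    def used(self) -> int:
        return sum(f.size for f in self.items.values())

    def add(self, f: QuarantinedFile) -> bool:
        """Quarantine f unless the size limit would be exceeded."""
        limit = self.limit_mb * MB
        if self.used + f.size > limit:
            self.events.append("QUARANTINE_FULL")   # object not quarantined; empty manually
            return False
        self.items[f.name] = f
        if not self._notified and self.used * 100 >= limit * self.notify_percent:
            self.events.append("QUARANTINE_THRESHOLD")   # warning only: quarantining continues
            self._notified = True
        return True

    def restore(self, name: str, fs: FakeFileSystem) -> str:
        """Put the file back; returns a short description of the outcome."""
        f = self.items[name]
        target = f.original_folder
        if target not in fs.folders or target in fs.no_access:
            target = RESTORED_FALLBACK          # user must move the file on manually
            fs.folders.setdefault(target, set())
        if name in fs.folders[target]:
            return f"cancelled: {name} already exists in {target}"
        fs.folders[target].add(name)
        if self.solution in ("EDR Optimum", "EDR Expert"):
            del self.items[name]                # these solutions delete the copy after restore
        return f"restored to {target}"


def demo() -> dict:
    q = Quarantine(limit_mb=200, notify_percent=50)
    q.add(QuarantinedFile("a.bin", r"C:\Users\alice\Downloads", 90 * MB))   # 45 %: no event
    q.add(QuarantinedFile("b.bin", r"C:\Temp", 20 * MB))                    # 55 %: threshold event
    refused = not q.add(QuarantinedFile("big.bin", r"C:\Temp", 100 * MB))   # would exceed 200 MB
    fs = FakeFileSystem(folders={r"C:\Temp": {"b.bin"}})   # Downloads folder no longer exists
    fallback = q.restore("a.bin", fs)      # lands in the fallback folder
    conflict = q.restore("b.bin", fs)      # b.bin already present: cancelled
    kept = len(q.items)                    # 2: KATA (EDR) keeps a copy after restoration
    e = Quarantine(solution="EDR Optimum")
    e.add(QuarantinedFile("c.bin", r"C:\Temp", 1 * MB))
    e.restore("c.bin", fs)
    optimum_deleted = len(e.items) == 0
    # KATA (EDR) recommendation: size Quarantine like the RAM so a YARA memory dump fits.
    yara = Quarantine(limit_mb=8 * 1024)
    dump_fits = yara.add(QuarantinedFile("memory.dmp", r"C:\Dumps", 6 * 1024 * MB))
    return {"events": list(q.events), "refused": refused, "fallback": fallback,
            "conflict": conflict, "kept": kept, "optimum_deleted": optimum_deleted,
            "dump_fits": dump_fits}
```

The QUARANTINE_FULL case is the one to alert on: once the limit is reached the endpoint silently stops isolating new detections until an administrator empties the storage, so an event stream that shows the threshold warning followed by a full event deserves the same priority as the detections that filled it.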
KSWS to KES Migration Guide
Starting with version 11.8.0, Kaspersky Endpoint Security for Windows supports the basic
functionality of the Kaspersky Security for Windows Server (KSWS) solution. Kaspersky Security for
Windows Server protects servers running Microsoft Windows operating systems and network
attached storages against viruses and other computer security threats which servers and network
attached storages are exposed to while exchanging files. For detailed information about how the
solution works, please refer to the Kaspersky Security for Windows Server Help. Starting with
Kaspersky Endpoint Security 11.8.0, you can migrate from Kaspersky Security for Windows Server to
Kaspersky Endpoint Security for Windows and use the same solution for protecting workstations
and servers.
Software requirements
Before you begin the migration from KSWS to KES, make sure your server satisfies the hardware and software
requirements of Kaspersky Endpoint Security for Windows. The lists of supported operating system versions
are different for KES and KSWS. For example, KES does not support servers running Windows Server 2003.
Migration recommendations
Plan the KSWS to KES migration time in advance. Choose a time when servers are operating under the lightest
load, for example, during the weekend.
After the migration, turn on application components gradually. That is, for example, start by enabling the File
Threat Protection component alone, then enable other protection components, then enable control
components, and so on. At each step, you must make sure the application is working correctly, and monitor the
performance of the server. The architecture of KES differs from KSWS, therefore the operating system may
also behave differently.
Carry out the migration gradually. First migrate a single server, then multiple servers, then carry out the
migration on all servers of the organization.
Migrate different types of servers separately. That is, for example, first migrate database servers, then mail
servers, and so on.
Migration steps
Migration from KSWS to KES is performed semi-automatically. This is necessary because of differing architectures
of the applications. To migrate policy settings, you must run the Policies and tasks batch conversion wizard (the
migration wizard). After migrating policy settings, you must manually configure settings that the migration wizard
cannot migrate automatically (for example, Password protection settings). After the migration, it is also
recommended to check if the migration wizard correctly migrated all settings.
After migrating the policies and tasks, you must perform additional configuration steps. We also recommend to
make sure that Kaspersky Endpoint Security provides the necessary level of security after migration from KSWS.
The Policies and tasks batch conversion wizard for Kaspersky Security for Windows Server is only available
in the Administration Console (MMC). Policy and task settings cannot be migrated in the Web Console and
Kaspersky Security Center Cloud Console.
After migrating from KSWS to KES, make sure that the application is operating correctly. Check the status of
the server in the console (should be OK). Make sure no errors are reported for the application, also check the
time of the last connection to the Administration Server, the time of the last database update and the server
protection status.
Pay special attention to the migration of exclusion lists, trusted applications, trusted web addresses,
Application Control rules.
Correspondence of Kaspersky Security for Windows Server and Kaspersky Endpoint Security for Windows components
Kaspersky Security for Windows Server component | Kaspersky Endpoint Security for Windows component
Script Monitoring | (not supported) Script Monitoring is handled by other components, for example, AMSI Protection.
Application settings
Application settings are not supported in Kaspersky Endpoint Security for Windows.
Application settings
KSWS security settings are migrated to the General settings section, Application settings and Interface subsections.
Do not start scheduled scan tasks | Postpone scheduled tasks while running on battery power (Application settings subsection)
Connection settings
Administration Server interaction settings are migrated to the General settings section, Network settings and Application settings subsections.
Do not use proxy server for local addresses | Bypass proxy server for local addresses (Network settings subsection)
Use Kaspersky Security Center as a proxy server when activating the application | Use Kaspersky Security Center as proxy server for activation (Application settings subsection)
Kaspersky Endpoint Security ignores the settings for running local system tasks of Kaspersky Security for Windows Server. You can configure the use of local KES tasks under Local Tasks, Task management. You can also configure a schedule for running the Malware Scan and Update tasks in the properties of these tasks.
Supplementary
Trusted zone
KSWS trusted zone settings are migrated to the General settings section, Exclusions subsection.
Removable Drives Scan settings are migrated to the Local Tasks section, Removable Drives Scan subsection.
Kaspersky Security for Windows Server settings | Kaspersky Endpoint Security for Windows settings
Scan removable drives on connection via USB | Action on a removable drive connection
Scan removable drives if its stored data volume does not exceed (MB) | Maximum removable drive size
Kaspersky Endpoint Security does not support assigning user access permissions for application management and application service management. You can configure access settings for users and user groups for managing the application in Kaspersky Security Center.
Storages
KSWS storage settings are migrated to the General settings section, Reports and Storage subsection, and to the Essential Threat Protection section, Network Threat Protection subsection.
Storage settings
Maximum Backup size (MB) | Limit the size of Backup to N MB (General settings → Reports and Storage section)
Unblock automatically in N | Block attacking devices for N min (Essential Threat Protection → Network Threat Protection section)
KSWS Real-Time File Protection settings are migrated to the Essential Threat Protection section, File Threat Protection subsection.
Kaspersky Security for Windows Server settings | Kaspersky Endpoint Security for Windows settings
On access | On access
KSN Usage
KSWS settings for Kaspersky Security Network are migrated to the Advanced Threat Protection section, Kaspersky Security Network subsection.
Kaspersky Security for Windows Server settings | Kaspersky Endpoint Security for Windows settings
Use Kaspersky Security Center as KSN Proxy | Use Administration Server as a KSN proxy server
Traffic Security
KSWS Traffic Security settings are migrated to the Essential Threat Protection section, Web Threat Protection and Mail Threat Protection subsections, Security Controls section, Web Control subsection, and General settings section, Network settings subsection.
Apply rules for web traffic category control | Web Control (Web Control subsection). Blocking rules for web traffic category control are migrated to a single blocking rule in Kaspersky Endpoint Security. Kaspersky Endpoint Security ignores allowing rules for category control. The correspondence of KSWS and KES categories is listed below.
External Proxy
Check safe connections through the HTTPS protocol | Scan encrypted connections / Always scan encrypted connections mode (Network settings subsection)
Do not trust web-servers with invalid certificate | Visiting a domain with an untrusted certificate (Network settings subsection)
Use anti-phishing database to scan web pages | Check the web address against the database of phishing web addresses (Web Threat Protection subsection)
Use heuristic analyzer | Use Heuristic Analysis (Web Threat Protection and Mail Threat Protection subsections)
Enable mail threat protection | Mail Threat Protection (Mail Threat Protection subsection)
Connect Microsoft Outlook extension
Exploit Prevention
KSWS Exploit Prevention settings are migrated to the Advanced Threat Protection section, Exploit Prevention subsection.
Kaspersky Security for Windows Server settings | Kaspersky Endpoint Security for Windows settings
KSWS Network Threat Protection settings are migrated to the Essential Threat Protection section, Network Threat Protection subsection.
Block connections when attack is detected
Script Monitoring
Kaspersky Endpoint Security does not support the Script Monitoring component. Script Monitoring is handled
by other components, for example, AMSI Protection.
Website categories
Kaspersky Endpoint Security does not support all categories of Kaspersky Security for Windows Server. Categories that do not exist in Kaspersky Endpoint Security are not migrated. Therefore, web resource classification rules with unsupported categories are not migrated.
Website categories
Kaspersky Security for Windows Server categories | Kaspersky Endpoint Security for Windows categories
Banks | Banks
Blogs | Blogs
Lotteries | Gambling, lotteries, sweepstakes
Dating sites | Dating sites
Torrents | Torrents
KSWS Application Control settings are migrated to the Security Controls section, Application Control subsection.
Active
Monitor loading of DLL modules | Control DLL modules load (significantly increases the load on the system)
Apply rules to scripts and MSI packages | (does not migrate) Rule application scope cannot be configured in KES Application Control settings. KES Application Control applies rules to all types of files: executable files, scripts, and MSI packages. If all file types are included in the rule application scope in KSWS, during migration KES carries over the KSWS rules. If some file type is excluded from the rule application scope in KSWS, during migration KES carries over KSWS rules, but Test rules is selected as the Application Control action.
Allow applications trusted by KSN | During the migration, KES adds a new allowing rule. The Other Software → Applications trusted according to reputation in KSN KL category is specified as the rule triggering condition.
Users and / or user groups allowed to run applications trusted by KSN | Users and their rights in an Application Control allow rule that includes the KL category Other applications → Applications trusted according to reputation in KSN
Automatically allow software distribution via applications and packages listed | Software Distribution Control in KSWS and KES works differently. During the migration, KES adds new allowing rules for applications that have automatic software distribution allowed. The file hash is specified as the rule triggering condition.
Always allow software distribution via Windows Installer | Use trusted system certificate store (Exclusions subsection). The Trusted system certificate store setting has the Trusted root certification authorities value.
Software distribution applications and packages allowed | Software Distribution Control in KSWS and KES works differently. During the migration, KES adds new allowing rules for applications that have automatic software distribution allowed. The file hash is specified as the rule triggering condition.
If a schedule is configured for the component in KSWS settings, the Application Control component is enabled upon migration. If a schedule is not configured for the component in KSWS settings, Application Control is disabled upon migration. It is not possible to configure a separate schedule for the component. The component is always on while Kaspersky Endpoint Security is operational.
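As an added example (not Kaspersky's code), the Application Control rows above can be turned into a pre-migration check: given a server's KSWS Applications Launch Control settings, predict the KES Application Control state the wizard produces and flag the two outcomes that weaken enforcement without an error, namely rules landing in Test rules mode and the component ending up disabled because KSWS had no schedule. The KswsAppControl field names, the sample values and the "Apply rules" label for the enforcing action are assumptions.

```python
from dataclasses import dataclass

# KL category and certificate store value named in the migration table above.
KSN_TRUSTED_CATEGORY = "Other Software → Applications trusted according to reputation in KSN"
TRUSTED_ROOT_CAS = "Trusted root certification authorities"


@dataclass
class KswsAppControl:
    """Constructed view of KSWS Applications Launch Control settings (assumed field names)."""
    schedule_configured: bool                # a task schedule exists for the component
    monitor_dll_loading: bool = False        # "Monitor loading of DLL modules"
    scope_executables: bool = True           # rule application scope: executable files
    scope_scripts: bool = True               # "Apply rules to scripts and MSI packages"
    scope_msi: bool = True
    allow_ksn_trusted: bool = False          # "Allow applications trusted by KSN"
    ksn_trusted_users: tuple = ()            # users / groups allowed to run KSN-trusted apps
    distribution_package_hashes: tuple = ()  # "Software distribution applications and packages allowed"
    always_allow_windows_installer: bool = False
    rule_names: tuple = ()                   # existing KSWS allowing rules


def predict_kes_app_control(ksws: KswsAppControl) -> dict:
    """Predict the KES Application Control state that the batch conversion wizard produces."""
    warnings = []
    # Scope cannot be configured in KES: a partial KSWS scope turns the action into Test rules.
    full_scope = ksws.scope_executables and ksws.scope_scripts and ksws.scope_msi
    action = "Apply rules" if full_scope else "Test rules"  # "Apply rules": assumed name of the enforcing action
    if not full_scope:
        warnings.append("a file type was excluded from the KSWS rule scope: rules migrate with "
                        "the Test rules action and block nothing until the action is changed")
    # The component is enabled after migration only if KSWS had a schedule for it.
    if not ksws.schedule_configured:
        warnings.append("no schedule in KSWS: Application Control is disabled after migration")

    rules = [{"name": n, "trigger": "carried over from KSWS"} for n in ksws.rule_names]
    if ksws.allow_ksn_trusted:  # one new allowing rule keyed on the KL category
        rules.append({"name": "Applications trusted by KSN",
                      "trigger": "KL category: " + KSN_TRUSTED_CATEGORY,
                      "users": list(ksws.ksn_trusted_users)})
    for h in ksws.distribution_package_hashes:  # one allowing rule per package, keyed on file hash
        rules.append({"name": "Software distribution package", "trigger": "file hash: " + h})

    return {
        "enabled": ksws.schedule_configured,
        "action": action,
        "control_dll_load": ksws.monitor_dll_loading,
        "allow_rules": rules,
        "trusted_system_cert_store": TRUSTED_ROOT_CAS if ksws.always_allow_windows_installer else None,
        "warnings": warnings,
    }


# Constructed sample: a server whose KSWS rules skip MSI packages and that has no component schedule.
SAMPLE_KSWS = KswsAppControl(
    schedule_configured=False,
    monitor_dll_loading=True,
    scope_msi=False,
    allow_ksn_trusted=True,
    ksn_trusted_users=("Everyone",),
    distribution_package_hashes=("<placeholder SHA-256 of an allowed package>",),
    always_allow_windows_installer=True,
    rule_names=("Allow corporate applications",),
)

if __name__ == "__main__":
    prediction = predict_kes_app_control(SAMPLE_KSWS)
    print("action:", prediction["action"], "/ enabled:", prediction["enabled"])
    for w in prediction["warnings"]:
        print("WARNING:", w)
```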
Device Control
KSWS Device Control settings are migrated to the Security Controls section, Device Control subsection.
Kaspersky Security for Windows Server settings | Kaspersky Endpoint Security for Windows settings
Kaspersky Endpoint Security does not support Network-Attached Storages Protection components. If you need these components, you can continue using Kaspersky Security for Windows Server.
Kaspersky Endpoint Security does not support Anti-Cryptor for NetApp. Anti-Cryptor functionality is
provided by other application components, such as Behavior Detection.
Network activity control
Firewall Management
Kaspersky Endpoint Security does not support KSWS Firewall Management. KSWS Firewall functions are performed by the system-level Firewall. After migration, you can configure the Kaspersky Endpoint Security Firewall.
Anti-Cryptor
Network Anti-Cryptor settings are migrated to the Advanced Threat Protection section, Behavior
Detection subsection.
Anti-Cryptor settings
System Inspection
File Integrity Monitor settings from KSWS are migrated to the Security Controls section, File Integrity Monitor subsection.
Exclusions | Exclusions
Log Inspection
KSWS Log Inspection settings are migrated to the Security Controls section, Log Inspection subsection.
Task logs
KSWS Logs settings are migrated to the General settings section, Interface and Reports and Storage subsections.
Logs settings
KSWS Notifications settings are migrated to the General settings section, Interface subsection.
By using Windows Messenger Service command
Notify administrators: By using Windows Messenger Service command; By running executable file; By sending email | Only email notification settings are migrated to Kaspersky Endpoint Security – Email notification settings (Notifications block). Other methods of notifying administrators are not supported.
Application database is out of date | Send the "Databases out of date" notification if databases were not updated
Application database is extremely out of date | Send the "Databases extremely out of date" notification if databases were not updated
KSWS Administration Server interaction settings are migrated to the General settings section, Reports and Storage subsection.
Kaspersky Security for Windows Server settings | Kaspersky Endpoint Security for Windows settings
Tasks
Kaspersky Endpoint Security does not support the Application activation task (KSWS). You can create an Add key task (KES), add a license key to the Installation package, or enable automatic license key distribution.
Copying Updates
The Copying Updates task settings (KSWS) are migrated to the Update task (KES).
Custom HTTP or FTP servers, or network folders
Copy critical software modules updates
Copy database updates and critical updates of application modules
Kaspersky Endpoint Security does not support the Baseline File Integrity Monitor task. File integrity monitoring functionality is provided by other application components, such as Behavior Detection.
Database Update
The Database Update task settings (KSWS) are migrated to the Update task (KES).
Custom HTTP or FTP servers, or network folders
The Software Modules Update task settings (KSWS) are migrated to the Update task (KES).
Custom HTTP or FTP servers, or network folders
The Rollback of Application Database Update task settings (KSWS) are migrated to the Update rollback task (KES). The new Update rollback task (KES) has a task start schedule – Manually.
On-Demand Scan
The On-Demand Scan task settings (KSWS) are migrated to the Malware Scan task (KES).
Kaspersky Security for Windows Server settings | Kaspersky Endpoint Security for Windows settings
Recommended | Recommended
Remove | Remove
Perform recommended action | Perform recommended action
Notify only | Notify only
Scan entire file
The Application Integrity Control task settings (KSWS) are migrated to the Application Integrity Check task (KES).
Kaspersky Endpoint Security does not support the Applications Launch Control Generator task. You can generate rules in Application Control settings.
Kaspersky Endpoint Security does not support the Rule Generator for Device Control task. You can generate access rules in Device Control settings.
KES components that KSWS does not have are installed as follows:
AMSI Protection, Host Intrusion Prevention, Remediation Engine are installed with default settings.
BadUSB Attack Prevention, Adaptive Anomaly Control, Data Encryption, Detection and Response components are ignored.
When installed remotely, the KES application ignores the set of installed KSWS components. The installer installs components that you select in properties of the installation package. After installing Kaspersky Endpoint Security and migrating policies and tasks, KES settings are configured in accordance with KSWS settings.
Using the Policies and Tasks Batch Conversion Wizard (hereinafter also referred to as the Migration Wizard).
The Migration Wizard for KSWS is available only in the Administration Console (MMC). Policy and task settings cannot be migrated in the Web Console and Cloud Console.
The batch conversion wizard works differently for different versions of Kaspersky Security Center. We recommend upgrading the solution to version 14.2 or higher. In this version of Kaspersky Security Center, the Policies and tasks batch conversion wizard lets you migrate policies into a profile rather than into a policy. In this version of Kaspersky Security Center, the Policies and tasks batch conversion wizard also lets you migrate a broader range of policy settings.
Using the New Policy Wizard for Kaspersky Endpoint Security for Windows.
The New Policy Wizard lets you create a KES policy based on a KSWS policy.
KSWS policy migration procedures are different when using the Migration Wizard and the New Policy Wizard.
The migration wizard transfers KSWS policy settings into the policy profile instead of KES policy settings. The policy profile is a set of policy settings that is activated on a computer if the computer satisfies the configured activation rules. The UpgradedFromKSWS device tag is selected as the triggering criterion of the policy profile. Kaspersky Security Center automatically adds the UpgradedFromKSWS tag to all computers on which you install KES on top of KSWS using the remote installation task. If you chose a different installation method, you can assign the tag to devices manually.
2. Create a new administration group in the Kaspersky Security Center console and add the servers to which you want to assign the tag to this group.
You can group servers using the selection tool. For more details about working with selections, refer to the Kaspersky Security Center Help.
3. Select all servers of the administration group in the Kaspersky Security Center console, open the properties of the selected servers and assign the tag.
If you are migrating multiple KSWS policies, each policy is converted to a profile within one overarching policy. If the KSWS policy already contains profiles, these profiles are also migrated as profiles. As a result you will get a single policy that includes profiles corresponding to all KSWS policies.
How to use the Policies and Tasks Batch Conversion Wizard to migrate KSWS policy settings
1. In the Administration Console, select the Administration Server and right-click to open the context menu.
The Policies and Tasks Batch Conversion Wizard will start. Follow the instructions of the Wizard.
Step 1. Selecting the application for which you need to convert policies and tasks
At this step, you need to select Kaspersky Endpoint Security for Windows. Go to the next step.
The migration wizard creates KSWS policy profiles inside a KES policy. Select the Kaspersky Security for Windows Server policies that you want to convert to policy profiles. Go to the next step.
The Migration Wizard will then begin to convert the policies. The names of new policy profiles will correspond to the original KSWS policies.
The migration wizard creates a policy migration report. The policy migration report contains the date and time when the policies were converted, the name of the original KSWS policy, the name of the target KES policy, and the name of the new policy profile.
The Migration Wizard creates new tasks for Kaspersky Endpoint Security for Windows. In the task list, select the KSWS tasks that you want to create for Kaspersky Endpoint Security. The new tasks will be named <KSWS task name> (converted). Go to the next step.
New policy profiles are added to the Kaspersky Endpoint Security policy.
The policy includes profiles with the settings of Kaspersky Security for Windows Server. The new policy has the Active status. The Wizard leaves the KSWS policies unchanged.
The new policy profile with KSWS settings will be named UpgradedFromKSWS <Name of the Kaspersky Security for Windows Server policy>. In profile properties, the migration wizard automatically selects the UpgradedFromKSWS device tag as the triggering criterion. Thus the settings from the policy profile are applied to servers automatically.
Wizard for creating a policy based on a KSWS policy
When a KES policy is created based on a KSWS policy, the wizard transfers settings to the new policy accordingly. That is, one KES policy will correspond to one KSWS policy. The wizard does not convert the policy to a profile.
How to use the New Policy Wizard to migrate KSWS policy settings
2. In the Managed devices folder in the Administration Console tree, select the folder with the name of the administration group to which the relevant client computers belong.
7. At the step for entering a new name for the group policy, select the Use policy settings for an earlier version of the application check box.
8. Click Browse and select the KSWS policy. Go to the next step.
9. Follow the instructions of the New Policy Wizard until its completion.
When finished, the Wizard will create a new Kaspersky Endpoint Security for Windows policy with the settings from the KSWS policy.
KSWS and KES have different sets of components and policy settings, so after migration you must verify that policy settings satisfy your corporate security requirements.
Password protection. KSWS Password protection settings are not migrated. Kaspersky Endpoint Security has a built-in Password protection feature. If necessary, turn on Password protection and set a password.
Trusted zone. The methods used by KSWS and KES for selecting objects differ. When migrating, KES supports exclusions defined as individual files or paths to a file / folder. If KSWS has exclusions configured as a predefined area or a script URL, such exclusions are not migrated. After migration, you must add such exclusions manually.
To make sure Kaspersky Endpoint Security works correctly on servers, it is recommended to add files important for the server's functioning to the trusted zone. For SQL servers, you must add MDF and LDF database files. For Microsoft Exchange servers, you must add CHK, EDB, JRS, LOG, and JSL files. You may use masks, for example, C:\Program Files (x86)\Microsoft SQL Server\*.mdf.
Firewall. KSWS Firewall functions are performed by the system-level Firewall. In KES, a separate component is responsible for the Firewall functionality. After migration, you can configure the Kaspersky Endpoint Security Firewall.
Kaspersky Security Network. Kaspersky Endpoint Security does not support configuring KSN for individual components. Kaspersky Endpoint Security uses KSN for all application components. To use KSN, you must accept the new terms and conditions of the Kaspersky Security Network Statement.
Web Control. Blocking rules for web traffic category control are migrated to a single blocking rule in Kaspersky Endpoint Security. Kaspersky Endpoint Security ignores allowing rules for category control. Kaspersky Endpoint Security does not support all categories of Kaspersky Security for Windows Server. Categories that do not exist in Kaspersky Endpoint Security are not migrated. Therefore, web resource classification rules with unsupported categories are not migrated. If necessary, add Web Control rules.
Proxy server. The proxy server connection password is not migrated. Enter the password to be used for connecting to the proxy server manually.
Schedules of individual components. Kaspersky Endpoint Security does not support configuring schedules for individual components. The components are always on while Kaspersky Endpoint Security is operational.
Set of components. The set of available Kaspersky Endpoint Security features depends on the type of operating system: workstation or server. For example, out of encryption tools, only BitLocker Drive Encryption is available on servers.
attribute. The state of the attribute is not migrated. The attribute will have the default value. By default, almost all settings in the new policy have a prohibition applied on modifying settings in child policies and in the local application interface. The attribute has the value for policy settings in the Managed Detection and Response section and in the User support group of settings (Interface section). If necessary, configure the inheritance of settings from the parent policy.
Working with active threats. Advanced Disinfection works differently for workstations and servers. You can configure advanced disinfection in Malware Scan task settings and in application settings.
Upgrading the application. To install major updates and patches without restarting, you must change the application upgrade mode. By default, the Install application updates without restart feature is disabled.
Kaspersky Endpoint Agent. Kaspersky Endpoint Security has a built-in agent for working with Detection and Response solutions. If necessary, transfer Kaspersky Endpoint Agent policy settings to the Kaspersky Endpoint Security policy.
Update tasks. Make sure that the settings of the Update task were migrated correctly. Instead of KSWS's three tasks, KES uses a single KES task. You may optimize the Update tasks and remove superfluous tasks.
Other tasks. Application Control, Device Control, and File Integrity Monitor components work differently in KSWS and KES. KES does not use the Baseline File Integrity Monitor, Applications Launch Control Generator, and Rule Generator for Device Control tasks. Therefore these tasks are not migrated. After migration, you can configure the File Integrity Monitor, Application Control, and Device Control components.
A trusted zone is a system administrator-configured list of objects and applications that Kaspersky Endpoint Security does not monitor when active. You can migrate trusted zone objects from KSWS to KES using the Policies and Tasks Batch Conversion Wizard or the wizard for creating a new KES policy based on the KSWS policy. KSWS and KES have different sets of components and features, so after migration you must verify that exclusions satisfy your corporate security requirements. The methods of adding exclusions to the trusted zone are also different for KES and KSWS. The Migration Wizard does not have tools to migrate all KSWS exclusions. This means that after the migration, you must manually add some of the KSWS exclusions.
To make sure Kaspersky Endpoint Security works correctly on servers, it is recommended to add files important for the server's functioning to the trusted zone. For SQL servers, you must add MDF and LDF database files. For Microsoft Exchange servers, you must add CHK, EDB, JRS, LOG, and JSL files. You may use masks, for example, C:\Program Files (x86)\Microsoft SQL Server\*.mdf.
KSWS | KES
Object to scan
KSWS exclusions that have the Object to scan method selected in their properties are migrated to KES exclusions that have the File or folder method selected in their properties, with some limitations. The migration of an exclusion depends on the object selection method:
Disk, folder or network location – migrate to KES exclusions that have the "File or folder" method selected in properties.
File – migrate to KES exclusions that have the "File or folder" method selected in properties.
If the Apply also to subfolders check box is selected for the scanned object, this setting is migrated to KES exclusions (the Include subfolders check box).
KSWS exclusions that have the Detected object method selected in their properties are migrated to KES exclusions that have the Object name method selected in their properties. The name of the detected object corresponds to the classification of the Kaspersky Encyclopedia (for example, Email-Worm, Rootkit, or RemoteAdmin). Kaspersky Endpoint Security supports masks with the question mark ? (matches any single character) and the asterisk * (matches any sequence of characters).
The usage scope of an exclusion is a set of components to which the exclusion applies. KES and KSWS have different sets of components so the Migration Wizard cannot migrate the exclusion usage scope. Therefore, if at least one component is selected in the KSWS usage scope, KES applies the exclusion to all application components.
You can configure the KSWS usage scope in trusted zone settings and also in the settings of KSWS protection components. To do so, you can select or clear the Apply Trusted Zone check box in the corresponding section of the policy. The settings of KES protection components do not include such a check box. This means the trusted zone status in individual component settings is lost upon migration. After completing the migration, select components to which the exclusion applies in trusted zone settings in the KES policy.
Migrating comments
Comments from the KSWS trusted zone are migrated to KES exclusion comments without modification.
KSWS trusted processes are migrated to KES trusted processes with some limitations. Migrating trusted processes depends on the object selection method:
If KSWS has trusted processes configured as a file hash, such trusted processes are not migrated. After migration, you must add such trusted processes manually.
If the Do not check file backup operations check box is selected in trusted process settings, this setting is migrated to KES trusted applications (the Do not monitor application activity check box).
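The trusted zone rules above (Object to scan and Detected object exclusions, the usage scope, comments, and trusted processes) can be applied to a KSWS trusted zone before migration to list what the wizard will carry over and what must be re-added by hand afterwards, and to check whether the migrated masks still cover the server files the page says must be excluded. This is an added example, not Kaspersky's code: the record fields, the sample entries and the SQL Server file paths are constructed, and the mask matcher assumes that * may span path separators, since the page only says it matches any sequence of characters.

```python
import re
from dataclasses import dataclass


@dataclass
class KswsExclusion:
    """Constructed view of one KSWS trusted zone exclusion (assumed field names)."""
    method: str                 # "Object to scan" or "Detected object"
    selection: str              # object selection method (see SELECTION_TO_KES)
    value: str                  # path / mask, or Kaspersky Encyclopedia object name
    subfolders: bool = False    # "Apply also to subfolders"
    usage_scope: tuple = ()     # KSWS components the exclusion is applied to
    comment: str = ""


@dataclass
class KswsTrustedProcess:
    """Constructed view of one KSWS trusted process (assumed field names)."""
    selection: str              # "Path" or "File hash"
    value: str
    skip_backup_ops: bool = False  # "Do not check file backup operations"


# "Object to scan" selection methods that migrate to the KES "File or folder" method.
# Anything else (predefined area, script URL) is not migrated and must be re-added by hand.
SELECTION_TO_KES = {
    "Disk, folder or network location": "File or folder",
    "File": "File or folder",
}


def mask_to_regex(mask: str) -> re.Pattern:
    """KES mask semantics: '?' = one character, '*' = any sequence of characters.
    Assumption: '*' may span path separators. Windows paths compare case-insensitively."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in mask]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def mask_matches(mask: str, text: str) -> bool:
    return mask_to_regex(mask).match(text) is not None


def migrate_exclusion(excl: KswsExclusion) -> dict:
    """Predict how the batch conversion wizard handles one KSWS exclusion."""
    out = {"value": excl.value, "comment": excl.comment}  # comments migrate unchanged
    if excl.method == "Detected object":
        out.update(status="migrated", kes_method="Object name")
    elif excl.selection in SELECTION_TO_KES:
        out.update(status="migrated", kes_method=SELECTION_TO_KES[excl.selection],
                   include_subfolders=excl.subfolders)
    else:
        out.update(status="manual", reason=f"{excl.selection} exclusions are not migrated")
        return out
    # The usage scope is not migrated: any selected component means "all components" in KES.
    out["applies_to"] = "all components" if excl.usage_scope else "no component selected in KSWS (review)"
    return out


def migrate_trusted_process(proc: KswsTrustedProcess) -> dict:
    if proc.selection == "File hash":
        return {"value": proc.value, "status": "manual",
                "reason": "trusted processes defined by file hash are not migrated"}
    return {"value": proc.value, "status": "migrated",
            "do_not_monitor_activity": proc.skip_backup_ops}


def uncovered_files(migrated: list, required: list) -> list:
    """Required server files that no migrated File-or-folder exclusion matches."""
    masks = [m["value"] for m in migrated
             if m["status"] == "migrated" and m.get("kes_method") == "File or folder"]
    return [f for f in required if not any(mask_matches(m, f) for m in masks)]


# Constructed sample trusted zone of a SQL Server host (not a real export).
SAMPLE_EXCLUSIONS = [
    KswsExclusion("Object to scan", "File", r"C:\Program Files (x86)\Microsoft SQL Server\*.mdf",
                  usage_scope=("Real-Time File Protection",), comment="SQL data files"),
    KswsExclusion("Object to scan", "Predefined area", "Temporary files"),
    KswsExclusion("Object to scan", "Script URL", "http://intranet.example/login.js"),
    KswsExclusion("Detected object", "Detected object", "RemoteAdmin*",
                  usage_scope=("On-Demand Scan",)),
]
SAMPLE_PROCESSES = [
    KswsTrustedProcess("Path", r"C:\Program Files\Backup\agent.exe", skip_backup_ops=True),
    KswsTrustedProcess("File hash", "<placeholder SHA-256 of sqlservr.exe>"),
]
# Files the page says a SQL server needs in the trusted zone (constructed paths).
SQL_SERVER_FILES = [
    r"C:\Program Files (x86)\Microsoft SQL Server\MSSQL\DATA\master.mdf",
    r"C:\Program Files (x86)\Microsoft SQL Server\MSSQL\DATA\mastlog.ldf",
]


def audit(exclusions=SAMPLE_EXCLUSIONS, processes=SAMPLE_PROCESSES, required=SQL_SERVER_FILES) -> dict:
    """Return what migrates automatically and what must be added by hand after migration."""
    exc = [migrate_exclusion(e) for e in exclusions]
    prc = [migrate_trusted_process(p) for p in processes]
    return {
        "exclusions": exc,
        "trusted_processes": prc,
        "add_manually": [r["value"] for r in exc + prc if r["status"] == "manual"],
        "uncovered_server_files": uncovered_files(exc, required),
    }


if __name__ == "__main__":
    report = audit()
    for item in report["add_manually"]:
        print("add manually after migration:", item)
    for path in report["uncovered_server_files"]:
        print("no migrated exclusion covers:", path)
```

In the sample the *.mdf mask survives migration, but the LDF log file is reported as uncovered, which is exactly the gap the page tells you to close by hand.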
KSWS trusted process settings
You can remove the application remotely using the Uninstall application remotely task or locally on the server. You may need to restart the server after removing KSWS. If you want to install Kaspersky Endpoint Security without a restart, please make sure that Kaspersky Security for Windows Server is completely removed. If the application is not completely removed, installing Kaspersky Endpoint Security may cause faulty operation of the server. Making sure that the application is completely removed is also recommended if you have used the kavremover utility. The kavremover utility does not support managing KSWS.
After removing KSWS, install Kaspersky Endpoint Security for Windows using any available method.
Administrators typically enable Password protection to restrict access to KSWS. This means that you will need to enter the password to remove KSWS. Kaspersky Endpoint Security does not support password transfer to remove Kaspersky Security for Windows Server when installing KES on top of KSWS. You can transfer the password only if you are installing KES on the command line. Therefore, before removing KSWS, you must turn off Password protection in application settings and turn Password protection back on in application settings after you complete the migration from KSWS to KES.
When you install KES remotely, components that you have selected in installation package properties are installed
on the server. We recommend selecting default components in installation package properties. A restart is not
necessary when installing KES on top of KSWS.
Prior to the local installation, Kaspersky Endpoint Security checks the computer for the presence of Kaspersky
applications. If Kaspersky Security for Windows Server is installed on the computer, KES detects the set of KSWS
components that are installed and selects the same components for installation. A restart is not necessary when
installing KES on top of KSWS.
If installing KES on top of KSWS failed, you can roll back the installation. After rolling back the installation, it is
recommended to restart the server and try again.
KSWS settings and tasks are not migrated when Kaspersky Endpoint Security for Windows is installed. To migrate
settings and tasks, run the Policies and tasks batch conversion wizard.
You can check the list of installed components in the Security section of the application interface, using the
status command, or in the Kaspersky Security Center console in computer properties. You can change the set of
components after installation by using the Change application components.
To support using Kaspersky Endpoint Security for Windows as part of EDR (KATA), EDR Optimum, EDR Expert,
Kaspersky Sandbox, and MDR, a built-in agent has been added to the application. You no longer need a
separate Kaspersky Endpoint Agent application to work with these solutions.
When migrating from KSWS to KES, the EDR (KATA), EDR Optimum, EDR Expert, Kaspersky Sandbox, and MDR
solutions continue to work with Kaspersky Endpoint Security. In addition, Kaspersky Endpoint Agent will be
removed from the computer.
Migrating the [KSWS+KEA] configuration to [KES+built-in agent] involves the following steps:
1. Migrating from KSWS to KES.
Migrating from KSWS to KES involves installing Kaspersky Endpoint Security instead of Kaspersky Security for
Windows Server.
To carry out the migration, you must select the components needed to support Detection and Response
solutions as part of Kaspersky Endpoint Security. After installing the application, Kaspersky Endpoint
Security switches to using the built-in agent and removes Kaspersky Endpoint Agent.
2. Migrating [KSWS+KEA] policies and tasks to [KES+built-in agent].
Migrating [KSWS+KEA] policies and tasks to [KES+built-in agent] involves the following steps:
1. Migrating policies and tasks from KSWS to KES using the Policies and Tasks Batch Conversion Wizard (only
available on the Administration Console (MMC)).
As a result, a policy profile with the UpgradedFromKSWS <Name of the Kaspersky Security for Windows
Server policy> name is added to the KES policy. New KES tasks are also created with <KSWS task name>
(converted) names.
2. Migrating policies and tasks from KEA to KES using the wizard for migration from Kaspersky Endpoint Agent
(only available in Web Console and Cloud Console).
As a result, a new policy is created with the name <Name of the Kaspersky Endpoint Security policy> & <Name
of the Kaspersky Endpoint Agent policy>. New KES tasks are also created.
3. Licensing functionality
If you use a common Kaspersky Endpoint Detection and Response Optimum or Kaspersky Optimum Security
license to activate Kaspersky Endpoint Security for Windows and Kaspersky Endpoint Agent, EDR Optimum
functionality will be activated automatically after upgrading the application to version 11.7.0. You do not need to
do anything else.
If you use a stand-alone Kaspersky Endpoint Detection and Response Optimum Add-on license to activate EDR
Optimum functionality, you must make sure that the EDR Optimum key is added to the Kaspersky Security
Center repository and the automatic license key distribution functionality is enabled. After you upgrade the
application to version 11.7.0, EDR Optimum functionality is activated automatically.
If you use a Kaspersky Endpoint Detection and Response Optimum or Kaspersky Optimum Security license to
activate Kaspersky Endpoint Agent, and a different license to activate Kaspersky Endpoint Security for
Windows, you must replace the Kaspersky Endpoint Security for Windows key with the common Kaspersky
Endpoint Detection and Response Optimum or Kaspersky Optimum Security key. You can replace the key using
the Add key task.
You do not need to activate Kaspersky Sandbox functionality. Kaspersky Sandbox functionality will be available
immediately after upgrading and activating Kaspersky Endpoint Security for Windows.
Only the Kaspersky Anti Targeted Attack Platform license can be used to activate Kaspersky Endpoint Security
as part of the Kaspersky Anti Targeted Attack Platform solution. After you upgrade the application to version
12.1, EDR (KATA) functionality is activated automatically. You do not need to do anything else.
4. Checking the health of Kaspersky Endpoint Detection and Response Optimum and Kaspersky Sandbox
If, after the upgrade, the computer has the Critical status in the Kaspersky Security Center console:
Make sure that the computer has Network Agent version 13.2 or higher installed.
Check the operating status of the built-in agent by viewing the Application components status report. If a
component has the Not installed status, install the component using the Change application components
task.
Make sure you accept the Kaspersky Security Network Statement in the new policy of Kaspersky Endpoint
Security for Windows.
Make sure EDR Optimum functionality is activated using the Application components status report. If a
component has the Not covered by license status, make sure that the automatic license key distribution
functionality of EDR Optimum is turned on.
Making sure Kaspersky Security for Windows Server services and drivers were successfully removed
The %ProgramFiles%\Kaspersky Lab\Kaspersky Security for Windows Server\ folder does not
exist.
Kaspersky Security for Windows Server services, such as Kaspersky Security Management (KAVFSGT), are not
running.
You can check running services in Task Manager or by issuing the sc query command (see figure below).
Kaspersky Security for Windows Server drivers are not installed:
klam.sys
klflt.sys
klramdisk.sys
klelaml.sys
klfltdev.sys
klips.sys
klids.sys
klwtpee
You can check installed drivers in the C:\Windows\System32\drivers folder or by issuing the sc query
command. If a service or driver is missing, sc query fails with error 1060 (the specified service does not exist
as an installed service); after migration, this is the expected result.
If application or driver files remain on the server, delete the relevant files manually. If Kaspersky Security for
Windows Server services are still running on the server, stop (sc stop) and delete (sc delete) the services
manually. To stop the klam.sys driver, use the fltmc unload klam command.
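The checks above can be scripted and repeated on every migrated server. The following PowerShell script is an added example and is not part of the Kaspersky help or of the product: it tests the folder, the Service Control Manager entries (the same information sc query returns), the driver binaries and the klam minifilter, using only the names listed above. The hypothetical -Remove switch performs the manual cleanup described above (sc stop, sc delete, fltmc unload, deleting leftover files), so run it without the switch first and review the output.

```powershell
# Added example (not part of the Kaspersky help): verify that Kaspersky Security for Windows
# Server left no folder, services, drivers or minifilter behind after migration to KES.
# Only the names the help text lists are checked; run elevated. With -Remove the script also
# performs the manual cleanup the help text describes (sc stop / sc delete / fltmc unload).
param([switch]$Remove)

$kswsFolder   = Join-Path $env:ProgramFiles 'Kaspersky Lab\Kaspersky Security for Windows Server'
$kswsServices = @('KAVFSGT')   # Kaspersky Security Management; other KSWS services are not named on this page
$kswsDrivers  = @('klam', 'klflt', 'klramdisk', 'klelaml', 'klfltdev', 'klips', 'klids', 'klwtpee')

$leftovers = [System.Collections.Generic.List[string]]::new()

# 1. The installation folder must be gone.
if (Test-Path -LiteralPath $kswsFolder) {
    $leftovers.Add("folder still present: $kswsFolder")
}

# 2. Services and kernel drivers are both registered with the Service Control Manager, so this is
#    the same information 'sc query <name>' shows. No entry is the expected (good) outcome; sc query
#    would report error 1060 for such a name.
foreach ($name in $kswsServices + $kswsDrivers) {
    $svc = Get-CimInstance -ClassName Win32_Service      -Filter "Name='$name'" -ErrorAction SilentlyContinue
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'" -ErrorAction SilentlyContinue
    foreach ($entry in @($svc) + @($drv)) {
        if (-not $entry) { continue }
        $leftovers.Add("SCM entry still registered: $name (State=$($entry.State))")
        if ($Remove) {
            & sc.exe stop   $name | Out-Null   # ignore failures for entries that are already stopped
            & sc.exe delete $name | Out-Null
        }
    }
}

# 3. Driver binaries under System32\drivers (the help text names them as .sys files).
foreach ($name in $kswsDrivers) {
    $sysFile = Join-Path $env:SystemRoot "System32\drivers\$name.sys"
    if (Test-Path -LiteralPath $sysFile) {
        $leftovers.Add("driver file still present: $sysFile")
        if ($Remove) { Remove-Item -LiteralPath $sysFile -Force -ErrorAction Continue }
    }
}

# 4. klam is a file-system minifilter: ask the filter manager directly, because a removed SCM
#    entry does not guarantee the filter has been detached from the volumes.
$filters = & fltmc.exe filters 2>$null
if ($filters -match '^\s*klam\b') {
    $leftovers.Add('minifilter klam is still loaded')
    if ($Remove) { & fltmc.exe unload klam | Out-Null }
}

if ($leftovers.Count -eq 0) {
    Write-Output 'KSWS cleanup check: OK, nothing left behind.'
} else {
    $suffix = if ($Remove) { ', cleanup attempted; re-run to verify' } else { '' }
    Write-Warning ("KSWS cleanup check: {0} leftover(s) found{1}" -f $leftovers.Count, $suffix)
    $leftovers | ForEach-Object { Write-Warning "  $_" }
    exit 1
}
```

A non-zero exit code makes the script usable as a post-deployment step in Kaspersky Security Center or any other orchestration: a server that still reports leftovers should be restarted and re-checked before the KES policy is applied.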
Kaspersky Endpoint Security does not support the Kaspersky Security for Storage license. To work with this
license, you need to use Kaspersky Security for Windows Server.
To activate KES with the KSWS key you can use only the activation code. If you are using a key file to activate
the application, you need to contact Technical Support for a Kaspersky Endpoint Security key file.
Activating Kaspersky Endpoint Security for Windows with a Kaspersky Security for Windows Server key
Kaspersky Security for Windows Server activation method | Migrating the key to Kaspersky Endpoint Security for Windows
Automatic distribution of the KSWS license key to computers. | If automatic key distribution is enabled in KSWS license key properties, KES is automatically activated with the KSWS key.
The KSWS key is added by a task. | If your KSWS is activated using the task, the KSWS license key is deleted during migration from KSWS. You must activate the application again. For example, you can add a license key to the Kaspersky Endpoint Security for Windows installation package.
The KSWS key is added locally in the application interface. | If your KSWS is activated locally using the Application Activation Wizard, the KSWS license key is deleted during migration from KSWS. You must activate the application again. For example, you can add a license key to the Kaspersky Endpoint Security for Windows installation package.
The KSWS key is added to the installation package. | If your KSWS is activated using the key from the installation package, the KSWS license key is deleted during migration from KSWS. You must activate the application again. For example, you can add a license key to the Kaspersky Endpoint Security for Windows installation package.
Paid virtual machine image (Amazon Machine Image – AMI) in Amazon Web Services (AWS). | If you purchased Kaspersky Security Center as a paid virtual machine image (Amazon Machine Image – AMI) in Amazon Web Services (AWS), activating KES is not required. In this case, Kaspersky Security Center uses the AWS subscription that is already added to the application.
Ready-made free-of-charge Kaspersky Security Center image with your own license (Bring Your Own License – BYOL model). | If you are using an out-of-the-box free Kaspersky Security Center image with your own license in a cloud environment (the Bring Your Own License – BYOL model), you must activate the application using any available method. You will need a Kaspersky Hybrid Cloud Security license.
2. In policy settings, turn off the following components: Network Threat Protection, Behavior Detection, Exploit
Prevention, Remediation Engine, Application Control.
If your organization has the Kaspersky Managed Detection and Response (MDR) solution deployed, upload the
BLOB configuration file to the Kaspersky Endpoint Security policy.
4. Install Kaspersky Endpoint Security for Windows with the default set of components.
If your organization has Detection and Response solutions deployed, select the relevant components in the
properties of the installation package.
6. Make sure the server is working. Make sure that Kaspersky Endpoint Security for Windows is not using more
than 1% of the server's resources.
7. If necessary, create scan exclusions, add trusted applications, create a list of trusted web addresses.
8. Turn on the Behavior Detection, Exploit Prevention, and Remediation Engine components. Make sure that Kaspersky
Endpoint Security for Windows is not using more than 1% of the server's resources.
9. Turn on the Network Threat Protection component. Make sure that Kaspersky Endpoint Security for Windows
is not using more than 2% of the server's resources.
11. Make sure Application Control is working. If necessary, add new Application Control rules and turn off rule
testing mode after confirming that Application Control is working.
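The 1% and 2% budgets in the steps above are easiest to check with the same measurement at every step. The following PowerShell functions are an added example, not part of the Kaspersky help or of the product: they sample the processor time of the KES processes over a window and express it as a share of the whole server (all cores), plus the working set. The process names avp and avpui are an assumption about the KES service and interface processes; the window length is a parameter.

```powershell
# Added example (not part of the Kaspersky help): measure the CPU share KES takes on the server
# over a sampling window, to check the 1% / 2% budgets of the staged rollout.
# ASSUMPTION: the KES service process is avp.exe and the optional UI process is avpui.exe.
# Run after each "turn on" step while the server carries its normal load.

function Get-CpuSecondsByProcessId {
    param([string[]]$Names)
    $table = @{}
    Get-Process -Name $Names -ErrorAction SilentlyContinue | ForEach-Object {
        $table[$_.Id] = $_.TotalProcessorTime.TotalSeconds
    }
    return $table
}

function Measure-KesLoad {
    param(
        [string[]]$ProcessName = @('avp', 'avpui'),
        [int]$Seconds = 60
    )
    $cores  = [Environment]::ProcessorCount
    $before = Get-CpuSecondsByProcessId -Names $ProcessName
    if ($before.Count -eq 0) {
        throw "no process named $($ProcessName -join '/') is running; is KES installed and started?"
    }
    $clock = [System.Diagnostics.Stopwatch]::StartNew()
    Start-Sleep -Seconds $Seconds
    $after = Get-CpuSecondsByProcessId -Names $ProcessName
    $wall  = $clock.Elapsed.TotalSeconds

    # Only PIDs present in both samples contribute; a process restarted inside the window would
    # otherwise produce a negative delta.
    $cpuSeconds = 0.0
    foreach ($procId in $after.Keys) {
        if ($before.ContainsKey($procId)) { $cpuSeconds += $after[$procId] - $before[$procId] }
    }
    $workingSetBytes = (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
                        Measure-Object WorkingSet64 -Sum).Sum

    [pscustomobject]@{
        CpuPercentOfServer = [math]::Round(100 * $cpuSeconds / ($wall * $cores), 2)  # share of all cores
        WorkingSetMB       = [math]::Round($workingSetBytes / 1MB, 1)
        WindowSeconds      = [math]::Round($wall, 1)
    }
}

function Test-KesBudget {
    param([double]$MaxCpuPercent, [int]$Seconds = 60)
    $m  = Measure-KesLoad -Seconds $Seconds
    $ok = $m.CpuPercentOfServer -le $MaxCpuPercent
    $verdict = if ($ok) { 'OK' } else { 'OVER BUDGET' }
    Write-Output ("KES CPU {0}% of server over {1}s (budget {2}%), working set {3} MB: {4}" -f
        $m.CpuPercentOfServer, $m.WindowSeconds, $MaxCpuPercent, $m.WorkingSetMB, $verdict)
    return $ok
}

# Usage at the rollout steps, with the budgets the help text gives:
# Test-KesBudget -MaxCpuPercent 1   # after installation, and after enabling Behavior Detection etc.
# Test-KesBudget -MaxCpuPercent 2   # after enabling Network Threat Protection
```

A single 60-second window is only a snapshot; on a database or mail server, repeat the measurement during the busiest period of the day before enabling the next group of components, and keep the per-step readings so that a later regression can be attributed to the component that introduced it.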
After migrating from KSWS to KES, make sure that the application is operating correctly. Check the status of the
server in the console (should be OK). Make sure no errors are reported for the application, also check the time of
the last connection to the Administration Server, the time of the last database update and the server protection
status.
Installing the application using the Kaspersky Security Center console is not different from installing it the normal
way. When creating an installation package, you can add a license key to activate the application. You can use a
Kaspersky Endpoint Security for Windows key or a Kaspersky Security for Windows Server key.
On a Core Mode server, the following application components are not available: Web Threat Protection, Mail
Threat Protection, Web Control, BadUSB Attack Prevention, File Level Encryption (FLE), Kaspersky Disk
Encryption (FDE).
Restart is not required when installing Kaspersky Endpoint Security. Restart is required only if you have to remove
incompatible applications prior to installation. Restart may also be required when updating the application version.
The application cannot display a window to prompt the user to restart the server. You can learn about the need to
restart the server from reports in the Kaspersky Security Center console.
Managing the application on a Core Mode server is not different from managing a computer. You can use policies
and tasks to configure the application.
Managing the application on Core Mode servers involves the following special considerations:
The Core Mode server does not have a GUI, therefore Kaspersky Endpoint Security does not display a warning
telling the user that Advanced Disinfection is needed. To disinfect a threat, you need to enable Advanced
Disinfection technology in application settings and enable immediate Advanced Disinfection in Malware Scan
task settings. Then you need to start a Malware Scan task.
BitLocker Drive Encryption is only available with a Trusted Platform Module (TPM). A PIN / password cannot be
used for encryption because the application is unable to display the password prompt window for preboot
authentication. If the operating system has Federal Information Processing Standard (FIPS) compatibility mode
enabled, connect a removable drive for saving the encryption key before you begin encrypting the drive.
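Both conditions can be verified before the encryption task is started, which matters on a Core Mode server because there is no interface on which a failed preboot protector would be noticed. The following PowerShell function is an added example and is not part of the Kaspersky help or of the product; it reads the TPM state with Get-Tpm, the FIPS policy from the Lsa\FipsAlgorithmPolicy registry value, and enumerates removable drives through WMI. It only reports; it does not start encryption.

```powershell
# Added example (not part of the Kaspersky help): pre-flight check before BitLocker encryption through
# KES on a Core Mode server. It inspects only the conditions named in the help text (TPM present, and a
# removable drive for the key when FIPS mode is on) and returns the blockers found.
function Test-CoreModeBitLockerPrereqs {
    $tpm = $null
    if (Get-Command Get-Tpm -ErrorAction SilentlyContinue) {   # TrustedPlatformModule module, Server 2012 and later
        $tpm = Get-Tpm -ErrorAction SilentlyContinue
    }
    $fips = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                             -Name Enabled -ErrorAction SilentlyContinue
    # Win32_LogicalDisk DriveType 2 = removable disk
    $removable = @(Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=2' -ErrorAction SilentlyContinue |
                   ForEach-Object { $_.DeviceID })

    $tpmPresent  = [bool]($tpm -and $tpm.TpmPresent)
    $tpmReady    = [bool]($tpm -and $tpm.TpmReady)
    $fipsEnabled = [bool]($fips -and $fips.Enabled -eq 1)

    $blockers = @()
    # No GUI on Core Mode means no preboot PIN/password prompt, so the TPM is the only usable protector.
    if (-not $tpmPresent) {
        $blockers += 'no TPM found: BitLocker through KES on a Core Mode server requires a TPM (PIN/password is not possible)'
    } elseif (-not $tpmReady) {
        $blockers += 'TPM present but not ready (Get-Tpm TpmReady = False); initialise it before encrypting'
    }
    # In FIPS mode the encryption key must be saved to a removable drive before encryption starts.
    if ($fipsEnabled -and $removable.Count -eq 0) {
        $blockers += 'FIPS compatibility mode is on but no removable drive is attached for saving the encryption key'
    }

    [pscustomobject]@{
        TpmPresent      = $tpmPresent
        TpmReady        = $tpmReady
        FipsModeEnabled = $fipsEnabled
        RemovableDrives = $removable
        CanEncrypt      = ($blockers.Count -eq 0)
        Blockers        = $blockers
    }
}

# Usage:
# $check = Test-CoreModeBitLockerPrereqs
# if (-not $check.CanEncrypt) { $check.Blockers | ForEach-Object { Write-Warning $_ } }
```

Run it from the same remote session you would use to start the encryption task, and record the output: a server that reports a missing or unready TPM should be excluded from the encryption policy until the hardware state is fixed, not retried.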
When you cannot use a GUI, you can manage Kaspersky Endpoint Security from the command line.
To check that the application is installed and view its status on a Core Mode server, run the following command:
avp.com status
To view the list of application management commands, run the following command:
avp.com help
The administrator manages Kaspersky solutions using the Administration Console (MMC). Kaspersky Endpoint
Detection and Response Optimum (EDR Optimum) is also deployed.
In Kaspersky Security Center, three administration groups are created, containing servers of the organization:
two administration groups for SQL servers and an administration group for Microsoft Exchange servers. Each
administration group is managed by its own policy. Database Update and On-demand scan tasks are created for
all servers in the organization.
The KSWS activation key is added to Kaspersky Security Center. Automatic key distribution is enabled.
SQL servers with Kaspersky Security for Windows Server 11.0.1 and Kaspersky Endpoint Agent 3.11 installed. The
SQL servers are combined into two clusters.
KSWS is managed by SQL_Policy(1) and SQL_Policy(2) policies. Database Update, On-demand scan tasks are
also created.
A Microsoft Exchange server with Kaspersky Security for Windows Server 11.0.1 and Kaspersky Endpoint Agent
3.11 installed.
KSWS is managed by the Exchange_Policy policy. Database Update, On-demand scan tasks are also created.
1. Migrating KSWS tasks and policies using the Policies and Tasks Batch Conversion Wizard.
2. Migrating the Kaspersky Endpoint Agent policy using the Policies and Tasks Batch Conversion Wizard.
3. Using tags to activate policy pro les in the properties of the new policy.
The migration scenario is first performed on one of the SQL server clusters, then on the other SQL server
cluster, and finally on the Microsoft Exchange server.
Migrating KSWS tasks and policies using the Policies and Tasks Batch Conversion Wizard
To migrate KSWS tasks, you can use the Policies and Tasks Batch Conversion Wizard (the migration wizard). As a
result, instead of the SQL_Policy(1), SQL_Policy(2), and Exchange_Policy policies, you will get a single policy with
three profiles for SQL and Microsoft Exchange servers respectively. The new policy profile with KSWS settings will
be named UpgradedFromKSWS <Name of the Kaspersky Security for Windows Server policy>. In profile properties,
the migration wizard automatically selects the UpgradedFromKSWS device tag as the triggering criterion. Thus the
settings from the policy profile are applied to servers automatically.
Migrating the Kaspersky Endpoint Agent policy using the Policies and Tasks Batch Conversion
Wizard
To migrate Kaspersky Endpoint Agent policies, you can use the Policies and Tasks Batch Conversion Wizard. The
Policy and Task Migration Wizard for Kaspersky Endpoint Agent is only available in the Web Console.
Using tags to activate policy profiles in the properties of the new policy
Select the device tag that you assigned earlier as the profile activation condition. Open policy properties and
select General rules for policy profile activation as the profile activation condition.
Before installing KES, you must disable Password protection in KSWS policy properties.
1. Prepare the installation package. In installation package properties, select the Kaspersky Endpoint Security for
Windows 12.0 distribution kit and select the default set of components.
2. Create an Install application remotely task for one of the SQL server administration groups.
3. In task properties, select the installation package and the license key file.
Kaspersky Security Center automatically adds the UpgradedFromKSWS tag to names of computers on the
console after the KES installation is complete.
To check the KES installation, you can use the Report on protection deployment. You can also check the device
status. To con rm application activation, you can use the Report on usage of license keys.
You can activate EDR Optimum functionality using a stand-alone Kaspersky Endpoint Detection and Response
Optimum Add-on license. You must confirm that the EDR Optimum key is added to the Kaspersky Security Center
repository and the automatic license key distribution functionality is enabled.
To check EDR Optimum activation, you can use the Report on status of application components.
To confirm that KES is working, check that no errors are reported. The device status must be OK, and the
Update and Malware Scan tasks must have completed successfully.
Managing the application from the command line
You can manage Kaspersky Endpoint Security from the command line. You can view the list of commands for
managing the application by executing the HELP command. To read about the syntax of a speci c command, enter
HELP <command>.
Special characters in the command must be escaped. To escape the characters &, |, (, ), <, >, ^, use the ^
character (for example, to use the & character, enter ^&). To escape the % character, enter %%.
In silent mode. After installation is started in silent mode, your involvement in the installation process is not
required (silent installation). To install the application in silent mode, use the /s and /qn switches.
Prior to installing the application in silent mode, please open and read the End User License Agreement and
the text of the Privacy Policy. The End User License Agreement and the text of the Privacy Policy are
included in the Kaspersky Endpoint Security distribution kit. You may proceed to install the application only
if you have fully read, understand, and accept the provisions and terms of the End User License
Agreement, you understand and agree that your data will be processed and transmitted (including to third-
party countries) in accordance with the Privacy Policy, and you have fully read and understand the Privacy
Policy. If you do not accept the provisions and terms of the End User License Agreement and the Privacy
Policy, please do not install or use Kaspersky Endpoint Security.
You can view the list of commands for installing the application by executing the /h command. To get help on the
installation command syntax, type setup_kes.exe /h. As a result, the installer displays a window with a
description of command options (see the figure below).
Description of installation command options
2. Go to the folder where the Kaspersky Endpoint Security distribution package is located.
As a result, the application is installed on the computer. You can confirm that the application is installed and check
application settings by issuing the status command.
EULA=1 Acceptance of the terms of the End User License Agreement. The text of
the License Agreement is included in the distribution kit of Kaspersky
Endpoint Security.
Accepting the terms of the End User License Agreement is necessary
for installing the application or upgrading the application version.
PRIVACYPOLICY=1 Acceptance of the Privacy Policy. The text of the Privacy Policy is included in
the Kaspersky Endpoint Security distribution kit.
SKIPPRODUCTCHECK=1 Disable the check for incompatible software. The list of incompatible
software is available in the incompatible.txt file that is included in the
distribution kit. If no value is set for this parameter and incompatible
software is detected, the installation of Kaspersky Endpoint Security will be
terminated.
incompatible software file that was detected, Kaspersky Endpoint Security
installation is stopped with an error.
The default value is different depending on the software installation method:
0 means that digital signature verification is disabled (default value if
deployed through Kaspersky Security Center).
1 means that digital signature verification is enabled (default value if the
application is being installed locally).
STANDALONEMODE=1 Installing the application in the Endpoint Detection and Response Agent
(EDR Agent) configuration for integration with the Kaspersky Endpoint
Detection and Response (KATA) solution. This configuration is needed if a
third-party Endpoint Protection Platform (EPP) is deployed in your
organization alongside the Kaspersky Endpoint Detection and Response
(KATA) solution. This makes Kaspersky Endpoint Security in the Endpoint
Detection and Response Agent configuration compatible with third-party
EPP applications.
You can also use EDR Agent for integration with the Kaspersky Managed
Detection and Response solution. To do so, you must change the selection
of application components.
KLLOGIN Set the user name for accessing the features and settings of Kaspersky
Endpoint Security (the Password protection component). The user name is
set together with the KLPASSWD and KLPASSWDAREA parameters. The user
name KLAdmin is used by default.
KLPASSWD Specify a password for accessing Kaspersky Endpoint Security features and
settings (the password is specified together with the KLLOGIN and
KLPASSWDAREA parameters).
If you specified a password but did not specify a user name with the
KLLOGIN parameter, the KLAdmin user name is used by default.
KLPASSWDAREA Specify the scope of the password for accessing Kaspersky Endpoint
Security. When a user attempts to perform an action that is included in this
scope, Kaspersky Endpoint Security prompts for the user's account
credentials (KLLOGIN and KLPASSWD parameters). Use the ";" character to
specify multiple values. Available values include:
SET – modifying application settings.
For example, KLPASSWDAREA=SET;UNINST;EXIT.
ENABLETRACES Enabling or disabling application tracing. After Kaspersky Endpoint Security
starts, it saves trace files in the folder %ProgramData%\Kaspersky
Lab\KES.21.17\Traces. Available values:
1 – tracing is enabled.
500 (normal). Messages about all errors and warnings, as well as detailed
information about the operation of the application in normal mode
(default).
This feature allows correctly displaying the state of the Azure virtual
machine in the Kaspersky Anti Targeted Attack Platform console. To monitor
the performance of the computer, Kaspersky Endpoint Security sends
telemetry to KATA servers. Telemetry includes an ID of the computer (Sensor
ID). Azure WVD compatibility mode allows assigning a permanent unique
Sensor ID to these virtual machines. If the compatibility mode is turned off,
the Sensor ID can change after the computer is restarted because of how
Azure virtual machines work. This can cause duplicates of virtual machines to
appear on the console.
Seamless means upgrading the application with a computer restart
(default value).
You can upgrade the application without a restart starting with version 11.10.0.
To upgrade an earlier version of the application, you must restart the
computer. You can also install patches without a restart starting with version
11.11.0.
Restart is not required when installing Kaspersky Endpoint Security. So, the
upgrade mode of the application will be specified in the application settings.
You can change this parameter in the application settings or in the policy.
When upgrading an already installed application, the priority of the command
line parameter is lower than that of the parameter specified in the
application settings or in the setup.ini file. For example, if Force upgrade
mode is specified in the command line and Seamless mode is specified in
the application settings, the upgrade will be installed with a computer restart
(Seamless).
RESTAPI Managing the application through the REST API. To manage the application
through the REST API, you must specify the user name (RESTAPI_User
parameter).
Available values:
1 – management via REST API is allowed.
RESTAPI_User User name of the Windows domain account used for managing the
application through the REST API. Management of the application through
the REST API is available only to this user. Enter the user name in the format
<DOMAIN>\<UserName> (for example,
RESTAPI_User=COMPANY\Administrator). You can select only one user to
work with the REST API.
Adding a user name is a prerequisite for managing the application through
the REST API.
RESTAPI_Port Port used for managing the application through the REST API. Port 6782 is
used by default. Make sure that the port is free.
Example:
setup_kes.exe /pEULA=1 /pPRIVACYPOLICY=1 /pKSN=1
/pALLOWREBOOT=1
msiexec /i kes_win.msi EULA=1 PRIVACYPOLICY=1
KSN=1 KLLOGIN=Admin KLPASSWD=Password
KLPASSWDAREA=EXIT;DISPOLICY;UNINST /qn
setup_kes.exe /pEULA=1 /pPRIVACYPOLICY=1 /pKSN=1
/pENABLETRACES=1 /pTRACESLEVEL=600 /s
After Kaspersky Endpoint Security is installed, the trial license is activated unless you provided an activation
code in the setup.ini le. A trial license usually has a short term. When the trial license expires, all Kaspersky
Endpoint Security features become disabled. To continue using the application, you need to activate the
application with a commercial license by using the Application Activation Wizard or a special command.
When installing the application or upgrading the application version in silent mode, use of the following files is
supported:
To apply settings from the setup.ini, install.cfg, and setup.reg files, place these files into the folder containing
the Kaspersky Endpoint Security distribution package. You can also put the setup.reg file in a different folder.
If you do so, you need to specify the path to the file in the following application installation command:
SETUPREG=<path to the setup.reg file>.
In silent mode. After uninstallation is started in silent mode, your involvement in the removal process is not
required (silent uninstallation). To uninstall the application in silent mode, use the /s and /qn switches.
2. Go to the folder where the Kaspersky Endpoint Security distribution package is located.
Example:
msiexec.exe /x {9A017278-F7F4-4DF9-A482-0B97B70DD7ED} KLLOGIN=KLAdmin
KLPASSWD=!Password1 /qn
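The silent installation and silent removal commands above are usually wrapped in a deployment script that checks the msiexec result, because in silent mode nothing else reports a failure or a pending restart. The following PowerShell functions are an added example and are not part of the Kaspersky help or of the product. They use only the parameters documented above (EULA, PRIVACYPOLICY, KSN, KLLOGIN, KLPASSWD, KLPASSWDAREA) and assume that the MSI path is supplied by the caller, that the product registers an MSI uninstall entry whose DisplayName starts with "Kaspersky Endpoint Security", and that KLAdmin is the default Password protection user, as stated above; the function names are the example's own.

```powershell
# Added example (not part of the Kaspersky help): silent install / silent removal wrapper around
# msiexec using only the installation parameters the help text documents.
# ASSUMPTIONS: kes_win.msi path is passed in; the product registers an MSI uninstall entry whose
# DisplayName starts with 'Kaspersky Endpoint Security'; KLAdmin is the default Password protection
# user. Run elevated.

function Invoke-Msiexec {
    param([string[]]$Arguments, [string]$LogPath)
    $p = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru `
                       -ArgumentList ($Arguments + @('/qn', '/L*v', "`"$LogPath`""))
    switch ($p.ExitCode) {
        0       { return 'Success' }
        3010    { return 'RebootRequired' }   # ERROR_SUCCESS_REBOOT_REQUIRED, e.g. incompatible software was removed
        1641    { return 'RebootInitiated' }  # ERROR_SUCCESS_REBOOT_INITIATED
        default { throw "msiexec exited with $($p.ExitCode); see $LogPath" }
    }
}

function Install-Kes {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [Parameter(Mandatory)][securestring]$AdminPassword,   # Password protection secret; never a literal in scripts
        [string]$AdminLogin   = 'KLAdmin',
        [string]$PasswordArea = 'SET;UNINST;EXIT',           # ';'-separated scope, as in the help text examples
        [switch]$ParticipateInKsn
    )
    if (-not (Test-Path -LiteralPath $MsiPath)) { throw "MSI not found: $MsiPath" }
    $plain   = [System.Net.NetworkCredential]::new('', $AdminPassword).Password
    $msiArgs = @('/i', "`"$MsiPath`"", 'EULA=1', 'PRIVACYPOLICY=1',
                 "KLLOGIN=$AdminLogin", "KLPASSWD=`"$plain`"", "KLPASSWDAREA=$PasswordArea")
    if ($ParticipateInKsn) { $msiArgs += 'KSN=1' }
    Invoke-Msiexec -Arguments $msiArgs -LogPath (Join-Path $env:SystemRoot 'Temp\kes_install.log')
}

function Get-KesProductCode {
    # Resolve the MSI product code from the Uninstall keys instead of hard-coding a GUID that changes per version.
    $keys  = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
    $entry = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like 'Kaspersky Endpoint Security*' -and
                            $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' } |
             Select-Object -First 1
    if (-not $entry) { throw 'Kaspersky Endpoint Security has no MSI uninstall entry on this computer' }
    return $entry.PSChildName
}

function Remove-Kes {
    param([Parameter(Mandatory)][securestring]$AdminPassword, [string]$AdminLogin = 'KLAdmin')
    $plain   = [System.Net.NetworkCredential]::new('', $AdminPassword).Password
    $msiArgs = @('/x', (Get-KesProductCode), "KLLOGIN=$AdminLogin", "KLPASSWD=`"$plain`"")
    Invoke-Msiexec -Arguments $msiArgs -LogPath (Join-Path $env:SystemRoot 'Temp\kes_uninstall.log')
}

# Usage:
# $klPassword = Read-Host -AsSecureString 'Password protection password'
# Install-Kes -MsiPath 'C:\Deploy\kes_win.msi' -AdminPassword $klPassword -ParticipateInKsn
# Remove-Kes  -AdminPassword $klPassword
```

Two caveats follow from the parameters themselves. First, KLPASSWD is passed on the msiexec command line, so the Password protection password is visible to any process that can read the command line while msiexec runs and is written to the verbose MSI log unless the package marks the property as hidden; keep the log under an ACL limited to administrators and delete it once the installation has been verified. Second, a RebootRequired result after removal of incompatible software is normal, and the Kaspersky Security Center reports described above are the only place the restart is signalled on a Core Mode server.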
AVP commands
To manage Kaspersky Endpoint Security from the command line:
As a result, Kaspersky Endpoint Security will execute the command (see figure below).
Run the Malware Scan task.
Command syntax
avp.com SCAN [<scan scope>] [<action on threat detection>] [<file types>] [<scan
exclusions>] [/R[A]:<report file>] [<scan technologies>] [/C:<file with scan
settings>]
Scan scope
<files to scan>
    A space-separated list of files and folders. Long paths must be enclosed in quotation
    marks. Short paths (MS-DOS format) do not need to be enclosed in quotation marks. For
    example:
    "C:\Program Files (x86)\Example Folder" – long path.
/ALL
    Run the Malware Scan task. Kaspersky Endpoint Security scans the following objects:
    Kernel memory;
    Boot sectors;
/STARTUP
    Scan the objects that are loaded at startup of the operating system.
/@:<file list.lst>
    Scan the files and folders from a list. Each file in the list must be on a new row. Long paths
    must be enclosed in quotation marks. Short paths (MS-DOS format) do not need to be
    enclosed in quotation marks. For example:
    "C:\Program Files (x86)\Example Folder" – long path.
Action on threat detection
/i0
    Inform. If this option is selected, Kaspersky Endpoint Security adds the information about
    infected files to the list of active threats on detection of these files.
/i1
    Disinfect, block if disinfection fails. If this option is selected, Kaspersky Endpoint Security
    automatically attempts to disinfect all infected files that are detected. If disinfection is not
    possible, Kaspersky Endpoint Security adds the information about the infected files that are
    detected to the list of active threats.
/i2
    Disinfect, delete if disinfection fails. If this option is selected, the application automatically
    attempts to disinfect all infected files that are detected. If disinfection fails, the application
    deletes the files.
    This action is selected by default.
/i3
    Disinfect the infected files that are detected. If disinfection fails, delete the infected files. Also
    delete compound files (for example, archives) if the infected file cannot be disinfected or
    deleted.
/i4
    Delete infected files. Also delete compound files (for example, archives) if the infected file
    cannot be deleted.
File types
/fe
    Files scanned by extension. If this setting is enabled, the application scans infectable files only.
    The file format is then determined based on the file's extension.
/fi
    Files scanned by format. If this setting is enabled, the application scans infectable files only.
    Before scanning a file for malicious code, the internal header of the file is analyzed to determine the
    format of the file (for example, .txt, .doc, or .exe). The scan also looks for files with particular file
    extensions.
/fa
    All files. If this setting is enabled, the application checks all files without exception (all formats and
    extensions).
    This is the default setting.
Scan exclusions
-e:a
    RAR, ARJ, ZIP, CAB, LHA, JAR, and ICE archives are excluded from the scan scope.
-e:b
    Mail databases, incoming and outgoing e-mails are excluded from the scan scope.
-e:<file mask>
    Files that match the file mask are excluded from the scan scope. For example:
    The mask *.exe will include all paths to files that have the exe extension.
    The mask example* will include all paths to files named EXAMPLE.
-e:<seconds>
    Files that take longer to scan than the specified time limit (in seconds) are excluded from
    the scan scope.
-es:<megabytes>
    Files that are larger than the specified size limit (in megabytes) are excluded from the
    scan scope.
Scan technologies
/iChecker=on|off
    This technology allows increasing scan speed by excluding certain files from
    scanning. Files are excluded from scans by using a special algorithm that takes into
    account the release date of Kaspersky Endpoint Security databases, the date when
    the file was last scanned, and any modifications to the scan settings. There are
    limitations to iChecker Technology: it does not work with large files and applies only
    to files with a structure that the application recognizes (for example, EXE, DLL, LNK,
    TTF, INF, SYS, COM, CHM, ZIP, and RAR).
/iSwift=on|off
    This technology allows increasing scan speed by excluding certain files from
    scanning. Files are excluded from scans by using a special algorithm that takes into
    account the release date of Kaspersky Endpoint Security databases, the date when
    the file was last scanned, and any modifications to the scan settings. The iSwift
    technology is an advancement of the iChecker technology for the NTFS file system.
Advanced settings
/C:<file with scan settings>
    File with the Malware Scan task settings. The file must be created manually and saved in TXT
    format. The file can have the following contents: [<scan scope>] [<action on threat
    detection>] [<file types>] [<scan exclusions>] [/R[A]:<report file>]
    [<scan technologies>].
Example:
avp.com SCAN /R:log.txt /MEMORY /STARTUP /MAIL "C:\Documents and Settings\All
Users\My Documents" "C:\Program Files"
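The /@: list file and the /C: settings file are the two inputs an administrator normally generates rather than types. The following PowerShell function is an added example, not part of the Kaspersky help or of the product: it writes a list file in the format described above (one entry per line, long paths quoted), writes a settings file that carries the action, file-type, exclusion and report options, and runs avp.com SCAN with both. It assumes avp.com is on the PATH or its full path is passed in -AvpPath, uses %SystemRoot%\Temp so that no generated path needs quoting, and returns the exit code and report tail unchanged, since the page does not document either.

```powershell
# Added example (not part of the Kaspersky help): run an on-demand scan of a list of paths with
# avp.com SCAN, generating the /@: list file and the /C: settings file in the formats the help
# text describes. ASSUMPTIONS: avp.com is on PATH or given in -AvpPath; files are written under
# %SystemRoot%\Temp so no generated path needs quoting; the meaning of avp.com's exit code and
# the report layout are not documented on this page, so both are returned as-is.
function Invoke-KesListScan {
    param(
        [Parameter(Mandatory)][string[]]$Paths,
        [string]$AvpPath = 'avp.com',
        [ValidateSet('/i0', '/i1', '/i2', '/i3', '/i4')]
        [string]$Action = '/i0',          # /i0 = inform only: a safe first pass that changes nothing
        [int]$MaxFileMB = 512,            # -es: skip files larger than this
        [switch]$IncludeArchives          # without it, -e:a excludes archives
    )
    $workDir  = Join-Path $env:SystemRoot 'Temp'
    $listFile = Join-Path $workDir 'kes_scan_list.lst'
    $cfgFile  = Join-Path $workDir 'kes_scan_settings.txt'
    $report   = Join-Path $workDir 'kes_scan_report.txt'

    # List file: one entry per line; long paths in quotation marks (quoting a short path is harmless).
    $entries = foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) { "`"$p`"" } else { Write-Warning "skipping missing path: $p" }
    }
    if (-not $entries) { throw 'nothing to scan' }
    Set-Content -LiteralPath $listFile -Value $entries

    # Settings file: same option syntax as the command line, so the scan policy can live in version control.
    $settings = @($Action, '/fi', "-es:$MaxFileMB", "/RA:$report")
    if (-not $IncludeArchives) { $settings += '-e:a' }
    Set-Content -LiteralPath $cfgFile -Value ($settings -join ' ')

    & $AvpPath SCAN "/@:$listFile" "/C:$cfgFile"
    $exitCode = $LASTEXITCODE

    $tail = @()
    if (Test-Path -LiteralPath $report) { $tail = Get-Content -LiteralPath $report -Tail 20 }

    [pscustomobject]@{
        ExitCode   = $exitCode
        ListFile   = $listFile
        ReportFile = $report
        ReportTail = $tail
    }
}

# Usage: a read-only pass first, then a disinfecting pass over the same list once the report has been reviewed.
# Invoke-KesListScan -Paths 'C:\inetpub\wwwroot', 'C:\Users\Public'
# Invoke-KesListScan -Paths 'C:\inetpub\wwwroot', 'C:\Users\Public' -Action '/i1'
```

Starting with /i0 matters on a server: /i2 is the default action and deletes files whose disinfection fails, so an inform-only run over the report (/RA: appends every event) shows what a later /i1 or /i2 pass would touch before anything is modified.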
Command syntax
avp.com UPDATE [local] ["<update source>"] [/R[A]:<report file>] [/C:<file with update
settings>]
Update task settings
local
    Start of the Update task that was created automatically after the application was installed. You
    can change the settings of the Update task in the local application interface or in the console of
    Kaspersky Security Center. If this setting is not configured, Kaspersky Endpoint Security starts
    the Update task with the default settings or with the settings specified in the command. You can
    configure the Update task settings as follows:
    UPDATE starts the Update task with the default settings: the update source is Kaspersky
    update servers, the account is System, and other default settings.
    UPDATE local starts the Update task that was created automatically after installation
    (predefined task).
    UPDATE <update settings> starts the Update task with manually defined settings (see
    below).
Update source
"<update source>"
    Address of an HTTP or FTP server, or of a shared folder with the update package. You can
    specify only one update source. If the update source is not specified, Kaspersky Endpoint
    Security uses the default source: Kaspersky update servers.
Advanced settings
/C:<file with update settings>
    File with the Update task settings. The file must be created manually and saved in TXT
    format. The file can have the following contents: ["<update source>"] [/R[A]:<report file>].
Example:
avp.com UPDATE local
avp.com UPDATE "ftp://my_server/kav updates" /RA:avbases_upd.txt
Command syntax
Example:
avp.com ROLLBACK /RA:rollback.txt
TRACES. Tracing
Enable / disable tracing. Trace files are stored on the computer as long as the application is in use, and are deleted
permanently when the application is removed. Trace files, except trace files of Authentication Agent, are stored in
the folder %ProgramData%\Kaspersky Lab\KES.21.17\Traces. By default, tracing is disabled.
Command syntax
Tracing level
500 (normal). Messages about all errors and warnings, as well as detailed information about
the operation of the application in normal mode (default).
Advanced settings
all Run a command with the dbg, file and mem parameters.
dbg Use the OutputDebugString function and save the trace file. The OutputDebugString function
sends a character string to the application debugger to display on screen. For details, visit the
MSDN website.
rot Save traces to a limited number of file sets of limited size and overwrite the older files when
the maximum size is reached.
Examples:
avp.com TRACES on 500
avp.com TRACES on 500 dbg
avp.com TRACES off
avp.com TRACES on 500 dbg mem
avp.com TRACES off file
START. Start the profile
Start the profile (for example, to update databases or to enable a protection component).
Command syntax
Profile
<profile> Profile name. A profile is a Kaspersky Endpoint Security component, task or feature. You can
view the list of available profiles by executing the HELP START command.
Example:
avp.com START Scan_Objects
To execute this command, Password protection must be enabled. The user must have the Disable protection
components and Disable control components permissions.
Command syntax
Profile
<profile> Profile name. A profile is a Kaspersky Endpoint Security component, task or feature. You can
view the list of available profiles by executing the HELP STOP command.
Authentication
/login=<user name> /password= User account credentials with the required Password protection
<password> permissions.
STATUS. Profile status
Show status information for application profiles (for example, running or completed). You can view the list of available profiles by executing the HELP STATUS command.
Kaspersky Endpoint Security also displays information about the status of service profiles. Information about the status of service profiles may be required when you are contacting Kaspersky Technical Support.
Command syntax
If you enter the command without a pro le, Kaspersky Endpoint Security displays the status for all pro les of the
application.
Command syntax
To execute this command, Password protection must be enabled. The user must have the Restore from
Backup permission.
Backup stores backup copies of files that were deleted or modified during disinfection. A backup copy is a file copy created before the file was disinfected or deleted. Backup copies of files are stored in a special format and do not pose a threat.
Users in the Administrators group are granted full permission to access this folder. Limited access rights to this folder are granted to the user whose account was used to install Kaspersky Endpoint Security.
Kaspersky Endpoint Security does not provide the capability to configure user access permissions to backup copies of files.
Command syntax
Advanced settings
Authentication
/login=<user name> /password=<password>   User account credentials with the required Password protection permissions.
Example:
avp.com RESTORE /REPLACE true_file.txt /login=KLAdmin /password=!Password1
Command syntax
Profile
<profile>   Profile name. A profile is a Kaspersky Endpoint Security component, task or feature. You can view the list of available profiles by executing the HELP EXPORT command.
File to export
<file name>   The name of the file to which the application settings will be exported. You can export Kaspersky Endpoint Security settings to a DAT or CFG configuration file, to a TXT text file, or to an XML document.
Examples:
avp.com EXPORT ids ids_config.dat
avp.com EXPORT fm fm_config.txt
Imports settings for Kaspersky Endpoint Security from a file that was created with the EXPORT command.
To execute this command, Password protection must be enabled. The user must have the Configure application settings permission.
Command syntax
File to import
<file name>   The name of the file from which the application settings will be imported. You can import Kaspersky Endpoint Security settings from a DAT or CFG configuration file, a TXT text file, or an XML document.
Authentication
/login=<user name> /password=<password>   User account credentials with the required Password protection permissions.
Example:
avp.com IMPORT config.dat /login=KLAdmin /password=!Password1
Command syntax
Key file
Authentication
/login=<user name> User account credentials. These credentials need to be entered only if
/password=<password> Password protection is enabled.
Example:
avp.com ADDKEY file.key
LICENSE. Licensing
Perform operations with the license keys of Kaspersky Endpoint Security or with the keys of EDR Optimum or EDR
Expert (Kaspersky Endpoint Detection and Response Add-on).
To execute this command and remove a license key, Password protection must be enabled. The user must have
the Remove key permission.
Command syntax
Operation
/ADD <file name>   Apply the key file to activate Kaspersky Endpoint Security. If the application is already activated, the key will be added as a reserve one.
/ADD <activation code>   Activate Kaspersky Endpoint Security using an activation code. If the application is already activated, the key will be added as a reserve one.
/REFRESH   Update the status of the Kaspersky Endpoint Security license. As a result, the application receives up-to-date license status information from Kaspersky activation servers.
/REFRESH EDR   Update the status of the Kaspersky Endpoint Detection and Response Add-on license. As a result, the application receives up-to-date license status information from Kaspersky activation servers.
/DEL /login=<user name> /password=<password>   Remove the license key of the application. The reserve key will also be removed.
/DEL EDR /login=<user name> /password=<password>   Remove the license key of Kaspersky Endpoint Detection and Response Add-on. The reserve key will also be removed.
Authentication
/login=<user name> /password=<password>   User account credentials with the required Password protection permissions.
Example:
avp.com LICENSE /ADD file.key
avp.com LICENSE /ADD AAAAA-BBBBB-CCCCC-DDDDD
avp.com LICENSE /DEL EDR /login=KLAdmin /password=!Password1
PBATESTRESET. Reset the disk check results before encrypting the disk
Reset the compatibility check results for Full Disk Encryption (FDE), including both the Kaspersky Disk Encryption and BitLocker Drive Encryption technologies.
Before running Full Disk Encryption, the application performs a number of checks to verify that the computer can be encrypted. If the computer does not support Full Disk Encryption, Kaspersky Endpoint Security logs information about the incompatibility. The next time you try to encrypt, the application does not perform this check and warns you that encryption is not possible. If the hardware configuration of the computer has changed, the compatibility check results previously logged by the application must be reset to re-check the system hard drive for compatibility with Kaspersky Disk Encryption or BitLocker drive encryption technologies.
To execute this command, Password protection must be enabled. The user must have the Exit the application permission.
Command syntax
To execute this command, Password protection must be enabled. The user must have the Disable Kaspersky
Security Center policy permission.
Command syntax
SPYWARE. Spyware detection
Enable / disable spyware detection. By default, spyware detection is enabled.
Command syntax
Kaspersky Security Network (KSN) is the solution that is used by most Kaspersky applications. KSN participants
receive information from Kaspersky and send Kaspersky information about objects detected on the user's
computer to be analyzed additionally by Kaspersky analysts and to be included in the reputation and statistical
databases.
Kaspersky Private Security Network (KPSN) is a solution that enables users of computers hosting Kaspersky
Endpoint Security or other Kaspersky applications to obtain access to Kaspersky reputation databases, and to
other statistical data without sending data to Kaspersky from their own computers. KPSN is designed for
corporate customers who are unable to participate in Kaspersky Security Network for any of the following
reasons:
Transmission of any data outside the country or outside the corporate LAN is prohibited by law or restricted
by corporate security policies.
Command syntax
Kaspersky Security Network configuration file
<file name>   Name of the configuration file containing Kaspersky Private Security Network settings. This file has the PKCS7 or PEM extension.
Example:
avp.com KSN /global
avp.com KSN /private C:\ksn_config.pkcs7
SERVERBINDINGDISABLE. Disabling the server connection protection
Runs the Administration Server connection protection task, which removes the password of the computer's
connection to the Administration Server. In this way, the task disables the protection of the Administration Server
connection.
Command syntax
Password
/password= The password of the KLAdmin user account or the password from the Administration
<password> Server connection protection task.
If the parameter is not specified, Kaspersky Endpoint Security prompts you to enter a password on the next line.
KESCLI commands
KESCLI commands let you receive information about the state of computer protection using the OPSWAT
component, and let you perform standard tasks such as Malware Scan and Update tasks.
You can view the list of KESCLI commands by using the --help command or by using the abbreviated command -
h.
As a result, Kaspersky Endpoint Security will execute the command (see gure below).
Managing the application from the command line
To run the task, the administrator must Allow use of local tasks in the policy.
Command syntax
You can check the completion status of a Malware Scan task by using the GetScanState command and view the
date and time when the scan was last completed by using the GetLastScanTime command.
Scan scope
<files to scan>   ;-separated list of files and folders. For example, "C:\Program Files (x86)\Example Folder".
Action on threat detection
0   Inform. If this option is selected, Kaspersky Endpoint Security adds the information about infected files to the list of active threats on detection of these files.
1   Disinfect, delete if disinfection fails. If this option is selected, the application automatically attempts to disinfect all infected files that are detected. If disinfection fails, the application deletes the files. This action is selected by default.
Example:
kescli --opswat Scan "C:\Documents and Settings\All Users\My Documents;C:\Program
Files" 1
0 – the scan is not running.
Command syntax
Command syntax
Command syntax
When this command is executed, Kaspersky Endpoint Security will send a response in the following format:
<name of detected object> <type of object> <detection date and time> <path to file>
<action on threat detection> <threat danger level>
Object type
1   Viruses (Virware).
6   Applications that could be used by a cybercriminal to harm the user's computer or data (Riskware).
7   Packed objects whose packing method may be used to protect malicious code (Packed).
40   Ad banners (Banner).
60   Vulnerabilities (Vulnerability).
70   Phishing.
Action on threat detection
36   False positive (false alarm).
Threat danger level
0   Unknown
1   High
2   Medium
4   Low
To run the task, the administrator must Allow use of local tasks in the policy.
Command syntax
You can view the release date and time of the current antivirus databases by using the GetDefinitionState command.
GetDefinitionState. Determining the release date and time of the databases
Receive information about the release date and time of the antivirus databases in use.
Command syntax
To enable protection components, the administrator must make sure that the relevant policy settings can be modified (the lock attributes are open).
Command syntax
As a result, protection components are enabled even if you have prohibited the modi cation of application
settings with Password protection.
You can check the operating status of File Threat Protection by using the GetRealTimeProtectionState
command.
Command syntax
Command syntax
Command syntax
kescli --Version
To manage built-in features of Detection and Response solutions using the command line:
Configure a trusted connection between the computer and Kaspersky Sandbox servers.
To configure a trusted connection with Kaspersky Sandbox servers, you must prepare a TLS certificate. Next you must add the certificate to Kaspersky Sandbox servers and the Kaspersky Endpoint Security policy. For details on preparing the certificate and adding the certificate to servers, refer to the Kaspersky Sandbox Help.
Command syntax
Operation
set   Configure the Kaspersky Sandbox component. You can modify the following settings:
Use a trusted connection (--tls);
show Display the current settings of the component. You get the following response:
sandbox.timeout=<Kaspersky Sandbox server connection timeout (ms)>
sandbox.tls=<trusted connection status>
sandbox.servers=<list of Kaspersky Sandbox servers>
Authentication
/login=<user name> /password=<password>   User account credentials with the required Password protection permissions.
Example:
avp.com start sandbox
avp.com sandbox /set --tls=yes --pinned-certificate="C:\Users\Admin\certificate.pem"
avp.com sandbox /set --servers=10.10.111.0:147
Command syntax
avp.com prevention disable
avp.com prevention /show
Upon executing the prevention /show command, you will get the following response:
prevention.enable=true|false
prevention.mode=audit|prevent
prevention.rules
-1 means the command is not supported by the version of the application that is installed on the computer.
9 – wrong operation (for example, an attempt to disable the component when it is already disabled).
Command syntax:
As a result of running the stat command, you receive the following response: Network isolation on|off.
You can restore a file from Quarantine to its original folder. Quarantine is a special local storage on the computer. The user can quarantine files that the user considers dangerous for the computer. Quarantined files are stored in an encrypted state and do not threaten the security of the device. Kaspersky Endpoint Security uses Quarantine only when working with Detection and Response solutions: EDR Optimum, EDR Expert, KATA (EDR), Kaspersky Sandbox. In other cases Kaspersky Endpoint Security places the relevant file in Backup. For details on managing Quarantine as part of solutions, please refer to the Kaspersky Sandbox Help, Kaspersky Endpoint Detection and Response Optimum Help, Kaspersky Endpoint Detection and Response Expert Help, and Kaspersky Anti Targeted Attack Platform Help.
To execute this command, Password protection must be enabled. The user must have the Restore from Backup permission.
If the destination folder has been deleted or the user does not have access rights to that folder, the application places the file in the %DataRoot%\QB\Restored folder. Then you must manually move the file to the destination folder.
The application treats the name of the file being restored as case sensitive. If you do not observe the case when entering the file name, the application does not restore the file.
If the destination folder already has a file with the same name, the application cancels the restoration of the file.
If you are using the KATA (EDR) solution, the application saves a copy of the file in Quarantine after restoring the file. You can clear the Quarantine manually. For EDR Optimum and EDR Expert solutions, the application deletes the file after restoration.
Command syntax
Advanced settings
Authentication
/login=<user name> /password=<password>   User account credentials with the required Password protection permissions.
Example:
avp.com RESTORE /REPLACE true_file.txt /login=KLAdmin /password=!Password1
-1 means the command is not supported by the version of the application that is installed on the computer.
1 means a mandatory argument was not passed to the command.
Command syntax
avp.com IOCSCAN <full path to the IOC file>|/path=<path to the IOC files folder>
[/process=on|off] [/hint=<full path to executable file of a process|full file path>]
[/registry=on|off] [/dnsentry=on|off] [/arpentry=on|off] [/ports=on|off]
[/services=on|off] [/system=on|off] [/users=on|off] [/volumes=on|off]
[/eventlog=on|off] [/datetime=<event publication date>] [/channels=<list of channels>]
[/files=on|off] [/drives=<all|system|critical|custom>] [/excludes=<list of
exclusions>][/scope=<list of folders to scan>]
IOC files
<full path to the IOC file>   Full path to the IOC file that you want to use for scanning. You can specify multiple IOC files separated by spaces. The full path to the IOC file must be entered without the /path argument. For example, C:\Users\Admin\Desktop\IOC\file1.ioc
/path=<path to the folder with IOC files>   Path to the folder with IOC files that you want to use for scanning. IOC files are files containing the sets of indicators that the application tries to match to count a detection. IOC files must conform to the OpenIOC standard. For example, C:\Users\Admin\Desktop\IOC
/process=on|off   Analyze process data when performing the IOC scan (ProcessItem term).
If the value of the argument is off, Kaspersky Endpoint Security does not analyze processes running on the computer when performing the scan. If the IOC file contains IOC terms of the ProcessItem IOC document, they are ignored (detected as no match).
If the argument is not specified, Kaspersky Endpoint Security analyzes process data only if the ProcessItem IOC document is described in the IOC file that is provided for the scan.
/hint=<full path to the executable file of the process|full path to the file>   Analyze file data when performing the IOC scan (ProcessItem and FileItem terms). You can select a file in one of the following ways:
<full path to the executable file of the process> – ProcessItem term;
<full path to the file> – FileItem term.
/dnsentry=on|off   Analyze the data about records in the local DNS cache when performing the IOC scan (DnsEntryItem term).
/arpentry=on|off   Analyze the data about records in the ARP table when performing the IOC scan (ArpEntryItem term).
/ports=on|off   Analyze data about ports open for listening when performing the IOC scan (PortItem term).
/services=on|off   Analyze data about services installed on the device when performing the IOC scan (ServiceItem term).
If the argument is not specified, Kaspersky Endpoint Security analyzes service data only if the ServiceItem IOC document is described in the IOC file that is provided for the scan.
/users=on|off   Analyze data about users when performing the IOC scan (UserItem term).
/volumes=on|off   Analyze data about volumes when performing the IOC scan (VolumeItem term).
If the value of the argument is off, Kaspersky Endpoint Security does not scan the data about volumes on the device. If the IOC file contains VolumeItem IOC document terms, they are ignored (detected as no match).
If the argument is not specified, Kaspersky Endpoint Security analyzes volume data only if the VolumeItem IOC document is described in the IOC file that is provided for the scan.
/eventlog=on|off   Analyze the data about records in the Windows event log when performing the IOC scan (EventLogItem term).
If the value of the argument is off, Kaspersky Endpoint Security does not scan the records in the Windows event log. If the IOC file contains EventLogItem IOC document terms, they are ignored (detected as no match).
If the argument is not specified, Kaspersky Endpoint Security analyzes the Windows event log if the EventLogItem IOC document is described in the IOC file that is provided for the scan.
/datetime=<event publication date>   Take into consideration the date when the event was published in the Windows event log when determining the IOC scan scope for the corresponding IOC document.
When performing an IOC scan, Kaspersky Endpoint Security scans Windows event log entries published during the period from the specified time and date to the moment when the task is run.
Kaspersky Endpoint Security allows specifying the event publication date as the value of the argument. The scan is performed only for events published in the Windows event log after the specified date and before the scan is run.
If the argument is not specified, Kaspersky Endpoint Security scans events with any publication date. The TaskSettings::BaseSettings::EventLogItem::datetime setting cannot be edited.
The setting is used only if the EventLogItem IOC document is described in the IOC file provided for the scan.
/channel=<list of channels>   List of channel (log) names for which you want to perform an IOC scan.
If the argument is specified, Kaspersky Endpoint Security scans records published in the specified logs. The IOC document must have the EventLogItem term described.
The name of the log is specified as a string in accordance with the name of the log (channel) specified in the properties of the log (the Full Name parameter) or in the event properties (the <Channel></Channel> parameter in the xml schema of the event). You can specify multiple channels separated by spaces.
If the argument is not specified, Kaspersky Endpoint Security scans records for channels Application, System, Security.
/files=on|off   Analyze file data when performing the IOC scan (FileItem term).
If the value of the argument is off, Kaspersky Endpoint Security does not analyze file data. If the IOC file contains FileItem IOC document terms, they are ignored (detected as no match).
If the argument is not specified, Kaspersky Endpoint Security analyzes file data only if the FileItem IOC document is described in the IOC file that is provided for the scan.
/drives=<all|system|critical|custom>   Set IOC scan scope when analyzing data for the FileItem IOC document.
You can set the following values for the scan scope:
<all> for all available file scopes.
If the argument is not specified, the scan is performed for critical areas.
/excludes=<list of exclusions>   Set exclusion scope when analyzing data for the FileItem IOC document. You can specify multiple paths separated by spaces.
/scope=<list of folders to scan>   User-defined IOC scan scope when analyzing data for the FileItem IOC document (/drives=custom). You can specify multiple paths separated by spaces.
-1 means the command is not supported by the version of the application that is installed on the computer.
If the command was executed successfully (return value 0) and indicators of compromise were detected along the
way, Kaspersky Endpoint Security outputs the following task result information to the command line:
Uuid   ID of the IOC file from the header of the IOC file structure (the <ioc id=""> tag)
Name   Description of the IOC file from the header of the IOC file structure (the <description></description> tag)
Matched objects Data for each IOC document for which there was a match.
Administrator privileges are required for performing operations with a BLOB file. Managed Detection and Response settings in the policy must also be available for editing (the lock is open).
Command syntax
Operation
/ADD <file name>   Apply the BLOB configuration file for integration with Kaspersky Managed Detection and Response (P7 file format). You can apply only one BLOB file. If a BLOB file was already added to the computer, the file will be replaced.
Authentication
/login=<user name> /password=<password>   User account credentials with the required Password protection permissions.
Example:
avp.com MDRLICENSE /ADD file.key
avp.com MDRLICENSE /DEL /login=KLAdmin /password=!Password1
Configure the connection to Kaspersky Anti Targeted Attack Platform servers.
Command syntax
Operation
set   Configure the EDR (KATA) component. You can modify the following settings:
Add Central Node servers (servers=<server address>:<port>).
Set the Central Node server connection timeout (/timeout=<Central Node server connection timeout (seconds)>).
Set the period for synchronization with the Central Node server (/sync-period=<Central Node server synchronization period (minutes)>).
Error codes
Errors may occur when working with the application through the command line. When errors occur, Kaspersky
Endpoint Security shows an error message, for example, Error: Cannot start task 'EntAppControl'.
Kaspersky Endpoint Security can also show additional information in the form of a code, for example,
error=8947906D (see the table below).
Error codes
Error code Description
89479014 File signature does not match the digital signature of Kaspersky
89479015 Cannot use a key for trial license as a key for commercial license
89479016 The license for beta testing is required to use the beta version of the application
89479017 The key file is not compatible with this application. It is impossible to activate Kaspersky Endpoint Security for Windows with a key file for another application. Please check the installed application
89479019 The application has already been used under a trial license. Cannot add a key for trial license again
8947901B Digital signature is missing, corrupted, or does not match the Kaspersky digital signature
8947901C Cannot add a key if the corresponding non-commercial license has expired
8947901E The date the key file was created or used is invalid. Please check the system date
8947901F Cannot add a key for trial license: another key for trial license is already active
89479023 Cannot use invalid key file to add a reserve key
89479025 Error sending activation server request. Possible reasons: Internet connection error or
temporary problems on the activation server. Try to activate the application later (in 1 to 2
hours) with the activation code. If this error reoccurs, contact your Internet provider
89479029 Incorrect activation code is entered or invalid system date is set on the computer. Please
check the system date on your computer
8947902B Failed to receive a key le. Incorrect activation code was entered
8947902F Necessary resource is unavailable on the activation server. Activation server has returned error
404. Please check your Internet connection settings
89479035 Necessary resource is unavailable on the activation server. Activation server has returned error
410. Please check your Internet connection settings
89479040 Gateway response timed out. Please check your network settings
89479049 Error occurred when converting parameters to ANSI string (URL, folder, agent)
89479053 The license that corresponds to the added key has already expired
89479054 Invalid system date is set on the computer. Please check the system date value
89479057 The limit of application activations has been exceeded for the specified code
89479059 Cannot use a key for trial license as a key for commercial license
89479064 Activation server is unavailable. Please check your Internet connection settings and retry
activation
89479067 Cannot add a reserve key if the corresponding license expires before the current license
8947906C License types that correspond to active and reserve keys do not match
89479217 Failed to convert server address. Please check Internet connection settings
89479408 The activation code is not compatible with this application. It is impossible to activate
Kaspersky Endpoint Security for Windows with an activation code for another application.
Please check the installed application
89479411 This activation code cannot be used for this localization of the application
89479412 The activation code is intended for the new version of this application. Get a different activation code to activate the installed version of the application
89479502 Invalid parameter transferred. For example, an empty list of activation server addresses
BehaviorDetection – Behavior Detection.
Firewall or FW – Firewall.
Updater – Update.
Kaspersky Endpoint Security also supports service profiles. Service profiles may be required when you are contacting Kaspersky Technical Support.
Managing the application through the REST API
Kaspersky Endpoint Security lets you configure application settings, run a scan, update the anti-virus databases, and perform other tasks using third-party solutions. Kaspersky Endpoint Security provides an API for this purpose.
The Kaspersky Endpoint Security REST API operates over HTTP and consists of a set of request/response methods. In other words, you can manage Kaspersky Endpoint Security through a third-party solution, and not the local application interface or the Kaspersky Security Center Administration Console.
To start using the REST API, you need to install Kaspersky Endpoint Security with support for the REST API. The REST client and Kaspersky Endpoint Security must be installed on the same computer.
To ensure safe interaction between Kaspersky Endpoint Security and the REST client:
Configure the REST client's protection from unauthorized access according to the recommendations of the REST client developer. Configure write protection for the REST client folder with the help of a Discretionary Access Control List (DACL).
To run the REST client, use a separate account with administrator rights. Deny interactive sign-in into the system for this account.
The application is managed through the REST API at http://127.0.0.1 or http://localhost. It is not possible to remotely manage Kaspersky Endpoint Security through the REST API.
Secure interaction of Kaspersky Endpoint Security with the REST client requires configuring request identification. To do so, you must install a certificate and subsequently sign the payload of each request. Because the transport is plain HTTP on the loopback interface, the signature authenticates each request but does not encrypt it; the account separation and DACL measures above are what keep the private key and the client out of reach of other local users.
Example:
$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 1825 -nodes
Use the RSA encryption algorithm with a key length of 2048 bits or more.
As a result, you will get a cert.pem certificate and a key.pem private key.
1. Run the command line interpreter (cmd.exe) as an administrator.
2. Go to the folder that contains the distribution package for Kaspersky Endpoint Security version 11.2.0 or later.
RESTAPI=1
RESTAPI_User=<User name>
User name for managing the application through the REST API. Enter the user name in the format
<DOMAIN>\<UserName> (for example, RESTAPI_User=COMPANY\Administrator). You can manage the
application through the REST API only under this account. You can select only one user to work with the
REST API.
RESTAPI_Port=<Port>
Port used for managing the application through the REST API. Port 6782 is used by default. Make sure that
the port is free. Optional parameter.
RESTAPI_Certificate=<Path to certificate>
Certificate for identifying requests (for example, RESTAPI_Certificate=C:\cert.pem).
You can install the certificate after installing the application or update the certificate after the certificate expires.
How to install a certificate for REST API request identification
3. Enter the path to the certificate, for example, Certificate = C:\Folder\cert.pem.
AdminKitConnector=1
Application management using administration systems. Management is allowed by default.
You can also use the setup.ini file to define the settings for working with the REST API.
Example:
setup_kes.exe /pEULA=1 /pPRIVACYPOLICY=1 /pKSN=1 /pALLOWREBOOT=1
/pAdminKitConnector=1 /pRESTAPI=1 /pRESTAPI_User=COMPANY\Administrator
/pRESTAPI_Certificate=C:\cert.pem /s
As a result, you will be able to manage the application through the REST API. To verify its operation, open the REST
API documentation using a GET request.
Example:
GET http://localhost:6782/kes/v1/api-docs
If you installed the application with REST API support, Kaspersky Endpoint Security automatically creates an
allow rule in the Web Control settings for accessing web resources (Service Rule for REST API). This rule is
needed to allow the REST client to access Kaspersky Endpoint Security at all times. For example, if you have
restricted user access to web resources, this will not affect managing the application through the REST API.
We recommend that you do not delete the rule or change the Service Rule for REST API settings. If you
deleted the rule, Kaspersky Endpoint Security will restore it after restarting the application.
It is not possible to restrict access to the application through the REST API using Password Protection. For
example, it is not possible to block a user from disabling protection through the REST API. You can configure
Password Protection through the REST API and restrict user access to the application through the local
interface.
To manage the application through the REST API, you need to run the REST client under the account that you
specified when installing the application with REST API support. You can select only one user to work with the
REST API.
Managing the application through the REST API consists of the following steps:
1. Get the current values of the application settings. To do so, send a GET request.
Example:
GET http://localhost:6782/kes/v1/settings/ExploitPrevention
2. The application will send a response with the structure and values of settings. Kaspersky Endpoint Security
supports XML- and JSON formats.
Example:
{
"action": 0,
"enableSystemProcessesMemoryProtection": true,
"enabled": true
}
3. Edit the application settings. Use the settings structure received in response to the GET request.
Example:
{
"action": 0,
"enableSystemProcessesMemoryProtection": false,
"enabled": true
}
$ openssl smime -sign -in payload.json -signer cert.pem -inkey key.pem -nodetach -binary -outform pem -out signed_payload.pem
As a result, you get a signed file with the payload of the request (signed_payload.pem).
6. Edit the application settings. To do so, send a POST request and attach the signed file with the request payload
(signed_payload.pem).
The application applies the new settings and sends a response containing the application configuration results
(the response can be empty). You can verify that the settings are updated using a GET request.
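The procedure above, carried through as one script: fetch the ExploitPrevention settings, edit a value inside the structure the application returned, sign the payload with the openssl smime command shown in step 5, and POST the signed file back. This is an added example, not code from the Kaspersky documentation; it assumes the REST API on http://localhost:6782/kes/v1 as on this page, openssl on PATH with cert.pem/key.pem as the signing certificate and key, and a raw-PEM POST body with an assumed Content-Type, which this page does not specify.

```python
"""Walk through the REST API procedure: GET settings, edit, sign, POST.

Added example (not part of the Kaspersky documentation). Assumptions:
- the REST API listens on http://localhost:6782/kes/v1 (as on this page);
- the script runs under the account chosen at installation time, since that
  is the only account allowed to use the REST API;
- openssl is on PATH; cert.pem / key.pem are the signing certificate and key;
- the POST body is the raw PEM file and the Content-Type below is assumed.
"""
import json
import subprocess
import urllib.request
from pathlib import Path

BASE_URL = "http://localhost:6782/kes/v1"


def get_settings(section: str, base_url: str = BASE_URL) -> dict:
    """Step 1: fetch the current settings structure of a component as JSON."""
    with urllib.request.urlopen(f"{base_url}/settings/{section}", timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def patch_settings(current: dict, changes: dict) -> dict:
    """Step 3: edit only keys that exist in the structure returned by GET, and
    keep each value's type, so the payload keeps the shape the API expects."""
    unknown = set(changes) - set(current)
    if unknown:
        raise KeyError(f"not in settings structure: {sorted(unknown)}")
    updated = dict(current)  # leave the GET response itself untouched
    for key, value in changes.items():
        if type(value) is not type(current[key]):
            raise TypeError(
                f"{key}: expected {type(current[key]).__name__}, got {type(value).__name__}"
            )
        updated[key] = value
    return updated


def sign_command(payload: str, cert: str, key: str, out: str) -> list:
    """Step 5: the openssl smime invocation shown on this page, as an argv list."""
    return [
        "openssl", "smime", "-sign", "-in", payload, "-signer", cert, "-inkey", key,
        "-nodetach", "-binary", "-outform", "pem", "-out", out,
    ]


def sign_payload(settings: dict, cert: Path, key: Path, workdir: Path) -> Path:
    """Steps 4-5: write payload.json, then produce signed_payload.pem."""
    payload = workdir / "payload.json"
    signed = workdir / "signed_payload.pem"
    payload.write_text(json.dumps(settings, indent=2), encoding="utf-8")
    subprocess.run(sign_command(str(payload), str(cert), str(key), str(signed)), check=True)
    return signed


def post_settings(section: str, signed: Path, base_url: str = BASE_URL) -> bytes:
    """Step 6: POST the signed payload; the response body may be empty."""
    req = urllib.request.Request(
        f"{base_url}/settings/{section}",
        data=signed.read_bytes(),
        method="POST",
        headers={"Content-Type": "application/x-pem-file"},  # assumed, not on this page
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def main() -> None:
    section = "ExploitPrevention"
    current = get_settings(section)
    updated = patch_settings(current, {"enableSystemProcessesMemoryProtection": False})
    signed = sign_payload(updated, Path("cert.pem"), Path("key.pem"), Path("."))
    post_settings(section, signed)
    # Verify with a GET, as the page recommends.
    assert get_settings(section)["enableSystemProcessesMemoryProtection"] is False


if __name__ == "__main__":
    main()
```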
Sources of information about the application
On the Kaspersky Endpoint Security page, you can view general information about the application and its
functions and features.
The Kaspersky Endpoint Security page contains a link to the online store. There you can purchase or renew the
application.
On the Kaspersky Endpoint Security page in the Knowledge Base, you can read articles that provide useful
information, recommendations, and answers to frequently asked questions on how to purchase, install, and use the
application.
Knowledge Base articles can answer questions relating to not only Kaspersky Endpoint Security but also to other
Kaspersky applications. Articles in the Knowledge Base may also contain news from Technical Support.
If your question does not require an urgent answer, you can discuss it with Kaspersky experts and other users in
our Forum.
In the Forum, you can view existing topics, post your own comments, and create new discussion topics.
Contacting Technical Support
If you cannot find a solution to your problem in the documentation or in other sources of information about
Kaspersky Endpoint Security, we recommend that you contact Technical Support. Technical Support will answer
your questions about installing and using Kaspersky Endpoint Security.
Kaspersky provides support for Kaspersky Endpoint Security during the application's life cycle (refer to the
application life cycle page). Before contacting Technical Support, please read the support rules.
By sending a request to Kaspersky Technical Support through the Kaspersky CompanyAccount portal
After you inform Kaspersky Technical Support specialists about your issue, they may ask you to create a trace file.
The trace file allows tracing the process of performing application commands step by step and determining the
stage of application operation at which an error occurs.
Technical Support specialists may also require additional information about the operating system, processes that
are running on the computer, detailed reports on the operation of application components.
While running diagnostics, Technical Support experts may ask you to change application settings by:
Configure individual components of the application by changing special settings that are not accessible
through the standard user interface.
Technical Support experts will provide all the information needed to perform these operations (description of the
sequence of steps, settings to be modified, configuration files, scripts, additional command line functionality,
debugging modules, special-purpose utilities, etc.) and inform you about the scope of data used for purposes of
debugging. The extended diagnostic information is saved on the user's computer. The data is not automatically
transmitted to Kaspersky.
The operations listed above should be performed only under the supervision of Technical Support specialists
by following their instructions. Changing application settings on your own in ways not described in the Online
Help or in Technical Support recommendations can cause slowdowns and crashes of the operating system,
reduce the protection level of your computer, and damage the availability and integrity of information being
processed.
You are personally responsible for the security of the data that is stored on your computer, particularly for
monitoring and restricting access to the data until it is submitted to Kaspersky.
Trace files are stored on the computer as long as the application is in use, and are deleted permanently when the
application is removed.
Trace files, except trace files of Authentication Agent, are stored in the folder %ProgramData%\Kaspersky Lab\KES.21.17\Traces.
Event time.
A description of the event involving command execution by a component of the application and the result of
execution of this command.
Kaspersky Endpoint Security saves user passwords to a trace file only in encrypted form.
SRV.log, GUI.log and ALL.log trace files may store the following information in addition to general data:
Personal data, including the last name, first name, and middle name, if such data is included in the path to files
on the local computer.
Data on the hardware installed on the computer (such as BIOS/UEFI firmware data). This data is written to trace
files when performing Kaspersky Disk Encryption.
The user name and password if they were transmitted openly. This data can be recorded in trace files during
Internet traffic scanning.
The user name and password if they are contained in HTTP headers.
The name of the Microsoft Windows account if the account name is included in a file name.
Your email address or a web address containing the name of your account and password if they are contained
in the name of the object detected.
Websites that you visit and redirects from these websites. This data is written to trace files when the
application scans websites.
Proxy server address, computer name, port, IP address, and user name used to sign in to the proxy server. This
data is written to trace files if the application uses a proxy server.
Remote IP addresses to which your computer established connections.
Message subject, ID, sender's name and address of the message sender's web page on a social network. This
data is written to trace files if the Web Control component is enabled.
Network traffic data. This data is written to trace files if traffic monitoring components are enabled (such as
Web Control).
Data received from Kaspersky servers (such as the version of anti-virus databases).
In addition to general data, the HST.log trace file contains information about the execution of a database and
application module update task.
In addition to general data, the BL.log trace file contains information about events occurring during operation of
the application, as well as data required to troubleshoot application errors. This file is created if the application is
started with the avp.exe –bl parameter.
In addition to general data, the Dumpwriter.log trace file contains service information required for
troubleshooting errors that occur when the application dump file is written.
In addition to general data, the WD.log trace file contains information about events occurring during operation of
the avpsus service, including application module update events.
In addition to general data, the AVPCon.dll.log trace file contains information about events occurring during the
operation of the Kaspersky Security Center connectivity module.
In addition to general data, performance trace files contain information about the load on the processor,
information about the loading time of the operating system and applications, and information about running
processes.
In addition to general data, the AMSI.log trace file contains information about the results of scans performed on
requests from third-party applications.
The trace file mcou.OUTLOOK.EXE.log may contain parts of email messages, including email addresses, in
addition to general data.
Contents of trace files of the Scan from Context Menu component
The shellex.dll.log trace file contains information about completion of the scan task and data required to
debug the application, in addition to general information.
Trace files of the application web plug-in are stored on the computer on which Kaspersky Security Center Web
Console is deployed, in the folder Program Files\Kaspersky Lab\Kaspersky Security Center Web Console\logs.
Trace files of the application web plug-in are named as follows: logs-kes_windows-<type of trace
file>.DESKTOP-<date of file update>.log. Web Console begins writing data after installation and deletes
the trace files after Web Console is removed.
Trace files of the application web plug-in contain the following information in addition to general data:
KLAdmin user password for unlocking the Kaspersky Endpoint Security interface (Password protection).
Temporary password for unlocking the Kaspersky Endpoint Security interface (Password protection).
User name and password for the SMTP mail server (Email notifications).
User name and password for the Internet proxy server (Proxy server).
User name and password for the Change application components task.
Account credentials and paths specified in Kaspersky Endpoint Security tasks and policy properties.
The Authentication Agent trace file is stored in the System Volume Information folder and is named as follows:
KLFDE.{EB2A5993-DFC8-41a1-B050-F0824113A33A}.PBELOG.bin.
In addition to general data, the Authentication Agent trace file contains information about the operation of
Authentication Agent and the actions performed by the user with Authentication Agent.
Application tracing should be performed under the supervision of Kaspersky Technical Support.
3. Use the Enable application tracing toggle to enable or disable tracing of application operation.
With size limitation. Save traces to a limited number of file sets of limited size and overwrite the older files
when the maximum size is reached. If this mode is selected, you can define the maximum number of file sets
for rotation and the maximum size for each set of files.
By default, the application saves five sets of trace files. The size of each set of files is 3072 MB. This way,
you need 15 GB of free disk space to save the trace files.
7. To stop the tracing process, return to the Support Tools window and disable tracing.
You can also create trace files when installing the application from the command line, including by using the
setup.ini file.
Kaspersky Endpoint Security automatically deletes trace files when the application is removed. You can also delete
the files manually. To do so, you must disable tracing and stop the application.
Application tracing should be performed under the supervision of Kaspersky Technical Support.
3. Use the Enable performance tracing toggle to enable or disable tracing of application performance.
With size limitation. Save traces to a limited number of files of limited size and overwrite the older files
when the maximum size is reached. If this mode is selected, you can define the maximum size for each file.
Light. Kaspersky Endpoint Security analyzes the most important operating system processes related to
performance.
Detailed. Kaspersky Endpoint Security analyzes all operating system processes related to performance.
Basic information. Kaspersky Endpoint Security analyzes processes while the operating system is running.
Use this tracing type if a problem persists after the operating system is loaded, such as a problem accessing
the Internet in the browser.
On restart. Kaspersky Endpoint Security analyzes processes only while the operating system is loading.
After the operating system is loaded, Kaspersky Endpoint Security stops tracing. Use this tracing type if the
problem is related to delayed loading of the operating system.
8. To stop the tracing process, return to the Support Tools window and disable tracing.
Dump writing
A dump file contains all information about the working memory of Kaspersky Endpoint Security processes at the
moment when the dump file was created.
Saved dump files may contain confidential data. To control access to data, you must independently ensure the
security of dump files.
Dump files are stored on the computer as long as the application is in use, and are deleted permanently when the
application is removed. Dump files are stored in the folder %ProgramData%\Kaspersky Lab\KES.21.17\Traces.
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
6. In the window that opens, use the Enable dump writing check box to enable or disable application dump
writing.
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Debug information block, use the Enable dump writing check box to enable or disable application
dump writing.
1. In the main application window, click the button.
3. In the Debug information block, use the Enable dump writing check box to enable or disable application
dump writing.
If protection of dump files and trace files is enabled, the files can be accessed by the following users:
Dump files can be accessed by the system administrator and local administrator, and by the user that enabled
the writing of dump files and trace files.
Trace files can be accessed only by the system administrator and local administrator.
How to enable protection of dump files and trace files in the Administration Console (MMC)
1. Open the Kaspersky Security Center Administration Console.
3. Select the necessary policy and double-click to open the policy properties.
6. In the window that opens, use the Enable dump and trace files protection check box to enable or disable
file protection.
How to enable protection of dump files and trace files in Web Console and Cloud Console
1. In the main window of the Web Console, select Devices → Policies & profiles.
5. In the Debug information block, use the Enable dump and trace files protection check box to enable or
disable file protection.
How to enable protection of dump files and trace files in the application interface
1. In the main application window, click the button.
3. In the Debug information block, use the Enable dump and trace files protection check box to enable or
disable file protection.
Dump files and trace files that were written while protection was active remain protected even after this function
is disabled.
Limitations and warnings
Kaspersky Endpoint Security has a number of limitations that are not critical to operation of the application.
For details about support for the Microsoft Windows 10, Microsoft Windows Server 2016 and Microsoft
Windows Server 2019 operating systems, please refer to the Technical Support Knowledge Base.
For details about support for the Microsoft Windows 11 and Microsoft Windows Server 2022 operating
systems, please refer to the Technical Support Knowledge Base.
After being installed to an infected computer, the application does not inform the user about the need to
run a computer scan. You may experience problems activating the application. To resolve these problems,
start a Critical Areas Scan.
If non-ASCII characters (for example, Russian letters) are used in the setup.ini and setup.reg files, you are
advised to edit the file using notepad.exe and to save the file in UTF-16LE encoding. Other encodings are
not supported.
The application does not support the use of non-ASCII characters when specifying the application
installation path in the installation package settings.
When application settings are imported from a CFG file, the value of the setting that defines participation
in Kaspersky Security Network is not applied. After importing the settings, please read the text of the
Kaspersky Security Network Statement and confirm your consent to participate in Kaspersky Security
Network. You can read the text of the Statement in the application interface or in the ksn_*.txt file located
in the folder containing the application distribution kit.
If you want to remove and then re-install encryption (FLE or FDE) or the Device Control component, you
must restart the system before reinstallation.
When using the Microsoft Windows 10 operating system, you must restart the system after removing the
File Level Encryption (FLE) component.
When removing individual application components (for example, using the Change application components
task), a computer restart may be required.
Installation of the application may end with an error stating An application whose name is missing or
unreadable is installed on your computer. This means that incompatible applications or fragments of them
remain on your computer. To remove artifacts of incompatible applications, send a request with a detailed
description of the situation to Kaspersky Technical Support via Kaspersky CompanyAccount.
If you canceled removal of the application, start its recovery after the computer restarts.
The application requires Microsoft .NET Framework 4.0 or later. Microsoft .NET Framework 4.6.1 has
vulnerabilities. If you are using Microsoft .NET Framework 4.6.1, you must install security updates. For details
about Microsoft .NET Framework security updates, refer to the Microsoft Technical Support website.
If the application is unsuccessfully installed with the Kaspersky Endpoint Agent component selected in a
server operating system and the Windows Installer Coordinator Error window appears, refer to the
instructions on the Microsoft support website.
If the application was installed locally in non-interactive mode, use the provided setup.ini file to replace the
installed components.
After Kaspersky Endpoint Security for Windows is installed in some configurations of Windows 7, Windows
Defender continues to operate. You are advised to manually disable Windows Defender to prevent
degraded system performance.
When installing Kaspersky Endpoint Security for Windows on a server with installed Kaspersky Security for
Windows Server (KSWS) and Windows Defender applications, you must restart the system. A system
restart is necessary even if you have enabled application installation without system restart. Windows
Defender for Windows Server is included in the list of software that is incompatible with Kaspersky
Endpoint Security for Windows. Before installing the application, the installer removes Windows Defender
for Windows Server. Removing incompatible software makes a system restart necessary.
Before installing Kaspersky Endpoint Security for Windows (KES) on a server with Kaspersky Security for
Windows Server (KSWS) installed, you must turn off KSWS Password Protection. After migrating from
KSWS to KES, enable Password Protection in the application settings.
To install the application on computers running Windows 7 or Windows Server 2008 R2 with Veeam Backup
& Replication software deployed, you may need to reboot your computer and run the installation again.
Migration from Kaspersky Small Office Security (KSOS) to Kaspersky Endpoint Security (KES) with
Password Protection enabled is available starting with KSOS build 21.16.*.*. To migrate earlier versions of
KSOS, you must disable Password Protection or manually remove KSOS. Migration from KSOS to KES with
disabled Password Protection is performed correctly.
Starting from 11.0.0 application version, you can install Kaspersky Endpoint Security for Windows MMC
plugin on top of the previous plugin version. To return to a previous plugin version, delete the current plugin
and install a previous version of the plugin.
When upgrading Kaspersky Endpoint Security 11.0.0 or 11.0.1 for Windows, the local task schedule settings
for the Update, Critical Areas Scan, Custom Scan, and Integrity Check tasks are not saved.
On computers running Windows 10 version 1903 and 1909, upgrades from Kaspersky Endpoint Security 10
for Windows Service Pack 2 Maintenance Release 3 (build 10.3.3.275), Service Pack 2 Maintenance Release
4 (build 10.3.3.304), 11.0.0 and 11.0.1 with the File Level Encryption (FLE) component installed may end with an
error. This is because file encryption is not supported for these versions of Kaspersky Endpoint Security
for Windows in Windows 10 version 1903 and 1909. Prior to installing this upgrade, you are advised to
remove the file encryption component.
The application requires Microsoft .NET Framework 4.0 or later. Microsoft .NET Framework 4.6.1 has
vulnerabilities. If you are using Microsoft .NET Framework 4.6.1, you must install security updates. For details
about Microsoft .NET Framework security updates, refer to the Microsoft Technical Support website.
When upgrading Kaspersky Endpoint Security, the application disables the use of KSN until the Kaspersky
Security Network Statement is accepted. In addition, the computer status can be changed to Critical in
Kaspersky Security Center; the event KSN servers are unavailable is received. If you use Kaspersky
Managed Detection and Response, you will receive events about violations in the operation of the solution.
The use of KSN is required for the operation of Kaspersky Managed Detection and Response. Kaspersky
Endpoint Security enables the use of KSN after applying the policy in which the administrator accepts the
KSN terms of use. Once the Kaspersky Security Network Statement is accepted, Kaspersky Endpoint
Security resumes its operation.
After upgrading Kaspersky Endpoint Security to version 11.10.0 or later without a restart, the computer will
have two Kaspersky Endpoint Security applications installed. Do not manually remove the previous version
of the application. The previous version will be removed automatically when the computer is restarted.
After upgrading Kaspersky Endpoint Security on a computer running Microsoft Windows 11, the file context
menu may display items for both previous and new application versions. Restart your computer twice to
ensure the correct operation of the file context menu.
If the application's Self-Defense is turned off and all network adapters are stopped, the network
components of the application will not work between the end of the application upgrade and the restart of
the computer. The network components of the application include Web Threat Protection, Mail Threat
Protection, Network Threat Protection, Firewall, Host Intrusion Prevention, and Web Control. Restart the
computer for the application to work correctly.
The BadUSB Attack Prevention component does not work between the end of the application upgrade
and the restart of the computer. Restart the computer for the application to work correctly.
It is not possible to upgrade the application if you skipped restarting the computer after the previous
upgrade. Restart the computer for the application to work correctly.
After the application is upgraded from versions earlier than Kaspersky Endpoint Security 11 for Windows,
the computer must be restarted.
The ReFS file system is supported with limitations:
Kaspersky Endpoint Security may process threat disinfection events incorrectly. For example, if the
application has deleted a malicious file, the report might have an Object not processed entry. At the
same time, Kaspersky Endpoint Security disinfects threats in accordance with application settings.
Kaspersky Endpoint Security can also create a duplicate of the Object will be disinfected on restart
event for the same object.
File Threat Protection may skip some threats. At the same time, Malware Scan works correctly.
After the Malware Scan task is started, the exclusions added with iChecker are reset when the server is
rebooted.
The iSwift technology is not supported. Kaspersky Endpoint Security does not consider scan
exclusions added using the iSwift technology.
Kaspersky Endpoint Security does not detect eicar.com and susp-eicar.com files if the meicar.exe file
existed on the computer before Kaspersky Endpoint Security was installed.
Kaspersky Endpoint Security may incorrectly display threat disinfection notifications. For example, the
application may display a threat notification for a previously disinfected threat.
File Level Encryption (FLE) and Kaspersky Disk Encryption (FDE) technologies are not supported on server
platforms. At the same time, Kaspersky Endpoint Security may incorrectly process data encryption events.
In server operating systems, no warning is displayed regarding the need for advanced disinfection.
Microsoft Windows Server 2008 was excluded from support. Installing the application on a computer
running the Microsoft Windows Server 2008 operating system is not supported.
Kaspersky Endpoint Security installed on a server with Microsoft Data Protection Manager (DPM) deployed
can cause DPM to malfunction. It is related to limitations in DPM operation. To eliminate malfunctions, you
should add local server drives to exclusions for File Threat Protection component and Malware Scan tasks.
The local graphical user interface is not available, including notifications, pop-up notifications, and other
interface controls. The application cannot display prompt windows, including the following windows:
The following components are not available: Web Threat Protection, Mail Threat Protection, Web
Control, BadUSB Attack Prevention.
You can only accept the Kaspersky Security Network Statement in the application policy in the
Kaspersky Security Center console.
BitLocker Drive Encryption is only available with a Trusted Platform Module (TPM). A PIN / password
cannot be used for encryption because the application is unable to display the password prompt
window for preboot authentication. If the operating system has Federal Information Processing
standard (FIPS) compatibility mode enabled, connect a removable drive for saving the encryption key
before you begin encrypting the drive.
Kaspersky Endpoint Security disinfects active threats without notifying the user, just like when
disinfecting active threats on servers. Because the operating system continues to run in multi-session
mode, other active users may lose their data if the threat is not immediately resolved.
Using Kaspersky Endpoint Security with removable drives is not supported. The Microsoft Azure
infrastructure defines removable drives as network drives.
Installation and use of file level encryption (FLE) on Citrix virtual platforms is not supported.
To support compatibility of Kaspersky Endpoint Security for Windows with Citrix PVS, perform installation
with the Ensure compatibility with Citrix PVS option enabled. This option can be enabled in the Setup
Wizard or by using the command line parameter /pCITRIXCOMPATIBILITY=1. In case of remote
installation, the KUD file must be edited by adding the following parameter to it:
/pCITRIXCOMPATIBILITY=1.
Citrix XenDesktop. Before starting cloning, you must disable Self-Defense to clone virtual machines that
use vDisk.
When preparing a template machine for the Citrix XenDesktop master image with pre-installed Kaspersky
Endpoint Security for Windows and Kaspersky Security Center Network Agent, add the following types of
exclusions to the configuration file:
[Rule-Begin]
Type=File-Catalog-Construction
Action=Catalog-Location-Guest-Modifiable
name="%ALLUSERSPROFILE%\Kaspersky Lab\**\*"
name="%ALLUSERSPROFILE%\KasperskyLab\**\*"
[Rule-End]
For details about Citrix XenDesktop, visit the Citrix Support website.
In some cases, an attempt to safely disconnect a removable drive may be unsuccessful on a virtual
machine that is deployed on a VMware ESXi hypervisor. Attempt to safely disconnect the device once
again.
Compatibility with Kaspersky Security Center
In Kaspersky Security Center Web Console version 14.1 and earlier, the names of functional areas for Log
Inspection and File Integrity Monitor components are not correctly displayed in the user access
permissions settings section of Administration Server properties.
Kaspersky Security Center Linux provides limited support of Kaspersky Endpoint Security. For more details
on support limitations, refer to the Kaspersky Security Center Linux 14.2 Help or Kaspersky Security
Center Linux 15 Help.
After repairing the application, the protection of the computer's connection to the Administration Server
is disabled. After repairing the application, run the Administration Server connection protection task again.
Licensing
If the Error receiving data system message is displayed, verify that the computer on which you are
performing activation has network access, or configure the activation settings via Kaspersky Security
Center Activation Proxy.
The application cannot be activated by subscription via the Kaspersky Security Center if the license has
expired or if a trial license is active on the computer. To replace a trial license or a soon-to-be expired
license with a subscription license, use the license distribution task.
In the application interface, the license expiration date is displayed in the local time of the computer.
Installation of the application with an embedded key file on a computer that has unstable Internet access
may result in the temporary display of events stating that the application is not activated or that the
license does not permit component operation. This is because the application first installs and attempts to
activate the embedded trial license, which requires Internet access for activation during the installation
procedure.
During the trial period, installation of any application upgrade or patch on a computer that has unstable
Internet access may result in the temporary display of events stating that the application is not activated.
This is because the application once again installs and attempts to activate the embedded trial license,
which requires Internet access for activation when installing an upgrade.
If the trial license was automatically activated during application installation and then the application was
removed without saving the license information, the application will not be automatically activated with the
trial license when re-installed. In this case, manually activate the application.
If you are using Kaspersky Security Center version 11 and Kaspersky Endpoint Security version 12.5,
component performance reports may work incorrectly. If you installed Kaspersky Endpoint Security
components that are not included in your license, Network Agent may send component status errors to
the Windows Event Log. To avoid errors, remove the components that are not included in your license.
When scanning mail with the Mail Threat Protection extension for Microsoft Outlook, you are advised to
use Cached Exchange Mode (the Use Cached Exchange Mode option).
Kaspersky Endpoint Security does not support the 64-bit version of MS Outlook email client. This means
that Kaspersky Endpoint Security does not scan MS Outlook files (PST and OST files) if a 64-bit version of
MS Outlook is installed on the computer, even if mail is included in the scan scope.
Remediation Engine
The application restores files only on devices that have the NTFS or FAT32 file system.
The application can restore files with the following extensions: odt, ods, odp, odm, odc, odb, doc, docx,
docm, wps, xls, xlsx, xlsm, xlsb, xlk, ppt, pptx, pptm, mdb, accdb, pst, dwg, dxf, dxg, wpd, rtf, wb2, pdf, mdf,
dbf, psd, pdd, eps, ai, indd, cdr, jpg, jpe, dng, 3fr, arw, srf, sr2, bay, crw, cr2, dcr, kdc, erf, mef, mrw, nef, nrw, orf,
raf, raw, rwl, rw2, r3d, ptx, pef, srw, x3f, der, cer, crt, pem, pfx, p12, p7b, p7c, 1cd.
It is not possible to restore files residing on network drives or on rewritable CD/DVD discs.
It is not possible to restore files that were encrypted with the Encryption File System (EFS). For more
details on EFS operation, please visit the Microsoft website.
The application does not monitor modifications to files performed by processes at the level of the
operating system kernel.
The application does not monitor modifications made to files over a network interface (for example, if a file
is stored in a shared folder and a process is started remotely from another computer).
Firewall
Filtration of packets or connections by local address, physical interface, and packet time to live (TTL) is
supported in the following cases:
By local address for outbound packets or connections in application rules for TCP and UDP and packet
rules.
By local address for inbound packets or connections (except UDP) in block application rules and packet
rules.
By packet time to live (TTL) in block packet rules for inbound or outbound packets.
By network interface for inbound and outbound packets or connections in packet rules.
In application versions 11.0.0 and 11.0.1, defined MAC addresses are incorrectly applied. The MAC address
settings for versions 11.0.0, 11.0.1 and 11.1.0 or later are not compatible. After upgrading the application or
plug-in from these versions to version 11.1.0 or later, you must verify and reconfigure the defined MAC
addresses in Firewall rules.
When upgrading the application from versions 11.1.1 and 11.2.0 to version 12.5, the statuses of permissions for
the following Firewall rules are not migrated:
If you con gured a network adapter or packet time to live (TTL) for an allowing packet rule, the priority of
this rule is lower than a blocking application rule. In other words, if network activity is blocked for an
application (for example, the application is in the High Restricted trust group), you cannot allow network
activity of the application by using a packet rule with these settings. In all other cases, the priority of a
packet rule is higher than an application network rule.
When importing Firewall packet rules, Kaspersky Endpoint Security may modify rule names. The application
determines rules with identical sets of general parameters: protocol, direction, remote and local ports,
packet time-to-live (TTL). If this set of general parameters is identical for multiple rules, the application
assigns the same name to those rules or appends a parameter tag to the name. In this way, Kaspersky
Endpoint Security imports all packet rules, but the name of rules that have identical general settings can
be modi ed.
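The renaming described above is driven by the general-parameter set (protocol, direction, remote and local ports, TTL). The following PowerShell is an added example, not part of the Kaspersky documentation or product: it checks a packet-rule set before import and lists the rules that share one general-parameter set, so the administrator knows in advance which names the import will touch. The sample rules are constructed here, and the assumption that the export is a CSV with these column names is only for illustration; a real export must be parsed from whatever format your console produced.

```powershell
# Added example: find packet rules whose general parameters coincide before importing them.
# Sample rule set, constructed for this example (not a real KES export).
# Assumed column layout: Name, Protocol, Direction, RemotePorts, LocalPorts, TTL.
$rules = @'
Name,Protocol,Direction,RemotePorts,LocalPorts,TTL
Allow DNS,UDP,Outbound,53,*,
Allow DNS (backup resolver),UDP,Outbound,53,*,
Block telnet,TCP,Inbound,*,23,
Block telnet (TTL-limited),TCP,Inbound,*,23,64
Allow HTTPS,TCP,Outbound,443,*,
'@ | ConvertFrom-Csv

function Find-CollidingPacketRules {
    param([Parameter(Mandatory)][object[]]$Rules)

    # The general parameters named in the help text form the grouping key.
    # A blank TTL is a distinct value from a set TTL, so "Block telnet" and
    # "Block telnet (TTL-limited)" do NOT collide; the two DNS rules do.
    $Rules |
        Group-Object -Property Protocol, Direction, RemotePorts, LocalPorts, TTL |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                GeneralParameters = $_.Name            # "Protocol, Direction, RemotePorts, LocalPorts, TTL"
                CollidingRules    = ($_.Group.Name -join '; ')
                Count             = $_.Count
            }
        }
}

# Rules reported here may be renamed or tagged on import; rename them yourself first
# if you rely on the names elsewhere (reports, change tickets).
Find-CollidingPacketRules -Rules $rules | Format-List
```

With the constructed sample, only the two DNS rules are reported; the two telnet rules differ in TTL and are left alone. Renaming colliding rules yourself before the import keeps the names you expect to see in the Firewall report.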
If you have enabled application event reporting in a network rule, on moving the application to a different
trust group, the restrictions of this trust group will not be applied. Thus, if the application is in the Trusted
trust group, it will have no network restrictions. Then you enabled event reporting for this application and
moved it to the Untrusted trust group. Firewall will not enforce network restrictions for this application. We
recommend that you rst move the application to the appropriate trust group and then enable event
reporting. If this method is not suitable, you can manually con gure restrictions for the application in the
network rule settings. The restriction applies only to the local interface of the application. Moving the
application between trust groups in the policy works correctly.
The Firewall and Intrusion Prevention components have common settings: application rights and protected
resources. If you change these settings for Firewall, Kaspersky Endpoint Security automatically applies the
new settings to Intrusion Prevention. If, for example, you have allowed changes to the general settings of
the Firewall policy (the padlock is open), the Intrusion Prevention settings will also become editable.
When a network packet rule is triggered in Kaspersky Endpoint Security 11.6.0 or earlier, the Application
name column in the Firewall report will always display the Kaspersky Endpoint Security value. In addition,
the Firewall will block the connection at packet level for all applications. This behavior has been modified for
Kaspersky Endpoint Security 11.7.0 or later. The Rule type column has been added to the Firewall report.
When a network packet rule is triggered, the value in the Application name column remains empty.
Kaspersky Endpoint Security resets the timeout of USB device lock when the computer is locked (for
example, screen lock timeout elapsed). That is, if you enter a wrong USB device authorization code multiple
times and the application locks the USB device, Kaspersky Endpoint Security allows you to repeat the
authorization attempt after unlocking the computer. In this case, Kaspersky Endpoint Security does not
lock the USB device for a time specified in BadUSB Attack Prevention component settings.
Kaspersky Endpoint Security resets the USB device lock timeout when computer protection is paused.
That is, if you enter a wrong USB device authorization code multiple times and the application locks the
USB device, Kaspersky Endpoint Security allows you to repeat the authorization attempt after resuming
computer protection. In this case, Kaspersky Endpoint Security does not lock the USB device for a time
specified in BadUSB Attack Prevention component settings.
Application Control
Only ZIP format archives are supported when working with Application Control rules in Kaspersky Security
Center Web Console. Archives in other formats, such as RAR or 7z, are not supported. There is no such
restriction if you work with Application Control rules in the Administration Console (MMC).
When working with Application Control rules in Kaspersky Security Center Web Console, the maximum
supported size of an uploaded file is 104 MB. There is no such restriction if you work with Application
Control rules in the Administration Console (MMC).
When working in Microsoft Windows 10 in application denylist mode, block rules may be incorrectly applied,
which could cause blocking of applications that are not specified in rules.
When progressive web apps (PWA) are blocked by the Application Control component, appManifest.xml is
indicated as the blocked app in the report.
When adding the standard Notepad application to an Application Control rule for Windows 11, it is not
recommended to specify the path to the application. On computers running Windows 11, the operating
system uses Metro Notepad located in the folder C:\Program
Files\WindowsApps\Microsoft.WindowsNotepad*\Notepad\Notepad.exe. In previous versions of the
operating system, Notepad is located in the following folders:
C:\Windows\notepad.exe
C:\Windows\System32\notepad.exe
C:\Windows\SysWOW64\notepad.exe
When adding Notepad to an Application Control rule, you can instead specify the application name and the file hash, taken from the properties of the running application, for example.
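The following PowerShell is an added example (not code from the Kaspersky documentation) of collecting the data for a hash-based rule instead of a path-based one. It tries the four Notepad locations listed above, expands the WindowsApps wildcard, and prints the file name, version information and SHA-256 hash for each binary found; it also shows the route the help text recommends, reading the hash from the Notepad process that is actually running. That the rule condition accepts a SHA-256 hash is an assumption; check the condition type offered by your rule editor.

```powershell
# Added example: gather Application Control rule-condition data for Notepad.
# Candidate locations from the help text. The WindowsApps entry is a wildcard
# because the package folder name carries the app version.
$candidates = @(
    'C:\Windows\notepad.exe',
    'C:\Windows\System32\notepad.exe',
    'C:\Windows\SysWOW64\notepad.exe',
    'C:\Program Files\WindowsApps\Microsoft.WindowsNotepad*\Notepad\Notepad.exe'
)

function Get-NotepadRuleConditions {
    param([string[]]$Paths = $candidates)

    $found = foreach ($pattern in $Paths) {
        # Misses are expected: the legacy paths do not exist on Windows 11, and
        # WindowsApps is ACL-protected, so wildcard listing may be denied even
        # for administrators. Use Get-RunningNotepadHash in that case.
        Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue
    }

    foreach ($file in $found) {
        # Assumption: SHA-256 is the hash algorithm the rule condition accepts.
        $hash = Get-FileHash -Path $file.FullName -Algorithm SHA256
        [pscustomobject]@{
            Path        = $file.FullName
            FileName    = $file.Name
            FileVersion = $file.VersionInfo.FileVersion
            Product     = $file.VersionInfo.ProductName
            SHA256      = $hash.Hash
        }
    }
}

# Route recommended by the help text: hash the binary that is actually running.
# Start Notepad first; on Windows 11 the path resolves into WindowsApps.
function Get-RunningNotepadHash {
    Get-Process -Name notepad -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Path -Unique |
        ForEach-Object {
            $h = Get-FileHash -Path $_ -Algorithm SHA256
            [pscustomobject]@{ Path = $_; SHA256 = $h.Hash }
        }
}

Get-NotepadRuleConditions | Format-Table -AutoSize
Get-RunningNotepadHash    | Format-Table -AutoSize
```

A hash condition pins the rule to one build of the binary, so it has to be refreshed when Notepad is updated through the Store; a name condition alone is weaker but survives updates. Which trade-off is right depends on whether the rule is an allow or a deny.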
Device Control
Access to Printer devices that were added to the trusted list is blocked by device and bus blocking rules.
For MTP devices, control of Read, Write, and Connect operations is supported if you are using the built-in
Microsoft drivers of the operating system. If a user installs a custom driver for working with a device (for
example, as part of iTunes or Android Debug Bridge), control of Read and Write operations may not work.
When working with MTP devices, access rules are changed after reconnecting the device.
The Device Control component registers events related to monitored devices, such as connection and
disconnection of a device, reading a file from a device, writing a file to a device, and other events.
Kaspersky Endpoint Security registers disconnection events only for the following device types: Portable
devices (MTP), Removable drives, Floppy disks, CD/DVD drives. For other device types, the application
does not register disconnection events. The application registers the operation of connecting a device to
a computer for all device types.
If you are adding a device to the trusted list based on a model mask and use characters that are included in
the ID but not in the model name, these devices are not added. On a workstation, these devices will be
added to the trusted list based on an ID mask.
When the application is upgraded without computer restart, Device Control does not apply access rules to
devices that are reconnected. However, if the device was connected before the upgrade, Device Control
applies the rules correctly. Restart the computer for the application to work correctly with devices that are
reconnected.
On computers with Kaspersky Endpoint Security version 12.0 installed, the Allow and do not log printer
access mode for the Network printers device type is called Depends on connection bus, if Kaspersky
Endpoint Security version 12.1 policy is applied on the computer. In these modes the application performs
the same actions. In Kaspersky Endpoint Security version 12.1, the access mode for network printers is
correctly named Allow and do not log.
Starting with Kaspersky Endpoint Security 12.0 for Windows, the application allows con guring printing
rules for printers (printing control). After installing the application with printing control or upgrading the
application to a version with printing control, you must restart the computer. Until the computer is
restarted, Kaspersky Endpoint Security does not apply printing rules and can only control access to
printers. If restarting the computer adversely a ects work ows in your organization, you can restart just
the spoolsv service (Print Spooler).
Starting with Kaspersky Endpoint Security for Windows version 12.0, the WPA3 protocol is supported by
the application for Wi-Fi type devices. If a Kaspersky Endpoint Security version 12.2 policy is applied on a
computer, the WPA2 protocol is selected on computers with Kaspersky Endpoint Security version 11.11.0
and earlier; WPA2 / WPA3 is selected for versions 12.0 to 12.1; WPA3 is selected for versions 12.2 and later.
Apple devices are classi ed as portable devices (MTP) and iTunes devices. The operating system can
incorrectly identify the connection of the Apple device and not determine the Apple device as a portable
device (MTP). Therefore the Apple device will be unavailable in the file manager, but accessible in the iTunes
application. As a result, Kaspersky Endpoint Security will control access to the Apple device in the iTunes
application only. To access your Apple device as a portable device (MTP), you need to go to Device
Manager and remove the Apple Mobile Device USB Driver from the USB Controllers list. After computer
restart, the operating system will identify the Apple device as a portable device (MTP) and iTunes device.
Kaspersky Endpoint Security will control access to the device both in the iTunes application and in the file
manager.
In Kaspersky Endpoint Security 12.3 for Windows, access settings are different for the Bluetooth device type. If you specified the Depends on connection bus value in the previous version of the application, then after upgrading the application to version 12.3, the configured value changes to Allow and do not log. This does not alter the behavior of the device.
Device Control supports Bluetooth devices only through the Microsoft Windows Bluetooth stack. Device
Control may function incorrectly with third-party Bluetooth stacks.
If the Bluetooth device hides or spoofs its Class of Device (COD), Device Control may function incorrectly.
On Windows 7 or Windows 8 computers with certain Realtek Bluetooth dongle drivers, it may not be
possible to only allow connecting Bluetooth devices as input devices (HID class). That is, if you prohibit
access to Bluetooth devices in application settings and add input devices to exclusions, Device Control
may prevent access to all Bluetooth devices instead.
Web Control
It is recommended to create exclusions automatically based on the event. When manually adding an
exclusion, add the * character to the beginning of the path when specifying the target object.
An Adaptive Anomaly Control Rules report cannot be generated if the sample includes even one event
whose name contains more than 260 characters.
Adding exclusions from Adaptive Anomaly Control Triggering of Rules repository is not supported if the
properties of an object or a process have a value consisting of more than 256 characters (for example,
path to target object). You can add an exclusion manually in the Policy settings. You can also add an
exclusion in the Report on triggered Adaptive Anomaly Control rules.
After installing the application, you must restart the operating system for hard drive encryption to work
properly.
The Authentication Agent does not support ideographic characters (for example, CJK scripts) or the special characters | and \.
For optimal computer performance after encryption, it is required that the processor supports AES-NI
instruction set (Intel Advanced Encryption Standard New Instructions). If the processor does not support
AES-NI, computer performance might decrease.
When there are processes that attempt to access encrypted devices before the application has granted
access to such devices, the application shows a warning stating that such processes must be terminated.
If the processes cannot be terminated, re-connect the encrypted devices.
The unique IDs of hard drives are displayed in the device encryption statistics in inverted format.
When multiple removable drives are simultaneously connected to a computer, the encryption policy can be
applied to only one removable drive. When the removable devices are reconnected, the encryption policy is
applied correctly.
Encryption may fail to start on a heavily fragmented hard drive. Defragment the hard drive.
When hard drives are encrypted, hibernation is blocked from the time when the encryption task starts until the first restart of a computer running Microsoft Windows 7/8/8.1/10, and after installation of hard drive encryption until the first restart of Microsoft Windows 8/8.1/10 operating systems. When hard drives are decrypted, hibernation is blocked from the time when the boot drive is fully decrypted until the first restart of the operating system. When the Quick Start option is enabled in Microsoft Windows 8/8.1/10, blocking of hibernation prevents you from shutting down the operating system.
Windows 7 computers do not allow changing the password during recovery when the disk is encrypted with BitLocker technology. After the recovery key is entered and the operating system is loaded, Kaspersky Endpoint Security will not prompt the user to change the password or PIN code. Thus, it is impossible to set a new password or PIN code. This issue stems from the peculiarities of the operating system. To continue, you need to re-encrypt the hard drive.
It is not recommended to use the xbootmgr.exe tool with additional providers enabled. For example,
Dispatcher, Network, or Drivers.
Formatting an encrypted removable drive is not supported on a computer that has Kaspersky Endpoint
Security for Windows installed.
Formatting an encrypted removable drive with the FAT32 file system is not supported (the drive is displayed as encrypted). To format a drive, reformat it to the NTFS file system.
For details on restoring an operating system from a backup copy to an encrypted GPT device, visit the Technical Support Knowledge Base.
It is impossible to access a removable drive that was previously encrypted on a di erent computer when all
of the following conditions are simultaneously met:
Discovery of USB devices by the Authentication Agent may not be supported when xHCI mode for USB is
enabled in BIOS settings.
Kaspersky Disk Encryption (FDE) for the SSD part of a device that is used for caching the most frequently
used data is not supported for SSHD devices.
Encryption of hard drives in 32-bit Microsoft Windows 8/8.1/10 operating systems running in UEFI mode is
not supported.
Hard drive encryption is not compatible with Kaspersky Anti-Virus for UEFI. It is not recommended to use
hard drive encryption on computers that have Kaspersky Anti-Virus for UEFI installed.
Creating Authentication Agent accounts based on Microsoft accounts is supported with the following
limitations:
Automatic creation of Authentication Agent accounts is not supported if the option to create
accounts for users who log in to the system in the last N days is selected.
If the name of an Authentication Agent account has the format <domain>/<Windows account name>,
after changing the computer name you need to also change the names of accounts that were created for
local users of this computer. For example, imagine that there is a local user Ivanov on the Ivanov
computer, and an Authentication Agent account with the name Ivanov/Ivanov has been created for this
user. If the computer name Ivanov has been changed to Ivanov-PC, you need to change the name of the
Authentication Agent account for the user Ivanov from Ivanov/Ivanov to Ivanov-PC/Ivanov. You
can change the account name using the local account management task of the Authentication Agent.
Before the name of the account has been changed, authentication in the preboot environment is possible
using the old name (for example, Ivanov/Ivanov).
If a user is allowed to access a computer that was encrypted using Kaspersky Disk Encryption technology
only by using a token and this user needs to complete the access recovery procedure, make sure that this
user is granted password-based access to this computer after access to the encrypted computer has
been restored. The password that the user set when restoring access might not be saved. In this case, the
user will have to complete the procedure for restoring access to the encrypted computer again the next
time the computer is restarted.
When decrypting a hard drive using the FDE Recovery Tool, the decryption process may end with an error
if data on the source device is overwritten with the decrypted data. Part of the data on the hard drive will
remain encrypted. It is recommended to choose the option to save decrypted data to a le in the device
decryption settings when using the FDE Recovery Tool.
If the Authentication Agent password has been changed, a message containing the text Your password has
been changed successfully. Click OK appears and the user restarts the computer, the new password is not
saved. The old password must be used for subsequent authentication in the preboot environment.
In some cases, when attempting to decrypt an encrypted drive using the FDE Recovery Tool, the tool
mistakenly detects the device status as "unencrypted" after the "Request-Response" procedure is
completed. The tool's log shows an event stating that the device was successfully decrypted. In this case,
you must restart the data recovery procedure to decrypt the device.
After the Kaspersky Endpoint Security for Windows plug-in is updated in the Web Console, the client
computer properties do not show the BitLocker recovery key until the Web Console service is restarted.
To see the other limitations of full disk encryption support and a list of devices for which encryption of hard drives is supported with restrictions, please refer to the Technical Support Knowledge Base.
File and folder encryption is not supported in operating systems of the Microsoft Windows Embedded
family.
Once you have installed the application, you must restart the operating system for file and folder
encryption to work properly.
The application supports file encryption only on devices with NTFS and FAT32 file systems. If an encrypted file is transferred to a device with an unsupported file system (for example, exFAT), the file on that device will not be encrypted and will be available for modification.
If an encrypted file is stored on a computer that has available encryption functionality and you access the file from a computer where encryption is not available, direct access to this file will be provided. An encrypted file that is stored in a network folder on a computer that has available encryption functionality is copied in decrypted form to a computer that does not have available encryption functionality.
You are advised to decrypt files that were encrypted with Encrypting File System before encrypting files with Kaspersky Endpoint Security for Windows.
If an unpacked file from an encrypted archive has the same name as an already existing file on your computer, the latter will be overwritten by the new file that is unpacked from an encrypted archive. The user is not notified about the overwrite operation.
Before you unpack an encrypted archive, make sure you have enough free disk space to accommodate the unpacked files. If you do not have enough disk space, the archive unpacking may be completed but the files may be corrupted. In this case, it is possible that Kaspersky Endpoint Security does not display any error messages.
The Portable File Manager interface does not display messages about errors that occur during its
operation.
Kaspersky Endpoint Security for Windows does not start the Portable File Manager on a computer that
has the File Level Encryption component installed.
You cannot use the Portable File Manager to access a removable drive if the following conditions are true
simultaneously:
Access is impossible even if you know the password of the Portable File Manager.
When file encryption is used, the application is incompatible with the Sylpheed mail client.
Kaspersky Endpoint Security for Windows does not support the rules of restriction of access to encrypted files for some applications. This is due to the fact that some file operations are performed by a third-party application. For example, file copying is performed by the file manager, not by the application itself. In this way, if access to encrypted files is denied to the Outlook mail client, Kaspersky Endpoint Security will allow the mail client to access the encrypted file if the user has copied files to the email message via the clipboard or using the drag-and-drop function. The copy operation was performed by a file manager, for which the rules of restriction of access to encrypted files are not specified, i.e. the access is allowed.
When removable drives are encrypted with portable mode support, password age control cannot be
disabled.
Changing the pagefile settings is not supported. The operating system uses the default values instead of
the speci ed parameter values.
Use safe removal when working with encrypted removable drives. We cannot guarantee data integrity if the
removable drive is not safely removed.
After files are encrypted, their non-encrypted originals are securely deleted.
Synchronization of offline files using Client-Side Caching (CSC) is not supported. It is recommended to prohibit offline management of shared resources at the group policy level. Files that are in offline mode can be edited. After synchronization, changes made to an offline file may be lost. For details regarding support for Client-Side Caching (CSC) when using encryption, please refer to the Technical Support Knowledge Base.
Creation of an encrypted archive in the root of the system hard drive is not supported.
You may experience problems when accessing encrypted files over the network. You are advised to move the files to a different source or make sure that the computer being used as a file server is managed by the same Kaspersky Security Center Administration Server.
Changing the keyboard layout may cause the password entry window for an encrypted self-extracting
archive to hang. To solve this problem, close the password entry window, switch the keyboard layout in your
operating system, and re-enter the password for the encrypted archive.
When file encryption is used on systems that have multiple partitions on one disk, you are advised to use the option that automatically determines the size of the pagefile.sys file. After the computer restarts, the pagefile.sys file may move between disk partitions.
After applying file encryption rules, including files in the My Documents folder, make sure that users for whom encryption has been applied can successfully access encrypted files. To do so, have each user sign in to the system when a connection to Kaspersky Security Center is available. If a user attempts to access encrypted files without a connection to Kaspersky Security Center, the system may hang.
If system files are somehow included in the scope of file level encryption, events regarding errors when encrypting these files may appear in reports. The files specified in these events are not actually encrypted.
Case-sensitive paths are not supported. When encryption rules or decryption rules are applied, the paths
in product events are displayed in lowercase.
It is not recommended to encrypt files that are used by the system on startup. If these files are encrypted, an attempt to access encrypted files without a connection to Kaspersky Security Center may cause the system to hang or result in prompts for access to unencrypted files.
If users jointly work with a file over the network under FLE rules via applications that use the file-to-memory mapping method (such as WordPad or FAR) and applications designed for working with large files (such as Notepad++), the file in unencrypted form may be blocked indefinitely without the capability to access it from the computer on which it resides.
Kaspersky Endpoint Security does not encrypt files that are located in OneDrive cloud storage or in other folders that have OneDrive as their name. Kaspersky Endpoint Security also blocks the copying of encrypted files to OneDrive folders if those files are not added to the decryption rule.
When the file level encryption component is installed, management of users and groups does not work in WSL mode (Windows Subsystem for Linux).
When the file level encryption component is installed, POSIX (Portable Operating System Interface) for renaming and deleting files is not supported.
It is not recommended to encrypt temporary files, as this can cause data loss. For example, Microsoft Word creates temporary files when processing a document. If temporary files are encrypted, but the original file is not, the user may receive an Access Denied error when trying to save the document. Additionally, Microsoft Word might save the file, but it will not be possible to open the document the next time, i.e. the data will be lost. To prevent data loss, you need to exclude the temporary files folder from encryption rules.
After updating Kaspersky Endpoint Security for Windows version 11.0.1 or earlier, to access encrypted files after restarting the computer, make sure that the Network Agent is running. Network Agent has a delayed startup, so you cannot access the encrypted files immediately after the operating system loads. There is no need to wait for the Network Agent to start after the next computer startup.
You cannot scan an object quarantined as a result of the Move file to Quarantine task.
It is not possible to quarantine an Alternate Data Stream (ADS) that is larger than 4 MB. Kaspersky
Endpoint Security skips any ADS this large without notifying the user.
Kaspersky Endpoint Security does not run IOC Scan tasks on network drives if the folder path in the task
properties begins with a drive letter. Kaspersky Endpoint Security supports only the UNC path format for
IOC Scan tasks on network drives. For example, \\server\shared_folder.
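A mapped drive letter such as Z: is the usual way a drive-letter path ends up pointing at a network share. The following PowerShell is an added example (not code from the Kaspersky documentation) that normalizes a folder path before it is entered into an IOC Scan task: UNC paths pass through, a drive letter mapped to a network drive is rewritten to the UNC target recorded in Win32_LogicalDisk.ProviderName, and a local disk keeps its drive-letter form. It assumes the script runs in the session that owns the mapping, since mapped drives are per-user.

```powershell
# Added example: normalize a folder path for an IOC Scan task.
# Drive-letter paths on network drives are not scanned, so resolve them to UNC.
function ConvertTo-IocScanPath {
    param([Parameter(Mandatory)][string]$Path)

    # Already UNC (\\server\share...): return unchanged.
    if ($Path -match '^\\\\[^\\]+\\[^\\]+') { return $Path }

    if ($Path -match '^([A-Za-z]):(\\.*)?$') {
        $letter = $Matches[1].ToUpper() + ':'
        $rest   = if ($Matches[2]) { $Matches[2] } else { '' }

        # Mapped drives are per-user: the query only sees mappings of this session.
        $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$letter'"
        if ($null -eq $disk) { throw "Drive $letter is not present in this session." }

        # DriveType 4 = Network Drive; ProviderName holds the \\server\share target.
        if ($disk.DriveType -eq 4) {
            return $disk.ProviderName.TrimEnd('\') + $rest
        }
        return $Path   # local fixed or removable disk: drive-letter form is accepted
    }
    throw "Unrecognized path format: $Path"
}

# Usage with constructed inputs. Results depend on the mappings present on the host.
ConvertTo-IocScanPath -Path '\\server\shared_folder\ioc'   # returned unchanged
ConvertTo-IocScanPath -Path 'C:\Temp\ioc'                  # local disk, returned unchanged
try {
    ConvertTo-IocScanPath -Path 'Z:\ioc'                   # \\server\share\ioc when Z: is mapped there
} catch {
    Write-Warning $_                                       # Z: not mapped in this session
}
```

If the task is created centrally, remember that the administrator's own drive mappings are irrelevant: the path is evaluated on the target computer, so only the UNC form is safe to put in the task.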
An import of an application configuration file ends with an error if the integration with Kaspersky Sandbox setting is enabled in the configuration file. Prior to exporting application settings, disable Kaspersky Sandbox. Then perform the export/import procedure. After importing the configuration file, enable Kaspersky Sandbox.
When an indicator of compromise is detected while running the IOC Scan task, the application quarantines
a file only for the FileItem term. Quarantining a file for other terms is not supported.
Kaspersky Endpoint Security for Windows web plug-in 11.7.0 or later is required for managing alert details.
Alert details are necessary when working with Endpoint Detection and Response solutions (EDR Optimum
and EDR Expert). Alert details are available only in Kaspersky Security Center Web Console and Kaspersky
Security Center Cloud Console.
Migrating the [KES+KEA] configuration to [KES+built-in agent] configuration may complete with a Kaspersky Endpoint Agent application removal error. The application removal error is fixed in the latest version of Kaspersky Endpoint Agent. To remove Kaspersky Endpoint Agent, restart the computer and create an application removal task.
The [KES+KEA+built-in agent] configuration is not supported. Such a configuration disrupts the interaction between applications and the Detection and Response solution that is deployed in your organization. In addition, using Kaspersky Endpoint Agent and the built-in agent on the same computer can lead to duplication of telemetry and increased load on the computer and network. After migrating to the [KES + built-in agent] configuration, make sure that Kaspersky Endpoint Agent has been removed from the computer. If Kaspersky Endpoint Agent continues to work after migration, uninstall the application manually (for example, using the Uninstall application remotely task).
The installer allows you to deploy Kaspersky Endpoint Agent on a computer with Kaspersky Endpoint
Security and the built-in agent installed. Kaspersky Endpoint Agent and the built-in agent can also be
installed on one computer as a result of the Change application components task. The behavior depends
on the versions of Kaspersky Endpoint Security and Kaspersky Endpoint Agent.
Kaspersky Endpoint Security for Windows web plug-in 11.7.0 or later is required for managing EDR Optimum
and Kaspersky Sandbox components. Kaspersky Endpoint Security for Windows web plug-in 11.8.0 or later
is required for managing the EDR Expert component. If you created the Change application components
task using a web plug-in that does not support working with these components, the installer will delete
these components on computers with EDR Optimum, EDR Expert or Kaspersky Sandbox installed.
The built-in agent, EDR (KATA), resumes the network isolation of a computer after a computer restart, even if the isolation period has expired. To prevent the repeated computer isolation, you need to turn off network isolation in the Kaspersky Anti Targeted Attack Platform console.
We recommend upgrading the application after Network isolation finishes. After upgrading Kaspersky Endpoint Security, Network isolation can be stopped.
Built-in agents for EDR (KATA), EDR Optimum, and EDR Expert are not compatible with each other.
Therefore, the activation of the EDR built-in agent with a stand-alone Kaspersky Endpoint Detection and
Response Add-on license can be skipped if you have activated Kaspersky Endpoint Security with different
EDR functionality. For example, the activation of EDR (KATA) built-in agent with a stand-alone license is
skipped if you have activated Kaspersky Endpoint Security with the [KES+EDR Optimum] license.
In Kaspersky Endpoint Security version 12.1, the built-in EDR (KATA) agent does not support the following metafiles for the Get NTFS metafiles task: $Secure:$SDH:$INDEX_ROOT; $Secure:$SDH:$INDEX_ALLOCATION; $Secure:$SDH:$BITMAP; $Secure:$SII:$INDEX_ROOT; $Secure:$SII:$INDEX_ALLOCATION; $Secure:$SII:$BITMAP; $Extend\$UsnJrnl:$J:$DATA; $Extend\$UsnJrnl:$Max:$DATA. Support for these metafiles has been added to Kaspersky Endpoint Security version 12.2.
When migrating from Kaspersky Endpoint Agent to Kaspersky Endpoint Security for the Kaspersky Anti
Targeted Attack Platform (EDR) solution, you may encounter errors when connecting the computer to
Central Node servers. The reason is that the migration wizard in Web Console skips the following policy
settings and does not migrate them:
Prohibition of settings modification for the Settings for connecting to KATA servers ("lock").
By default, settings can be modified (the "lock" is open). Therefore the settings are not applied on the computer. You must prohibit the modification of settings and close the "lock".
Crypto-container.
If you are using two-way authentication for connecting to Central Node servers, you must re-add the
crypto-container. The migration wizard correctly migrates the TLS certificate of the server.
The Policy and Task Migration Wizard in Administration Console (MMC) migrates all settings for the
Kaspersky Anti Targeted Attack Platform (EDR) solution.
Application activation status is incorrectly displayed when the application is installed in the Endpoint
Detection and Response Agent mode to support the Kaspersky Managed Detection and Response
solution with no connection to Kaspersky Security Center. After the BLOB file download, the Windows
taskbar noti cation area displays an incorrect status: Application is not activated. However, the application
interface displays the activation status correctly. Restart the computer for the application to work
correctly.
Other limitations
If the application returns errors or hangs during operation, it may be restarted automatically. If the
application encounters recurring errors that cause the application to crash, the application performs the
following operations:
3. Attempts to restore the application to a functional state after updating anti-virus databases or
applying application module updates.
Web addresses that are added to the trusted list may be incorrectly processed.
In the Kaspersky Security Center console, you cannot save a file to disk from the Advanced →
Repositories → Active threats folder. To save the file, you must disinfect the infected file. When
disinfecting, the application saves a copy of the file in Backup. Now you can save the file to disk from the
Advanced → Repositories → Backup folder.
Inheritance of settings of data transfer to Administration Server (General settings → Reports and
Storage → Data transfer to Administration Server) differs from inheritance of other settings. If you have
allowed changing data transmission settings in the policy (the "lock" is open), these settings will be reset to
default values in the local computer properties in the console if they were not previously defined. If these
settings were previously defined, then their values will be restored. When deleting a policy, the settings are
inherited in the same way. In these cases, other settings in the local computer properties are inherited from
the policy.
Kaspersky Endpoint Security monitors HTTP traffic that complies with the RFC 2616, RFC 7540, RFC 7541,
RFC 7301 standards. If Kaspersky Endpoint Security detects another data exchange format in HTTP
traffic, the application blocks this connection to prevent downloading malicious files from the Internet.
Kaspersky Endpoint Security prevents communication over the QUIC protocol. Browsers use the standard
transport protocol (TLS or SSL) regardless of whether QUIC support is enabled in the browser or not.
TLS connection errors may occur when third-party software works with the Libcurl library. This can be
related to the Kaspersky certificate that Kaspersky Endpoint Security uses to scan encrypted
connections. To continue working, you can disable certificate validation for third-party software (not
recommended) or add a Kaspersky certificate body to the cURL certificate storage. For detailed
information, refer to the Kaspersky Knowledge Base.
When Kaspersky Endpoint Security for Windows is started for the first time, a digitally signed application
may be temporarily placed into the wrong group. The digitally signed application will later be put into the
correct group.
In Kaspersky Security Center, when switching from using the global Kaspersky Security Network to using a
private Kaspersky Security Network, or vice versa, the option to participate in Kaspersky Security Network
is disabled in the policy of the specific product. After switching, carefully read the text of the Kaspersky
Security Network Statement and confirm your consent to participate in KSN. You can read the text of the
Statement in the application interface or when editing the product policy.
During a rescan of a malicious object that was blocked by third-party software, the user is not notified
when the threat is detected again. The threat re-detection event is displayed in the application report and
in the Kaspersky Security Center report.
The Endpoint Sensor component cannot be installed in Microsoft Windows Server 2008.
The Kaspersky Security Center report on device encryption will not include information about devices that
were encrypted using Microsoft BitLocker on server platforms or on workstations on which the Device
Control component is not installed.
It is not possible to enable the display of all report entries in the Kaspersky Security Center Web Console.
In the Web Console, you can only change the number of entries displayed in reports. By default, Kaspersky
Security Center Web Console shows 1000 report entries. You can enable the display of all report entries in
the Administration Console (MMC).
It is not possible to set the display of more than 1000 report entries in the Kaspersky Security Center
Console. If you set a higher value than 1000, the Kaspersky Security Center Console will display only 1000
report entries.
When using a policy hierarchy, the settings of the Encryption of Removable Drives section in a child policy
are accessible for editing even if the parent policy prohibits modification of those settings.
You must enable Audit Logon in the operating system settings to ensure proper functioning of exclusions
for the protection of shared folders against external encryption.
If shared folder protection is enabled, Kaspersky Endpoint Security for Windows monitors attempts to
encrypt shared folders for each remote access session that was started before the startup of Kaspersky
Endpoint Security for Windows, including if the computer from which the remote access session was
started has been added to exclusions. If you do not want Kaspersky Endpoint Security for Windows to
monitor attempts to encrypt shared folders for remote access sessions that were started from a
computer that was added to exclusions and that were started before the startup of Kaspersky Endpoint
Security for Windows, terminate and re-establish the remote access session or restart the computer on
which Kaspersky Endpoint Security for Windows is installed.
If the update task is run with the permissions of a specific user account, product patches will not be
downloaded when updating from a source that requires authorization.
The application may fail to start due to insufficient system performance. To resolve this problem, use the
Ready Boot option or increase the operating system timeout for starting services.
We cannot guarantee that Audio Control will work until after the first restart after installing the application.
In the Administration Console (MMC), in the Intrusion Prevention settings in the window for configuring
application permissions, the Remove button is unavailable. You can remove an application from a trust
group via the context menu of the application.
In the local interface of the application, in the Intrusion Prevention settings, application permissions and
protected resources are not available for viewing if the computer is managed by a policy. Scroll, search,
filter and other window controls are unavailable. You can view application permissions in the policy
properties in the Kaspersky Security Center Console.
When rotated trace files are enabled, no traces are created for the AMSI component and the Outlook
plug-in.
Performance traces for the "Restart" trace type are not supported.
Turning off the "Disable external management of the system services" option will not allow you to stop the
service of the application that was installed with the AMPPL=1 parameter (by default, the parameter value
is set to 1 starting with the Windows 10 RS2 operating system version). The AMPPL parameter with a value
of 1 enables the use of Protection Processes technology for the product service.
To run a custom scan of a folder, the user that starts the custom scan must have the permissions to read
the attributes of this folder. Otherwise the custom folder scan will be impossible and will end with an error.
When a scan rule defined in a policy includes a path without the \ character at the end, for example,
C:\folder1\folder2, the scan will be run for the path C:\folder1\.
If you are using software restriction policies (SRP), the computer may fail to load (black screen). To prevent
malfunctions, you need to allow the use of application libraries in the SRP properties. In the SRP properties,
add a rule with the Unrestricted security level for the khkum.dll file (New Hash Rule menu item). The file is
located in the C:\Program Files (x86)\Common Files\Kaspersky Lab\KES.<version>\klhk\klhk_x64\ folder.
If you selected this method, you need to additionally clear the Download updates of application modules
check box in the Update task settings for Kaspersky Endpoint Security. For details on using SRP, refer to
the Microsoft documentation.
You can also disable SRP and use the Application Control component of Kaspersky Endpoint Security to
control application usage.
If the computer belongs to a domain under Windows Group Policy Object (GPO) with DriverLoadPolicy
parameter set to 8 (Good only), restarting the computer with Kaspersky Endpoint Security installed causes
a BSOD. To prevent a failure, the Early Launch Antimalware (ELAM) parameter in Group Policy must be set
to 1 (Good and unknown). ELAM settings are located in the policy under: Computer Configuration →
Administrative Templates → System → Early Launch Antimalware.
Task run settings for a specific user cannot be transferred between devices via a configuration file. After
settings are applied from a configuration file, manually specify the user name and password.
After installing an update, the integrity check task does not work until the system is restarted to apply the
update.
When the rotated tracing level is changed through the remote diagnostics utility, Kaspersky Endpoint
Security for Windows incorrectly displays a blank value for the trace level. However, trace files are written
according to the correct trace level. When the rotated tracing level is changed through the local interface
of the application, the tracing level is correctly modified but the remote diagnostics utility incorrectly
displays the trace level that was last defined by the utility. This may cause the administrator to not have
up-to-date information about the current tracing level, and relevant information may be absent from
traces if a user manually changes the tracing level in the local interface of the application.
In the local interface, Password protection settings don't allow changing the name of the administrator
account (KLAdmin by default). To change the name of the administrator account, you need to disable
Password protection, then enable Password protection and specify a new name of the administrator
account.
The Kaspersky Endpoint Security application when installed on a Windows Server 2019 server is
incompatible with Docker. Deploying Docker containers on a computer with Kaspersky Endpoint Security
causes a crash (BSOD).
Kaspersky Endpoint Security does not support HTTPS when connecting to KSN Proxy (Use HTTPS check
box selected in KSN Proxy connection settings) if the address of the server includes non-Latin letters
(non-ASCII symbols).
Compatibility of Kaspersky Endpoint Security and Secret Net Studio software is limited:
The Kaspersky Endpoint Security application is not compatible with the Antivirus component of Secret
Net Studio software.
The application cannot be installed on a computer where Secret Net Studio is deployed with the
Antivirus component. To make interoperability possible, you must remove the Antivirus component
from Secret Net Studio.
The Kaspersky Endpoint Security application is not compatible with the Full Disk Encryption component
of Secret Net Studio software.
The application cannot be installed on a computer where Secret Net Studio is deployed with the Full
Disk Encryption component. To make interoperability possible, you must remove the Full Disk Encryption
component from Secret Net Studio.
Secret Net Studio is not compatible with the File Level Encryption (FLE) component of Kaspersky
Endpoint Security.
When you install Kaspersky Endpoint Security with the File Level Encryption (FLE) component, Secret
Net Studio can operate with errors. To ensure interoperability, you must remove the File Level
Encryption (FLE) component from Kaspersky Endpoint Security.
Glossary
Active key
A key that is currently used by the application.
Additional key
A key that certifies the right to use the application but is not currently being used.
Administration group
A set of devices that share common functions and a set of Kaspersky applications installed on them. Devices are
grouped so that they can be managed conveniently as a single unit. A group may include other groups. It is possible
to create group policies and group tasks for each installed application in the group.
Anti-virus databases
Databases that contain information about computer security threats known to Kaspersky as of the anti-virus
database release date. Anti-virus database signatures help to detect malicious code in scanned objects. Anti-virus
databases are created by Kaspersky specialists and updated hourly.
Archive
One or several files packed into a single compressed file. A specialized application called an archiver is required for
packing and unpacking data.
Authentication Agent
Interface that lets you complete authentication to access encrypted hard drives and load the operating system
after the bootable hard drive has been encrypted.
A list of web addresses whose content may be considered to be dangerous. The list is created by Kaspersky
specialists. It is regularly updated and is included in the Kaspersky application distribution kit.
Disinfection
A method of processing infected objects that results in complete or partial recovery of data. Not all infected
objects can be disinfected.
False alarm
A false alarm occurs when the Kaspersky application reports an uninfected file as infected because the signature
of the file is similar to that of a virus.
Infectable file
A file which, due to its structure or format, can be used by intruders as a "container" to store and spread malicious
code. As a rule, these are executable files, with such file extensions as .com, .exe, and .dll. There is a fairly high risk of
intrusion of malicious code in such files.
Infected file
A file which contains malicious code (code of known malware has been detected when scanning the file).
Kaspersky does not recommend using such files, because they may infect your computer.
IOC
Indicator of Compromise. A set of data about a malicious object or activity.
IOC file
A file containing a set of indicators of compromise (IOCs) that the application tries to match to count a detection.
The likelihood of detection can be higher if exact matches with multiple IOC files are found for the object as a
result of the scan.
Mask
Representation of a file name and extension by using wildcards.
File masks can contain any characters that are allowed in file names, including wildcards:
The * (asterisk) character, which takes the place of any set of characters, except the \ and / characters
(delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\*\*.txt
will include all paths to files with the TXT extension located in folders on the C: drive, but not in subfolders.
Two consecutive * characters take the place of any set of characters (including an empty set) in the file or
folder name, including the \ and / characters (delimiters of the names of files and folders in paths to files and
folders). For example, the mask C:\Folder\**\*.txt will include all paths to files with the TXT extension
located in folders nested within the Folder, except the Folder itself. The mask must include at least one
nesting level. The mask C:\**\*.txt is not a valid mask. The ** mask is available only for creating scan
exclusions.
The ? (question mark) character, which takes the place of any single character, except the \ and / characters
(delimiters of the names of files and folders in paths to files and folders). For example, the mask
C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have the TXT
extension and a name consisting of three characters.
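The three wildcard rules above can be checked against concrete paths with a small matcher. This is an added example, not code from Kaspersky Endpoint Security: each wildcard is translated into a regular expression fragment exactly as the glossary describes it, while the reading of "at least one nesting level" as "a ** component must not directly follow the drive root", the case-insensitive comparison, and treating a literal \ or / in the mask as matching either delimiter are assumptions made here.

```python
import re

# Regular-expression fragments for each wildcard described in the glossary.
# '*' and '?' never cross a path delimiter; '**' may.
_SINGLE_STAR = r"[^\\/]*"
_DOUBLE_STAR = r".*"
_QUESTION = r"[^\\/]"
_DELIMITER = r"[\\/]"   # assumption: a literal \ or / in the mask matches either delimiter


class InvalidMaskError(ValueError):
    """Raised for a mask the glossary declares invalid (e.g. C:\\**\\*.txt)."""


def _check_double_star_nesting(mask: str) -> None:
    """Assumed reading of 'the mask must include at least one nesting level':
    a '**' path component must be preceded by at least one folder name,
    not directly by the drive root."""
    components = re.split(_DELIMITER, mask)
    for idx, comp in enumerate(components):
        if comp == "**":
            preceding = [c for c in components[:idx]
                         if c and not re.fullmatch(r"[A-Za-z]:", c)]
            if not preceding:
                raise InvalidMaskError(
                    f"mask {mask!r}: '**' must be nested at least one level below the root")


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """Translate a file mask into a compiled regex (Windows paths compared case-insensitively)."""
    _check_double_star_nesting(mask)
    parts = []
    i = 0
    while i < len(mask):
        ch = mask[i]
        if ch == "*":
            if mask.startswith("**", i):
                parts.append(_DOUBLE_STAR)   # any characters, delimiters included
                i += 2
                continue
            parts.append(_SINGLE_STAR)       # any characters within one file or folder name
        elif ch == "?":
            parts.append(_QUESTION)          # exactly one character within a name
        elif ch in "\\/":
            parts.append(_DELIMITER)
        else:
            parts.append(re.escape(ch))      # literal character
        i += 1
    return re.compile("".join(parts), re.IGNORECASE)


def is_valid_mask(mask: str) -> bool:
    """False for masks the glossary rejects, such as a ** directly under the drive root."""
    try:
        mask_to_regex(mask)
    except InvalidMaskError:
        return False
    return True


def matches(mask: str, path: str) -> bool:
    """True if the whole path is covered by the mask."""
    return mask_to_regex(mask).fullmatch(path) is not None


if __name__ == "__main__":
    # Constructed sample paths illustrating the three glossary examples.
    checks = [
        (r"C:\*\*.txt", r"C:\Docs\notes.txt"),          # True: one folder deep
        (r"C:\*\*.txt", r"C:\Docs\Sub\notes.txt"),      # False: inside a subfolder
        (r"C:\Folder\**\*.txt", r"C:\Folder\a\b.txt"),  # True: nested below Folder
        (r"C:\Folder\**\*.txt", r"C:\Folder\b.txt"),    # False: Folder itself
        (r"C:\Folder\???.txt", r"C:\Folder\abc.txt"),   # True: three-character name
        (r"C:\Folder\???.txt", r"C:\Folder\ab.txt"),    # False: two-character name
    ]
    for mask, path in checks:
        print(f"{mask:24} {path:28} -> {matches(mask, path)}")
    print("C:\\**\\*.txt valid? ->", is_valid_mask(r"C:\**\*.txt"))  # False
```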
Network Agent
A Kaspersky Security Center component that enables interaction between the Administration Server and
Kaspersky applications that are installed on a specific network node (workstation or server). This component is
common for all Kaspersky applications running under Windows. Dedicated versions of Network Agent are intended
for applications running under other operating systems.
Regarding the operation of protection components, the purpose of normalization of web resource addresses is to
avoid scanning website addresses, which may differ in syntax while being physically equivalent, more than once.
Example:
Non-normalized form of an address: www.Example.com\.
Normalized form of an address: www.example.com.
OLE object
An attached file or a file that is embedded in another file. Kaspersky applications allow scanning OLE objects for
viruses. For example, if you insert a Microsoft Office Excel® table into a Microsoft Office Word document, the
table is scanned as an OLE object.
OpenIOC
Open standard of Indicator of Compromise (IOC) descriptions based on XML and including over 500 different
Indicators of Compromise.
Protection scope
Objects that are constantly being scanned by the Essential Threat Protection component when it is running. The
protection scopes of different components have different properties.
Scan scope
Objects that Kaspersky Endpoint Security scans while performing a scan task.
Task
Functions performed by the Kaspersky application as tasks, for example: Real-time File Protection, Full Device
Scan, Database Update.
Appendices
This section contains information that supplements the body of the document.
The component scans the files accessed by the user or application. If a malicious file is detected, Kaspersky
Endpoint Security blocks the file operation. The application then disinfects or deletes the malicious file, depending
on the settings of the File Threat Protection component.
When attempting to access a file whose contents are stored in the OneDrive cloud, Kaspersky Endpoint
Security downloads and scans the file contents.
Parameter: Description
Security level (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)
For File Threat Protection, Kaspersky Endpoint Security can apply different groups of settings. These groups of
settings that are stored in the application are called security levels:
High. When this file security level is selected, the File Threat Protection component takes the strictest control
of all files that are opened, saved, and started. The File Threat Protection component scans all file types on all
hard drives, removable drives, and network drives of the computer. It also scans archives, installation packages,
and embedded OLE objects.
Recommended. This file security level is recommended by Kaspersky Lab experts. The File Threat Protection
component scans only the specified file formats on all hard drives, removable drives, and network drives of the
computer, and embedded OLE objects. The File Threat Protection component does not scan archives or
installation packages.
Low. The settings of this file security level ensure maximum scanning speed. The File Threat Protection
component scans only files with specified extensions on all hard drives, removable drives, and network drives of
the computer. The File Threat Protection component does not scan compound files.
File types (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)
All files. If this setting is enabled, Kaspersky Endpoint Security checks all files without exception (all formats and
extensions).
Files scanned by format. If this setting is enabled, the application scans infectable files only. Before scanning a
file for malicious code, the internal header of the file is analyzed to determine the format of the file (for example,
.txt, .doc, or .exe). The scan also looks for files with particular file extensions.
Files scanned by extension. If this setting is enabled, the application scans infectable files only. The file format is
then determined based on the file's extension.
Scan scope
Contains objects that are scanned by the File Threat Protection component. A scan object may be a hard drive,
removable drive, network drive, folder, file, or multiple files defined by a mask.
By default, the File Threat Protection component scans files that are started on any hard drives, removable
drives, or network drives. The protection scope for these objects cannot be changed or deleted. You can also
exclude an object (such as removable drives) from scans.
Machine learning and signature analysis (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)
The machine learning and signature analysis method uses the Kaspersky Endpoint Security databases that
contain descriptions of known threats and ways to neutralize them. Protection that uses this method provides
the minimum acceptable security level. Based on the recommendations of Kaspersky experts, machine learning
and signature analysis is always enabled.
Heuristic Analysis (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)
The technology was developed for detecting threats that cannot be detected by using the current version of
Kaspersky application databases. It detects files that may be infected with an unknown virus or a new variety of
a known virus.
When scanning files for malicious code, the heuristic analyzer executes instructions in the executable files. The
number of instructions that are executed by the heuristic analyzer depends on the level that is specified for the
heuristic analyzer. The heuristic analysis level ensures a balance between the thoroughness of searching for new
threats, the load on the resources of the operating system, and the duration of heuristic analysis.
Action on threat detection
Disinfect, delete if disinfection fails. If this option is selected, the application automatically attempts to disinfect
all infected files that are detected. If disinfection fails, the application deletes the files.
Disinfect, block if disinfection fails. If this option is selected, Kaspersky Endpoint Security automatically attempts
to disinfect all infected files that are detected. If disinfection is not possible, Kaspersky Endpoint Security adds
the information about the infected files that are detected to the list of active threats.
Block. If this option is selected, the File Threat Protection component automatically blocks all infected files
without attempting to disinfect them.
Inform. If this option is selected, Kaspersky Endpoint Security adds the information about infected files to the list
of active threats on detection of these files.
Before attempting to disinfect or delete an infected file, the application creates a backup copy of the file in
case you need to restore the file or if it can be disinfected in the future.
Scan only new and modified files
Scans only new files and those files that have been modified since the last time they were scanned. This helps
reduce the duration of a scan. This mode applies both to simple and to compound files.
Scan archives
Scanning ZIP, GZIP, BZIP, RAR, TAR, ARJ, CAB, LHA, JAR, ICE, and other archives. The application scans archives
not only by extension, but also by format. When checking archives, the application performs a recursive
unpacking. This makes it possible to detect threats inside multi-level archives (archive within an archive).
Scan files in Microsoft Office formats
Scans Microsoft Office files (DOC, DOCX, XLS, PPT and other Microsoft extensions). Office format files include
OLE objects as well. Kaspersky Endpoint Security scans office format files that are smaller than 1 MB, regardless
of whether the check box is selected or not.
Do not unpack large compound files
If this check box is selected, the application does not scan compound files if their size exceeds the specified
value.
If this check box is cleared, the application scans compound files of all sizes.
The application scans large files that are extracted from archives regardless of whether the check box is
selected or not.
Unpack compound files in the background
If the check box is selected, the application provides access to compound files that are larger than the specified
value before these files are scanned. In this case, Kaspersky Endpoint Security unpacks and scans compound
files in the background.
The application provides access to compound files that are smaller than this value only after unpacking and
scanning these files.
If the check box is not selected, the application provides access to compound files only after unpacking and
scanning files of any size.
Scan mode (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)
Kaspersky Endpoint Security scans files accessed by the user, operating system, or an application running under
the user's account.
Smart mode. In this mode, File Threat Protection scans an object based on an analysis of actions taken on the
object. For example, when working with a Microsoft Office document, Kaspersky Endpoint Security scans the
file when it is first opened and last closed. Intermediate operations that overwrite the file do not cause it to be
scanned.
On access and modification. In this mode, File Threat Protection scans objects whenever there is an attempt to
open or modify them.
On access. In this mode, File Threat Protection scans objects only upon an attempt to open them.
On execution. In this mode, File Threat Protection only scans objects upon an attempt to run them.
Use iSwift technology (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)
This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from
scans by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security
databases, the date when the file was last scanned, and any modifications to the scan settings. The iSwift
technology is an advancement of the iChecker technology for the NTFS file system.
Use iChecker technology (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)
This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from
scans by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security
databases, the date when the file was last scanned, and any modifications to the scan settings. There are
limitations to iChecker Technology: it does not work with large files and applies only to files with a structure that
the application recognizes (for example, EXE, DLL, LNK, TTF, INF, SYS, COM, CHM, ZIP, and RAR).
Pause File Threat Protection (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)
This temporarily and automatically pauses operation of File Threat Protection at the specified time or when
working with the specified applications.
Kaspersky Endpoint Security scans HTTP, HTTPS, and FTP traffic. Kaspersky Endpoint Security scans URLs and
IP addresses. You can specify the ports that Kaspersky Endpoint Security will monitor, or select all ports.
For HTTPS traffic monitoring, you need to enable encrypted connections scan.
When a user tries to open a malicious or phishing website, Kaspersky Endpoint Security will block access and show
a warning (see the figure below).
Website access denied message
Parameter: Description
Security level (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)
For Web Threat Protection, the application can apply different groups of settings. These groups of settings that
are stored in the application are called security levels:
High. The security level under which the Web Threat Protection component performs maximum scanning of
web traffic that the computer receives over the HTTP and FTP protocols. Web Threat Protection performs
detailed scanning of all web traffic objects by using the full set of application databases, and performs the
deepest possible heuristic analysis.
Recommended. The security level that provides the optimal balance between the performance of Kaspersky
Endpoint Security and the security of web traffic. The Web Threat Protection component performs heuristic
analysis at the medium scan level. This web traffic security level is recommended by Kaspersky specialists.
Low. The settings of this web traffic security level ensure the maximum web traffic scanning speed. The Web
Threat Protection component performs heuristic analysis at the light scan level.
Action on threat detection
Block. If this option is selected and an infected object is detected in web traffic, the Web Threat Protection
component blocks access to the object and displays a message in the browser.
Inform. If this option is selected and an infected object is detected in web traffic, Kaspersky Endpoint Security
allows this object to be downloaded to the computer but adds information about the infected object to the list
of active threats.
Check the web address against the database of malicious web addresses (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)
Scanning the links to determine whether they are included in the database of malicious web addresses allows
you to track websites that have been added to the denylist. The database of malicious web addresses is
maintained by Kaspersky, included in the application installation package, and updated during Kaspersky
Endpoint Security database updates.
Use Heuristic Analysis (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)
The technology was developed for detecting threats that cannot be detected by using the current version of
Kaspersky application databases. It detects files that may be infected with an unknown virus or a new variety of
a known virus.
When web traffic is scanned for viruses and other applications that present a threat, the heuristic analyzer
performs instructions in the executable files. The number of instructions that are executed by the heuristic
analyzer depends on the level that is specified for the heuristic analyzer. The heuristic analysis level ensures a
balance between the thoroughness of searching for new threats, the load on the resources of the operating
system, and the duration of heuristic analysis.
Check the web address against the database of phishing web addresses (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)
The database of phishing web addresses includes the web addresses of currently known websites that are used
to launch phishing attacks. Kaspersky supplements this database of phishing links with addresses obtained from
the international organization known as the Anti-Phishing Working Group. The database of phishing addresses is
included in the application installation package and supplemented with Kaspersky Endpoint Security database
updates.
Do not scan web traffic from trusted web addresses
If the check box is selected, the Web Threat Protection component does not scan the content of web pages or
websites whose addresses are included in the list of trusted web addresses. You can add both the specific
address and the address mask of a web page/website to the list of trusted web addresses.
You can also create a general list of exclusions for encrypted connections. In this case, Kaspersky Endpoint
Security does not scan HTTPS traffic of trusted web addresses when the Web Threat Protection, Mail Threat
Protection, and Web Control components are doing their work.
Mail Threat Protection can scan both incoming and outgoing messages. The application supports POP3, SMTP,
IMAP, and NNTP in the following mail clients:
Microsoft Office Outlook
Mozilla Thunderbird
Windows Mail
To scan traffic in Mozilla Thunderbird, MyOffice Mail and R7-Office Organizer mail clients, you need to add the
Kaspersky certificate to the certificate store and select the own certificate store.
Mail Threat Protection does not support other protocols and mail clients.
Mail Threat Protection may not always be able to gain protocol-level access to messages (for example, when using
the Microsoft Exchange solution). For this reason, Mail Threat Protection includes an extension for Microsoft
Office Outlook. The extension allows scanning messages at the level of the mail client. The Mail Threat Protection
extension supports operations with Outlook 2010, 2013, 2016, and 2019.
The Mail Threat Protection component does not scan messages if the mail client is open in a browser.
When a malicious file is detected in an attachment, Kaspersky Endpoint Security adds information about the
performed action to the message subject, for example, [Message has been processed] <message subject>.
Parameter Description
Security level (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface): For Mail Threat Protection, Kaspersky Endpoint Security applies different groups of settings. These groups of settings that are stored in the application are called security levels:
High. When this email security level is selected, the Mail Threat Protection component scans email messages most thoroughly. The Mail Threat Protection component scans incoming and outgoing email messages, and performs deep heuristic analysis. The High mail security level is recommended for high-risk environments. An example of such an environment is a connection to a free email service from a home network that is not guarded by centralized email protection.
Recommended. The email security level that provides the optimal balance between the performance of Kaspersky Endpoint Security and email security. The Mail Threat Protection component scans incoming and outgoing email messages, and performs medium-level heuristic analysis. This mail traffic security level is recommended by Kaspersky specialists.
Low. When this email security level is selected, the Mail Threat Protection component only scans incoming email messages, performs light heuristic analysis, and does not scan archives that are attached to email messages. At this mail security level, the Mail Threat Protection component scans email messages at maximum speed and uses a minimum of operating system resources. The Low mail security level is recommended for use in a well-protected environment. An example of such an environment might be an enterprise LAN with centralized email security.
Action on threat detection: Disinfect, delete if disinfection fails. When an infected object is detected in an inbound or outbound message, Kaspersky Endpoint Security attempts to disinfect the detected object. The user will be able to access the message with a safe attachment. If the object cannot be disinfected, Kaspersky Endpoint Security deletes the infected object. Kaspersky Endpoint Security adds information about the performed action to the message subject, for example, [Message has been processed] <message subject>.
Disinfect, block if disinfection fails. When an infected object is detected in an inbound message, Kaspersky Endpoint Security attempts to disinfect the detected object. The user will be able to access the message with a safe attachment. If the object cannot be disinfected, Kaspersky Endpoint Security adds a warning to the message subject. The user will be able to access the message with the original attachment. When an infected object is detected in an outbound message, Kaspersky Endpoint Security attempts to disinfect the detected object. If the object cannot be disinfected, Kaspersky Endpoint Security blocks transmission of the message, and the mail client shows an error.
Block. If an infected object is detected in an inbound message, Kaspersky Endpoint Security adds a warning to the message subject. The user will be able to access the message with the original attachment. If an infected object is detected in an outbound message, Kaspersky Endpoint Security blocks transmission of the message, and the mail client shows an error.
Protection scope (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface): The Protection scope includes objects that the component checks when it is run: incoming and outgoing messages or incoming messages only.
In order to protect your computers, you need only scan incoming messages. You can turn on scanning for outgoing messages to prevent infected files from being sent in archives. You can also turn on the scanning of outgoing messages if you want to prevent files in particular formats from being sent, such as audio and video files, for example.
Scan POP3, SMTP, NNTP, and IMAP traffic: The check box enables / disables scanning by the Mail Threat Protection component of traffic that is transferred via the POP3, SMTP, NNTP, and IMAP protocols.
Connect Microsoft Outlook extension: If the check box is selected, scanning of email messages transmitted via the POP3, SMTP, NNTP, IMAP protocols is enabled on the side of the extension integrated into Microsoft Outlook.
If mail is scanned using the extension for Microsoft Outlook, it is recommended to use Cached Exchange Mode. For more detailed information about Cached Exchange Mode and recommendations on its use, refer to the Microsoft Knowledge Base.
Heuristic analysis (available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface): The technology was developed for detecting threats that cannot be detected by using the current version of Kaspersky application databases. It detects files that may be infected with an unknown virus or a new variety of a known virus.
When scanning files for malicious code, the heuristic analyzer executes instructions in the executable files. The number of instructions that are executed by the heuristic analyzer depends on the level that is specified for the heuristic analyzer. The heuristic analysis level ensures a balance between the thoroughness of searching for new threats, the load on the resources of the operating system, and the duration of heuristic analysis.
Scan attached archives: Scanning ZIP, GZIP, BZIP, RAR, TAR, ARJ, CAB, LHA, JAR, ICE, and other archives. The application scans archives not only by extension, but also by format. When checking archives, the application performs a recursive unpacking. This allows detecting threats inside multi-level archives (archive within an archive).
If during the scan, Kaspersky Endpoint Security detects a password for an archive in the text of the message, this password will be used to scan the content of the archive for malicious applications. In this case, the password is not saved. An archive is unpacked during scan. If an application error occurs during the unpacking process, you can manually delete the unpacked files that are saved to the following path: %systemroot%\temp. The files have the PR prefix.
Scan attached files of Microsoft Office formats: Scans Microsoft Office files (DOC, DOCX, XLS, PPT and other Microsoft extensions). Office format files include OLE objects as well. Kaspersky Endpoint Security scans office format files that are smaller than 1 MB, regardless of whether the check box is selected or not.
Do not scan archives larger than N MB: If this check box is selected, the Mail Threat Protection component excludes archives attached to email messages from scanning if their size exceeds the specified value. If the check box is cleared, the Mail Threat Protection component scans email attachment archives of any size.
Limit the time for checking archives to N sec: If the check box is selected, the time that is allocated for scanning archives attached to email messages is limited to the specified period.
Attachment filter: The attachment filter is not applied to outgoing email messages.
Disable filtering. If this option is selected, the Mail Threat Protection component does not filter files that are attached to email messages.
Rename attachments of selected types. If this option is selected, the Mail Threat Protection component will replace the last extension character found in the attached files of the specified types with the underscore character (for example, attachment.doc_). Thus, in order to open the file, the user must rename the file.
Delete attachments of selected types. If this option is selected, the Mail Threat Protection component deletes attached files of the specified types from email messages.
In the list of file masks, you can specify the types of attached files to rename or delete from email messages.
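The attachment filter behaviour described in the table, written out as an added example (not Kaspersky code): file masks are matched case-insensitively, the rename mode replaces the last extension character with an underscore, the delete mode drops the attachment, and outgoing messages are never filtered. The Message class, mode constants and sample masks are assumptions made for this example.

```python
"""Model of the Mail Threat Protection attachment filter described above.
Added example, not Kaspersky code; the Message class, the mode constants
and the sample file masks are constructed for illustration."""
from dataclasses import dataclass, field
from fnmatch import fnmatch

# The three attachment filter modes from the parameter table.
DISABLE_FILTERING = "disable"
RENAME_SELECTED = "rename"
DELETE_SELECTED = "delete"


@dataclass
class Message:
    subject: str
    outgoing: bool                       # True for messages the user sends
    attachments: list[str] = field(default_factory=list)


def matches_any_mask(filename: str, masks: list[str]) -> bool:
    """Case-insensitive match of a file name against masks such as '*.exe' or '*.doc*'."""
    name = filename.lower()
    return any(fnmatch(name, mask.lower()) for mask in masks)


def rename_attachment(filename: str) -> str:
    """Replace the last character of the extension with '_' so that the file
    no longer opens by double-click (the page's example: attachment.doc_).
    A name without an extension is returned unchanged."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or not ext:
        return filename
    return f"{stem}.{ext[:-1]}_"


def filter_attachments(msg: Message, mode: str, masks: list[str]) -> list[str]:
    """Return the attachment names that remain after the filter runs."""
    if mode not in (DISABLE_FILTERING, RENAME_SELECTED, DELETE_SELECTED):
        raise ValueError(f"unknown attachment filter mode: {mode}")
    # The attachment filter is not applied to outgoing email messages.
    if msg.outgoing or mode == DISABLE_FILTERING:
        return list(msg.attachments)
    result = []
    for name in msg.attachments:
        if not matches_any_mask(name, masks):
            result.append(name)              # not a selected type: untouched
        elif mode == RENAME_SELECTED:
            result.append(rename_attachment(name))
        # DELETE_SELECTED: the attachment is dropped from the message
    return result


if __name__ == "__main__":
    masks = ["*.exe", "*.doc*", "*.js"]   # constructed file masks
    inbound = Message("Invoice", outgoing=False,
                      attachments=["invoice.docx", "photo.jpg", "setup.exe"])
    print(filter_attachments(inbound, RENAME_SELECTED, masks))
    print(filter_attachments(inbound, DELETE_SELECTED, masks))
```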
Parameter Description
Treat port scanning and network flooding as attacks: Network Flooding is an attack on network resources of an organization (such as web servers). This attack consists of sending a large number of requests to overload the bandwidth of network resources. When this happens, users are unable to access the network resources of the organization.
A Port Scanning attack consists of scanning UDP ports, TCP ports, and network services on the computer. This attack allows the attacker to identify the degree of vulnerability of the computer before conducting more dangerous types of network attacks. Port Scanning also enables the attacker to identify the operating system on the computer and select the appropriate network attacks for this operating system.
If this check box is selected, Kaspersky Endpoint Security monitors network traffic to detect these attacks. If an attack is detected, the application notifies the user and sends the corresponding event to Kaspersky Security Center. The application provides information about the attacking computer, which is required for timely threat response actions.
You can disable detection of these types of attacks in case some of your allowed applications perform operations that are typical for these types of attacks. This will help avoid false alarms.
Block attacking devices for N min: If the option is enabled, the Network Threat Protection component adds the attacking computer to the blocked list. This means that the Network Threat Protection component blocks the network connection with the attacking computer after the first network attack attempt for the specified amount of time. This block automatically protects the user's computer against possible future network attacks from the same address. The minimum time an attacking computer must spend in the block list is one minute. The maximum time is 999 minutes.
You can view the block list in the Network Monitor tool window.
Kaspersky Endpoint Security clears the block list when the application is restarted and when the Network Threat Protection settings are changed.
Exclusions: The list contains IP addresses from which Network Threat Protection does not block network attacks.
You can add an IP address with port and protocol specified.
The application does not log information on network attacks from the IP addresses that are in the list of exclusions.
MAC Spoofing Protection: A MAC spoofing attack consists of changing the MAC address of a network device (network card). As a result, an attacker can redirect data sent to a device to another device and gain access to this data. Kaspersky Endpoint Security lets you block MAC Spoofing attacks and receive notifications about the attacks.
Firewall
The Firewall blocks unauthorized connections to the computer while working on the Internet or local network. The Firewall also controls the network activity of applications on the computer. This allows you to protect your corporate LAN from identity theft and other attacks. The component provides computer protection with the help of anti-virus databases, the Kaspersky Security Network cloud service, and predefined network rules.
Network Agent is used for interaction with Kaspersky Security Center. Firewall automatically creates network rules required for the application and the Network Agent to work. As a result, the Firewall opens several ports on the computer. Which ports are opened depends on the computer's role (for example, distribution point). To learn more about the ports that will be opened on the computer, refer to the Kaspersky Security Center Help.
Network rules
Network packet rules. Network packet rules impose restrictions on network packets, regardless of the application. Such rules restrict inbound and outbound network traffic through specific ports of the selected data protocol. Kaspersky Endpoint Security has predefined network packet rules with permissions recommended by Kaspersky experts.
Application network rules. Application network rules impose restrictions on the network activity of a specific application. They factor in not only the characteristics of the network packet, but also the specific application to which this network packet is addressed or which issued this network packet.
Controlled access of applications to operating system resources, processes and personal data is provided by the Host Intrusion Prevention component by using application rights.
During the first startup of the application, the Firewall performs the following actions:
3. Places the application in one of the trust groups: Trusted, Low Restricted, High Restricted, Untrusted.
A trust group defines the rights that Kaspersky Endpoint Security refers to when controlling application activity. Kaspersky Endpoint Security places an application in a trust group depending on the level of danger that this application may pose to the computer.
Kaspersky Endpoint Security places an application in a trust group for the Firewall and Host Intrusion Prevention components. You cannot change the trust group only for the Firewall or Host Intrusion Prevention.
If you refused to participate in KSN or there is no network, Kaspersky Endpoint Security places the application in a trust group depending on the settings of the Host Intrusion Prevention component. After receiving the reputation of the application from KSN, the trust group can be changed automatically.
4. It blocks network activity of the application depending on the trust group. For example, applications in the High Restricted trust group are not allowed to use any network connections.
The next time the application is started, Kaspersky Endpoint Security checks the integrity of the application. If the application is unchanged, the component uses the current network rules for it. If the application has been modified, Kaspersky Endpoint Security analyzes the application as if it were being started for the first time.
Each rule has a priority. The higher a rule is on the list, the higher its priority. If network activity is added to several
rules, the Firewall regulates network activity according to the rule with the highest priority.
Network packet rules have a higher priority than network rules for applications. If both network packet rules and network rules for applications are specified for the same type of network activity, the network activity is handled according to the network packet rules.
Network rules for applications work in a particular way. A network rule for applications includes access rules based on the network status: Public network, Local network, Trusted network. For example, applications in the High Restricted trust group are not allowed any network activity in networks of all statuses by default. If a network rule is specified for an individual application (parent application), then the child processes of other applications will run according to the network rule of the parent application. If there is no network rule for the application, the child processes will run according to the network access rule of the application's trust group.
For example, you have prohibited any network activity in networks of all statuses for all applications, except browser X. If you start browser Y installation (child process) from browser X (parent application), then the browser Y installer will access the network and download the necessary files. After installation, browser Y will be denied any network connections according to the Firewall settings. To prohibit network activity of the browser Y installer as a child process, you must add a network rule for the installer of browser Y.
The Firewall allows you to control network activity depending on the status of the network connection. Kaspersky
Endpoint Security receives the network connection status from the computer's operating system. The status of
the network connection in the operating system is set by the user when setting up the connection. You can change
the status of the network connection in the Kaspersky Endpoint Security settings. The Firewall will monitor
network activity depending on the network status in the Kaspersky Endpoint Security settings, and not in the
operating system.
The network connection can have one of the following status types:
Public network. The network is not protected by antivirus applications, firewalls, or filters (such as Wi-Fi in a cafe). When the user operates a computer that is connected to such a network, Firewall blocks access to files and printers of this computer. External users are also unable to access data through shared folders and remote access to the desktop of this computer. Firewall filters the network activity of each application according to the network rules that are set for it.
Firewall assigns Public network status to the Internet by default. You cannot change the status of the Internet.
Local network. Network for users with restricted access to files and printers on this computer (such as for a corporate LAN or home network).
Trusted network. Safe network in which the computer is not exposed to attacks or unauthorized data access attempts. Firewall permits any network activity within networks with this status.
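The decision order described above (packet rules first, top of the list wins; then the application's own rule per network status, inherited by a child process that has no rule of its own; then the trust group default), as an added example that is not Kaspersky code. The rule classes, the sample rules, the browser X / browser Y names, the "unknown application is High Restricted" setting and the trust-group defaults other than High Restricted are assumptions made for this example.

```python
"""Model of the Firewall rule priority described above. Added example, not
Kaspersky code; rule classes, sample rules and most trust-group defaults are
constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

ALLOW, BLOCK = "allow", "block"
PUBLIC, LOCAL, TRUSTED = "Public network", "Local network", "Trusted network"

# Default application network access per trust group. The page states that
# High Restricted is denied on all statuses by default; the other three rows
# are assumptions made for this example.
TRUST_GROUP_DEFAULTS = {
    "Trusted":         {PUBLIC: ALLOW, LOCAL: ALLOW, TRUSTED: ALLOW},
    "Low Restricted":  {PUBLIC: ALLOW, LOCAL: ALLOW, TRUSTED: ALLOW},
    "High Restricted": {PUBLIC: BLOCK, LOCAL: BLOCK, TRUSTED: BLOCK},
    "Untrusted":       {PUBLIC: BLOCK, LOCAL: BLOCK, TRUSTED: BLOCK},
}


@dataclass(frozen=True)
class PacketRule:
    protocol: str      # "tcp" or "udp"
    port: int          # port the rule restricts
    direction: str     # "in" or "out"
    action: str        # ALLOW or BLOCK


@dataclass(frozen=True)
class Connection:
    app: str
    parent: Optional[str]   # application that started this process, if any
    protocol: str
    port: int
    direction: str
    network: str            # PUBLIC, LOCAL or TRUSTED


class Firewall:
    def __init__(self, packet_rules, app_rules, trust_groups):
        self.packet_rules = list(packet_rules)   # ordered; top = highest priority
        self.app_rules = dict(app_rules)         # app name -> {network status: action}
        self.trust_groups = dict(trust_groups)   # app name -> trust group name

    def match_packet_rule(self, conn: Connection) -> Optional[str]:
        """Topmost packet rule that fits the connection; later rules are ignored."""
        for rule in self.packet_rules:
            if (rule.protocol, rule.port, rule.direction) == (conn.protocol, conn.port, conn.direction):
                return rule.action
        return None

    def match_app_rule(self, conn: Connection) -> Optional[str]:
        """The process's own rule wins; a child without one inherits the parent's rule."""
        for name in (conn.app, conn.parent):
            rule = self.app_rules.get(name) if name else None
            if rule is not None and conn.network in rule:
                return rule[conn.network]
        return None

    def decide(self, conn: Connection) -> str:
        # 1. Packet rules have priority over application rules.
        action = self.match_packet_rule(conn)
        if action is not None:
            return action
        # 2. Application rule, own or inherited from the parent process.
        action = self.match_app_rule(conn)
        if action is not None:
            return action
        # 3. Trust group default; unknown applications are treated as
        #    High Restricted here (an assumption of this example).
        group = self.trust_groups.get(conn.app, "High Restricted")
        return TRUST_GROUP_DEFAULTS[group][conn.network]


if __name__ == "__main__":
    fw = Firewall(
        packet_rules=[PacketRule("tcp", 445, "in", BLOCK)],
        app_rules={"browser_x.exe": {PUBLIC: ALLOW, LOCAL: ALLOW, TRUSTED: ALLOW}},
        trust_groups={"browser_x.exe": "Trusted", "browser_y_setup.exe": "High Restricted"},
    )
    # The page's scenario: browser Y installer started from browser X.
    download = Connection("browser_y_setup.exe", "browser_x.exe", "tcp", 443, "out", PUBLIC)
    print(fw.decide(download))   # inherits browser X's rule
```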
Parameter Description
Packet rules: Table with a list of network packet rules. Network packet rules serve to impose restrictions on network packets, regardless of the application. Such rules restrict inbound and outbound network traffic through specific ports of the selected data protocol.
The table lists pre-configured network packet rules that are recommended by Kaspersky for optimum protection of the network traffic of computers that run on Microsoft Windows operating systems.
Firewall sets the execution priority of each network packet rule. Firewall processes network packet rules in the order in which they appear in the list of network packet rules, from top to bottom. Firewall locates the topmost network packet rule that is suitable for the network connection and applies it by either allowing or blocking network activity. Firewall then ignores all subsequent network packet rules for the specific network connection.
Network packet rules have a higher priority than network rules for applications.
Available networks: This table contains information about network connections that Firewall detects on the computer.
The Public network status is assigned to the Internet by default. You cannot change the status of the Internet.
The BadUSB Attack Prevention component prevents infected USB devices emulating a keyboard from connecting to the computer.
When a USB device is connected to the computer and identified as a keyboard by the operating system, the application prompts the user to enter a numerical code generated by the application from this keyboard or using On-Screen Keyboard if available (see the figure below). This procedure is known as keyboard authorization.
If the code has been entered correctly, the application saves the identification parameters – VID/PID of the keyboard and the number of the port to which it has been connected – in the list of authorized keyboards. Keyboard authorization does not need to be repeated when the keyboard is reconnected or after the operating system is restarted.
When the authorized keyboard is connected to a different USB port of the computer, the application shows a prompt for authorization of this keyboard again.
If the numerical code has been entered incorrectly, the application generates a new code. You can configure the number of attempts for entering the numerical code. If the numerical code is entered incorrectly several times or the keyboard authorization window is closed (see figure below), the application blocks input from this keyboard. When the USB device blocking time elapses or the operating system is restarted, the application prompts the user to perform keyboard authorization again.
The application allows use of an authorized keyboard and blocks a keyboard that has not been authorized.
The BadUSB Attack Prevention component is not installed by default. If you need the BadUSB Attack Prevention component, you can add the component in the properties of the installation package before installing the application or change the available application components after installing the application.
Keyboard authorization
Parameter Description
Prohibit use of On-Screen Keyboard for authorization of USB devices: If the check box is selected, the application blocks use of On-Screen Keyboard for authorization of a USB device from which an authorization code cannot be entered.
Maximum number of USB device authorization attempts: Automatically blocking the USB device if the authorization code is entered incorrectly the specified number of times. Valid values are 1 to 10. For example, if you allow 5 attempts to enter the authorization code, the USB device is blocked after the fifth failed attempt. Kaspersky Endpoint Security displays the blocking duration for the USB device. After this time elapses, you can have 5 attempts to enter the authorization code.
Timeout when reaching the maximum number of attempts: Blocking duration of the USB device after the specified number of failed attempts to enter the authorization code. Valid values are 1 to 180 (minutes).
AMSI Protection
AMSI Protection component is intended to support Antimalware Scan Interface from Microsoft. The Antimalware Scan Interface (AMSI) allows third-party applications with AMSI support to send objects (for example, PowerShell scripts) to Kaspersky Endpoint Security for an additional scan and then receive the results from scanning these objects. Third-party applications may include, for example, Microsoft Office applications (see the figure below). For details on AMSI, please refer to the Microsoft documentation.
AMSI Protection can only detect a threat and notify the third-party application about the detected threat. After receiving the notification of a threat, the third-party application itself prevents the malicious actions from being performed (for example, it terminates).
The AMSI Protection component may decline a request from a third-party application, for example, if this application exceeds the maximum number of requests within a specified interval. Kaspersky Endpoint Security sends information about a rejected request from a third-party application to the Administration Server. The AMSI Protection component does not deny requests from those third-party applications for which continuous integration with the AMSI Protection component is enabled.
AMSI Protection is available for the following operating systems for workstations and servers:
Windows 10 Home / Pro / Pro for Workstations / Education / Enterprise / Enterprise multi-session;
Windows Server 2022 Standard / Datacenter / Datacenter: Azure Edition (including Core Mode).
Parameter Description
Scan archives: Scanning ZIP, GZIP, BZIP, RAR, TAR, ARJ, CAB, LHA, JAR, ICE, and other archives. The application scans archives not only by extension, but also by format. When checking archives, the application performs a recursive unpacking. This allows detecting threats inside multi-level archives (archive within an archive).
Do not unpack large compound files: If this check box is selected, the application does not scan compound files if their size exceeds the specified value. If this check box is cleared, the application scans compound files of all sizes.
The application scans large files that are extracted from archives regardless of whether the check box is selected or not.
Exploit Prevention
The Exploit Prevention component detects program code that takes advantage of vulnerabilities on the computer to exploit administrator privileges or to perform malicious activities. For example, exploits can utilize a buffer overflow attack. To do so, the exploit sends a large amount of data to a vulnerable application. When processing this data, the vulnerable application executes malicious code. As a result of this attack, the exploit can start an unauthorized installation of malware. When there is an attempt to run an executable file from a vulnerable application that was not performed by the user, Kaspersky Endpoint Security blocks this file from running or notifies the user.
Parameter Description
On detecting exploit: Block operation. If this item is selected, on detecting an exploit, Kaspersky Endpoint Security blocks the operations of this exploit and makes a log entry with information about this exploit.
Inform. If this item is selected, when Kaspersky Endpoint Security detects an exploit it logs an entry containing information about the exploit and adds information about this exploit to the list of active threats.
Enable system process memory protection: If this toggle button is switched on, Kaspersky Endpoint Security blocks external processes that attempt to access system process memory.
Behavior Detection
The Behavior Detection component receives data on the actions of applications on your computer and provides
this information to other protection components to improve their performance. The Behavior Detection
component utilizes Behavior Stream Signatures (BSS) for applications. If application activity matches a behavior
stream signature, Kaspersky Endpoint Security performs the selected responsive action. Kaspersky Endpoint
Security functionality based on behavior stream signatures provides proactive defense for the computer.
Parameter Description
Action on malware activity detection: Delete file. If this option is selected, on detecting malicious activity Kaspersky Endpoint Security deletes the executable file of the malicious application and creates a backup copy of the file in Backup.
Block. If this option is selected, on detecting malicious activity Kaspersky Endpoint Security terminates this application.
Inform. If this option is selected and malicious activity of an application is detected, Kaspersky Endpoint Security does not terminate this application but adds information about the malicious activity of this application to the list of active threats.
Enable protection of shared folders against external encryption: If the toggle button is switched on, Kaspersky Endpoint Security analyzes activity in shared folders. If this activity matches a behavior stream signature that is typical for external encryption, Kaspersky Endpoint Security performs the selected action.
Kaspersky Endpoint Security prevents external encryption of only those files that are located on media that have the NTFS file system and are not encrypted by the EFS system.
Block connection for N min. If this option is selected, when Kaspersky Endpoint Security detects an attempt to modify files in shared folders, it blocks access to file modification (read only) for the session that initiated the malicious activity and creates backup copies of the modified files.
If the Remediation Engine component is enabled and the Block connection for N min option is selected, modified files are restored from backup copies.
Exclusions: List of computers from which attempts to encrypt shared folders will not be monitored.
The component controls the operation of applications by using application rights. Application rights include the following access parameters:
Access to operating system resources (for example, automatic startup options, registry keys)
Network activity of applications is controlled by the Firewall using network rules.
During the first startup of the application, the Host Intrusion Prevention component performs the following actions:
You are advised to participate in Kaspersky Security Network to help the Host Intrusion Prevention component work more effectively.
3. Places the application in one of the trust groups: Trusted, Low Restricted, High Restricted, Untrusted.
A trust group defines the rights that Kaspersky Endpoint Security refers to when controlling application activity. Kaspersky Endpoint Security places an application in a trust group depending on the level of danger that this application may pose to the computer.
Kaspersky Endpoint Security places an application in a trust group for the Firewall and Host Intrusion Prevention components. You cannot change the trust group only for the Firewall or Host Intrusion Prevention.
If you refused to participate in KSN or there is no network, Kaspersky Endpoint Security places the application in a trust group depending on the settings of the Host Intrusion Prevention component. After receiving the reputation of the application from KSN, the trust group can be changed automatically.
4. Blocks application actions depending on the trust group. For example, applications from the High Restricted trust group are denied access to the operating system modules.
The next time the application is started, Kaspersky Endpoint Security checks the integrity of the application. If the application is unchanged, the component uses the current application rights for it. If the application has been modified, Kaspersky Endpoint Security analyzes the application as if it were being started for the first time.
Parameter Description
Application rights: Table of applications that are monitored by the Host Intrusion Prevention component. Applications are assigned to trust groups. A trust group defines the rights that Kaspersky Endpoint Security refers to when controlling application activity.
You can select an application from a single list of all applications installed on computers under the influence of a policy and add the application to a trust group.
Application access rights are presented in the following tables:
Files and system registry. This table contains the rights of applications within a trust group to access operating system resources and personal data.
Rights. This table contains the rights of applications in a trust group to access processes and resources of the operating system.
Network rules. Table of network rules for applications that are part of a trust group. In accordance with these rules, Firewall regulates the network activity of applications. The table displays the predefined network rules that are recommended by Kaspersky experts. These network rules have been added to optimally protect the network traffic of computers running Windows operating systems. It is not possible to delete the predefined network rules.
Protected resources: The table contains categorized computer resources. The Host Intrusion Prevention component monitors attempts by other applications to access resources in the table. A resource can be a registry category, file or folder, or registry key.
Trust group for applications started before Kaspersky Endpoint Security: A trust group in which Kaspersky Endpoint Security will place applications that are started before Kaspersky Endpoint Security.
Update rules for previously unknown applications from KSN: If the check box is selected, the Host Intrusion Prevention component updates rights for previously unknown applications by using the Kaspersky Security Network database.
Trust digitally signed applications: If this check box is selected, the Host Intrusion Prevention component places the applications with the digital signature of trusted vendors in the Trusted group. Trusted vendors are those software vendors that are trusted by Kaspersky. You can also add a vendor certificate to the trusted certificate store manually.
If this check box is cleared, the Host Intrusion Prevention component does not consider such applications to be trusted, and uses other parameters to determine their trust group.
Delete rules for applications that have not been started for longer than N days (from 1 to 90): If the check box is selected, Kaspersky Endpoint Security automatically deletes information about the application (trust group and access rights) if the following conditions are met:
You manually put the application into a trust group or configured its access rights.
The application has not started within the defined period of time.
If the trust group and rights of an application were determined automatically, Kaspersky Endpoint Security deletes information about this application after 30 days. It is not possible to change the storage term for application information or turn off automatic deletion.
The next time you start this application, Kaspersky Endpoint Security analyzes the application as if it were starting for the first time.
Trust group for applications that could not be added to existing groups: Items in this drop-down list determine to which trust group Kaspersky Endpoint Security will assign an unknown application. You can choose one of the following items:
Low Restricted.
High Restricted.
Untrusted.
Remediation Engine
The Remediation Engine lets Kaspersky Endpoint Security roll back actions that have been performed by malware
in the operating system.
When rolling back malware activity in the operating system, Kaspersky Endpoint Security handles the following
types of malware activity:
File activity
Kaspersky Endpoint Security performs the following actions:
Deletes executable files that were created by malware (on all media except network drives).
Deletes executable files that were created by programs that have been infiltrated by malware.
Registry activity
Kaspersky Endpoint Security performs the following actions:
Does not restore registry keys that have been modified or deleted by malware.
System activity
Kaspersky Endpoint Security performs the following actions:
Network activity
Kaspersky Endpoint Security performs the following actions:
Blocks the network activity of processes that have been infiltrated by malware.
A rollback of malware actions can be started by the File Threat Protection or Behavior Detection component, or
during a malware scan.
Rolling back malware operations affects a strictly defined set of data. Rollback has no adverse effects on the
operating system or on the integrity of your computer data.
To protect your computer more effectively, Kaspersky Endpoint Security uses data that is received from users
around the globe. Kaspersky Security Network is designed for obtaining this data.
Kaspersky Security Network (KSN) is an infrastructure of cloud services providing access to the online Kaspersky
Knowledge Base that contains information about the reputation of files, web resources, and software. The use of
data from Kaspersky Security Network ensures faster responses by Kaspersky Endpoint Security to new threats,
improves the performance of some protection components, and reduces the likelihood of false positives. If you are
participating in Kaspersky Security Network, KSN services provide Kaspersky Endpoint Security with information
about the category and reputation of scanned files, as well as information about the reputation of scanned web
addresses.
Use of Kaspersky Security Network is voluntary. The application prompts you to use KSN during initial
configuration of the application. Users can begin or discontinue participation in KSN at any time.
For more detailed information about sending Kaspersky statistical information that is generated during
participation in KSN, and about the storage and destruction of such information, please refer to the Kaspersky
Security Network Statement and the Kaspersky website. The ksn_<language ID>.txt file with the text of the
Kaspersky Security Network Statement is included in the application distribution kit.
Kaspersky Endpoint Security supports the following infrastructure solutions for working with Kaspersky reputation
databases:
Kaspersky Security Network (KSN) is the solution that is used by most Kaspersky applications. KSN participants
receive information from Kaspersky and send Kaspersky information about objects detected on the user's
computer to be analyzed additionally by Kaspersky analysts and to be included in the reputation and statistical
databases.
Kaspersky Private Security Network (KPSN) is a solution that enables users of computers hosting Kaspersky
Endpoint Security or other Kaspersky applications to obtain access to Kaspersky reputation databases, and to
other statistical data without sending data to Kaspersky from their own computers. KPSN is designed for
corporate customers who are unable to participate in Kaspersky Security Network for any of the following
reasons:
Transmission of any data outside the country or outside the corporate LAN is prohibited by law or restricted
by corporate security policies.
By default, Kaspersky Security Center uses KSN. You can configure the use of KPSN in the Administration
Console (MMC), in the Kaspersky Security Center Web Console, and in the command line. It is not possible to
configure the use of KPSN in the Kaspersky Security Center Cloud Console.
For more details about KPSN, please refer to the documentation on Kaspersky Private Security Network.
Enable extended KSN mode: Extended KSN mode is a mode in which Kaspersky Endpoint Security sends additional
data to Kaspersky. Kaspersky Endpoint Security uses KSN to detect threats regardless of the toggle position.
Enable cloud mode: Cloud mode refers to the application operating mode in which Kaspersky Endpoint Security
uses a light version of anti-virus databases. Kaspersky Security Network supports the operation of the
application when light anti-virus databases are being used. The light version of anti-virus databases lets you
use approximately half of the computer RAM that would otherwise be used with the usual databases. If you do
not participate in Kaspersky Security Network or if cloud mode is disabled, Kaspersky Endpoint Security
downloads the full version of anti-virus databases from Kaspersky servers.
If the toggle button is switched on, Kaspersky Endpoint Security uses the light version of anti-virus databases,
which reduces the load on operating system resources.
If the toggle button is switched off, Kaspersky Endpoint Security uses the full version of anti-virus databases.
Computer status when KSN servers are unavailable (available only in the Kaspersky Security Center Console):
The items in this drop-down list determine the status of a computer in Kaspersky Security Center when KSN
servers are unavailable.
Use Administration Server as a KSN proxy server (available only in the Kaspersky Security Center Console): If
the check box is selected, Kaspersky Endpoint Security uses the KSN Proxy service. You can configure the KSN
Proxy service settings in the Administration Server properties.
Use Kaspersky Security Network servers if the KSN proxy server is unavailable (available only in the Kaspersky
Security Center Console): If the check box is selected, Kaspersky Endpoint Security uses KSN servers when the
KSN Proxy service is unavailable. KSN servers may be located both on the side of Kaspersky and on the side of
third parties (when Kaspersky Private Security Network is used).
991
Log Inspection
This component is available if Kaspersky Endpoint Security is installed on a computer that runs on Windows
for servers. This component is unavailable if Kaspersky Endpoint Security is installed on a computer that runs
on Windows for workstations.
Starting with version 11.11.0, Kaspersky Endpoint Security for Windows includes the Log Inspection component. Log
Inspection monitors the integrity of the protected environment based on the Windows event log analysis. When
the application detects signs of atypical behavior in the system, it informs the administrator, as this behavior may
indicate an attempted cyber attack.
Kaspersky Endpoint Security analyzes Windows event logs and detects violations in accordance with rules. The
component includes predefined rules. Predefined rules are powered by heuristic analysis. You can also add your
own rules (custom rules). When a rule triggers, the application creates an event with the Critical status (see figure
below).
If you want to use Log Inspection, make sure the security audit policy is configured and the system is logging
the relevant events (for details, see the Microsoft technical support website).
Predefined rules: List of Log Inspection rules. Predefined rules include templates of abnormal activity on the
protected computer. Abnormal activity can signify an attempted attack.
Custom rules: List of Log Inspection rules added by the user. You can set your own Log Inspection rule
triggering criteria. To do so, you must enter an event ID and select an event source. You can select an event
source from among the standard logs: Application, Security or System. You can also specify the log of a
third-party application.
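The following is an added example, not Kaspersky code, showing how the two kinds of Log Inspection rules described above can be expressed and run over event records: a custom rule is keyed by an event source and an event ID exactly as the settings require, while the "predefined" rule is a constructed heuristic (a burst of failed logons from one account) standing in for Kaspersky's own templates, which this page does not spell out. The sample events are constructed; the event IDs 4625 (failed logon), 4624 (successful logon) and 7045 (new service installed) are standard Windows IDs. Every trigger produces a Critical finding, as the text states.

```python
"""Added example (not Kaspersky code): a minimal Log Inspection-style rule matcher."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    source: str      # "Application", "Security", "System" or a third-party log name
    event_id: int
    user: str


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    Event("Security", 4625, "alice"),    # failed logon
    Event("Security", 4625, "alice"),
    Event("Security", 4625, "alice"),
    Event("Security", 4625, "alice"),
    Event("Security", 4625, "alice"),
    Event("Security", 4624, "alice"),    # successful logon
    Event("System", 7045, "SYSTEM"),     # new service installed
    Event("Application", 1000, "bob"),   # application error
]


def custom_rule(source, event_id, name):
    """A custom Log Inspection rule: triggers on every event whose source and ID match."""
    def check(events):
        return [f"Critical: {name} (source={e.source}, id={e.event_id}, user={e.user})"
                for e in events if e.source == source and e.event_id == event_id]
    return check


def failed_logon_burst(threshold=5):
    """Constructed heuristic standing in for a predefined rule: flags any account
    with at least `threshold` Security/4625 events in the analyzed batch."""
    def check(events):
        counts = Counter(e.user for e in events
                         if e.source == "Security" and e.event_id == 4625)
        return [f"Critical: {n} failed logons for account {u}"
                for u, n in counts.items() if n >= threshold]
    return check


def inspect(events, rules):
    """Run every rule over the event batch and collect the Critical findings."""
    findings = []
    for rule in rules:
        findings.extend(rule(events))
    return findings


RULES = [
    failed_logon_burst(),                                  # "predefined" (constructed) rule
    custom_rule("System", 7045, "New service installed"),  # custom rule: source + event ID
]

if __name__ == "__main__":
    for line in inspect(SAMPLE_EVENTS, RULES):
        print(line)
```

The custom rule only fires if the matching events are actually being written to the log, which is why the audit policy requirement above matters: a rule for Security/4625 detects nothing on a server where logon auditing is disabled.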
Web Control
Web Control manages users' access to web resources. This helps reduce traffic and inappropriate use of work
time. When a user tries to open a website that is restricted by Web Control, Kaspersky Endpoint Security will block
access or show a warning (see the figure below).
Kaspersky Endpoint Security monitors only HTTP and HTTPS traffic.
For HTTPS traffic monitoring, you need to enable encrypted connections scan.
Web Control lets you configure access to websites by using the following methods:
Website category. Websites are categorized according to the Kaspersky Security Network cloud service,
heuristic analysis, and the database of known websites (included in application databases). For example, you
can restrict user access to the Social networks category or to other categories.
Data type. You can restrict users' access to data on a website, and hide images, for example. Kaspersky
Endpoint Security determines the data type based on the file format and not based on its extension.
Kaspersky Endpoint Security does not scan files within archives. For example, if image files were placed in
an archive, Kaspersky Endpoint Security identifies the Archives data type and not Graphics.
You can simultaneously use multiple methods for regulating access to websites. For example, you can restrict
access to the "Office files" data type just for the Web-based email website category.
Web Control manages users' access to websites by using access rules. You can configure the following advanced
settings for a website access rule:
Rule schedule.
For example, you can restrict Internet access through a browser during working hours only.
Each rule has a priority. The higher a rule is on the list, the higher its priority. If a website has been added to multiple
rules, Web Control regulates access to the website based on the rule with the highest priority. For example,
Kaspersky Endpoint Security may identify a corporate portal as a social network. To restrict access to social
networks and provide access to the corporate web portal, create two rules: one block rule for the Social networks
website category and one allow rule for the corporate web portal. The access rule for the corporate web portal
must have a higher priority than the access rule for social networks.
Web Control messages
Rules of access to web resources: List containing web resource access rules. Each rule has a priority. The
higher a rule is on the list, the higher its priority. If a website has been added to multiple rules, Web Control
regulates access to the website based on the rule with the highest priority.
Default rule: The Default rule is a rule for accessing web resources that are not covered by any other rule. The
following options are available:
Allow all except the rules list, also known as denylist mode for prohibited websites.
Deny everything except the rules list, also known as allowlist mode for allowed websites.
Templates: Warning. The entry field consists of a template of the message that is displayed if a rule for
warning about attempts to access an unwanted web resource is triggered.
Message about blocking. The entry field contains the template of the message that appears if a rule which
blocks access to a web resource is triggered.
Message to administrator. Template of the message to be sent to the LAN administrator if the user considers
the block to be a mistake. After the user requests to provide access, Kaspersky Endpoint Security sends an
event to Kaspersky Security Center: Web page access blockage message to administrator. The event description
contains a message to administrator with substituted variables. You can view these events in the Kaspersky
Security Center console using the predefined event selection User requests. If your organization does not have
Kaspersky Security Center deployed or there is no connection to the Administration Server, the application will
send a message to administrator to the specified email address.
Log the opening of allowed pages: Kaspersky Endpoint Security logs data on visits to all websites, including
allowed websites. Kaspersky Endpoint Security sends events to Kaspersky Security Center, to the local log of
Kaspersky Endpoint Security, and to the Windows Event log. To monitor user Internet activity, you need to
configure the settings for saving events.
Browsers that support the monitoring function: Microsoft Edge, Microsoft Internet Explorer, Google Chrome,
Yandex Browser, Mozilla Firefox. User activity monitoring does not work in other browsers.
Monitoring user Internet activity may require more computer resources when decrypting HTTPS traffic.
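To make the priority and Default rule semantics concrete, here is an added example (not Kaspersky code) that evaluates an ordered list of Web Control access rules the way the text describes: the first matching rule from the top wins, rules can match on website category, data type, explicit address and a schedule, and anything no rule covers falls through to the Default rule in either denylist or allowlist mode. The category names, the sample hosts and their categories (including a corporate portal misclassified as a social network, the case the text uses) are constructed stand-ins for KSN categorization.

```python
"""Added example (not Kaspersky code): ordered Web Control rules with priority."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                                      # "allow", "block" or "warn"
    categories: set = field(default_factory=set)     # empty = any website category
    data_types: set = field(default_factory=set)     # empty = any data type
    urls: set = field(default_factory=set)           # explicit web addresses
    hours: Optional[range] = None                    # rule schedule; None = always active


# Constructed catalog standing in for Kaspersky Security Network categorization.
SITE_CATEGORY = {
    "social.example": "Social networks",
    "portal.corp.example": "Social networks",   # misclassified corporate portal
    "mail.example": "Web-based email",
    "news.example": "News",
}


def decide(host, data_type, hour, rules, default="allow_all_except"):
    """Return the action for a request. The first matching rule in list order wins
    (highest priority at the top); otherwise the Default rule decides."""
    category = SITE_CATEGORY.get(host, "Unknown")
    for rule in rules:
        if rule.urls and host not in rule.urls:
            continue
        if rule.categories and category not in rule.categories:
            continue
        if rule.data_types and data_type not in rule.data_types:
            continue
        if rule.hours is not None and hour not in rule.hours:
            continue
        return rule.action
    # Default rule: denylist mode allows the remainder, allowlist mode denies it.
    return "allow" if default == "allow_all_except" else "block"


# The allow rule for the portal sits above the category block rule, as the text requires.
RULES = [
    Rule("Corporate portal", "allow", urls={"portal.corp.example"}),
    Rule("Social networks", "block", categories={"Social networks"}),
    Rule("No office files in webmail", "block",
         categories={"Web-based email"}, data_types={"Office files"}),
    Rule("No news during working hours", "block", categories={"News"}, hours=range(9, 18)),
]

if __name__ == "__main__":
    for host, dtype, hour in [("portal.corp.example", "HTML", 12), ("social.example", "HTML", 12),
                              ("mail.example", "Office files", 12), ("news.example", "HTML", 20)]:
        print(host, dtype, hour, "->", decide(host, dtype, hour, RULES))
```

Swapping the first two rules reproduces the misconfiguration the text warns about: the category block then outranks the portal allow rule and the portal is blocked.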
Device Control
Device Control manages user access to devices that are installed on or connected to the computer (for example,
hard drives, cameras, or Wi-Fi modules). This lets you protect the computer from infection when such devices are
connected, and prevent loss or leaks of data.
Device type. For example, printers, removable drives, and CD/DVD drives.
You can configure device access as follows:
Allow – .
Block – .
Connection bus. A connection bus is an interface used for connecting devices to the computer (for example,
USB or FireWire). Therefore, you can restrict the connection of all devices, for example, over USB.
You can configure device access as follows:
Allow – .
Block – .
Trusted devices. Trusted devices are devices to which users that are specified in the trusted device settings
have full access at all times.
You can add trusted devices based on the following data:
Devices by ID. Each device has a unique identifier (Hardware ID, or HWID). You can view the ID in the device
properties by using operating system tools. Example device ID:
SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&354AE4D7&0&000000. Adding devices by ID is
convenient if you want to add several specific devices.
Devices by model. Each device has a vendor ID (VID) and a product ID (PID). You can view the IDs in the
device properties by using operating system tools. Template for entering the VID and PID:
VID_1234&PID_5678. Adding devices by model is convenient if you use devices of a certain model in your
organization. This way, you can add all devices of this model.
Devices by ID mask. If you are using multiple devices with similar IDs, you can add devices to the trusted list
by using masks. The * character replaces any set of characters. Kaspersky Endpoint Security does not
support the ? character when entering a mask. For example, WDC_C*.
Devices by model mask. If you are using multiple devices with similar VIDs or PIDs (for example, devices
from the same manufacturer), you can add devices to the trusted list by using masks. The * character
replaces any set of characters. Kaspersky Endpoint Security does not support the ? character when
entering a mask. For example, VID_05AC&PID_*.
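As an added example (not Kaspersky code), the following matches a connected device's hardware ID and VID/PID against a trusted-device list built from the four entry kinds just described. Only * is a wildcard; ? is treated as a literal character, as the text states. The first ID and the VID/PID template come from the page; the USB storage IDs and the masks are constructed.

```python
"""Added example (not Kaspersky code): trusted-device matching with Device Control masks."""
import re


def mask_to_regex(mask):
    """Translate a Device Control mask into a regex: `*` matches any run of characters,
    everything else, including `?`, is literal. Device IDs are matched case-insensitively."""
    parts = mask.split("*")
    return re.compile("^" + ".*".join(re.escape(p) for p in parts) + "$", re.IGNORECASE)


def normalize_model(model):
    """Canonical VID_xxxx&PID_yyyy form: strip whitespace, upper-case."""
    return "".join(model.split()).upper()


def matching_entry(hwid, vid_pid, trusted):
    """Return the first trusted-list entry that covers the device, or None.
    `trusted` is a list of (kind, value) with kind in {id, model, id_mask, model_mask}."""
    for kind, value in trusted:
        if kind == "id" and hwid.upper() == value.upper():
            return (kind, value)
        if kind == "model" and normalize_model(vid_pid) == normalize_model(value):
            return (kind, value)
        if kind == "id_mask" and mask_to_regex(value).match(hwid):
            return (kind, value)
        if kind == "model_mask" and mask_to_regex(normalize_model(value)).match(normalize_model(vid_pid)):
            return (kind, value)
    return None


def is_trusted(hwid, vid_pid, trusted):
    return matching_entry(hwid, vid_pid, trusted) is not None


TRUSTED = [
    ("id", r"SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&354AE4D7&0&000000"),  # from the page
    ("model", "VID_1234&PID_5678"),              # template from the page
    ("id_mask", r"USBSTOR\DISK&VEN_WDC_C*"),     # constructed mask
    ("model_mask", "VID_05AC&PID_*"),            # all products of one vendor
]

if __name__ == "__main__":
    # Constructed device pairs: (hardware ID, VID/PID).
    for hwid, vid_pid in [
        (r"SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&354AE4D7&0&000000", "VID_0000&PID_0000"),
        (r"USBSTOR\DISK&VEN_WDC_CORP&PROD_DISK\1234", "VID_1058&PID_0001"),
        (r"USB\VID_05AC&PID_12A8\ABC", "VID_05AC&PID_12A8"),
        (r"USB\VID_9999&PID_0000\XYZ", "VID_9999&PID_0000"),
    ]:
        print(hwid, "->", matching_entry(hwid, vid_pid, TRUSTED))
```

Because a model mask such as VID_05AC&PID_* trusts every product of that vendor, it is worth checking the effective scope of each mask against an inventory of connected devices before deploying it.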
Device Control regulates user access to devices by using access rules. Device Control also lets you save device
connection/disconnection events. To save events, you need to configure the registration of events in a policy.
If access to a device depends on the connection bus (the status), Kaspersky Endpoint Security does not
save device connection/disconnection events. To enable Kaspersky Endpoint Security to save device
connection/disconnection events, allow access to the corresponding type of device (the status) or add the
device to the trusted list.
When a device that is blocked by Device Control is connected to the computer, Kaspersky Endpoint Security will
block access and show a notification (see the figure below).
Device Control operating algorithm
Kaspersky Endpoint Security makes a decision on whether to allow access to a device after the user connects the
device to the computer (see the figure below).
If a device is connected and access is allowed, you can edit the access rule and block access. In this case, the next
time someone attempts to access the device (such as to view the folder tree, or perform read or write
operations), Kaspersky Endpoint Security blocks access. A device without a file system is blocked only the next
time that the device is connected.
If a user of the computer with Kaspersky Endpoint Security installed must request access to a device that the user
believes was blocked by mistake, send the user the request access instructions.
Allow request for temporary access (available only in the Kaspersky Security Center Console): If the check box
is selected, the Request access button is available through the local interface of Kaspersky Endpoint Security.
Using this button, the user can request temporary access to a blocked device.
Devices and Wi-Fi networks: This table contains all possible types of devices according to the classification of
the Device Control component, including their respective access statuses.
Connection buses: A list of all available connection buses according to the Device Control component's
classification, including their respective access statuses.
Trusted devices: List of trusted devices and users who are granted access to these devices.
Anti-Bridging: Anti-Bridging inhibits the creation of network bridges by preventing the simultaneous
establishment of multiple network connections for a computer. This lets you protect a corporate network from
attacks over unprotected, unauthorized networks.
Anti-Bridging blocks the establishment of multiple connections according to the priorities of devices. The
higher a device is on the list, the higher its priority.
If an active connection and a new connection are both of the same type (for example, Wi-Fi), Kaspersky
Endpoint Security blocks the active connection and allows establishment of the new connection.
If an active connection and a new connection are of different types (for example, a network adapter and Wi-Fi),
Kaspersky Endpoint Security blocks the connection with the lower priority and allows the connection with the
higher priority.
Anti-Bridging supports operation with the following types of devices: network adapter, Wi-Fi, and modem.
Message templates: Message about blocking. Template of the message that appears when a user attempts to
access a blocked device. This message also appears when a user attempts to perform an operation on the
device contents that was blocked for this user.
Message to administrator. A template of the message that is sent to the LAN administrator when the user
believes that access to the device is blocked or an operation with device content is forbidden by mistake. After
the user requests to provide access, Kaspersky Endpoint Security sends an event to Kaspersky Security Center:
Device access blockage message to administrator. The event description contains a message to administrator
with substituted variables. You can view these events in the Kaspersky Security Center console using the
predefined event selection User requests. If your organization does not have Kaspersky Security Center
deployed or there is no connection to the Administration Server, the application will send a message to
administrator to the specified email address.
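The Anti-Bridging decision rule from the table above, as an added example (not Kaspersky code): devices are listed in priority order with the highest first, a new connection of the same type as the active one replaces it, and connections of different types are resolved in favour of the higher-priority device. The interface names and the particular priority ordering of the three supported device types are constructed for the demonstration.

```python
"""Added example (not Kaspersky code): Anti-Bridging connection arbitration."""

# Constructed priority list (highest first) over the three device types the page names.
PRIORITY = ["network adapter", "Wi-Fi", "modem"]


def resolve(active, new, priority=PRIORITY):
    """active and new are (name, device_type) tuples; active may be None.
    Returns (connection allowed to stay up, connection blocked or None)."""
    if active is None:
        return new, None
    if active[1] == new[1]:
        # Same type: the active connection is blocked, the new one is allowed.
        return new, active
    if priority.index(active[1]) < priority.index(new[1]):
        # Different types: lower index = higher priority, so the active one wins.
        return active, new
    return new, active


def simulate(attempts, priority=PRIORITY):
    """Apply the rule to a sequence of connection attempts.
    Returns a list of (attempted, active afterwards, blocked) names."""
    active, log = None, []
    for attempt in attempts:
        active, blocked = resolve(active, attempt, priority)
        log.append((attempt[0], active[0], blocked[0] if blocked else None))
    return log


if __name__ == "__main__":
    # Constructed scenario: wired adapter up first, then two Wi-Fi attempts.
    for entry in simulate([("eth0", "network adapter"), ("wlan0", "Wi-Fi"), ("wlan1", "Wi-Fi")]):
        print(entry)
```

Only one connection is ever active after each step, which is the property that prevents a machine from bridging the corporate LAN to an unmanaged network.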
Application Control
Application Control manages the startup of applications on users' computers. This allows you to implement a
corporate security policy when using applications. Application Control also reduces the risk of computer infection
by restricting access to applications.
The administrator creates categories of applications that the administrator wants to manage. Categories of
applications are intended for all computers in the corporate network, regardless of administration groups. To
create a category, you can use the following criteria: KL category (for example, Browsers), file hash, application
vendor, and other criteria.
When a user attempts to start a prohibited application, Kaspersky Endpoint Security will block the application from
starting and will display a notification (see the figure below).
A test mode is provided to check the configuration of Application Control. In this mode, Kaspersky Endpoint
Security does the following:
Shows a notification about the startup of a prohibited application and adds information to the report on the
user's computer.
Sends data about the startup of prohibited applications to Kaspersky Security Center.
Denylist. In this mode, Application Control allows users to start all applications except for applications that are
prohibited in Application Control rules.
This mode of Application Control is enabled by default.
Allowlist. In this mode, Application Control blocks users from starting any applications except for applications
that are allowed and not prohibited in Application Control rules.
If the allow rules of Application Control are fully configured, the component blocks the startup of all new
applications that have not been verified by the LAN administrator, while allowing the operation of the operating
system and of trusted applications that users rely on in their work.
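An added example (not Kaspersky code) of the startup decision in the two modes just described, together with the test mode that reports a would-be block instead of enforcing it. Categories here are matched by SHA-256 of the executable image, one of the category criteria the page lists; the "executables" are constructed byte strings rather than real binaries, and the category names are illustrative.

```python
"""Added example (not Kaspersky code): Application Control startup decisions."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "block"
    hashes: frozenset      # SHA-256 hashes that make up the application category


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed executable images standing in for real files.
BROWSER = b"constructed browser image"
GAME = b"constructed game image"
TOOL = b"constructed unknown tool image"

RULES = [
    Rule("Browsers", "allow", frozenset({sha256(BROWSER)})),
    Rule("Games", "block", frozenset({sha256(GAME)})),
]


def decide(image: bytes, mode: str, action: str = "apply", rules=RULES):
    """mode: 'denylist' or 'allowlist'; action: 'apply' (enforce) or 'test' (log only).
    Returns (verdict, reason)."""
    h = sha256(image)
    blocked = any(r.action == "block" and h in r.hashes for r in rules)
    allowed = any(r.action == "allow" and h in r.hashes for r in rules)
    if mode == "denylist":
        verdict = "block" if blocked else "allow"          # everything starts unless prohibited
    else:
        verdict = "allow" if allowed and not blocked else "block"   # allowed and not prohibited
    if verdict == "block" and action == "test":
        # Test mode: the start is permitted, but the would-be block is recorded.
        return "allow", f"test mode: startup would be blocked (sha256 {h[:12]}...), logged only"
    return verdict, "matched rule" if (blocked or allowed) else "no rule matched"


if __name__ == "__main__":
    for name, image in [("browser", BROWSER), ("game", GAME), ("unknown tool", TOOL)]:
        print(name, "denylist:", decide(image, "denylist"), "allowlist:", decide(image, "allowlist"))
```

Running the allowlist configuration in test mode first surfaces every application users actually rely on that the allow rules do not yet cover, which is the point of checking the configuration before switching to Apply rules.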
You can read the recommendations on configuring Application Control rules in allowlist mode.
Application Control can be configured to operate in these modes both by using the Kaspersky Endpoint Security
local interface and by using Kaspersky Security Center.
However, Kaspersky Security Center offers tools that are not available in the Kaspersky Endpoint Security local
interface, such as the tools that are needed for the following tasks:
Receiving information about applications that are installed on corporate LAN computers.
This is why it is recommended to use Kaspersky Security Center to configure the operation of the Application
Control component.
Kaspersky Endpoint Security uses an algorithm to make a decision about starting an application (see the figure
below).
Application Control component settings
Action on starting applications blocked by rules: Apply rules. Kaspersky Endpoint Security manages the startup
of applications according to the selected mode.
Test rules. Kaspersky Endpoint Security allows the startup of an application that is blocked in the current
Application Control mode, but logs information about the application startup in the report.
Allowlist. If this option is selected, Application Control blocks all users from starting any applications, except in
cases that satisfy the conditions of Application Control allow rules.
When Allowlist mode is selected, two Application Control rules are automatically created:
Golden Image.
Trusted Updaters.
You cannot edit the settings of or delete automatically created rules. You can enable or disable these rules.
Control DLL modules load: If the check box is selected, Kaspersky Endpoint Security controls the loading of DLL
modules when users attempt to start applications. Information about the DLL module and the application that
loaded this DLL module is logged in the report.
When enabling control over the loading of DLL modules and drivers, make sure that one of the following rules is
enabled in the Application Control settings: the default Golden Image rule or another rule that contains the
"Trusted certificates" KL category and ensures that trusted DLL modules and drivers are loaded before
Kaspersky Endpoint Security is started. Enabling control of the loading of DLL modules and drivers when the
Golden Image rule is disabled may cause instability in the operating system.
Kaspersky Endpoint Security monitors only the DLL modules and drivers that have been loaded since the check
box was selected. After selecting the check box, it is recommended to restart the computer to ensure that the
application monitors all DLL modules and drivers, including those loaded before Kaspersky Endpoint Security
starts.
Templates of messages about application blocking: Message about blocking. Template of the message that is
displayed when an Application Control rule that blocks an application from starting is triggered.
Message to administrator. Template of the message that a user can send to the corporate LAN administrator if
the user believes that an application was blocked by mistake. After the user requests to provide access,
Kaspersky Endpoint Security sends an event to Kaspersky Security Center: Application startup blockage
message to administrator. The event description contains a message to administrator with substituted
variables. You can view these events in the Kaspersky Security Center console using the predefined event
selection User requests. If your organization does not have Kaspersky Security Center deployed or there is no
connection to the Administration Server, the application will send a message to administrator to the specified
email address.
This component is available if Kaspersky Endpoint Security is installed on a computer that runs on Windows
for workstations. This component is unavailable if Kaspersky Endpoint Security is installed on a computer that
runs on Windows for servers.
The Adaptive Anomaly Control component monitors and blocks actions that are not typical of the computers in a
company's network. Adaptive Anomaly Control uses a set of rules to track non-typical behavior (for example, the
Start of Microsoft PowerShell from office application rule). Rules are created by Kaspersky specialists based on
typical scenarios of malicious activity. You can configure how Adaptive Anomaly Control handles each rule and, for
example, allow the execution of PowerShell scripts that automate certain workflow tasks. Kaspersky Endpoint
Security updates the set of rules along with the application databases. Updates to the sets of rules must be
confirmed manually.
Adaptive Anomaly Control is configured in real time. Adaptive Anomaly Control is configured via the following
channels:
Adaptive Anomaly Control automatically starts to block the actions associated with the rules that were never
triggered in training mode.
Kaspersky Endpoint Security adds new rules or removes obsolete ones.
The administrator configures the operation of the Adaptive Anomaly Control after reviewing the rule triggering
report and the contents of the Triggering of rules in Smart Training state repository. It is recommended to
check the rule triggering report and the contents of the Triggering of rules in Smart Training state repository.
When a malicious application attempts to perform an action, Kaspersky Endpoint Security will block the action and
display a notification (see figure below).
Kaspersky Endpoint Security decides whether to allow or block an action that is associated with a rule based on
the following algorithm (see the figure below).
Adaptive Anomaly Control operating algorithm
Report on Adaptive Anomaly Control rules state (available only in the Kaspersky Security Center Console): This
report contains information about the status of Adaptive Anomaly Control detection rules (for example, Disabled
or Block). The report is generated for all administration groups.
Report on triggered Adaptive Anomaly Control rules (available only in the Kaspersky Security Center Console):
This report contains information about non-typical actions detected using Adaptive Anomaly Control. The report
is generated for all administration groups.
Rules: Adaptive Anomaly Control table of rules. Rules are created by Kaspersky specialists based on typical
scenarios of potentially malicious activity.
Templates: Message about blocking. Template of the message that is displayed to a user when an Adaptive
Anomaly Control rule that blocks a non-typical action is triggered.
Message to administrator. Template of the message that a user can send to the local corporate network
administrator if the user considers the blocking to be a mistake. After the user requests to provide access,
Kaspersky Endpoint Security sends an event to Kaspersky Security Center: Application activity blockage message
to administrator. The event description contains a message to administrator with substituted variables. You can
view these events in the Kaspersky Security Center console using the predefined event selection User requests.
If your organization does not have Kaspersky Security Center deployed or there is no connection to the
Administration Server, the application will send a message to administrator to the specified email address.
This component is available if Kaspersky Endpoint Security is installed on a computer that runs on Windows
for servers. This component is unavailable if Kaspersky Endpoint Security is installed on a computer that runs
on Windows for workstations.
File Integrity Monitor works only on servers with the NTFS or ReFS file system.
Starting with version 11.11.0, Kaspersky Endpoint Security for Windows includes the File Integrity Monitor
component. File Integrity Monitor detects changes to objects (files and folders) in a given monitoring area. These
changes may indicate a computer security breach. When object changes are detected, the application informs the
administrator.
To use File Integrity Monitor, you need to configure the component's scope, that is, select the objects whose state
the component should monitor.
You can view information about the results of File Integrity Monitor operation in Kaspersky Security Center and in
the interface of Kaspersky Endpoint Security for Windows.
Event severity level: Kaspersky Endpoint Security logs file modification events whenever a file in the monitoring
scope is modified. The following event severity levels are available: Informational, Warning, Critical.
Monitoring scope: List of files and folders that File Integrity Monitor monitors. Kaspersky Endpoint Security
supports environment variables and the * and ? characters when entering a mask. For example,
C:\Folder\Application\.
Exclusions: List of exclusions from the monitoring scope. Kaspersky Endpoint Security supports environment
variables and the * and ? characters when entering a mask. For example, C:\Folder\Application\*.log.
Exclusion entries have a higher priority than monitoring scope entries.
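To show what the scope and exclusion settings do in practice, here is an added example (not Kaspersky code) of a File Integrity Monitor-style baseline and change check: a folder entry covers everything beneath it, entries may use environment variables and the * and ? wildcards, an exclusion entry wins over a scope entry, and a second snapshot is compared against the baseline to report modified, created and deleted files. The files and their contents are created in a temporary directory for the demonstration; the sample scope mirrors the C:\Folder\Application\ and *.log examples above but under that temporary path.

```python
"""Added example (not Kaspersky code): scope/exclusion handling and baseline diffing."""
import fnmatch
import hashlib
import os
import tempfile
from pathlib import Path


def expand(entry):
    """Expand environment variables and normalize case the way the OS does."""
    return os.path.normcase(os.path.expandvars(entry))


def in_scope(path, scope, exclusions):
    """True if `path` is covered by a scope entry and not by any exclusion.
    Exclusions are checked first because they have higher priority."""
    p = os.path.normcase(str(path))
    if any(fnmatch.fnmatch(p, expand(x)) for x in exclusions):
        return False
    for entry in scope:
        entry = expand(entry)
        if entry.endswith(os.sep) and p.startswith(entry):   # bare folder: whole subtree
            return True
        if fnmatch.fnmatch(p, entry):                         # mask with * and ?
            return True
    return False


def snapshot(root, scope, exclusions):
    """Map of file path -> SHA-256 for every file inside the effective monitoring scope."""
    result = {}
    for f in Path(root).rglob("*"):
        if f.is_file() and in_scope(f, scope, exclusions):
            result[str(f)] = hashlib.sha256(f.read_bytes()).hexdigest()
    return result


def diff(before, after):
    """Return (modified, created, deleted) as sorted path lists."""
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    created = sorted(p for p in after if p not in before)
    deleted = sorted(p for p in before if p not in after)
    return modified, created, deleted


def demo():
    """Build a constructed tree, take a baseline, change it, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "Application"
        app.mkdir()
        (app / "config.ini").write_text("a=1")
        (app / "service.log").write_text("line 1")
        scope = [str(app) + os.sep]              # like C:\Folder\Application\
        exclusions = [str(app / "*.log")]        # like C:\Folder\Application\*.log
        baseline = snapshot(tmp, scope, exclusions)
        (app / "config.ini").write_text("a=2")            # modified: reported
        (app / "service.log").write_text("line 2")        # excluded: silent
        (app / "new.dll").write_bytes(b"constructed")     # created: reported
        return diff(baseline, snapshot(tmp, scope, exclusions))


if __name__ == "__main__":
    modified, created, deleted = demo()
    print("modified:", modified)
    print("created:", created)
    print("deleted:", deleted)
```

The log exclusion is what keeps a constantly rewritten file from flooding the report; the trade-off is that a change to an excluded file is never seen, so exclusions deserve the same review as the scope itself.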
Endpoint Sensor
You can manage the Endpoint Sensor in the Kaspersky Security Center Web Console and in the Kaspersky
Security Center Administration Console. It is not possible to manage Endpoint Sensor in the Kaspersky
Security Center Cloud Console.
Endpoint Sensor is designed to interact with Kaspersky Anti Targeted Attack Platform. Kaspersky Anti Targeted
Attack Platform is a solution designed for timely detection of sophisticated threats such as targeted attacks,
advanced persistent threats (APT), zero-day attacks, and others. Kaspersky Anti Targeted Attack Platform
includes two functional blocks: Kaspersky Anti Targeted Attack (hereinafter also referred to as "KATA") and
Kaspersky Endpoint Detection and Response (hereinafter also referred to as "EDR (KATA)"). You can purchase EDR
(KATA) separately. For details about the solution, please refer to the Kaspersky Anti Targeted Attack Platform
Help.
You can configure Endpoint Sensor settings in a policy provided that Kaspersky Endpoint Security version 11.0.0
to 11.3.0 is installed on the computer. For more information about configuring Endpoint Sensor settings using
the policy, refer to the help articles for the previous versions of Kaspersky Endpoint Security.
If Kaspersky Endpoint Security version 11.4.0 and later is installed on the computer, you cannot configure
Endpoint Sensor settings in the policy.
Endpoint Sensor is installed on client computers. On these computers, the component constantly monitors
processes, active network connections, and files that are modified. Endpoint Sensor relays information to the
KATA server.
Windows Server 2012 R2 Foundation / Standard / Enterprise (64-bit);
For detailed information on KATA operation, refer to the Kaspersky Anti Targeted Attack Platform Help.
Kaspersky Sandbox
Starting with version 11.7.0, Kaspersky Endpoint Security for Windows includes a built-in agent for integration with the Kaspersky Sandbox solution. The Kaspersky Sandbox solution detects and automatically blocks advanced threats on computers. Kaspersky Sandbox analyzes object behavior to detect malicious activity and activity characteristic of targeted attacks on the IT infrastructure of the organization. Kaspersky Sandbox analyzes and scans objects on special servers with deployed virtual images of Microsoft Windows operating systems (Kaspersky Sandbox servers). For details about the solution, refer to the Kaspersky Sandbox Help.
The component can be managed only using the Kaspersky Security Center Web Console. You cannot manage this component using the Administration Console (MMC).
Parameter Description
Server TLS certificate: To configure a trusted connection with Kaspersky Sandbox servers, you must prepare a TLS certificate. Next you must add the certificate to Kaspersky Sandbox servers and the Kaspersky Endpoint Security policy. For details on preparing the certificate and adding the certificate to servers, refer to the Kaspersky Sandbox Help.
Timeout: Connection timeout for Kaspersky Sandbox server. After the configured timeout elapses, Kaspersky Endpoint Security sends a request to the next server. You can increase the connection timeout for Kaspersky Sandbox if your connection speed is low or if the connection is unstable. The recommended request timeout is 0.5 seconds or less.
Kaspersky Sandbox request queue: Size of the request queue folder. When an object is accessed on the computer (an executable is launched or a document is opened, for example in DOCX or PDF format), Kaspersky Endpoint Security can also send the object to be scanned by Kaspersky Sandbox. If there are multiple requests, Kaspersky Endpoint Security creates a request queue. By default, the size of the request queue folder is limited to 100 MB. After the maximum size is reached, Kaspersky Sandbox stops adding new requests to the queue and sends the corresponding event to Kaspersky Security Center. You can configure the size of the request queue folder depending on your server configuration.
Kaspersky Sandbox servers: Kaspersky Sandbox server connection settings. The servers use deployed virtual images of Microsoft Windows operating systems to run objects that need to be scanned. You can enter an IP address (IPv4 or IPv6) or a fully qualified domain name.
Action on threat detection:
Move copy to Quarantine, delete object. If this option is selected, Kaspersky Endpoint Security deletes the malicious object found on the computer. Before deleting the object, Kaspersky Endpoint Security creates a backup copy in case the object needs to be restored later. Kaspersky Endpoint Security moves the backup copy to Quarantine.
Run scan of critical areas. If this option is selected, Kaspersky Endpoint Security runs the Critical Areas Scan task. By default, Kaspersky Endpoint Security scans the kernel memory, running processes, and disk boot sectors.
Create IOC scan task. If this option is selected, Kaspersky Endpoint Security automatically creates the IOC Scan task (autonomous IOC scan task). For this task, you can configure the run mode, scan scope, and action on IOC detection: delete object, run the Critical Areas Scan task. To modify other settings of the IOC Scan task, go to the task settings.
IOC scan scope:
Critical file areas. If this option is selected, Kaspersky Endpoint Security does an IOC scan only in critical file areas of the computer: kernel memory and boot sectors.
File areas on system drives of the computer. If this option is selected, Kaspersky Endpoint Security does an IOC scan on the system drive of the computer.
Run IOC scan task:
Manually. Run mode in which you can start the IOC scan task manually at a time of your choosing.
After threat is detected. Run mode in which Kaspersky Endpoint Security runs the IOC Scan task automatically whenever a threat is detected.
Run only when the computer is idle. Run mode in which Kaspersky Endpoint Security runs the IOC Scan task if the screensaver is active or the screen is locked. If the user unlocks the computer, Kaspersky Endpoint Security pauses the task. This means that the task can take several days to complete.
Parameter Description
MDR configuration file: The BLOB file contains the client ID and information about the license for Kaspersky Managed Detection and Response. The BLOB file is located inside the ZIP archive of the MDR configuration file. You can obtain the ZIP archive in the Kaspersky Managed Detection and Response Console. For detailed information about a BLOB file, please refer to the Kaspersky Managed Detection and Response Help.
Kaspersky Endpoint Detection and Response reviews and analyses threat development and provides security personnel or the Administrator with information about the potential attack that is necessary for a timely response.
Kaspersky Endpoint Detection and Response displays alert details in a separate window. Alert Details is a tool for viewing the entirety of collected information about a detected threat. Alert details include, for example, the history of files appearing on the computer. For details about managing alert details, refer to the Kaspersky Endpoint Detection and Response Optimum Help and the Kaspersky Endpoint Detection and Response Expert Help.
You can configure the EDR Optimum component in Web Console and Cloud Console. Component settings for EDR Expert are available only in Cloud Console.
Parameter Description
Network isolation: Automatic isolation of the computer from the network in response to detected threats. When network isolation is turned on, the application severs all active connections and blocks all new TCP/IP connections on the computer. The application leaves only the following connections active:
Connections listed in Network isolation exclusions.
Automatically unlock isolated computer in N hours: Network isolation can be turned off automatically after a specified time or manually. By default, Kaspersky Endpoint Security turns off Network isolation 5 hours after the start of the isolation.
Network isolation exclusions: List of rules for exclusions from network isolation. Network connections that match the rules are not blocked on computers when Network isolation is turned on.
To configure Network isolation exclusions, you can use a list of standard network profiles. By default, exclusions include network profiles containing rules that ensure uninterrupted operation of devices with the DNS/DHCP server and DNS/DHCP client roles. You can also modify the settings of standard network profiles or define exclusions manually.
Exclusions specified in policy properties are applied only if Network isolation is turned on automatically in response to a detected threat. Exclusions specified in computer properties are applied only if Network isolation is turned on manually in computer properties in the Kaspersky Security Center console or in alert details.
Execution prevention: Control the execution of executable files and scripts and the opening of office format files. For example, you can prevent the execution of applications that are considered insecure on the selected computer. Execution prevention supports a set of office file extensions and a set of script interpreters.
To use the Execution prevention component, you need to add execution prevention rules. An execution prevention rule is a set of criteria that the application takes into account when reacting to an object execution, for example when blocking object execution. The application identifies files by their paths or by checksums calculated using the MD5 and SHA256 hashing algorithms.
Action on execution or opening of forbidden object:
Block and write to report. In this mode, the application blocks the execution of objects or opening of documents that match prevention rule criteria. The application also publishes an event about attempts to execute objects or open documents to the Windows event log and Kaspersky Security Center event log.
Log events only. In this mode, Kaspersky Endpoint Security publishes an event about attempts to run executable objects or open documents that match prevention rule criteria to the Windows event log and Kaspersky Security Center, but does not block the attempt to run or open the object or document. This mode is selected by default.
Cloud Sandbox: Cloud Sandbox is a technology that lets you detect advanced threats on a computer. Kaspersky Endpoint Security automatically forwards detected files to Cloud Sandbox for analysis. Cloud Sandbox runs these files in an isolated environment to identify malicious activity and decides on their reputation. Data on these files is then sent to Kaspersky Security Network. Therefore, if Cloud Sandbox has detected a malicious file, Kaspersky Endpoint Security will perform the appropriate action to eliminate this threat on all computers where this file is detected.
If this check box is selected, Kaspersky Endpoint Security will enable the counter for threats detected using Cloud Sandbox in the main application window under Threat detection technologies. Kaspersky Endpoint Security will also indicate the Cloud Sandbox threat detection technology in application events and in the Report on threats in the Kaspersky Security Center console.
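An added Python illustration (not the product's code) of how an execution prevention rule set and the two response modes from the table above interact: rules identify an object by path or by MD5/SHA256 checksum, Log events only publishes an event without blocking, and Block and write to report both blocks and publishes. The rules, path and object content are constructed; case-insensitive path comparison is an assumption. A checksum rule still matches a renamed copy of the object, a path rule does not.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Response modes from the policy reference; "Log events only" is the default.
MODE_BLOCK_AND_REPORT = "block_and_report"
MODE_LOG_ONLY = "log_only"


@dataclass
class PreventionRule:
    """One execution prevention rule. An object is identified by its path or by
    its MD5 or SHA256 checksum; any populated criterion that matches triggers it."""
    name: str
    path: Optional[str] = None
    md5: Optional[str] = None
    sha256: Optional[str] = None


def file_checksums(data: bytes):
    """MD5 and SHA256 hex digests of the object's content."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def rule_matches(rule: PreventionRule, path: str, md5: str, sha256: str) -> bool:
    # Path comparison is case-insensitive (assumption, matching NTFS behaviour).
    if rule.path is not None and rule.path.lower() == path.lower():
        return True
    if rule.md5 is not None and rule.md5.lower() == md5:
        return True
    if rule.sha256 is not None and rule.sha256.lower() == sha256:
        return True
    return False


def evaluate_execution(rules, path: str, data: bytes, mode: str = MODE_LOG_ONLY) -> dict:
    """Decide whether an execute/open attempt is allowed and build the event that
    would be published to the Windows event log and Kaspersky Security Center.

    Returns {"allowed": bool, "matched": [rule names], "event": dict or None}.
    """
    md5, sha256 = file_checksums(data)
    matched = [r.name for r in rules if rule_matches(r, path, md5, sha256)]
    if not matched:
        return {"allowed": True, "matched": [], "event": None}
    blocked = mode == MODE_BLOCK_AND_REPORT
    event = {
        "event": "execution_blocked" if blocked else "execution_attempt",
        "path": path,
        "md5": md5,
        "sha256": sha256,
        "rules": matched,
        # Both modes publish the event; only block mode denies the attempt.
        "published_to": ["Windows event log", "Kaspersky Security Center event log"],
    }
    return {"allowed": not blocked, "matched": matched, "event": event}


# Constructed sample object and rules (not real indicators).
SAMPLE_OBJECT = b"constructed sample executable content"
SAMPLE_PATH = r"C:\Users\Public\tool.exe"
SAMPLE_RULES = [
    PreventionRule(name="by-path", path=r"C:\Users\Public\tool.exe"),
    PreventionRule(name="by-sha256", sha256=hashlib.sha256(SAMPLE_OBJECT).hexdigest()),
]

if __name__ == "__main__":
    for mode in (MODE_LOG_ONLY, MODE_BLOCK_AND_REPORT):
        print(mode, evaluate_execution(SAMPLE_RULES, SAMPLE_PATH, SAMPLE_OBJECT, mode))
```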
Kaspersky Endpoint Security is installed on individual computers on the corporate IT infrastructure and continuously monitors processes, open network connections, and files being modified. Information about events on the computer (telemetry data) is sent to the Kaspersky Anti Targeted Attack Platform server. In this case, Kaspersky Endpoint Security also sends information to the Kaspersky Anti Targeted Attack Platform server about threats discovered by the application as well as information about processing results for these threats.
The EDR (KATA) integration is configured in the Kaspersky Security Center console. The built-in agent is then managed using the Kaspersky Anti Targeted Attack Platform console, including running tasks, managing quarantined objects, viewing reports, and other actions.
Parameter Description
Settings for connecting to KATA servers:
Timeout. Maximum Central Node server response timeout. When the timeout runs out, Kaspersky Endpoint Security tries to connect to a different Central Node server.
Server TLS certificate. TLS certificate for establishing a trusted connection with the Central Node server. You can get a TLS certificate in the Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack Platform Help).
Use two-way authentication. Two-way authentication when establishing a secure connection between Kaspersky Endpoint Security and Central Node. To use two-way authentication, you need to enable two-way authentication in the Central Node settings, then get a crypto-container and set a password to protect the crypto-container. A crypto-container is a PFX archive with a certificate and a private key. You can get a crypto-container in the Kaspersky Anti Targeted Attack Platform console (see instructions in the Kaspersky Anti Targeted Attack Platform Help). After configuring the Central Node settings, you also need to enable two-way authentication in Kaspersky Endpoint Security settings and load a password-protected crypto-container.
KATA servers: Central Node server connection settings. You can enter an IP address (IPv4 or IPv6).
Send sync request to KATA server every (min): Frequency of synchronization requests sent to the Central Node server. During synchronization, Kaspersky Endpoint Security sends information about modified application settings and tasks.
Send telemetry to KATA: This functionality lets you completely turn off the sending of telemetry to the server. If you are using Kaspersky Anti Targeted Attack Platform together with another solution which also uses telemetry, you can turn off telemetry for KATA (EDR). This lets you optimize server load for these solutions. For example, if you have the Managed Detection and Response solution and KATA (EDR) deployed, you can use MDR telemetry and create Threat Response tasks in KATA (EDR).
Maximum events transmission delay (sec): The application synchronizes with the server to send events after the synchronization interval expires. The default setting is 30 seconds.
Enable request throttling: This feature helps optimize the load on the server. If the check box is selected, the application restricts the transmitted events. If the number of events exceeds the configured limits, Kaspersky Endpoint Security stops sending events.
Maximum number of events per hour: The application analyzes the telemetry data stream and restricts the sending of events if the event stream exceeds the configured events-per-hour limit. Kaspersky Endpoint Security resumes sending events after an hour. The default setting is 3000 events per hour.
Percentage of event limit excess: The application sorts events by type (for example, "changes in the registry" events) and restricts transmission of events if the ratio of events of the same type to the total number of events exceeds the configured limit in percent. Kaspersky Endpoint Security resumes sending events when the ratio of other events to the total number of events becomes big enough again. The default setting is 15%.
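A Python simulation (added here, not Kaspersky's implementation) of the request throttling settings above: an events-per-hour cap that lifts after an hour, and a per-type share limit that restricts one event type while it exceeds the configured percentage and resumes once other types dilute it. The window handling, measuring the share over all observed events, and the min_sample guard are assumptions; the event stream is constructed.

```python
from collections import defaultdict

HOUR = 3600


class TelemetryThrottler:
    """Simulates the EDR (KATA) request throttling settings.

    Assumptions not stated in the reference: counters are kept per one-hour window
    starting at the first event seen in that window; the per-type share is measured
    over all events observed in the window (sent or dropped), so a burst of one type
    stays restricted until other types dilute it; and the share check only applies
    once min_sample events were observed, otherwise the first event would exceed any limit.
    """

    def __init__(self, enabled=True, max_events_per_hour=3000,
                 type_limit_percent=15, min_sample=100):
        self.enabled = enabled
        self.max_events_per_hour = max_events_per_hour
        self.type_limit_percent = type_limit_percent
        self.min_sample = min_sample
        # Cumulative statistics across all windows.
        self.sent = 0
        self.dropped_hourly = 0
        self.dropped_by_type = 0
        self._reset_window(None)

    def _reset_window(self, ts):
        self.window_start = ts
        self.observed = 0                    # events seen in the current window
        self.by_type = defaultdict(int)      # per-type counts in the current window

    def submit(self, event_type: str, ts: float) -> bool:
        """Offer one event at time ts (seconds). Returns True if it would be sent."""
        if not self.enabled:
            return True                      # throttling off: every event is sent
        if self.window_start is None or ts - self.window_start >= HOUR:
            self._reset_window(ts)           # sending resumes after an hour
        self.observed += 1
        self.by_type[event_type] += 1
        # Rule 1: events-per-hour limit on the whole stream.
        if self.observed > self.max_events_per_hour:
            self.dropped_hourly += 1
            return False
        # Rule 2: share of one event type in the stream.
        if self.observed >= self.min_sample:
            share = 100.0 * self.by_type[event_type] / self.observed
            if share > self.type_limit_percent:
                self.dropped_by_type += 1
                return False
        self.sent += 1
        return True


def run_stream(events, **settings):
    """Feed (ts, type) pairs through a throttler; return the decisions and the throttler."""
    throttler = TelemetryThrottler(**settings)
    decisions = [throttler.submit(kind, ts) for ts, kind in events]
    return decisions, throttler


# Constructed sample stream: a registry-change burst inside a small mixed stream,
# followed by one event in the next hour.
SAMPLE_EVENTS = [
    (0, "process_start"), (1, "registry_change"), (2, "process_start"),
    (3, "registry_change"), (4, "process_start"), (5, "registry_change"),
    (6, "network_connection"),
    (HOUR, "network_connection"),
]

if __name__ == "__main__":
    decisions, t = run_stream(SAMPLE_EVENTS, max_events_per_hour=5,
                              type_limit_percent=50, min_sample=4)
    print(decisions, "sent:", t.sent, "dropped by hourly cap:", t.dropped_hourly,
          "dropped by type share:", t.dropped_by_type)
```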
After the system hard drives have been encrypted, at the next computer startup the user must complete authentication using the Authentication Agent before the hard drives can be accessed and the operating system is loaded. This requires entering the password of the token or smart card connected to the computer, or the user name and password of the Authentication Agent account created by the local area network administrator using the Manage Authentication Agent accounts task. These accounts are based on Microsoft Windows accounts under which users log into the operating system. You can also use Single Sign-On (SSO) technology, which lets you automatically log in to the operating system using the user name and password of the Authentication Agent account.
Enter the name and password of the Authentication Agent account created by the LAN administrator using Kaspersky Security Center tools.
Use of a token or smart card is available only if the computer hard drives were encrypted using the AES256 encryption algorithm. If the computer hard drives were encrypted using the AES56 encryption algorithm, addition of the electronic certificate file to the command will be denied.
BitLocker is an encryption technology built into Windows operating systems. Kaspersky Endpoint Security allows you to control and manage BitLocker using Kaspersky Security Center. BitLocker encrypts logical volumes. BitLocker cannot be used for encryption of removable drives. For more details on BitLocker, refer to the Microsoft documentation.
BitLocker provides secure storage of access keys using a trusted platform module. A Trusted Platform Module (TPM) is a microchip developed to provide basic functions related to security (for example, to store encryption keys). A Trusted Platform Module is usually installed on the computer motherboard and interacts with all other system components via the hardware bus. Using TPM is the safest way to store BitLocker access keys, since TPM provides pre-startup system integrity verification. You can still encrypt drives on a computer without a TPM. In this case, the access key will be encrypted with a password. BitLocker uses the following authentication methods:
TPM.
Password.
After encrypting a drive, BitLocker creates a master key. Kaspersky Endpoint Security sends the master key to Kaspersky Security Center so that you can restore access to the disk, for example, if a user has forgotten the password.
If a user encrypts a disk using BitLocker, Kaspersky Endpoint Security will send information about disk encryption to Kaspersky Security Center. However, Kaspersky Endpoint Security will not send the master key to Kaspersky Security Center, so it will be impossible to restore access to the disk using Kaspersky Security Center. For BitLocker to work correctly with Kaspersky Security Center, decrypt the drive and re-encrypt the drive using a policy. You can decrypt a drive locally or using a policy.
After encrypting the system hard drive, the user needs to go through BitLocker authentication to boot the operating system. After the authentication procedure, BitLocker allows users to log in. BitLocker does not support single sign-on technology (SSO).
If you are using Windows group policies, turn off BitLocker management in the policy settings. Windows policy settings may conflict with Kaspersky Endpoint Security policy settings. When encrypting a drive, errors may occur.
Parameter Description
Encryption mode:
Encrypt all hard drives. If this item is selected, the application encrypts all hard drives when the policy is applied.
If the computer has several operating systems installed, after encryption you will be able to load only the operating system that has the application installed.
Decrypt all hard drives. If this item is selected, the application decrypts all previously encrypted hard drives when the policy is applied.
Leave unchanged. If this item is selected, the application leaves drives in their previous state when the policy is applied. If the drive was encrypted, it remains encrypted. If the drive was decrypted, it remains decrypted. This item is selected by default.
During encryption, automatically create Authentication Agent accounts for Windows users: If this check box is selected, the application creates Authentication Agent accounts based on the list of Windows user accounts on the computer. By default, Kaspersky Endpoint Security uses all local and domain accounts with which the user logged in to the operating system over the past 30 days.
Authentication Agent account creation settings:
All accounts on the computer. All accounts on the computer that have been active at any time.
All domain accounts on the computer. All accounts on the computer that belong to some domain and that have been active at any time.
All local accounts on the computer. All local accounts on the computer that have been active at any time.
Service account with a one-time password. The service account is necessary to gain access to the computer, for example, when the user forgets the password. You can also use the service account as a reserve account. You must enter the name of the account (by default, ServiceAccount). Kaspersky Endpoint Security creates a password automatically. You can find the password in the Kaspersky Security Center console.
Local administrator. Kaspersky Endpoint Security creates an Authentication Agent user account for the local administrator of the computer.
Computer manager. Kaspersky Endpoint Security creates an Authentication Agent user account for the account of the computer manager. You can see which account has the computer manager role in computer properties in Active Directory. By default, the computer manager role is not defined, that is, it does not correspond to any account.
Active account. Kaspersky Endpoint Security automatically creates an Authentication Agent account for the account that is active at the time of disk encryption.
Automatically create Authentication Agent accounts for all users of this computer upon sign-in: If this check box is selected, the application checks information about Windows user accounts on the computer before starting Authentication Agent. If Kaspersky Endpoint Security detects a Windows user account that has no Authentication Agent account, the application will create a new account for accessing encrypted drives. The new Authentication Agent account will have the following default settings: password-protected sign-on only, and password change on first authentication. Therefore, you do not need to manually add Authentication Agent accounts using the Manage Authentication Agent accounts task for computers with already encrypted drives.
Save user name entered in Authentication Agent: If the check box is selected, the application saves the name of the Authentication Agent account. You will not be required to enter the account name the next time you attempt to complete authorization in the Authentication Agent under the same account.
Encrypt used disk space only (reduces encryption time): This check box enables / disables the option that limits the encryption area to only occupied hard drive sectors. This limit lets you reduce encryption time.
Enabling or disabling the Encrypt used disk space only (reduces encryption time) feature after starting encryption does not modify this setting until the hard drives are decrypted. You must select or clear the check box before starting encryption.
If the check box is selected, only portions of the hard drive that are occupied by files are encrypted. Kaspersky Endpoint Security automatically encrypts new data as it is added.
If the check box is cleared, the entire hard drive is encrypted, including residual fragments of previously deleted and modified files.
This option is recommended for new hard drives whose data has not been modified or deleted. If you are applying encryption on a hard drive that is already in use, it is recommended to encrypt the entire hard drive. This ensures protection of all data, even deleted data that is potentially recoverable.
Use Legacy USB Support (not recommended): This check box enables/disables the Legacy USB Support function. Legacy USB Support is a BIOS/UEFI function that allows you to use USB devices (such as a security token) during the computer's boot phase before starting the operating system (BIOS mode). Legacy USB Support does not affect support for USB devices after the operating system is started.
If the check box is selected, support for USB devices during initial startup of the computer will be enabled.
When the Legacy USB Support function is enabled, the Authentication Agent in BIOS mode does not support working with tokens via USB. It is recommended to use this option only when there is a hardware compatibility issue and only for those computers on which the problem occurred.
Password settings: Authentication Agent account password strength settings. When using Single Sign-On technology, the Authentication Agent ignores the password strength requirements specified in Kaspersky Security Center. You can set the password strength requirements in the operating system settings.
Use Single Sign-On (SSO) technology: SSO technology makes it possible to use the same account credentials to access encrypted hard drives and to sign in to the operating system.
If the check box is selected, you must enter the account credentials for accessing encrypted hard drives and then automatically logging in to the operating system.
If the check box is cleared, to access encrypted hard drives and subsequently log into the operating system you must separately enter the credentials for accessing encrypted hard drives and the operating system user account credentials.
Wrap third-party credential providers: Kaspersky Endpoint Security supports the third-party credential provider ADSelfService Plus.
When working with third-party credential providers, Authentication Agent intercepts the password before the operating system is loaded. This means that a user needs to enter a password only once when signing in to Windows. After signing in to Windows, the user can utilize the capabilities of a third-party credential provider for authentication in corporate services, for example. Third-party credential providers also allow users to independently reset their own password. In this case, Kaspersky Endpoint Security will automatically update the password for Authentication Agent.
If you are using a third-party credential provider that is not supported by the application, you may encounter some limitations in Single Sign-On technology operation.
Help:
Authentication. Help text that appears in the Authentication Agent window when entering account credentials.
Change password. Help text that appears in the Authentication Agent window when changing the password for the Authentication Agent account.
Recover password. Help text that appears in the Authentication Agent window when recovering the password for the Authentication Agent account.
Parameter Description
Encryption mode:
Encrypt all hard drives. If this item is selected, the application encrypts all hard drives when the policy is applied.
If the computer has several operating systems installed, after encryption you will be able to load only the operating system that has the application installed.
Decrypt all hard drives. If this item is selected, the application decrypts all previously encrypted hard drives when the policy is applied.
Leave unchanged. If this item is selected, the application leaves drives in their previous state when the policy is applied. If the drive was encrypted, it remains encrypted. If the drive was decrypted, it remains decrypted. This item is selected by default.
Enable use of BitLocker authentication requiring pre-boot keyboard input on tablets: This check box enables / disables the use of authentication requiring data input in a preboot environment, even if the platform does not have the capability for preboot input (for example, with touchscreen keyboards on tablets).
The touchscreen of tablet computers is not available in the preboot environment. To complete BitLocker authentication on tablet computers, the user must connect a USB keyboard, for example.
If the check box is selected, use of authentication requiring preboot input is allowed. It is recommended to use this setting only for devices that have alternative data input tools in a preboot environment, such as a USB keyboard in addition to touchscreen keyboards.
If the check box is cleared, BitLocker Drive Encryption is not possible on tablets.
Use hardware encryption (Windows 8 and later versions): If the check box is selected, the application applies hardware encryption. This lets you increase the speed of encryption and use less computer resources.
Encrypt used disk space only (Windows 8 and later versions): This check box enables / disables the option that limits the encryption area to only occupied hard drive sectors. This limit lets you reduce encryption time.
Enabling or disabling the Encrypt used disk space only (reduces encryption time) feature after starting encryption does not modify this setting until the hard drives are decrypted. You must select or clear the check box before starting encryption.
If the check box is selected, only portions of the hard drive that are occupied by files are encrypted. Kaspersky Endpoint Security automatically encrypts new data as it is added.
If the check box is cleared, the entire hard drive is encrypted, including residual fragments of previously deleted and modified files.
This option is recommended for new hard drives whose data has not been modified or deleted. If you are applying encryption on a hard drive that is already in use, it is recommended to encrypt the entire hard drive. This ensures protection of all data, even deleted data that is potentially recoverable.
For computers running Windows 7 or Windows Server 2008 R2, only encryption using a TPM module is available. If a TPM module is not installed, BitLocker encryption is not possible. Use of a password on these computers is not supported.
A device equipped with a Trusted Platform Module can create encryption keys that can be decrypted only with the device. A Trusted Platform Module encrypts encryption keys with its own root storage key. The root storage key is stored within the Trusted Platform Module. This provides an additional level of protection against attempts to hack encryption keys.
This action is selected by default.
You can set an additional layer of protection for access to the encryption key, and encrypt the key with a password or a PIN:
Use PIN for TPM. If this check box is selected, a user can use a PIN code to obtain access to an encryption key that is stored in a Trusted Platform Module (TPM).
If this check box is cleared, users are prohibited from using PIN codes. To access the encryption key, a user must enter the password.
Use enhanced PIN (letters and numbers). Enhanced PIN allows using other characters in addition to numerical characters: uppercase and lowercase Latin letters, special characters, and spaces.
This component is available if Kaspersky Endpoint Security is installed on a computer that runs on Windows for workstations. This component is unavailable if Kaspersky Endpoint Security is installed on a computer that runs on Windows for servers.
Kaspersky Endpoint Security encrypts / decrypts files in predefined folders only for local user profiles of the operating system. Kaspersky Endpoint Security does not encrypt or decrypt files in predefined folders of roaming user profiles, mandatory user profiles, temporary user profiles, or redirected folders.
Kaspersky Endpoint Security does not encrypt files whose modification could harm the operating system and installed applications. For example, the following files and folders with all nested folders are on the list of encryption exclusions:
%WINDIR%;
The list of encryption exclusions cannot be viewed or edited. While files and folders on the list of encryption exclusions can be added to the encryption list, they will not be encrypted during file encryption.
Parameter Description
Encryption mode:
Leave unchanged. If this item is selected, Kaspersky Endpoint Security leaves the files and folders unchanged without encrypting or decrypting them.
According to rules. If this item is selected, Kaspersky Endpoint Security encrypts the files and folders according to encryption rules, decrypts the files and folders according to decryption rules, and regulates the access of applications to encrypted files according to application rules.
Decrypt all. If this item is selected, Kaspersky Endpoint Security decrypts all encrypted files and folders.
Encryption: This tab shows encryption rules for files stored on local drives. You can add files as follows:
Predefined folders. Kaspersky Endpoint Security allows you to add the following areas:
Documents. Files in the standard Documents folder of the operating system, and its subfolders.
Favorites. Files in the standard Favorites folder of the operating system, and its subfolders.
Desktop. Files in the standard Desktop folder of the operating system, and its subfolders.
Temporary files. Temporary files related to the operation of applications installed on the computer. For example, Microsoft Office applications create temporary files containing backup copies of documents.
Outlook files. Files related to the operation of the Outlook mail client: data files (PST), offline data files (OST), offline address book files (OAB), and personal address book files (PAB).
Custom folder. You can type the path to the folder. When adding a folder path, adhere to the following rules:
Use an environment variable (for example, %FOLDER%\UserFolder\). You can use an environment variable only once and only at the beginning of the path.
Do not use relative paths.
Do not use the * and ? characters.
Do not use UNC paths.
Use ; or , as a separator character.
Files by extension. You can select extension groups from the list, such as the extension group Archives. You can also manually add the file extension.
Decryption: This tab shows decryption rules for files stored on local drives.
Rules for applications: The tab displays a table containing encrypted file access rules for applications and encryption rules for files that are created or modified by individual applications.
Encryption of removable drives
This component is available if Kaspersky Endpoint Security is installed on a computer that runs on Windows
for workstations. This component is unavailable if Kaspersky Endpoint Security is installed on a computer that
runs on Windows for servers.
Kaspersky Endpoint Security supports encryption of files in FAT32 and NTFS file systems. If a removable drive with an unsupported file system is connected to the computer, the encryption task for this removable drive ends with an error and Kaspersky Endpoint Security assigns the read-only status to the removable drive.
To protect data on removable drives, you can use the following types of encryption:
It is not possible to access encrypted data outside the corporate network. It is also impossible to access encrypted data inside the corporate network if the computer is not connected to Kaspersky Security Center (e.g. on a guest computer).
Encryption of files on removable drives provides the capability to access data outside the corporate network using a special mode called portable mode.
During encryption, Kaspersky Endpoint Security creates a master key. Kaspersky Endpoint Security saves the
master key in the following repositories:
User's computer.
The master key is encrypted with the user's secret key.
Removable drive.
The master key is encrypted with the public key of Kaspersky Security Center.
After encryption is complete, the data on the removable drive can be accessed within the corporate network as if it was on an ordinary unencrypted removable drive.
When a removable drive with encrypted data is connected, Kaspersky Endpoint Security performs the following
actions:
1. Checks for a master key in the local storage on the user's computer.
If the master key is found, the user gains access to the data on the removable drive.
If the master key is not found, Kaspersky Endpoint Security performs the following actions:
b. Kaspersky Endpoint Security saves the master key in the local storage on the user's computer for subsequent operations with the encrypted removable drive.
The policy with preset settings for removable drive encryption is formed for a specific group of managed computers. Therefore, the result of applying the Kaspersky Security Center policy configured for encryption / decryption of removable drives depends on the computer to which the removable drive is connected.
Kaspersky Endpoint Security does not encrypt / decrypt read-only files that are stored on removable drives.
Encryption mode
Encrypt entire removable drive. If this item is selected, when applying the policy with the specified encryption settings for removable drives, Kaspersky Endpoint Security encrypts removable drives sector by sector, including their file systems.
Encrypt all files. If this item is selected, when applying the policy with the specified encryption settings for removable drives, Kaspersky Endpoint Security encrypts all files that are stored on removable drives. Kaspersky Endpoint Security does not re-encrypt files that are already encrypted. The contents of the file system of a removable drive, including the folder structure and names of encrypted files, are not encrypted and remain accessible.
Encrypt new files only. If this item is selected, when applying the policy with the specified encryption settings for removable drives, Kaspersky Endpoint Security encrypts only those files that were added or modified on removable drives after the Kaspersky Security Center policy was last applied. This encryption mode is convenient when a removable drive is used for both personal and work purposes. This encryption mode lets you leave all old files unchanged and encrypt only those files that the user creates on a work computer that has Kaspersky Endpoint Security installed and encryption functionality enabled. As a result, access to personal files is always available, regardless of whether or not Kaspersky Endpoint Security is installed on the computer with encryption functionality enabled.
Decrypt entire removable drive. If this item is selected, when applying the policy with the specified encryption settings for removable drives, Kaspersky Endpoint Security decrypts all encrypted files stored on removable drives as well as the file systems of the removable drives if they were previously encrypted.
Leave unchanged. If this item is selected, the application leaves drives in their previous state when the policy is applied. If the drive was encrypted, it remains encrypted. If the drive was decrypted, it remains decrypted. This item is selected by default.

Portable mode
This check box enables / disables the preparation of a removable drive that makes it possible to access files stored on this removable drive on computers outside of the corporate network.
If this check box is selected, Kaspersky Endpoint Security prompts the user to specify a password before encrypting files on a removable drive upon the application of the policy. The password is needed to access files encrypted on a removable drive on computers outside of the corporate network. You can configure the password strength.
Portable mode is available for the Encrypt all files or Encrypt new files only modes.

Encrypt used disk space only
This check box enables / disables the encryption mode in which only occupied disk sectors are encrypted. This mode is recommended for new drives whose data has not been modified or deleted.
If the check box is selected, only portions of the drive that are occupied by files are encrypted. Kaspersky Endpoint Security automatically encrypts new data as it is added.
If the check box is cleared, the entire drive is encrypted, including residual fragments of previously deleted and modified files.
The ability to encrypt only occupied space is available only for the Encrypt entire removable drive mode.
After encryption has started, enabling / disabling the Encrypt used disk space only function will not change this setting. You must select or clear the check box before starting encryption.

Custom rules
This table contains devices for which custom encryption rules are defined. You can create encryption rules for individual removable drives in the following ways:
Add a removable drive from the list of trusted devices for Device Control.

Allow encryption of removable drives in offline mode
If this check box is selected, Kaspersky Endpoint Security encrypts removable drives even when there is no connection to Kaspersky Security Center. In this case, the data required for decrypting removable drives is stored on the hard drive of the computer to which the removable drive is connected, and is not transmitted to Kaspersky Security Center.
If the check box is cleared, Kaspersky Endpoint Security does not encrypt removable drives without a connection to Kaspersky Security Center.
Templates (data encryption)
After data encryption, Kaspersky Endpoint Security may restrict access to data, for example, due to a change in the organization's infrastructure and a change in the Kaspersky Security Center Administration Server. If a user does not have access to encrypted data, the user can ask the administrator for access to the data. In other words, the user needs to send a request access file to the administrator. The user then needs to upload the response file received from the administrator to Kaspersky Endpoint Security. Kaspersky Endpoint Security allows you to request access to data from the administrator via email (see the figure below).
A template is provided for reporting a lack of access to encrypted data. For user convenience, you can fill out the following fields:
To. Enter the email address of the administrator group with rights to the data encryption features.
Subject. Enter the subject of the email with your request for access to encrypted files. You can, for example, add tags to filter messages.
User's message. If necessary, change the contents of the message. You can use variables to get the necessary data (for example, the %USER_NAME% variable).
Exclusions
A trusted zone is a system administrator-configured list of objects and applications that Kaspersky Endpoint Security does not monitor when active.
The administrator forms the trusted zone independently, taking into account the features of the objects that are handled and the applications that are installed on the computer. It may be necessary to include objects and applications in the trusted zone when Kaspersky Endpoint Security blocks access to a certain object or application, if you are sure that the object or application is harmless. An administrator can also allow a user to create their own local trusted zone for a specific computer. This way, users can create their own local lists of exclusions and trusted applications in addition to the general trusted zone in a policy.
Starting with Kaspersky Endpoint Security 12.5 for Windows, you can add EDR telemetry to the trusted zone. This allows you to optimize the data that the application sends to the Telemetry server for the Kaspersky Anti Targeted Attack Platform (EDR) solution.
Scan exclusions
A scan exclusion is a set of conditions that must be fulfilled so that Kaspersky Endpoint Security will not scan a particular object for viruses and other threats.
Scan exclusions make it possible to safely use legitimate software that can be exploited by criminals to damage the computer or user data. Although they do not have any malicious functions, such applications can be exploited by intruders. For details on legitimate software that could be used by criminals to harm the computer or personal data of a user, please refer to the Kaspersky IT Encyclopedia website.
Such applications may be blocked by Kaspersky Endpoint Security. To prevent them from being blocked, you can configure scan exclusions for the applications in use. To do so, add the name or name mask that is listed in the Kaspersky IT Encyclopedia to the trusted zone. For example, you often use the Radmin application for remote administration of computers. Kaspersky Endpoint Security regards this activity as suspicious and may block it. To prevent the application from being blocked, create a scan exclusion with the name or name mask that is listed in the Kaspersky IT Encyclopedia.
If an application that collects information and sends it to be processed is installed on your computer, Kaspersky Endpoint Security may classify this application as malware. To avoid this, you can exclude the application from scanning by configuring Kaspersky Endpoint Security as described in this document.
Scan exclusions can be used by the following application components and tasks that are configured by the system administrator:
Behavior Detection.
Exploit Prevention.
The list of trusted applications is a list of applications whose file and network activity (including malicious activity) and access to the system registry are not monitored by Kaspersky Endpoint Security. By default, Kaspersky Endpoint Security monitors objects that are opened, executed, or saved by any application process and controls the activity of all applications and network traffic that is generated by them. After an application is added to the list of trusted applications, Kaspersky Endpoint Security stops monitoring the application's activity.
The difference between scan exclusions and trusted applications is that for exclusions Kaspersky Endpoint Security does not scan files, while for trusted applications it does not control the initiated processes. If a trusted application creates a malicious file in a folder which is not included in scan exclusions, Kaspersky Endpoint Security will detect the file and eliminate the threat. If the folder is added to exclusions, Kaspersky Endpoint Security will skip this file.
For example, if you consider objects that are used by the standard Microsoft Windows Notepad application to be safe, meaning that you trust this application, you can add Microsoft Windows Notepad to the list of trusted applications so that the objects used by this application are not monitored. This will increase computer performance, which is especially important when using server applications.
In addition, certain actions that are classified by Kaspersky Endpoint Security as suspicious may be safe within the context of the functionality of a number of applications. For example, the interception of text that is typed from the keyboard is a routine process for automatic keyboard layout switchers (such as Punto Switcher). To take account of the specifics of such applications and exclude their activity from monitoring, we recommend that you add such applications to the trusted applications list.
Trusted applications help to avoid compatibility issues between Kaspersky Endpoint Security and other applications (for example, the problem of double-scanning of the network traffic of a third-party computer by Kaspersky Endpoint Security and by another anti-virus application).
At the same time, the executable file and process of the trusted application are still scanned for viruses and other malware. An application can be fully excluded from Kaspersky Endpoint Security scanning by means of scan exclusions.
Settings of exclusions

Types of detected objects
Regardless of the configured application settings, Kaspersky Endpoint Security always detects and blocks viruses, worms, and Trojans. They can cause significant harm to the computer.
Viruses and worms
Subcategory: viruses and worms (Viruses_and_Worms)
Classic viruses and worms perform actions that are not authorized by the user. They can create copies of themselves which are able to self-replicate.
Classic virus
A classic virus multiplies only on local resources of the computer; it cannot penetrate other computers on its own. It can be passed to another computer only if it adds a copy of itself to a file that is stored in a shared folder or on an inserted CD, or if the user forwards an email message with an attached infected file.
Classic virus code can penetrate various areas of computers, operating systems, and applications. Depending on the environment, viruses are divided into file viruses, boot viruses, script viruses, and macro viruses.
Viruses can infect files by using a variety of techniques. Overwriting viruses write their code over the code of the file that is infected, thus erasing the file's content. The infected file stops functioning and cannot be restored. Parasitic viruses modify files, leaving them fully or partially functional. Companion viruses do not modify files, but instead create duplicates. When an infected file is opened, a duplicate of it (which is actually a virus) is started. The following types of viruses are also encountered: link viruses, OBJ viruses, LIB viruses, source code viruses, and many others.
Worm
As with a classic virus, the code of a worm is activated and performs malicious actions after it infiltrates a computer. Worms are so named because of their ability to "crawl" from one computer to another and to spread copies via numerous data channels without the user's permission.
The main feature that allows differentiating between various types of worms is the way they spread. The following table provides an overview of various types of worms, which are classified by the way in which they spread.
IRC-Worm (Internet chat worms). They spread via Internet Relay Chats, service systems which allow communicating with other people over the Internet in real time. These worms publish a file with a copy of themselves or a link to the file in an Internet chat. When the user downloads and opens the file, the worm activates.
Subcategory: Trojans
Unlike worms and viruses, Trojans do not self-replicate. For example, they penetrate a computer via email or a browser when the user visits an infected web page. Trojans are started with the user's participation. They begin performing their malicious actions right after they are started.
Backdoor (Trojans for remote administration). They are considered the most dangerous type of Trojan. In their functions, they are similar to remote administration applications that are installed on computers. These programs install themselves on the computer without being noticed by the user, allowing the intruder to manage the computer remotely.
Trojan-Clicker (Trojan clickers). They access web pages from the user's computer, either by sending commands to a browser on their own or by changing the web addresses that are specified in operating system files. By using these programs, intruders perpetrate network attacks and increase website visits, increasing the number of displays of banner ads.
computer; they are often used for sending spam.
Trojan-GameThief (Trojans that steal information from users of online games). They steal account credentials from users of online games, after which they send the data to the intruder by email, via FTP, by accessing the intruder's web page, or in another way.
Malicious tools
Subcategory: Malicious tools
Unlike other types of malware, malicious tools do not perform their actions right after they are started. They can be safely stored and started on the user's computer. Intruders often use the features of these programs to create viruses, worms, and Trojans, perpetrate network attacks on remote servers, hack computers, or perform other malicious actions.
Various features of malicious tools are grouped by the types that are described in the following table.
Adware
Subcategory: advertising software (Adware);
Adware displays advertising information to the user. Adware programs display banner ads in the interfaces of other programs and redirect search queries to advertising web pages. Some of them collect marketing information about the user and send it to the developer: this information may include the names of the websites that are visited by the user or the content of the user's search queries. Unlike Trojan-Spy-type programs, adware sends this information to the developer with the user's permission.
Auto-dialers
Subcategory: legal software that may be used by criminals to damage your computer or personal data.
Most of these applications are useful, so many users run them. These applications include IRC clients, auto-dialers, file download programs, computer system activity monitors, password utilities, and Internet servers for FTP, HTTP, and Telnet.
However, if intruders gain access to these programs, or if they plant them on the user's computer, some of the application's features may be used to violate security.
These applications differ by function; their types are described in the following table.
Downloader (Programs for downloading). They can download files from web pages in hidden mode.
Legitimate software that can be used by intruders to damage your computer or personal data
Subcategory: legal software that may be used by criminals to damage your computer or personal data.
Most of these applications are useful, so many users run them. These applications include IRC clients, auto-dialers, file download programs, computer system activity monitors, password utilities, and Internet servers for FTP, HTTP, and Telnet.
However, if intruders gain access to these programs, or if they plant them on the user's computer, some of the application's features may be used to violate security.
These applications differ by function; their types are described in the following table.
Downloader (Programs for downloading). They can download files from web pages in hidden mode.
Kaspersky Endpoint Security scans compressed objects and the unpacker module within SFX (self-extracting) archives.
Kaspersky virus analysts have identified packers that are the most popular amongst hackers.
If Kaspersky Endpoint Security detects such a packer in a file, the file most likely contains a malicious application or an application that can be used by criminals to cause harm to your computer or personal data.
Packed files that may cause harm – used for packing malware, such as viruses, worms, and Trojans.
Multi-packed files (medium threat level) – the object has been packed three times by one or more packers.
Multi-packed objects
Kaspersky Endpoint Security scans compressed objects and the unpacker module within SFX (self-extracting) archives.
Kaspersky virus analysts have identified packers that are the most popular amongst hackers.
If Kaspersky Endpoint Security detects such a packer in a file, the file most likely contains a malicious application or an application that can be used by criminals to cause harm to your computer or personal data.
Packed files that may cause harm – used for packing malware, such as viruses, worms, and Trojans.
Multi-packed files (medium threat level) – the object has been packed three times by one or more packers.
Exclusions
This table contains information about scan exclusions.
You can exclude objects from scans by using the following methods:
Use masks:
The * (asterisk) character, which takes the place of any set of characters, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive, but not in subfolders.
Two consecutive * characters take the place of any set of characters (including an empty set) in the file or folder name, including the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files with the TXT extension located in folders nested within the Folder, except the Folder itself. The mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
The ? (question mark) character, which takes the place of any single character, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have the TXT extension and a name consisting of three characters.
You can use masks anywhere in a file or folder path. For example, if you want the scan scope to include the Downloads folder for all user accounts on the computer, enter the C:\Users\*\Downloads\ mask.
Kaspersky Endpoint Security supports environment variables.
Enter the name of the object type according to the classification of the Kaspersky Encyclopedia (for example, Email-Worm, Rootkit or RemoteAdmin). You can use masks with the ? character (replaces any single character) and the * character (replaces any number of characters). For example, if the Client* mask is specified, the application excludes Client-IRC, Client-P2P and Client-SMTP objects from scans.
Kaspersky Endpoint Security hides the list of scan exclusions in the user interface of the application if configuration of scan exclusions is blocked by the administrator in the console ("closed lock" symbol) and local scan exclusions are prohibited (the Allow use of local exclusions check box is cleared).
Trusted applications
This table lists trusted applications whose activity is not monitored by Kaspersky Endpoint Security during its operation.
Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.
The Application Control component regulates the startup of each of the applications regardless of whether or not the application is included in the table of trusted applications.
Kaspersky Endpoint Security hides the consolidated list of trusted applications in the user interface of the application if configuration of trusted applications is blocked by the administrator in the console ("closed lock" symbol) and local trusted applications are prohibited (the Allow use of local trusted applications check box is cleared).
Merge values when inheriting (available only in the Kaspersky Security Center Console)
This merges the list of scan exclusions and trusted applications in the parent and child policies of Kaspersky Security Center. To merge lists, the child policy must be configured to inherit the settings of the parent policy of Kaspersky Security Center.
If the check box is selected, list items from the Kaspersky Security Center parent policy are displayed in child policies. This way you can, for example, create a consolidated list of trusted applications for the entire organization.
Inherited list items in a child policy cannot be deleted or edited. Items on the list of scan exclusions and the list of trusted applications that are merged during inheritance can be deleted and edited only in the parent policy. You can add, edit or delete list items in lower-level policies.
If items on lists of the child and parent policy match, these items are displayed as the same item of the parent policy.
If the check box is not selected, list items are not merged when inheriting the settings of Kaspersky Security Center policies.
Allow use of local exclusions / Allow use of local trusted applications (available only in the Kaspersky Security Center Console)
Local exclusions and local trusted applications (local trusted zone) – user-defined list of objects and applications in Kaspersky Endpoint Security for a specific computer. Kaspersky Endpoint Security does not monitor objects and applications from the local trusted zone. This way, users can create their own local lists of exclusions and trusted applications in addition to the general trusted zone in a policy.
If the check box is selected, a user can create a local list of scan exclusions and a local list of trusted applications. An administrator can use Kaspersky Security Center to view, add, edit, or delete list items in the computer properties.
If the check box is cleared, a user can access only the general lists of scan exclusions and trusted applications generated in the policy.
EDR telemetry (available only in the Kaspersky Security Center Console)
This table contains information about EDR telemetry exclusions.

Trusted system certificate store
If one of the trusted system certificate stores is selected, Kaspersky Endpoint Security excludes applications signed with a trusted digital signature from scans. Kaspersky Endpoint Security automatically assigns such applications to the Trusted group.
If Do not use is selected, Kaspersky Endpoint Security scans applications regardless of whether or not they have a digital signature. Kaspersky Endpoint Security places an application in a trust group depending on the level of danger that this application may pose to the computer.
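As an added example that is not Kaspersky's code, the Python matcher below implements the path mask rules from the Exclusions row above (*, ** and ? with the \ and / delimiters, including the invalid C:\**\*.txt case) and the object type name masks such as Client*; case-insensitive matching, expanding %VAR% from a supplied mapping, and reading a trailing \ as covering the folder's contents are assumptions.

```python
import re

# Added example, not part of Kaspersky Endpoint Security: translates the scan
# exclusion masks described in the help page into regular expressions.
# Assumptions: matching is case-insensitive (Windows paths), %VAR% tokens are
# expanded from a mapping passed by the caller, and a mask ending in \ or /
# covers the folder and everything inside it.

SEP_CLASS = r"[\\/]"    # the path delimiters that * and ? never match
NOT_SEP = r"[^\\/]"


class InvalidMask(ValueError):
    """Raised for masks the page calls invalid."""


def validate_path_mask(mask):
    """Reject ** used directly under the drive root, e.g. C:\\**\\*.txt,
    which the page says needs at least one named nesting level before it."""
    if re.match(r"^[A-Za-z]:[\\/]\*\*", mask):
        raise InvalidMask(mask + ": ** must follow at least one folder level")


def is_valid_path_mask(mask):
    try:
        validate_path_mask(mask)
    except InvalidMask:
        return False
    return True


def expand_env(mask, env):
    """Expand %VAR% tokens from the supplied mapping; unknown names are left as-is."""
    return re.sub(r"%([A-Za-z_][A-Za-z0-9_]*)%",
                  lambda m: env.get(m.group(1), m.group(0)), mask)


def path_mask_to_regex(mask):
    validate_path_mask(mask)
    out = []
    i = 0
    while i < len(mask):
        ch = mask[i]
        if ch == "*" and mask.startswith("**", i):
            out.append(".*")            # ** may span delimiters and may be empty
            i += 2
            continue
        if ch == "*":
            out.append(NOT_SEP + "*")   # * stays within one file or folder name
        elif ch == "?":
            out.append(NOT_SEP)         # ? is exactly one non-delimiter character
        elif ch in "\\/":
            out.append(SEP_CLASS)       # accept either delimiter in the scanned path
        else:
            out.append(re.escape(ch))
        i += 1
    body = "".join(out)
    if mask.endswith(("\\", "/")):
        body += ".*"                    # assumption: folder mask covers its contents
    return re.compile(r"\A" + body + r"\Z", re.IGNORECASE)


def path_matches(mask, path, env=None):
    """True if the file or folder path falls under the exclusion mask."""
    return path_mask_to_regex(expand_env(mask, env or {})).match(path) is not None


def type_name_matches(mask, type_name):
    """Object type name masks (Email-Worm, Client*, ...): ? is one character, * any run."""
    pattern = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                      for c in mask)
    return re.fullmatch(pattern, type_name, re.IGNORECASE) is not None


if __name__ == "__main__":
    # Constructed sample paths checked against the masks quoted in the help page.
    checks = [
        ("C:\\*\\*.txt", "C:\\Docs\\a.txt"),
        ("C:\\*\\*.txt", "C:\\Docs\\Sub\\a.txt"),
        ("C:\\Folder\\**\\*.txt", "C:\\Folder\\a.txt"),
        ("C:\\Folder\\**\\*.txt", "C:\\Folder\\Sub\\Deep\\a.txt"),
        ("C:\\Users\\*\\Downloads\\", "C:\\Users\\alice\\Downloads\\setup.exe"),
    ]
    for mask, path in checks:
        print(mask, path, path_matches(mask, path))
    print("C:\\**\\*.txt valid:", is_valid_path_mask("C:\\**\\*.txt"))
    print("Client* matches Client-IRC:", type_name_matches("Client*", "Client-IRC"))
```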
Application settings
You can configure the following general settings of the application:
Operating mode
Self-Defense
Performance
Debug information
Application settings
Start the application on computer startup (recommended)
When the check box is selected, Kaspersky Endpoint Security is started after the operating system loads, protecting the computer during the entire session.
When the check box is cleared, Kaspersky Endpoint Security is not started after the operating system loads, until the user starts it manually. Computer protection is disabled and user data may be exposed to threats.

Use Advanced Disinfection technology (requires considerable computer resources)
If the check box is selected, a pop-up notification appears on the screen when malicious activity is detected in the operating system. In its notification, Kaspersky Endpoint Security offers the user the option to perform Advanced Disinfection of the computer. After the user approves this procedure, Kaspersky Endpoint Security neutralizes the threat. After completing the advanced disinfection procedure, Kaspersky Endpoint Security restarts the computer. The advanced disinfection technology uses considerable computing resources, which may slow down other applications.

Use Kaspersky Security Center as proxy server for activation (available only in the Kaspersky Security Center Console)
If this check box is selected, the application uses the Kaspersky Security Center Administration Server as a proxy server for connecting to activation servers. This is necessary when you are using an activation code to activate the application in an isolated network segment without internet access. If you are activating the application with a key file, internet access is not necessary.
Enable Self-Defense
When this check box is selected, Kaspersky Endpoint Security prevents alteration or deletion of application files on the hard drive, memory processes, and entries in the system registry.

Block external management of system services
If the check box is cleared, Kaspersky Endpoint Security prevents management of application services from a remote computer. When an attempt is made to manage application services remotely, a notification is displayed in the Microsoft Windows taskbar, above the application icon (unless the notification service has been disabled by the user).
Postpone scheduled tasks while running on battery power
If the check box is selected, energy conservation mode is enabled. Kaspersky Endpoint Security postpones scheduled tasks. You can start scan and update tasks manually, if necessary.
When energy conservation mode is enabled and the computer is running on battery power, the following tasks are not run even if scheduled:
Update
Full Scan
Custom Scan
Integrity check
IOC Scan.
Enable dump writing
If the check box is selected, Kaspersky Endpoint Security writes dumps when it crashes.
If the check box is cleared, Kaspersky Endpoint Security does not write dumps. The application also deletes existing dump files from the computer hard drive.

Enable dump and trace files protection
If the check box is selected, access to dump files is granted to the system administrator and local administrator as well as to the user who enabled dump writing. Only system and local administrators can access trace files.
If the check box is cleared, any user can access dump files and trace files.

Computer status when settings are applied (available only in the Kaspersky Security Center Console)
Settings for displaying the statuses of client computers with Kaspersky Endpoint Security installed in the Web Console when errors occur while applying a policy or executing a task. The following statuses are available: OK, Warning and Critical.
Install updates without computer restart
Upgrading the application without computer restart allows you to ensure uninterrupted operation of servers.
You can upgrade the application without a restart starting with version 11.10.0. To upgrade an earlier version of the application, you must restart the computer.
Starting with version 11.11.0 you can perform the following actions without restarting a computer:
install patches
install Kaspersky Endpoint Security over Kaspersky Security for Windows Server
The default value of the parameter varies depending on the type of the operating system. If the application is installed on a workstation, upgrading the application without a restart is disabled by default. If the application is installed on a server, upgrading the application without a restart is enabled by default.
Compatibility with remote administration software (available only in the Kaspersky Security Center Console)
If using Kaspersky Endpoint Security alongside Remote Administration Tools (RAT) causes problems, you can enable the compatibility mode. The problems may be related to the incompatibility of RATs with the Secure Desktop functionality of the application. The purpose of this functionality is to confirm actions that can potentially lower the security level of the computer. This functionality lets an application display a confirmation dialog that is isolated from other processes. This functionality uses elevated rights to secure the request. In this way, only the user can confirm the action and not the malware.
If the check box is selected, the RAT compatibility mode is enabled. The Secure Desktop functionality for Kaspersky Endpoint Security is disabled. The application displays a confirmation dialog without this functionality. This can reduce the security level of the computer. We do not recommend enabling the compatibility mode if Kaspersky Endpoint Security is not causing problems with your RAT.
If the check box is cleared, the RAT compatibility mode is disabled. The Secure Desktop functionality is enabled. This check box is cleared by default.
Example: When using the browser in RemoteApp mode, Kaspersky Endpoint Security may not display a confirmation window when visiting a website with an untrusted certificate because RemoteApp does not support the Secure Desktop functionality of the application. This can cause the browser to become unresponsive. For the browser to work correctly in RemoteApp mode, you must enable the compatibility mode.
You can also try enabling the compatibility mode if you encounter problems with the Secure Desktop functionality when using other third-party software.
Reports
Information about the operation of each Kaspersky Endpoint Security component, data encryption events, the
performance of each scan task, the update task and integrity check task, and the overall operation of the
application is recorded in reports.
Backup
Backup stores backup copies of files that were deleted or modified during disinfection. A backup copy is a file copy created before the file was disinfected or deleted. Backup copies of files are stored in a special format and do not pose a threat.
Users in the Administrators group are granted full permission to access this folder. Limited access rights to this folder are granted to the user whose account was used to install Kaspersky Endpoint Security.
Kaspersky Endpoint Security does not provide the capability to configure user access permissions to backup copies of files.
Quarantine
Quarantine is a special local storage on the computer. The user can quarantine files that the user considers dangerous for the computer. Quarantined files are stored in an encrypted state and do not threaten the security of the device. Kaspersky Endpoint Security uses Quarantine only when working with Detection and Response solutions: EDR Optimum, EDR Expert, KATA (EDR), Kaspersky Sandbox. In other cases Kaspersky Endpoint Security places the relevant file in Backup. For details on managing Quarantine as part of solutions, please refer to the Kaspersky Sandbox Help, Kaspersky Endpoint Detection and Response Optimum Help, Kaspersky Endpoint Detection and Response Expert Help, and Kaspersky Anti Targeted Attack Platform Help.
Quarantine can only be configured using Web Console. You can also use Web Console to manage quarantined objects (restore, delete, add, etc.). You can restore objects locally on the computer using the command line.
Kaspersky Endpoint Security uses the system account (SYSTEM) to quarantine files.
Parameter Description
Store reports no longer than N days
If the check box is selected, the maximum report storage term is limited to the defined time interval. The default maximum storage term for reports is 30 days. After that period of time, Kaspersky Endpoint Security automatically deletes the oldest entries from the report file.
Limit the size of report file to N MB
If the check box is selected, the maximum report file size is limited to the defined value. By default, the maximum file size is 1024 MB. To avoid exceeding the maximum report file size, Kaspersky Endpoint Security automatically deletes the oldest entries from the report file when the maximum report file size is reached.
Store objects no longer than N days
If the check box is selected, the maximum file storage term is limited to the defined time interval. The default maximum storage term for files is 30 days. After expiration of the maximum storage term, Kaspersky Endpoint Security deletes the oldest files from Backup.
Limit the size of Backup to N MB
If the check box is selected, the maximum storage size is limited to the defined value. By default, the maximum size is 1024 MB. To avoid exceeding the maximum storage size, Kaspersky Endpoint Security automatically deletes the oldest files from storage when the maximum storage size is reached.
Limit the size of Quarantine to N MB (available only in Web Console)
Maximum Quarantine size in MB. For example, you can set the maximum Quarantine size to 200 MB. When Quarantine reaches maximum size, Kaspersky Endpoint Security sends the corresponding event to Kaspersky Security Center and publishes the event in Windows Event Log. Meanwhile the application stops quarantining new objects. You must empty the Quarantine manually.
Notify when the Quarantine storage reaches N percent (available only in Web Console)
Threshold value of the Quarantine. For example, you can set the Quarantine threshold to 50%. When Quarantine reaches the threshold, Kaspersky Endpoint Security sends the corresponding event to Kaspersky Security Center and publishes the event in Windows Event Log. Meanwhile the application continues quarantining new objects.
Data transfer to Administration Server (available only in Kaspersky Security Center)
Categories of events on client computers whose information must be relayed to the Administration Server.
Network settings
You can configure the proxy server used for connecting to the Internet and updating anti-virus databases, select the network port monitoring mode, and configure encrypted connections scan.
Network options
Parameter Description
Limit traffic on metered connections
If this check box is selected, the application limits its own network traffic when the Internet connection is limited. Kaspersky Endpoint Security identifies a high-speed mobile Internet connection as a limited connection and identifies a Wi-Fi connection as an unlimited connection.
Cost-Aware Networking works on computers running Windows 8 or later.
Inject script into web traffic to interact with web pages
If the check box is selected, Kaspersky Endpoint Security injects a web page interaction script into web traffic. This script ensures that the Web Control component can work correctly. The script enables registration of Web Control events. Without this script, you cannot enable user Internet activity monitoring.
Kaspersky experts recommend injecting this web page interaction script into traffic to ensure correct operation of Web Control.
Proxy server
Settings of the proxy server used for Internet access of users of client computers. Kaspersky Endpoint Security uses these settings for certain protection components, including for updating databases and application modules.
For automatic configuration of a proxy server, Kaspersky Endpoint Security uses the WPAD protocol (Web Proxy Auto-Discovery Protocol). If the IP address of the proxy server cannot be determined by using this protocol, the application uses the proxy server address that is specified in the Microsoft Internet Explorer browser settings.
Bypass proxy server for local addresses
If the check box is selected, Kaspersky Endpoint Security does not use a proxy server when performing an update from a shared folder.
Monitored ports
Monitor all network ports. In this network port monitoring mode, the protection components (File Threat Protection, Web Threat Protection, Mail Threat Protection) monitor data streams that are transmitted via any open network ports of the computer.
Monitor selected network ports only. In this network port monitoring mode, the protection components monitor the selected ports of the computer and the network activity of the selected applications. The list of network ports that are normally used for transmission of email and network traffic is configured according to the recommendations of Kaspersky experts.
Monitor all ports for the applications from the list recommended by Kaspersky. This uses a predefined list of applications whose network ports are monitored by Kaspersky Endpoint Security. For example, this list includes Google Chrome, Adobe Reader, Java, and other applications.
Monitor all ports for specified applications. This uses a list of applications whose network ports are monitored by Kaspersky Endpoint Security.
Encrypted connections scan
Kaspersky Endpoint Security scans encrypted network traffic transmitted over the following protocols:
SSL 3.0.
Do not scan encrypted connections. Kaspersky Endpoint Security will not have access to the contents of websites whose addresses begin with https://.
Kaspersky Endpoint Security does not scan encrypted connections that were established by trusted applications for which traffic scanning is disabled. Kaspersky Endpoint Security does not scan encrypted connections from the predefined list of trusted websites. The predefined list of trusted websites is created by Kaspersky experts. This list is updated with the application's anti-virus databases. You can view the predefined list of trusted websites only in the Kaspersky Endpoint Security interface. You cannot view the list in the Kaspersky Security Center Console.
Trusted root certificates
List of trusted root certificates. Kaspersky Endpoint Security lets you install trusted root certificates on user computers if, for example, you need to deploy a new certification center. The application lets you add a certificate to a special Kaspersky Endpoint Security certificate store. In this case, the certificate is considered trusted only for the Kaspersky Endpoint Security application. In other words, the user can gain access to a website with the new certificate in the browser. If another application tries to gain access to the website, you can get a connection error because of a certificate issue. To add to the system certificate store, you can use Active Directory group policies.
Visiting a domain with an untrusted certificate
Allow. When visiting a domain with an untrusted certificate, Kaspersky Endpoint Security allows the network connection.
When opening a domain with an untrusted certificate in a browser, Kaspersky Endpoint Security displays an HTML page showing a warning and the reason why visiting that domain is not recommended. A user can click the link from the HTML warning page to obtain access to the requested web resource.
If a third-party application or service establishes a connection with a domain with an untrusted certificate, Kaspersky Endpoint Security creates its own certificate to scan traffic. The new certificate has the Untrusted status. This is necessary to warn the third-party application about the untrusted connection because the HTML page cannot be shown in this case and the connection can be established in background mode.
Block. When visiting a domain with an untrusted certificate, Kaspersky Endpoint Security blocks the network connection. When opening a domain with an untrusted certificate in a browser, Kaspersky Endpoint Security displays an HTML page showing the reason why that domain is blocked.
Visiting a domain with an encrypted connections scan error
Block. If this item is selected, when an encrypted connection scan error occurs, Kaspersky Endpoint Security blocks the network connection.
Allow and add domain to exclusions. If this item is selected, when an encrypted connection scan error occurs, Kaspersky Endpoint Security adds the domain that resulted in the error to the list of domains with scan errors and does not monitor encrypted network traffic when this domain is visited. You can view a list of domains with encrypted connections scan errors only in the local interface of the application. To clear the list contents, you need to select Block. Kaspersky Endpoint Security also generates an event for the encrypted connection scan error.
Block SSL 2.0 connections (recommended)
If the check box is selected, the application blocks network connections established over the SSL 2.0 protocol.
If the check box is cleared, the application does not block network connections established over the SSL 2.0 protocol and does not monitor network traffic transmitted over these connections.
Decrypt an encrypted connection with the website that uses EV certificate
EV certificates (Extended Validation Certificates) confirm the authenticity of websites and enhance the security of the connection. Browsers use a lock icon in their address bar to indicate that a website has an EV certificate. Browsers may also fully or partially color the address bar in green.
If the check box is selected, the application decrypts and monitors encrypted connections with websites that use an EV certificate.
If the check box is cleared, the application does not have access to the contents of HTTPS traffic. For this reason, the application monitors HTTPS traffic only based on the website address, for example, https://bing.com.
If you are opening a website with an EV certificate for the first time, the encrypted connection will be decrypted regardless of whether or not the check box is selected.
Configure trusted addresses
This uses a list of web addresses for which Kaspersky Endpoint Security does not scan network connections. In this case, Kaspersky Endpoint Security does not scan HTTPS traffic of trusted web addresses when the Web Threat Protection, Mail Threat Protection, and Web Control components are doing their work.
You can enter a domain name or an IP address. Kaspersky Endpoint Security supports the * character for entering a mask in the domain name.
Kaspersky Endpoint Security does not support the * symbol for IP addresses. You can select a range of IP addresses using a subnet mask (for example, 198.51.100.0/24).
Examples:
domain.com – the record is inclusive of the following addresses: https://domain.com, https://www.domain.com, https://domain.com/page123. The record is exclusive of subdomains (for example, subdomain.domain.com).
Configure trusted applications
List of applications whose activity is not monitored by Kaspersky Endpoint Security during its operation. You can select the types of application activity that Kaspersky Endpoint Security will not monitor (for example, do not scan network traffic). Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.
Use the selected certificate store to scan encrypted connections in Mozilla applications (available only in the Kaspersky Endpoint Security interface)
If this check box is selected, the application scans encrypted traffic in the Mozilla Firefox browser and Thunderbird mail client. Access to some websites via the HTTPS protocol may be blocked.
To scan traffic in the Mozilla Firefox browser and the Thunderbird mail client, you must enable the Encrypted Connections Scan. If Encrypted Connections Scan is disabled, the application does not scan traffic in the Mozilla Firefox browser and Thunderbird mail client.
The application uses the Kaspersky root certificate to decrypt and analyze encrypted traffic. You can select the certificate store that will contain the Kaspersky root certificate.
Windows certificate store (recommended). The Kaspersky root certificate is added to this store during installation of Kaspersky Endpoint Security.
Certificate store from Mozilla Firefox browser settings. Mozilla Firefox and Thunderbird use their own certificate stores. If the Mozilla certificate store is selected, you need to manually add the Kaspersky root certificate to this store through the browser properties.
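The matching rules described for the Configure trusted addresses parameter above (a plain domain covering domain.com, www.domain.com and any path but not other subdomains, a * mask in a domain name, a single IP address, and an IP range written with a subnet mask such as 198.51.100.0/24), as an added Python example that is not Kaspersky's code. How a * mask is compared against a host name and how an IP entry is compared against an IP literal are assumptions made here, not taken from the product.

```python
import ipaddress
import re
from urllib.parse import urlsplit


def host_of(address):
    """Return the lower-cased host part of a URL or of a bare host/IP string."""
    if "://" not in address:
        address = "//" + address  # lets urlsplit treat a bare host as the netloc
    host = urlsplit(address).hostname
    return host.lower() if host else ""


def is_ip(text):
    """True if text is a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def matches_trusted_address(entry, visited):
    """Decide whether one trusted-address record covers a visited address.

    entry   : "domain.com", "*.domain.com", "198.51.100.7" or "198.51.100.0/24"
    visited : the address being checked, e.g. "https://www.domain.com/page123"

    Domain rules follow the help text: a plain domain covers the domain itself
    and its www. form on any path, but excludes other subdomains. A * mask is
    matched wildcard-style (assumption), and * is never accepted in an IP entry;
    IP ranges are written with a subnet mask instead.
    """
    host = host_of(visited)
    if not host:
        return False
    entry = entry.strip().lower()

    # IP range written with a subnet mask, e.g. 198.51.100.0/24
    if "/" in entry:
        try:
            network = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False  # not a valid subnet record
        return is_ip(host) and ipaddress.ip_address(host) in network

    # Single IP address: exact match only
    if is_ip(entry):
        return is_ip(host) and ipaddress.ip_address(host) == ipaddress.ip_address(entry)

    # Everything else is a domain record. A domain record cannot cover an IP
    # literal, so a * mask written against an IP ("198.51.*") matches nothing.
    if is_ip(host):
        return False
    if "*" in entry:
        # Only * is a wildcard here; every other character is taken literally
        pattern = "^" + ".*".join(re.escape(part) for part in entry.split("*")) + "$"
        return re.match(pattern, host) is not None

    # Plain domain: domain.com covers domain.com and www.domain.com on any
    # path, but not subdomain.domain.com
    return host == entry or host == "www." + entry


def is_trusted(entries, visited):
    """True if any record in the trusted addresses list covers the visited address."""
    return any(matches_trusted_address(e, visited) for e in entries)


if __name__ == "__main__":
    # Constructed sample list; the addresses are the help text's own examples
    trusted = ["domain.com", "198.51.100.0/24"]
    for url in ("https://domain.com/page123", "https://www.domain.com",
                "https://subdomain.domain.com", "https://198.51.100.7/"):
        print(url, "->", "not scanned" if is_trusted(trusted, url) else "scanned")
```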
Interface
You can configure the settings of the application interface.
Interface settings
Parameter Description
Interaction with user (available only in the Kaspersky Security Center Console)
Display simplified interface. On a client computer, the main application window is inaccessible, and only the icon in the Windows notification area is available. In the context menu of the icon, the user can perform a limited number of operations with Kaspersky Endpoint Security. Kaspersky Endpoint Security also displays notifications above the application icon.
Display user interface. On a client computer, the main window of Kaspersky Endpoint Security and the icon in the Windows notification area are available. In the context menu of the icon, the user can perform operations with Kaspersky Endpoint Security. Kaspersky Endpoint Security also displays notifications above the application icon.
Hide Application Activity Monitor section. On the client computer, in the main window of Kaspersky Endpoint Security, the Application Activity Monitor button is not available. Application Activity Monitor is a tool designed for viewing information about the activity of applications on a user's computer in real time.
Do not display. On a client computer, no signs of Kaspersky Endpoint Security operation are displayed. The icon in the Windows notification area and notifications are not available.
Configure notifications
A table with the settings of notifications about events of different importance levels that may occur during the operation of a component, task, or the entire application. Kaspersky Endpoint Security shows notifications about these events on the screen, sends them by email, or logs them.
Configure email notifications
SMTP server settings for delivery of notifications about events registered during operation of the application.
By default, Kaspersky Endpoint Security uses email notification settings from Kaspersky Security Center. For more details on email notification settings, refer to the Kaspersky Security Center Help.
If you need to configure individual email notification, you can edit the following settings:
Sender's address. Email address of the sender. Using a non-existent address is not recommended.
SMTP server. One or more addresses of email servers of your organization (for example, mail.company.com). You can enter an IP address (IPv4 or IPv6).
To authenticate the user on the SMTP server, enter sender credentials in the corresponding fields. To test email notifications, you can send a test message.
Recipient's address. Email addresses of recipients to whom the application will send notifications.
Send mode. Send mode of email notifications. Kaspersky Endpoint Security can send messages immediately when an event occurs; alternatively, it can follow a pre-configured schedule.
Show application's status in notifications area
Categories of application events that cause the Kaspersky Endpoint Security icon to change in the Microsoft Windows taskbar notification area and result in a pop-up notification.
Local anti-malware database status notifications
Settings of notifications about outdated anti-virus databases used by the application.
Password protection
If the toggle button is switched on, Kaspersky Endpoint Security prompts the user for a password when the user attempts to perform an operation that is within the scope of Password Protection. The Password Protection scope includes forbidden operations (such as disabling protection components) and the user accounts to which the Password Protection scope is applied.
After Password Protection is enabled, Kaspersky Endpoint Security prompts you to set a password for performing operations.
User support / Links to web resources (available only in the Kaspersky Security Center Console)
List of links to web resources containing information about technical support for Kaspersky Endpoint Security. Added links are displayed in the Support window of the Kaspersky Endpoint Security local interface instead of standard links.
User support / Description (available only in the Kaspersky Security Center Console)
Message that is displayed in the Support window of the local interface of Kaspersky Endpoint Security.
Manage Settings
You can save the current Kaspersky Endpoint Security settings to a file and use them to quickly configure the application on a different computer. You can also use a configuration file when deploying the application through Kaspersky Security Center with an installation package. You can restore the default settings at any time.
Application configuration management settings are available only in the Kaspersky Endpoint Security interface.
Settings Description
Import
Extract application settings from a file in CFG format and apply them.
Restore
You can restore the application settings recommended by Kaspersky at any time. When the settings are restored, the Recommended security level is set for all protection components.
Regular updates require a license in effect. If there is no current license, you will be able to perform an update only once.
Your computer must be connected to the Internet to successfully download the update package from Kaspersky update servers. By default, the Internet connection settings are determined automatically. If you are using a proxy server, you need to configure the proxy server settings.
Updates are downloaded over the HTTPS protocol. They may also be downloaded over the HTTP protocol when it is impossible to download updates over the HTTPS protocol.
While performing an update, the following objects are downloaded and installed on your computer:
Kaspersky Endpoint Security databases. Computer protection is provided using databases that contain signatures of viruses and other threats and information on ways to neutralize them. Protection components use this information when searching for and neutralizing infected files on your computer. The databases are constantly updated with records of new threats and methods for counteracting them. Therefore, we recommend that you update the databases regularly.
In addition to the Kaspersky Endpoint Security databases, the network drivers that enable the application's components to intercept network traffic are updated.
Application modules. In addition to the databases of Kaspersky Endpoint Security, you can also update the application modules. Updating the application modules fixes vulnerabilities in Kaspersky Endpoint Security, adds new functions, or enhances existing functions.
While updating, the application modules and databases on your computer are compared against the up-to-date version at the update source. If your current databases and application modules differ from their respective up-to-date versions, the missing portion of the updates is installed on your computer.
If the databases are obsolete, the update package may be large, which may cause additional Internet traffic (up to several dozen MB).
Information about the current state of the Kaspersky Endpoint Security databases is displayed in the main application window or the tooltip that you see when you hover the cursor over the icon of the application in the notification area.
Information on update results and on all events that occur during the performance of the update task is logged in the Kaspersky Endpoint Security report.
Parameter Description
Databases update schedule
Automatically. In this mode, the application checks the update source for availability of new update packages with a certain frequency. The frequency of checking for the update package increases during virus outbreaks and decreases when there are none. After detecting a fresh update package, Kaspersky Endpoint Security downloads it and installs updates on your computer.
Manually. This update task run mode allows you to manually start the update task.
By schedule. In this update task run mode, Kaspersky Endpoint Security runs the update task in accordance with the schedule that you have specified. If this update task run mode is selected, you can also start the Kaspersky Endpoint Security update task manually.
Run missed tasks
If the check box is selected, Kaspersky Endpoint Security starts the skipped task as soon as it becomes possible. The task may be skipped, for example, if the computer was off at the scheduled task start time. When the application gets an opportunity to execute missed tasks, it runs the tasks randomly within a certain time interval to distribute the load on the computer.
If the check box is cleared, Kaspersky Endpoint Security does not run skipped tasks. Instead, it carries out the next task in accordance with the current schedule.
Update sources
An update source is a resource that contains updates for databases and application modules of Kaspersky Endpoint Security.
Update sources include the Kaspersky Security Center server, Kaspersky update servers, and network or local folders.
The default list of update sources includes Kaspersky Security Center and Kaspersky update servers. You can add other update sources to the list. You can specify HTTP/FTP servers and shared folders as update sources.
Kaspersky Endpoint Security does not support updates from HTTPS servers unless they are Kaspersky's update servers.
If several resources are selected as update sources, Kaspersky Endpoint Security tries to connect to them one after another, starting from the top of the list, and performs the update task by retrieving the update package from the first available source.
By default, Kaspersky Endpoint Security uses the Kaspersky Security Center server as the first update source. This helps conserve traffic when updating. If a policy is not applied to the computer, Kaspersky servers are selected as the first update source in the settings of the Update local task because the application may not have access to the Kaspersky Security Center server.
Run database updates as
By default, the Kaspersky Endpoint Security update task is started on behalf of the user whose account you have used to log in to the operating system. However, Kaspersky Endpoint Security may be updated from an update source that the user cannot access due to a lack of required rights (for example, from a shared folder that contains an update package) or an update source for which proxy server authentication is not configured. In the application settings, you can specify a user that has such rights and start the Kaspersky Endpoint Security update task under that user account.
Download updates of application modules
Downloading application module updates with application database updates.
If the check box is selected, Kaspersky Endpoint Security notifies the user about available application module updates and includes application module updates in the update package while running the update task. The way application module updates are applied is determined by the following settings:
Install critical and approved updates. If this option is selected, when application module updates are available Kaspersky Endpoint Security installs critical updates automatically and all other application module updates only after their installation is approved locally via the application interface or on the side of Kaspersky Security Center.
Install only approved updates. If this option is selected, when application module updates are available Kaspersky Endpoint Security installs them only after their installation is approved locally via the application interface or on the side of Kaspersky Security Center. This option is selected by default.
If the check box is cleared, Kaspersky Endpoint Security does not notify the user about available application module updates and does not include application module updates in the update package while running the update task.
If application module updates require reviewing and accepting the terms of the End User License Agreement, the application installs updates after the terms of the End User License Agreement have been accepted.
Copy updates to folder
If this check box is selected, Kaspersky Endpoint Security copies the update package to the shared folder specified under the check box. After that, other computers on your LAN are able to receive the update package from this shared folder. This reduces Internet traffic because the update package is downloaded only once. The following folder is specified by default: C:\ProgramData\Kaspersky Lab\KES.21.17\Update distribution\.
Proxy server for updates (available only in the Kaspersky Endpoint Security interface)
Proxy server settings for Internet access of users of client computers to update application modules and databases.
For automatic configuration of a proxy server, Kaspersky Endpoint Security uses the WPAD protocol (Web Proxy Auto-Discovery Protocol). If the IP address of the proxy server cannot be determined by using this protocol, Kaspersky Endpoint Security uses the proxy server address that is specified in the Microsoft Internet Explorer browser settings.
Bypass proxy server for local addresses (available only in the Kaspersky Endpoint Security interface)
If the check box is selected, Kaspersky Endpoint Security does not use a proxy server when performing an update from a shared folder.
Trusted. This group includes applications for which one or more of the following conditions are met:
Applications are recorded in the trusted applications database of Kaspersky Security Network.
Low Restricted. This group includes applications for which the following conditions are met:
Applications are not digitally signed by trusted vendors.
Applications are not recorded in the trusted applications database of Kaspersky Security Network.
Such applications are subject to minimal restrictions on access to operating system resources.
High Restricted. This group includes applications for which the following conditions are met:
Applications are not recorded in the trusted applications database of Kaspersky Security Network.
Such applications are subject to high restrictions on access to operating system resources.
Untrusted. This group includes applications for which the following conditions are met:
Applications are not recorded in the trusted applications database of Kaspersky Security Network.
prg – program text for dBase™, Clipper or Microsoft Visual FoxPro®, or a WAVmaker program
bin – binary file
bat – batch file
cmd – command file for Microsoft Windows NT (similar to a bat file for DOS), OS/2
ocx – Microsoft OLE (Object Linking and Embedding) object
ini – configuration file which contains configuration data for Microsoft Windows, Windows NT, and some applications
doc* – Microsoft Office Word documents, such as: doc for Microsoft Office Word documents, docx for Microsoft Office Word 2007 documents with XML support, and docm for Microsoft Office Word 2007 documents with macro support
dot* – Microsoft Office Word document templates, such as: dot for Microsoft Office Word document templates, dotx for Microsoft Office Word 2007 document templates, dotm for Microsoft Office Word 2007 document templates with macro support
xl* – Microsoft Office Excel documents and files, such as: xla, the extension for Microsoft Office Excel, xlc for diagrams, xlt for document templates, xlsx for Microsoft Office Excel 2007 workbooks, xltm for Microsoft Office Excel 2007 workbooks with macro support, xlsb for Microsoft Office Excel 2007 workbooks in binary (non-XML) format, xltx for Microsoft Office Excel 2007 templates, xlsm for Microsoft Office Excel 2007 templates with macro support, and xlam for Microsoft Office Excel 2007 plug-ins with macro support
pp* – Microsoft Office PowerPoint® documents and files, such as: pps for Microsoft Office PowerPoint slides, ppt for presentations, pptx for Microsoft Office PowerPoint 2007 presentations, pptm for Microsoft Office PowerPoint 2007 presentations with macros support, potx for Microsoft Office PowerPoint 2007 presentation templates, potm for Microsoft Office PowerPoint 2007 presentation templates with macro support, ppsx for Microsoft Office PowerPoint 2007 slide shows, ppsm for Microsoft Office PowerPoint 2007 slide shows with macro support, and ppam for Microsoft Office PowerPoint 2007 plug-ins with macro support
md* – Microsoft Office Access® documents and files, such as: mda for Microsoft Office Access workgroups and mdb for databases
Appendix 4. File Types for the Mail Threat Protection attachment filter
Note that the actual format of a file may not match its file name extension.
If you enabled filtering of email attachments, the Mail Threat Protection component may rename or delete files with the following extensions:
prg – program text for dBase™, Clipper or Microsoft Visual FoxPro®, or a WAVmaker program
bin – binary file
bat – batch file
cmd – command file for Microsoft Windows NT (similar to a bat file for DOS), OS/2
ini – configuration file which contains configuration data for Microsoft Windows, Windows NT, and some applications
vbe – BIOS video extension
doc* – Microsoft Office Word documents, such as: doc for Microsoft Office Word documents, docx for Microsoft Office Word 2007 documents with XML support, and docm for Microsoft Office Word 2007 documents with macro support
dot* – Microsoft Office Word document templates, such as: dot for Microsoft Office Word document templates, dotx for Microsoft Office Word 2007 document templates, dotm for Microsoft Office Word 2007 document templates with macro support
swf – Shockwave® Flash package object
xl* – Microsoft Office Excel documents and files, such as: xla for Microsoft Office Excel add-ins, xlc for diagrams, xlt for document templates, xlsx for Microsoft Office Excel 2007 workbooks, xlsm for Microsoft Office Excel 2007 workbooks with macro support, xlsb for Microsoft Office Excel 2007 workbooks in binary (non-XML) format, xltx for Microsoft Office Excel 2007 templates, xltm for Microsoft Office Excel 2007 templates with macro support, and xlam for Microsoft Office Excel 2007 plug-ins with macro support
pp* – Microsoft Office PowerPoint® documents and files, such as: pps for Microsoft Office PowerPoint slides, ppt for presentations, pptx for Microsoft Office PowerPoint 2007 presentations, pptm for Microsoft Office PowerPoint 2007 presentations with macro support, potx for Microsoft Office PowerPoint 2007 presentation templates, potm for Microsoft Office PowerPoint 2007 presentation templates with macro support, ppsx for Microsoft Office PowerPoint 2007 slide shows, ppsm for Microsoft Office PowerPoint 2007 slide shows with macro support, and ppam for Microsoft Office PowerPoint 2007 plug-ins with macro support
md* – Microsoft Office Access® documents and files, such as: mda for Microsoft Office Access workgroups and mdb for databases
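The note above that a file's real format may not match its extension is the practical reason an attachment filter should look at content rather than names. The following is an added example, not code from Kaspersky Endpoint Security or its documentation: it checks the leading bytes of an attachment against the container its extension implies (OLE2 for the legacy doc/xls/ppt family, ZIP for the 2007 OOXML family, SWF for Flash), treats PE bytes under any name as executable, and looks inside OOXML packages for a VBA project, which is how the "with macro support" variants above actually differ from their macro-free siblings. The extension-to-container mapping and the sample inputs are assumptions constructed for the example.

```python
"""Check whether an attachment's leading bytes agree with its file name extension.

Added example; not code from Kaspersky Endpoint Security or its documentation.
The magic numbers are the public signatures of the OLE2, ZIP, PE and SWF formats;
the extension-to-container mapping is a simplified assumption for illustration.
"""
import io
import os
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy doc/dot/xla/xlt/ppt/pps container
ZIP_MAGIC = b"PK\x03\x04"                            # OOXML (docx, xlsm, pptm, ...) is a ZIP package
MZ_MAGIC = b"MZ"                                     # PE executable, whatever the name says
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")                # uncompressed / zlib / LZMA Flash

# Assumed mapping from extensions in the lists above to the container they should use.
EXPECTED_CONTAINER = {
    **dict.fromkeys(["doc", "dot", "xla", "xlt", "ppt", "pps"], "ole2"),
    **dict.fromkeys(["docx", "docm", "dotx", "dotm", "xlsx", "xlsm", "xlsb", "xltx",
                     "xltm", "xlam", "pptx", "pptm", "potx", "potm", "ppsx", "ppsm",
                     "ppam"], "zip"),
    "swf": "swf",
}


def detect_container(data: bytes) -> str:
    """Identify the container from leading bytes; 'unknown' if no signature matches."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(MZ_MAGIC):
        return "pe"
    if data[:3] in SWF_MAGICS:
        return "swf"
    return "unknown"


def classify_attachment(name: str, data: bytes) -> str:
    """Return 'executable', 'match', 'mismatch' or 'unknown' for a named attachment."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    container = detect_container(data)
    if container == "pe":
        return "executable"           # PE bytes under any extension deserve blocking
    expected = EXPECTED_CONTAINER.get(ext)
    if expected is None:
        return "unknown"              # extension not covered by the mapping
    return "match" if container == expected else "mismatch"


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML ZIP carries a VBA macro project (e.g. word/vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(n.lower().endswith("vbaproject.bin") for n in archive.namelist())
    except zipfile.BadZipFile:
        return False                  # not a ZIP at all, so no OOXML macro project


def build_sample_ooxml(with_macros: bool) -> bytes:
    """Constructed test data: a minimal OOXML-shaped ZIP, not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            archive.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {                                               # constructed inputs
        "report.doc": OLE2_MAGIC + b"\x00" * 24,               # legacy Word: matches
        "report2.doc": build_sample_ooxml(False),              # OOXML under a legacy name
        "quarterly.docm": build_sample_ooxml(True),            # macro-enabled OOXML
        "invoice.pdf": MZ_MAGIC + b"\x90\x00" + b"\x00" * 60,  # PE disguised as PDF
    }
    for name, blob in samples.items():
        print(f"{name:16} {classify_attachment(name, blob):11} macros={has_vba_project(blob)}")
```

A real filter would go further (OLE2 files can carry macros in a VBA storage, and renaming the attachment does not change its bytes), but the two checks shown are the ones a mismatch between extension and content turns on.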
Kaspersky Endpoint Security uses the following network settings for interacting with external services.

Network settings

Address: s04.upd.kaspersky.com, s05.upd.kaspersky.com, s06.upd.kaspersky.com, s07.upd.kaspersky.com,
s08.upd.kaspersky.com, s09.upd.kaspersky.com, s10.upd.kaspersky.com, s11.upd.kaspersky.com,
s12.upd.kaspersky.com, s13.upd.kaspersky.com, s14.upd.kaspersky.com, s15.upd.kaspersky.com,
s16.upd.kaspersky.com, s17.upd.kaspersky.com, s18.upd.kaspersky.com, s19.upd.kaspersky.com,
cm.k.kaspersky-labs.com
Protocol: HTTPS
Port: 443

Address: downloads.upd.kaspersky.com
Protocol: HTTPS
Port: 443
Description: Updating databases and application software modules.

Description: Verifying access to Kaspersky servers. If access to the servers using system DNS is not possible, the application uses public DNS. This is necessary to make sure anti-virus databases are updated and the level of security is maintained for the computer. Kaspersky Endpoint Security uses the following list of public DNS servers in the following order:
5. CleanBrowsing (185.228.168.168).
Requests emitted by the application may contain addresses of domains and the public IP address of the user because the application establishes a TCP/UDP connection with the DNS server. This information is needed, for example, to validate the certificate of a web resource when using HTTPS. If Kaspersky Endpoint Security is using a public DNS server, data processing is governed by the privacy policy of the relevant service. If you want to prevent Kaspersky Endpoint Security from using a public DNS server, contact Technical Support for a private patch.

Address: touch.kaspersky.com
Protocol: HTTP
Description: Receiving the trusted time for checking the validity period of the certificate (TLS connection).

Address: p15.upd.kaspersky.com, p16.upd.kaspersky.com, p17.upd.kaspersky.com, p18.upd.kaspersky.com,
p19.upd.kaspersky.com, downloads.kaspersky-labs.com, cm.k.kaspersky-labs.com
Protocol: HTTP
Port: 80

Address: redirect.kaspersky.com
Protocol: HTTPS
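When turning the table above into egress firewall rules, it helps to have the list in a machine-checkable form and to treat anything outside it as worth a look. The following is an added example, not Kaspersky code: it encodes the documented hosts, protocols and ports as patterns, classifies constructed firewall log lines against them, and flags the public DNS fallback separately because of the privacy note above. The log-line format, the decision labels, and the choice to treat only the documented TCP ports as expected are assumptions made for the example; the fallback resolver list contains only the entry that survives on this page.

```python
"""Egress review against the Kaspersky Endpoint Security addresses listed above.

Added example; not Kaspersky code. Host patterns, ports and purposes are
transcribed from the table; the log-line format and decision labels are assumptions.
"""
import re
from dataclasses import dataclass

# (host pattern, TCP port, purpose) as documented above
ALLOWED_EGRESS = [
    (r"s(0[4-9]|1[0-9])\.upd\.kaspersky\.com", 443, "update servers, HTTPS"),
    (r"cm\.k\.kaspersky-labs\.com", 443, "HTTPS"),
    (r"downloads\.upd\.kaspersky\.com", 443, "database and module updates, HTTPS"),
    (r"touch\.kaspersky\.com", 80, "trusted time for certificate validity checks, HTTP"),
    (r"p1[5-9]\.upd\.kaspersky\.com", 80, "update servers, HTTP"),
    (r"downloads\.kaspersky-labs\.com", 80, "HTTP"),
    (r"cm\.k\.kaspersky-labs\.com", 80, "HTTP"),
    (r"redirect\.kaspersky\.com", 443, "HTTPS"),
]
# Public resolver the application falls back to when system DNS fails
# (only this entry of the documented list survived on the page).
PUBLIC_DNS_FALLBACK = {"185.228.168.168": "CleanBrowsing"}


@dataclass
class Verdict:
    host: str
    port: int
    decision: str   # "allowed", "public-dns-fallback" or "review"
    reason: str


def classify(host: str, port: int, proto: str = "tcp") -> Verdict:
    """Decide whether one outbound connection matches the documented list."""
    host = host.lower().rstrip(".")
    if host in PUBLIC_DNS_FALLBACK and port == 53:
        who = PUBLIC_DNS_FALLBACK[host]
        return Verdict(host, port, "public-dns-fallback",
                       f"{who}: system DNS was unreachable; the resolver's privacy policy applies")
    hits = [(p, why) for pat, p, why in ALLOWED_EGRESS if re.fullmatch(pat, host)]
    if not hits:
        return Verdict(host, port, "review", "destination is not in the documented list")
    for allowed_port, why in hits:
        if port == allowed_port and proto == "tcp":
            return Verdict(host, port, "allowed", why)
    ports = sorted({p for p, _ in hits})
    return Verdict(host, port, "review",
                   f"known host but {proto}/{port} is not documented (expected tcp/{ports})")


LOG_RE = re.compile(r"dst=(?P<host>[\w.\-]+):(?P<port>\d+)\s+proto=(?P<proto>tcp|udp)")


def review_log(lines) -> list:
    """Run classify() over firewall log lines in the assumed format; unparsable lines are skipped."""
    verdicts = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            verdicts.append(classify(m["host"], int(m["port"]), m["proto"]))
    return verdicts


SAMPLE_LOG = [   # constructed lines, not real Kaspersky or firewall output
    "2024-05-01T10:00:01Z action=allow dst=s07.upd.kaspersky.com:443 proto=tcp",
    "2024-05-01T10:00:02Z action=allow dst=touch.kaspersky.com:80 proto=tcp",
    "2024-05-01T10:00:03Z action=allow dst=185.228.168.168:53 proto=udp",
    "2024-05-01T10:00:04Z action=allow dst=s03.upd.kaspersky.com:443 proto=tcp",
    "2024-05-01T10:00:05Z action=allow dst=cm.k.kaspersky-labs.com:8443 proto=tcp",
]

if __name__ == "__main__":
    for v in review_log(SAMPLE_LOG):
        print(f"{v.decision:20} {v.host}:{v.port}  {v.reason}")
```

The public DNS verdict is deliberately not "allowed": it tells you the endpoint could not reach your own resolvers, which is a network fault to fix before deciding whether the fallback traffic is acceptable under the privacy note.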
Kaspersky Endpoint Security generates events of the following types: general events and specific events. Specific events are created only by Kaspersky Endpoint Security for Windows. Specific events have a simple ID, such as 000000cb. Specific events contain the following required parameters:
GNRL_EA_DESCRIPTION is the content of the event.
TASK_DISPLAY_NAME is the name of the application component that initiated the event.
General events can be created by Kaspersky Endpoint Security for Windows as well as other Kaspersky applications (for example, Kaspersky Security for Windows Server). General events have a more complex ID, such as GNRL_EV_VIRUS_FOUND. In addition to required settings, general events contain advanced settings.
Critical
End User License Agreement violated
Activation error
Windows event ID 57
Failed to verify an encrypted connection. The domain is added to the list of exclusions
Windows event ID 60
(name missing) – Event parameters: GNRL_EA_PARAM_1 is the hash of the object (SHA256). Logged to: Kaspersky Security Center event log (default).
(name missing) – Event parameters: GNRL_EA_PARAM_1 is the hash of the object (SHA256). Logged to: Kaspersky Security Center event log (default).
Disinfection impossible – Event parameters: GNRL_EA_PARAM_1 is the hash of the object (SHA256). Logged to: Kaspersky Security Center event log (default).
Cannot be deleted
Processing error
Process terminated
(name missing) – Event parameters: GNRL_EA_PARAM_2 is the path to the object.
(name missing) – Event parameters: GNRL_EA_PARAM_2 is the path to the object.
(name missing) – Event parameters: GNRL_EA_PARAM_2 is the path to the object.
(name missing) – Event parameters: GNRL_EA_PARAM_1 is the name of the Adaptive Anomaly Control rule.
Component: Firewall – Kaspersky Security Center event ID: GNRL_EV_ATTACK_DETECTED. Event parameters: GNRL_EA_PARAM_1 is the name of the attack; GNRL_EA_PARAM_2 is the protocol. Logged to: Windows event log (default); Kaspersky Security Center event log (default).
(name missing) – Event parameters: GNRL_EA_PARAM_2 is the name of the session user.
(name missing) – Event parameters: GNRL_EA_PARAM_1 is the URL.
(name missing) – Event parameters: GNRL_EA_PARAM_1 is the URL.
(name missing) – Event parameters: GNRL_EA_PARAM_1 is the Hardware ID (HWID).
Error verifying application databases and modules – Component: Update
Internal task error – Component: Update
File encryption / decryption error – Event parameters: GNRL_EA_PARAM_1 is the path to the file. Logged to: Kaspersky Security Center event log (default).
The task for managing Authentication Agent accounts ended with an error
FDE upgrade rollback failed (for more information, please refer to the Kaspersky Endpoint Security for Windows Online Help)
IOC found
There are patterns of a possible Kerberos forged PAC (MS14-068) attack in the system
Invalid certificate of the agent on the Kaspersky Anti Targeted Attack Platform server
Your device is connected to an untrusted Administration Server. Please contact the administrator of your organization

Functional failure
Task cannot be performed

Warning
Application crashed during previous session
Self-Defense is disabled
Task stopped
The license allows the use of components that have not been installed
Blocked – Event parameters: GNRL_EA_PARAM_1 is the hash of the object (SHA256). Logged to: Kaspersky Security Center event log (default).
Suspicious network activity detected
Quarantine storage is almost out of space
(name missing) – Event parameters: GNRL_EA_PARAM_1 is the hash of the object (SHA256). Logged to: Kaspersky Security Center event log (default).
Object encrypted
Object corrupted
Legitimate software that can be used by intruders to damage your computer or personal data was detected (local bases) – Event parameters: GNRL_EA_PARAM_1 is the hash of the object (SHA256). Logged to: Kaspersky Security Center event log (default).
Legitimate software that can be used by intruders to damage your computer or personal data was detected (KSN) – Event parameters: GNRL_EA_PARAM_1 is the hash of the object (SHA256). Logged to: Kaspersky Security Center event log (default).
Object deleted – Event parameters: GNRL_EA_PARAM_1 is the hash of the object (SHA256). Logged to: Kaspersky Security Center event log (default).
Object disinfected – Event parameters: GNRL_EA_PARAM_1 is the hash of the object (SHA256). Logged to: Kaspersky Security Center event log (default).
Rollback completed
(name missing) – Event parameters: GNRL_EA_PARAM_1 is the hash of the object (SHA256). Logged to: Kaspersky Security Center event log (default).
(name missing) – Event parameters: GNRL_EA_PARAM_1 is the hash of the object (SHA256). Logged to: Kaspersky Security Center event log (default).
(name missing) – Event parameters: GNRL_EA_PARAM_1 is the URL.
Failed to install or upgrade Kaspersky Disk Encryption drivers in the WinRE image
Process was terminated by the Kaspersky Anti Targeted Attack Platform server administrator
The application was terminated by the Kaspersky Anti Targeted Attack Platform server administrator
File or stream was deleted by the Kaspersky Anti Targeted Attack Platform server administrator
File was restored from quarantine on the Kaspersky Anti Targeted Attack Platform server by the administrator
File was quarantined on the Kaspersky Anti Targeted Attack Platform server by the administrator
Network isolation
(name missing) – Event parameters: c_er_descr is the message to user.
(name missing) – Event parameters: GNRL_EA_DESCRIPTION is the message to user.
Application activity blockage message to administrator – Event parameters: GNRL_EA_DESCRIPTION is the message to user.
Object changes too often. Event aggregation started (File Integrity Monitor)
Report on object modification for the aggregation period (File Integrity Monitor)

Informational message
Application started
Application stopped
Report cleared
Task started
Task completed
All application components that are defined by the license have been installed and run in normal mode
The application works and processes data under relevant laws and uses the appropriate infrastructure
Object renamed
Object processed
Object skipped
Archive detected
Packed object detected
Link processed
File restored
(name missing) – Event parameters: GNRL_EA_PARAM_1 is the name of the Adaptive Anomaly Control rule.
Keyboard authorized
(name missing) – Component: Firewall
(name missing) – Event parameters: GNRL_EA_PARAM_2 is the name of the session user.
(name missing) – Event parameters: GNRL_EA_PARAM_1 is the file operation (write or delete).
No available updates – Component: Update
Downloading files – Component: Update
File downloaded – Component: Update
File installed – Component: Update
File updated – Component: Update
Updating files – Component: Update
Distributing updates – Component: Update
Downloading patches – Component: Update
Installing patch – Component: Update
Patch installed – Component: Update
Hard drive accessed using the procedure of requesting access to encrypted devices
Failed attempt to access the hard drive using the procedure of requesting access to encrypted devices
Account was not modified. This account does not exist
Failed to uninstall Kaspersky Disk Encryption drivers from the WinRE image
Processing of tasks from the Kaspersky Anti Targeted Attack Platform server is inactive
Tasks from the Kaspersky Anti Targeted Attack Platform server are being processed
Object deleted
Object quarantined (Kaspersky Sandbox)
The Administration Server that your device is connected to is no longer set as trusted
Device is connected – Event parameters: GNRL_EA_PARAM_1 is the Hardware ID (HWID).
Device is disconnected
Appendix 7. Supported file extensions for Execution prevention
Kaspersky Endpoint Security supports preventing the opening of office format files in certain applications. The information about supported file extensions and applications is listed in the following table.

Application         Process                 File extensions
Adobe Acrobat       acrord32.exe            pdf
Foxit PDF Reader    FoxitReader.exe
STDU Viewer         STDUViewerApp.exe
Microsoft Edge      MicrosoftEdge.exe
Google Chrome       chrome.exe
Mozilla Firefox     firefox.exe
Yandex Browser      browser.exe
Tor Browser         tor.exe

Processes:
AutoHotkey.exe
AutoHotkeyA32.exe
AutoHotkeyA64.exe
AutoHotkeyU32.exe
AutoHotkeyU64.exe
InstallUtil.exe
RegAsm.exe
RegSvcs.exe
autoit.exe
cmd.exe
control.exe
cscript.exe
hh.exe
mmc.exe
msbuild.exe
mshta.exe
msiexec.exe
perl.exe
powershell.exe
python.exe
reg.exe
regedit.exe
regedt32.exe
regsvr32.exe
ruby.exe
rubyw.exe
rundll32.exe
runlegacycplelevated.exe
wscript.exe
wwahost.exe
Execution prevention supports working with Java applications in the Java runtime environment (java.exe and javaw.exe processes).

HKEY_CLASSES_ROOT\htafile
HKEY_CLASSES_ROOT\batfile
HKEY_CLASSES_ROOT\exefile
HKEY_CLASSES_ROOT\comfile
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Monitors
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\NetworkProvider
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\Software\Classes\piffile
HKEY_LOCAL_MACHINE\Software\Classes\htafile
HKEY_LOCAL_MACHINE\Software\Classes\exefile
HKEY_LOCAL_MACHINE\Software\Classes\comfile
HKEY_LOCAL_MACHINE\Software\Classes\CLSID
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Aedebug
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
The application supports IOC files with the IOC and XML extensions in the open standard OpenIOC versions 1.0 and 1.1 for describing indicators of compromise.
If, when creating an IOC Scan task on the command line, you upload IOC files, some of which are not supported, when the task is run, the application uses only the supported IOC files. If, when creating an IOC Scan task on the command line, all of the IOC files that you upload turn out to be unsupported, the task can still be run, but it will not detect any indicators of compromise. It is not possible to upload unsupported IOC files using Web Console or Cloud Console.
Semantic errors and unsupported IOC terms and tags in IOC files do not cause task execution to fail. In such sections of IOC files, the application detects no match.
The identifiers of all IOC files used in a single IOC Scan task must be unique. If there are IOC files with the same identifier, it might affect the task execution results.
A single IOC file must not exceed 2 MB in size. Using larger files will cause IOC Scan tasks to terminate with an error. The total size of all files added to the IOC collection should not exceed 10 MB. If the total size of all files exceeds 10 MB, you need to split the IOC collection and create several IOC Scan tasks.
It is recommended to create one IOC file per threat. This makes it easier to analyze the results of the IOC Scan task.
The file that you can download by clicking the link below contains a table with the full list of IOC terms of the OpenIOC standard.
Features and limitations of the application's support for the OpenIOC standard are shown in the following table.

Features and limitations of support for OpenIOC versions 1.0 and 1.1

Supported conditions: is, contains, starts-with, ends-with, matches, greater-than, less-than
Supported operators: AND, OR
Features of data type interpretation: The "boolean string", "restricted string", "md5", "IP", "sha256" and "base64Binary" data types are interpreted as string.
The application supports interpretation of the Content setting for the int and date data types when it is set in the form of intervals:
OpenIOC 1.0: using the TO operator in the Content field:
<Content type="int">49600 TO 50700</Content>
<Content type="date">2009-04-28T10:00:00Z TO 2009-04-28T16:00:00Z</Content>
<Content type="int">[154192 TO 154192]</Content>
OpenIOC 1.1: using the greater-than and less-than conditions; using the TO operator in the Content field.
The application supports interpretation of the date and duration data types if the indicators are set in ISO 8601, Zulu Time Zone, UTC format.
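The rules above (the seven supported conditions, AND/OR nesting, hash and IP types compared as strings, int and date intervals written with TO, Zulu-time dates, the 2 MB per-file and 10 MB per-collection limits, and unique identifiers) are easier to reason about when run against data. The following is an added example, not Kaspersky code and not a description of how the IOC Scan task is implemented: a minimal OpenIOC 1.0 evaluator that applies those rules to a constructed IOC file and constructed host observations, plus a pre-flight check for the size and identifier constraints. The shape of the observed data (search path to a list of string values), the sample IOC and the placeholder hash are assumptions made for the example.

```python
"""Minimal OpenIOC 1.0 evaluator for the conditions and interval forms listed above.
Added example, not Kaspersky code; the sample IOC, the observed-value shape
(search path -> list of strings) and the host values are constructed for it."""
import operator
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MAX_IOC_FILE_BYTES = 2 * 1024 * 1024      # per-file limit stated above
MAX_COLLECTION_BYTES = 10 * 1024 * 1024   # limit for all files in one IOC Scan task
# string conditions receive (observed, expected); int/date conditions compare coerced values
_STRING_OPS = {"is": operator.eq, "contains": operator.contains, "starts-with": str.startswith,
               "ends-with": str.endswith, "matches": lambda obs, exp: re.search(exp, obs) is not None}
_ORDER_OPS = {"is": operator.eq, "greater-than": operator.gt, "less-than": operator.lt}


def _local(tag):
    return tag.rsplit("}", 1)[-1]   # drop the namespace so the OpenIOC xmlns is optional


def _coerce(value, ctype):
    # int and date compare as numbers / UTC timestamps; every other type stays a string
    if ctype == "int":
        return int(value.strip())
    if ctype == "date":   # Zulu-time ISO 8601 only, as the table states
        return datetime.strptime(value.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return value.strip()


def parse_content(text, ctype):
    """'49600 TO 50700' or '[a TO b]' becomes an inclusive (lo, hi) pair; otherwise one value."""
    text = text.strip()
    if ctype in ("int", "date") and " TO " in text:
        lo, hi = text.strip("[]").split(" TO ", 1)
        return _coerce(lo, ctype), _coerce(hi, ctype)
    return _coerce(text, ctype)


def item_matches(condition, expected, observed, ctype):
    """Apply one IndicatorItem condition; unsupported conditions and bad values never match."""
    if ctype not in ("int", "date"):
        op = _STRING_OPS.get(condition)
        return bool(op(observed, str(expected))) if op else False
    try:
        value = _coerce(observed, ctype)
    except ValueError:
        return False
    if isinstance(expected, tuple):   # interval form: only 'is' is meaningful
        return condition == "is" and expected[0] <= value <= expected[1]
    op = _ORDER_OPS.get(condition)
    return bool(op(value, expected)) if op else False


def evaluate(node, observed):
    """Recursively evaluate an <Indicator> (AND/OR) or an <IndicatorItem>."""
    tag = _local(node.tag)
    if tag == "Indicator":
        kids = [c for c in node if _local(c.tag) in ("Indicator", "IndicatorItem")]
        combine = all if node.get("operator", "OR").upper() == "AND" else any
        return bool(kids) and combine(evaluate(c, observed) for c in kids)
    if tag != "IndicatorItem":
        return False
    ctx, content = (next(c for c in node if _local(c.tag) == t) for t in ("Context", "Content"))
    ctype = content.get("type", "string")
    expected = parse_content(content.text or "", ctype)
    values = observed.get(ctx.get("search", ""), [])
    return any(item_matches(node.get("condition", ""), expected, v, ctype) for v in values)


def scan_ioc(xml_text, observed):
    root = ET.fromstring(xml_text)
    definition = next(c for c in root if _local(c.tag) == "definition")
    return any(evaluate(c, observed) for c in definition)


def validate_collection(files):
    """Apply the size and unique-identifier rules stated above; returns the problems found."""
    problems, seen = [], {}
    for name, data in files.items():
        if len(data) > MAX_IOC_FILE_BYTES:
            problems.append(f"{name}: larger than 2 MB, the task would end with an error")
            continue
        ioc_id = ET.fromstring(data).get("id")
        if ioc_id in seen:
            problems.append(f"{name}: id {ioc_id!r} already used by {seen[ioc_id]}")
        seen.setdefault(ioc_id, name)
    if sum(len(d) for d in files.values()) > MAX_COLLECTION_BYTES:
        problems.append("collection larger than 10 MB: split it across several IOC Scan tasks")
    return problems


SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001">
<definition><Indicator operator="OR">
<IndicatorItem condition="is"><Context document="FileItem" search="FileItem/Sha256sum" type="mir"/>
<Content type="sha256">0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef</Content></IndicatorItem>
<Indicator operator="AND">
<IndicatorItem condition="is"><Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/>
<Content type="int">49600 TO 50700</Content></IndicatorItem>
<IndicatorItem condition="is"><Context document="FileItem" search="FileItem/Created" type="mir"/>
<Content type="date">2009-04-28T10:00:00Z TO 2009-04-28T16:00:00Z</Content></IndicatorItem>
<IndicatorItem condition="ends-with"><Context document="FileItem" search="FileItem/FileName" type="mir"/>
<Content type="string">.dll</Content></IndicatorItem>
</Indicator></Indicator></definition></ioc>"""   # constructed; the hash is a placeholder

OBSERVED_HIT = {   # constructed host data: unknown hash, but size, time and name all fall in range
    "FileItem/Sha256sum": ["f" * 64],
    "FileItem/SizeInBytes": ["50000"],
    "FileItem/Created": ["2009-04-28T12:30:00Z"],
    "FileItem/FileName": ["loader.dll"],
}
```

Two behaviours are worth noticing: an unsupported condition or a value that does not parse as the declared type yields no match rather than an error, which mirrors the statement above that semantic errors only suppress matches in the affected section, and the interval form is accepted only with the is condition, so a greater-than against an interval is treated as unsupported.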
Application Control.
Web Control.
Device Control.
Log Inspection.
In Kaspersky Endpoint Security for Windows 12.5, now you can select users not only from Active Directory, but also from the list of users in Kaspersky Security Center. You can also enter local user account data manually. This means you can add users in the following ways:
Kaspersky recommends using local user accounts only in special cases when it is not possible to use domain user accounts. For details about the security risks of using local accounts, see the Microsoft Knowledge Base. You bear full responsibility for the security of a computer if local user accounts are used; in particular this includes the responsibility for controlling and restricting access to Kaspersky Endpoint Security settings.
The application uses the SID (Security Identifier) of the user to identify users. When using user accounts from Active Directory or from the Kaspersky Security Center user list, the application determines the SID on the Administration Server. This means the application does not place extra load on the computer to identify a user. If you added more than 1000 local user accounts to an application rule, the application contacts the domain controller to identify the user. This means the load on the computer is increased. To optimize the performance impact on the computer, we recommend using user accounts from Active Directory or the Kaspersky Security Center user list.
Information about third-party code
Information about third-party code is contained in the legal_notices.txt file, located in the application installation folder.

Trademark notices
Registered trademarks and service marks are the property of their respective owners.
Adobe, Acrobat, Flash, Reader and Shockwave are either registered trademarks or trademarks of Adobe in the United States and/or other countries.
Amazon, Amazon Web Services, AWS are trademarks of Amazon.com, Inc. or its affiliates.
AutoCAD is a trademark or registered trademark of Autodesk, Inc., and/or its subsidiaries and/or affiliates in the USA and/or other countries.
The Bluetooth word, mark and logos are owned by Bluetooth SIG, Inc.
Android, Google Public DNS, Google Chrome, Chrome are trademarks of Google LLC.
Citrix and Citrix Provisioning Services, and XenDesktop are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries.
Cloudflare, Cloudflare Workers, and the Cloudflare logo are trademarks and/or registered trademarks of Cloudflare, Inc. in the United States and other jurisdictions.
Dell Technologies, Dell, EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Docker and the Docker logo are trademarks or registered trademarks of Docker, Inc. in the United States and/or other countries. Docker, Inc. and other parties may also have trademark rights in other terms used herein.
ESET is a trademark or registered trademark of ESET spol. s r.o. or respective ESET entity.
IBM is a trademark of International Business Machines Corporation, registered in many jurisdictions worldwide.
Cisco, Cisco AnyConnect are registered trademarks or trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
Lenovo, Lenovo ThinkPad are trademarks of Lenovo in the United States and/or elsewhere.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Logitech is either a registered trademark or trademark of Logitech in the United States and/or other countries.
Mail.ru is a registered trademark of Mail.Ru, LLC.
McAfee is the trademark or registered trademark of McAfee LLC or its subsidiaries in the US and/or other countries.
Microsoft, Microsoft Edge, Access, Active Directory, ActiveSync, Bing, BitLocker, Excel, Internet Explorer, LifeCam Cinema, MSDN, MultiPoint, Outlook, PowerPoint, PowerShell, Visual Basic, Visual FoxPro, Windows, Windows PowerShell, Windows Server, Windows Store, Windows Live, MS-DOS, Skype, Surface, Hyper-V, SQL Server, JScript are trademarks of the Microsoft group of companies.
Mozilla, Firefox and Thunderbird are trademarks of the Mozilla Foundation in the U.S. and other countries.
NetApp is the trademark or the registered trademark of NetApp, Inc. in the United States and/or other countries.
Java and JavaScript are registered trademarks of Oracle and/or its affiliates.
VERISIGN is a registered trademark in the United States and elsewhere or an unregistered trademark of VeriSign, Inc. and its subsidiaries.
VMware, VMware ESXi and VMware Workstation are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions.
Thawte is a trademark or registered trademark of Symantec Corporation or its affiliates in the U.S. and other countries.