Kaspersky Lab www.kaspersky.com
I-1 Unit I. Deployment
Unit I. Deployment

Introduction ..... 4
  Basics of Kaspersky Endpoint Security for Business ..... 4
    Which products the course covers ..... 4
    What constitutes Kaspersky Security Center ..... 5
    What constitutes Kaspersky Endpoint Security ..... 5
    How Kaspersky Security Center manages computers ..... 7
    How the administrator manages protection via the Console ..... 9
    How policies are applied to computers ..... 10
    How policies work in groups ..... 10
    How tasks are applied to the computers ..... 11
    How tasks work in groups ..... 12
    How Kaspersky Endpoint Security for Business is licensed ..... 13
  What This Course Is About ..... 15
    What we will tell you in this course and what not ..... 15
    Where to learn more about what is out of the course scope ..... 16
    What the course includes ..... 17
Chapter 1. How to Deploy Kaspersky Endpoint Security for Business ..... 18
  1.1 What to Install and in What Order ..... 18
  1.2 How to Organize the Process ..... 19
Chapter 2. How to Install Kaspersky Security Center ..... 20
  2.1 Requirements for the Administration Server ..... 20
    Support for server versions of Windows ..... 20
    Support for Windows workstations ..... 21
    Virtualization support ..... 22
    Support for database management servers ..... 22
    Additional software requirements ..... 23
    Minimum hardware requirements ..... 23
  2.2 Installation of the Administration Server ..... 24
    Where to get Kaspersky Security Center distribution ..... 24
    Kaspersky Security Center installation shell ..... 24
    What you need to know before the installation ..... 25
    Setup Wizard ..... 26
    Additional consoles and plug-ins ..... 37
    Installation results ..... 38
I-2
KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
  2.3 Quick Start Wizard ..... 40
    What you need to know prior to configuring ..... 40
    Installing the license ..... 41
    Configuring proxy server for Internet access ..... 43
    Checking for new versions ..... 43
    Kaspersky Security Network ..... 45
    Configuring e-mail notification ..... 46
    Configuring vulnerability and patch management ..... 47
    Creating tasks and policies ..... 47
    Downloading updates to the repository ..... 49
    What to do next ..... 50
  2.4 What Is There in the Administration Console? ..... 50
Chapter 3. How to Install Kaspersky Endpoint Security on Computers ..... 52
  3.1 Requirements for the Computers ..... 52
    Kaspersky Endpoint Security requirements for the operating system ..... 52
    The virtual platforms supported by Kaspersky Endpoint Security ..... 53
    Minimum hardware requirements ..... 54
    Requirements for Network Agent ..... 54
  3.2 Installation Methods ..... 55
    What to do prior to the installation ..... 55
    Available installation methods ..... 56
  3.3 How to Remotely Install KSC Agent and Kaspersky Endpoint Security ..... 57
    Remote installation wizard ..... 57
    Installation packages ..... 58
    Selecting the installation package ..... 59
    Selecting the computers ..... 60
    Installation method ..... 62
    Selecting the key ..... 63
    Uninstalling incompatible applications ..... 64
    Where to place computers after the installation ..... 65
    Administrator account ..... 66
    Where to monitor the installation ..... 66
    Installation result ..... 68
  3.4 How to Install the Network Agent via Active Directory ..... 69
    How to install applications via Active Directory ..... 69
    How to publish the Network Agent package in Active Directory using a task ..... 70
    What the task changes in Active Directory ..... 70
  3.5 How to Simplify Local Installation ..... 72
    Why install locally ..... 72
    Standalone installation packages ..... 72
    How to create a standalone package ..... 73
    What to do with standalone packages ..... 75
  3.6 How to Select Which KES Components to Install ..... 77
    Installation packages ..... 77
    Settings of a Kaspersky Endpoint Security package ..... 78
    Network Agent package parameters ..... 83
  3.7 How to Create an Installation Package ..... 85
    Why create installation packages ..... 85
    Package creation wizard ..... 86
    Package types ..... 86
    Package settings ..... 87
    How to download a new version ..... 89
    How to find out that new versions are available ..... 92
  3.8 How to Uninstall Incompatible Applications ..... 92
    Which programs are incompatible and why uninstall them ..... 92
    What if there are incompatible applications? ..... 93
    How to find out whether there are any incompatible applications ..... 95
    How to uninstall incompatible applications that have not been found ..... 96
    How to display computers with an incompatible application ..... 98
    How to uninstall incompatible applications using a task ..... 101
Chapter 4. How to Organize Computers into Groups ..... 106
  4.1 How to Understand That the Deployment Has Been Completed ..... 106
    Where to look for information about the deployment ..... 107
    Global statuses ..... 108
    Computer selections ..... 108
    Reports ..... 109
  4.2 How the Administration Server Discovers Computers ..... 111
    Polling types ..... 111
    Where to configure polling ..... 112
    Windows network polling ..... 113
    Active Directory polling ..... 116
    IP subnet polling ..... 118
    Where to monitor network polling ..... 120
    How to find out that the Server has discovered new computers ..... 121
  4.3 How to Create or Import Groups ..... 122
    Why create groups ..... 122
    How to add a group ..... 123
    How to add a computer to a group ..... 124
    How to import a group structure ..... 125
  4.4 How to Add Computers to Groups Automatically ..... 128
    Computer relocation rules ..... 128
    Configuring relocation rules ..... 129
    Conditions in relocation rules ..... 130
    How to synchronize groups with Active Directory ..... 132
    Rule application order ..... 133
Introduction
First of all, let us introduce the course and tell which topics it covers and which it omits. You will also learn which solutions and products are studied in this course, what they consist of, how they interact and how they are licensed.
Basics of Kaspersky Endpoint Security for Business
Which products the course covers
The course describes the Kaspersky Endpoint Security for Business solution, which includes various Kaspersky Lab products. The course does not try to cover all products; it tells only about those that can help to protect a not-too-large Windows network. A not-too-large network in our course means approximately up to 1000 endpoints in a single location. Endpoints in this course are servers and workstations running Windows. To protect such a network, two Kaspersky Endpoint Security for Business products are necessary:
— Kaspersky Endpoint Security for Windows, which protects computers against threats
— Kaspersky Security Center 10, which centrally manages the protection

Kaspersky Endpoint Security is an application that not only protects against malware and hackers, but also can control the users’ actions and encrypt files and drives.
What constitutes Kaspersky Security Center

Kaspersky Security Center consists of several programs:
— Kaspersky Security Center Administration Server stores all the settings, collects events, draws up reports, etc. It is the Server that manages protection on the administrator’s command.
— The database server maintains the Administration Server’s database, where the Server stores events and some of the settings. Other Server settings are stored in files on a drive.
— Kaspersky Security Center Network Agents connect Kaspersky Endpoint Security to the Administration Server: receive settings for Kaspersky Endpoint Security from the Server, and send events to the server
— Kaspersky Security Center Administration Console is a management system interface for the administrator; the administrator configures parameters in the console, consults reports and events and manages protection in general
What constitutes Kaspersky Endpoint Security
Kaspersky Endpoint Security is a single application that includes numerous components:
Protection components

— File Anti-Virus: scans files whenever the user or a program creates, changes, copies or starts one. Blocks operations with malicious files, and quarantines these files
— Mail Anti-Virus: intercepts e-mail messages, scans their text and attachments, deletes malicious files from messages
— Web Anti-Virus: scans web pages and files that the user or programs download from the Internet. Blocks dangerous and phishing web sites, prohibits downloading malicious files
— Network Attack Blocker: scans network packets that the computer receives. Blocks a connection if it detects indications of a network attack
— Firewall: controls the connections established by the programs running on the computer, and the packets they receive or send. Blocks packets according to the configured rules. Does not allow an unknown program or a program that has a bad reputation to establish connections
— Application Privilege Control: monitors the programs’ activities on the computer. Does not allow programs that have a bad or unknown reputation to change system settings and the user’s files, or to tamper with the operating system and other software
— System Watcher: also monitors what applications do, but analyzes a program’s behavior as a whole rather than its individual actions. Stops the applications that behave as malware; in particular, stops programs that try to encrypt files
— BadUSB Attack Prevention: does not permit connecting new input devices (keyboards, etc.) to the computer without the user’s consent. Protects against USB devices that pretend to be keyboards and send malicious commands to the computer
— Kaspersky Security Network: requests the reputation of programs and web pages from Kaspersky Lab servers, provides the latest information about threats, protects against zero-day attacks and false positives

Control components

— Application Startup Control: blocks program start according to the configured rules. Can freeze the current state of a computer and block any new application
— Device Control: blocks access to devices according to the configured rules. The administrator can prohibit access to all or some removable drives, Wi-Fi adapters or modems
— Web Control: blocks access to web pages according to the configured rules. The administrator can prohibit access to social networks, job search and news web sites, torrent trackers, etc.

Encryption components

— Encryption of hard drives: encrypts all drives’ contents. Protects files on notebooks, which may be lost or stolen
— Encryption of Files and Folders: encrypts individual files and folders according to the rules. Protects files on notebooks, which may be lost or stolen
— Microsoft BitLocker Management: manages disk encryption via Microsoft BitLocker. Protects files on notebooks, which may be lost or stolen

Other components and tasks

— Virus Scan: scans files on the specified schedule. Performs this more thoroughly than File Anti-Virus
— Update: downloads descriptions of threats and file reputations to the computers, provides protection when Kaspersky Security Network is inaccessible
— Sensor of Kaspersky Anti Targeted Attack Platform: informs the Central Node of Kaspersky Anti Targeted Attack Platform about the programs’ activities on the computers, helps to detect Advanced Persistent Threats
— Integrity Check: ensures that nobody can modify Kaspersky Endpoint Security files
— Find Vulnerabilities: a local task that scans computers for vulnerabilities in applications and operating system files against a database of vulnerabilities. It is not used, because the same task is performed by Network Agent
— IM Anti-Virus: scans non-encrypted messages within some messengers
For more details about components and their settings, refer to Units II and III.
How Kaspersky Security Center manages computers
Let’s see how all components of Kaspersky Endpoint Security for Business interact. In a protected network, two programs are installed on each computer:
— Kaspersky Endpoint Security, which protects
— Kaspersky Security Center Network Agent, which manages

Network Agent connects to the Administration Server on the specified schedule, and also if necessary. By default, a so-called synchronization takes place every 15 minutes.
What Server receives from computers

For the administrator to see what’s happening in the network, Network Agent sends the following data to the Server:

— Events (sent as soon as logged): when Kaspersky Endpoint Security finds malware, or cannot download updates, or cannot start components, etc.
— Statuses (sent as soon as registered): Kaspersky Endpoint Security is not running; databases are out of date; KSN is inaccessible; there are dangerous unprocessed objects
— Lists (sent once per synchronization interval): list of known executable files; list of vulnerable programs; list of quarantined malicious objects; list of unprocessed threats; list of hardware; list of installed software
— Kaspersky Endpoint Security settings (sent during a synchronization)
Typically, Agents send only changes in the lists to the server. Once every several hours (3 hours for some lists, 12 for others) the Server completely synchronizes the lists with the computers. Administration Server accepts connections from the Network Agents on TCP port 13000. Agents compress and encrypt data with the Administration Server certificate using SSL/TLS.
What computers download from the Server

For Kaspersky Endpoint Security to protect a computer in the way the administrator wants, the Network Agent downloads settings for Kaspersky Endpoint Security in the form of policies and tasks from the Server. During a synchronization, Network Agent compares the tasks and policies on the computer with those of the Administration Server, and if the administrator has changed something on the Server, the Agent downloads the new tasks and policies.

Usually, computers receive tasks and policies earlier than at a planned synchronization. Network Agents accept packets on UDP port 15000. If the Server wants an Agent to urgently connect to the Server, it sends a special signal to this port. When the administrator modifies a task or policy, the Administration Server contacts the Agents on all computers to which this task or policy pertains. During a synchronization, policies are downloaded only by those computers that have not received the signal from the Server. The administrator can also send a synchronization request manually, via a computer’s shortcut menu in the Administration Console.

Additionally, Agents connect to the Server to download updates for Kaspersky Endpoint Security. For this purpose, they also connect to port 13000 over an SSL connection.
How the administrator manages protection via the Console
The events and statuses sent by Network Agents help the administrator understand what is happening in the network. The Administration Server summarizes statuses of individual computers and displays them on the main page of the Administration Console—the Monitoring tab of the Administration Server node. To better understand what is happening, the administrator can receive reports, which the Administration Server draws up based on events. There are many search and filter tools in the console that help to arrange events and computers according to various parameters. To specify settings for computer protection, the administrator creates tasks and policies in the console:
— Tasks—for operations that have a logical termination: for example, an update completes when Kaspersky Endpoint Security receives all new threat descriptions, and virus scanning completes when all files in the scan scope have been scanned. That is why updates and virus scanning are configured as tasks, which have schedules
— Policies—for all the other parameters: how to scan files opened by programs, how to scan files that the user downloads from the Internet or receives by e-mail, which network connections to allow and which to block. These settings must be applied permanently to keep the computer protected, and that is why they are specified in a policy
If different computers need different settings, the administrator organizes computers into groups and creates individual policies or tasks within each group. For example, to perform virus scanning on servers at weekends, and on workstations in the background mode during a business day, the administrator can create two groups (for servers and workstations) and create virus scan tasks with different schedules for them.
How policies are applied to computers
A policy contains the same parameters as the local settings of Kaspersky Endpoint Security. When the administrator configures a policy, the local protection settings are changed. In a policy, each parameter or a group of parameters has a lock button. If the button appears pressed and the lock is closed, the parameters are applied to the computers where the policy is enforced. The user cannot modify the values of these parameters in the local interface of Kaspersky Endpoint Security. If the button appears released and the lock is open, the computer considers that this parameter has not been specified in the policy. The user can change these parameters in the local interface. The settings whose lock is closed are compulsory.
How policies work in groups
Policies are applied to computer groups. Even if the user has not created any groups, there is the root group on the Administration Server, which is named Managed devices. If the user wants to create custom groups, they are created as subgroups within the Managed devices group. Policies conform to the following rules:

— There may be policies for different applications in a group, for example, the Network Agent policy and the Kaspersky Endpoint Security policy
— There can be a few policies for the same application in a group, but only one of them can be active. The Active policy is the policy that the Administration Server sends to the computers. An Inactive policy does not influence anything, but the administrator can make it active and thus quickly adjust settings on all computers. If the administrator makes a policy active, the policy that has been active so far becomes inactive automatically.
— If a group has a Kaspersky Endpoint Security policy, and there is a subgroup where there is no Kaspersky Endpoint Security policy, the parent group’s policy is applied to the subgroup’s computers as well
— If a group has a Kaspersky Endpoint Security policy, and there is a subgroup where another Kaspersky Endpoint Security policy is configured, the subgroup’s computers receive the policy configured within this subgroup. However, required (locked) parameters from the parent policy are enforced on the subgroup’s policy, and the administrator cannot modify them. In a child policy, the administrator can edit only the parameters that are not locked in the parent group’s policy
— The administrator can choose not to apply a group policy to subgroups: in the subgroup’s policy, clear the check box that regulates inheriting parameters from the parent policy. After that, the administrator will be able to edit all parameters in the child policy
How tasks are applied to the computers
The administrator manages update and virus scan settings via tasks rather than via the policy.
I-12
KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
While there can be only one type of Kaspersky Endpoint Security policy¹, there are many various task types for Kaspersky Endpoint Security:
— Virus Scan
— Updates
— Update rollback
— Inventory
— Key installation
— Integrity check
— Change application components
— Checking connection with KSN
— Managing Kaspersky PreBoot Agent Accounts
Each task type has its own characteristic settings. For example, a virus scan task has its scope and file scan settings, an update task has an update source and instructions which updates to download. Every task has a schedule. Unlike policies, tasks have no locks. All task settings are enforced on the computers and the user cannot modify them. Tasks can be created not only by the administrator on the Administration Server, but also by the user in the local interface. However, if a policy is configured on the Administration Server and enforced on a computer, it will use only the Administration Server’s tasks. Local tasks will be neither run nor even displayed in the interface. And the user will not be able to create new local tasks.
How tasks work in groups
The administrator creates tasks in groups for regular activities, such as virus scanning or downloading updates.
¹ One for one or several product versions. For example, Kaspersky Endpoint Security 10 SP1 has its own policy type, and Kaspersky Endpoint Security 10 SP2 another one. However, two policies of a single Kaspersky Endpoint Security version contain the same parameters and only the values of these parameters differ.
Similar to group policies, group tasks have their rules:
— If there is a subgroup in a group, a group task is applied to the subgroup’s computers
— There can be several tasks of each type in a group, for example, a few virus scan tasks. They may differ in the scope and schedule, for example, one of the tasks can scan the whole computer once a week, and another one, only critical areas but daily.
— If you want to scan for viruses the same scope with different schedules on different computers, organize computers into respective groups and create individual tasks within each group. For example, to perform full scan on servers at weekends, and on workstations during business hours in background mode.
— If there is a task in a group, and there is a subgroup with a task of the same type, the subgroup’s computers will be running both tasks. Usually, this means that the administrator has not thought over thoroughly enough which tasks are really needed. You must be especially careful with update tasks. To update Kaspersky Endpoint Security on a computer, there must be one update task. If an update task is configured within a group and another one in its subgroup, both will be applied to the computers that comprise the subgroup. If an update task is running already, another one will return an error if started in the meanwhile. Consequently, the administrator will keep receiving update errors because of a configuration error while updates will work correctly
— Subgroups can be excluded from a task scope. Then the subgroup’s computers will receive only the subgroup’s task, and the parental task will not be used

Unlike a policy, a task can be created not only for a group. The administrator can create a task for any list of computers, from a single computer to an arbitrary set of computers belonging to different groups.
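As an added illustration (not from the course and not Kaspersky Security Center code), the following Python model applies the task rules above to a constructed group tree: tasks flow down into subgroups, a subgroup can be excluded from a task scope, and an update task in both a group and its subgroup makes the subgroup's computers run two update tasks, which is the configuration error the text warns about. Group names, task names and schedules are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Task:
    name: str
    kind: str                                   # "update", "virus scan", ...
    group: str                                  # group the task was created in
    schedule: str
    excluded: set = field(default_factory=set)  # subgroups excluded from the task scope


# Constructed group tree: child -> parent. "Managed devices" is the root group.
PARENT = {"Servers": "Managed devices", "Web": "Servers",
          "Workstations": "Managed devices"}

# Constructed tasks. The two update tasks reproduce the mistake described above.
TASKS = [
    Task("Update all", "update", "Managed devices", "every 2 hours"),
    Task("Full scan", "virus scan", "Managed devices", "Sunday 12:00",
         excluded={"Servers"}),
    Task("Critical areas", "virus scan", "Managed devices", "daily 13:00"),
    Task("Server weekend scan", "virus scan", "Servers", "Saturday 02:00"),
    Task("Update servers", "update", "Servers", "hourly"),
]


def chain(group):
    """Yield the group and then each ancestor up to the root."""
    while group is not None:
        yield group
        group = PARENT.get(group)


def tasks_for(group):
    """Tasks that the computers of `group` will run: the group's own tasks plus
    those of every ancestor, unless this branch is excluded from the task scope."""
    path = list(chain(group))
    result = []
    for t in TASKS:
        if t.group not in path:
            continue
        # Groups on the path beneath the task's own group; excluding any of them
        # removes the whole branch below it from the task scope.
        beneath = path[:path.index(t.group)]
        if any(g in t.excluded for g in beneath):
            continue
        result.append(t)
    return result


def duplicate_update_tasks(group):
    """Names of update tasks that would collide on this group's computers:
    a second update task started while the first runs returns an error."""
    updates = [t.name for t in tasks_for(group) if t.kind == "update"]
    return updates if len(updates) > 1 else []


def audit_update_tasks(groups):
    """Map each group that would run more than one update task to those tasks."""
    return {g: duplicate_update_tasks(g) for g in groups if duplicate_update_tasks(g)}


if __name__ == "__main__":
    for g in ("Managed devices", "Servers", "Web", "Workstations"):
        print(g, [(t.name, t.schedule) for t in tasks_for(g)])
    print("update task collisions:",
          audit_update_tasks(["Managed devices", "Servers", "Web", "Workstations"]))
```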
How Kaspersky Endpoint Security for Business is licensed
Which licenses are available for Kaspersky Endpoint Security for Business

We’ve studied how the components of Kaspersky Endpoint Security for Business interact, and how the administrator manages them.
Now let us find out which licenses are available for Kaspersky Endpoint Security for Business, and what makes them different. There are three levels of licenses in Kaspersky Endpoint Security for Business:
— Core (this license is not available on some markets)
— Select
— Advanced

Different licenses permit using different Kaspersky Lab products and different functions within these products. KESB Core allows a customer to use Kaspersky Lab products for workstations only; servers cannot be protected under this license. This means that a KESB Core license can activate Kaspersky Endpoint Security for Windows, Kaspersky Endpoint Security for Mac and Kaspersky Endpoint Security for Linux Workstations.
What the licenses activate in Kaspersky Endpoint Security for Business

KESB Core activates only the protection functions of Kaspersky Endpoint Security for Windows rather than its complete functionality. Control components and encryption components do not work under this license. You do not need to activate Kaspersky Security Center to use it. Everything which is necessary for managing workstation protection is available without a license. KESB Select permits protecting workstations, servers and mobile devices. In Kaspersky Endpoint Security, a KESB Select license activates the protection and control components. In Kaspersky Security Center, a KESB Select license activates the mobile device management functionality. You do not need to activate Kaspersky Security Center to be able to manage only the protection and control on workstations and servers. KESB Advanced permits protecting the same types of endpoints: workstations, servers and mobile devices, but activates more functions. In Kaspersky Endpoint Security for Windows, a KESB Advanced license permits using encryption. In Kaspersky Security Center, a KESB Advanced license allows the customer to use Systems Management; specifically, automatically download and install software fixes and updates, create and deploy images of operating systems with pre-installed applications, etc.
Targeted licenses

If a customer does not need all KESB Advanced functions, licenses for individual functions are also available:
— Encryption
— Mobile Device Management
— Systems Management

Except for the functionality, these licenses have a limitation on the number of endpoints to be protected. For example, a customer purchases a license for 100 nodes, and if later wants to protect more devices, purchases a new license for, say, 150 or 200 nodes. All the abovementioned licenses are usually valid for a year. After that, the customer renews the license for another year, and so on.
Subscription licenses

Additionally, Kaspersky Lab supports subscription licenses. These licenses are purchased from special partners, and the customer pays monthly. The customer can suspend a subscription and resume it later. With a subscription license, the customer can select which functionality level to use and change the number of nodes every month if necessary: expand or cut down depending on the current needs.
What This Course Is About
What we will tell you in this course and what not
Kaspersky Endpoint Security for Business includes many products and capabilities. This course does not try to cover all of them. It only tells how to protect a not-too-large network of computers running Windows operating systems. That is why our course does not describe all the products that belong to Kaspersky Endpoint Security for Business; instead, it focuses on:
— Kaspersky Endpoint Security for Windows
— Kaspersky Security Center

The following products are out of the course scope:
— Kaspersky Endpoint Security for Linux
— Kaspersky Endpoint Security for Mac
— Kaspersky Security for Windows Server
— Kaspersky Embedded Systems Security
— Kaspersky Endpoint Security for Android
— Safe Browser for iOS
— Kaspersky Security for Virtualization
For the same reason, the course does not tell about all the capabilities of Kaspersky Endpoint Security for Windows and Kaspersky Security Center, but concentrates on how to:
— Install protection on the computers
— Manage computer protection
— Manage the Control components
— Use a single Kaspersky Security Center Administration Server
The following topics fall outside the framework of our course:
— Encryption management
— Third-party vulnerability and patch management
— Creation and deployment of disks with computer images
— Protection of large, complex and distributed networks using Update Agents, Connection gateways or several Kaspersky Security Center Administration Servers
Where to learn more about what is out of the course scope
The following courses are available, which are devoted to other products and technologies:

Course                                                                                      Code        Duration
How to protect Linux workstations                                                           KL 013.80   1 day
How to protect Linux servers                                                                KL 007.80   1 day
How to protect Mac workstations                                                             KL 011.80   1 day
How to protect Windows servers using Kaspersky Security for Windows Servers                 KL 005.10   1 day
How to protect devices running embedded versions of Windows                                 KL 037.10   1 day
How to manage mobile devices                                                                KL 010.10   1 day
How to manage encryption                                                                    KL 008.10   1 day
How to fix vulnerabilities and install updates on third-party software                      KL 009.10   1 day
How to manage protection in large, complex and distributed networks                         KL 302.10   2 days
How to protect virtual machines using Kaspersky Security for Virtualization. Agentless      KL 014.40   1 day
How to protect virtual machines using Kaspersky Security for Virtualization. Light Agent    KL 031.40   1 day
Troubleshooting                                                                             KL 016.30   1 day
How to implement a Default Deny policy                                                      KL 032.10   1 day
What the course includes
The course consists of presentations and labs, which alternate. The instructor first explains every topic with slides, and then the students put theory into practice in lab experience. The Student Guide includes all slides and elaborates on all the topics and product settings. What to do during the labs is described in detail in the Lab Guide. The students complete hands-on exercises using virtual machines. The virtual environment depends on the class: it can be VMware Workstation, VMware vSphere, Microsoft Hyper-V, etc. The Lab Guide is designed for VMware Workstation.
Students use five virtual machines, which perform the following roles in the labs:

DC                      Provides AD domain services, DNS, file access
Security-Center         Kaspersky Security Center Administration Server, from which the administrator manages protection
PC1                     Represents a typical desktop computer in a corporate network
Laptop                  Represents a mobile computer, which may be taken outside the corporate network for some time
Spare-Security-Center   Another Administration Server, to test the data restore functionality
Chapter 1. How to Deploy Kaspersky Endpoint Security for Business
1.1 What to Install and in What Order
In a deployment, all network computers must be protected, and the administrator must be able to manage protection centrally. To achieve this, it is necessary to install Kaspersky Security Center 10 (KSC 10) and Kaspersky Endpoint Security 10 for Windows (KES 10) on the computers. First, install the Kaspersky Security Center Administration Server. The Administration Server centrally manages protection, and helps to install other components. The Kaspersky Administration Console is installed automatically along with the Administration Server. To manage the server remotely, use remote desktop, or install Kaspersky Security Center Administration Console on the administrator’s computer. In order to protect the network, install Kaspersky Endpoint Security on every computer. Kaspersky Endpoint Security alone cannot interact with Kaspersky Security Center; install the Network Agent on every computer to make centralized management possible.
If you need to enforce different settings on different computers, organize the computers into groups. Do not create more groups than necessary. To be able to easily find computers, import the structure from Active Directory. To sum up, deploy protection as follows:
1. Install the Kaspersky Security Center Administration Server
2. Install Kaspersky Security Center Network Agent and Kaspersky Endpoint Security
3. Organize computers into groups
1.2 How to Organize the Process
You do not need much time to install all components of Kaspersky Endpoint Security for Business. What consumes time is troubleshooting. To save time, do your homework. Try what you want to implement in a test environment. If issues are encountered, think how to solve them. Or find a workaround to use in case the issue arises on the network computers. However, you are unlikely to stumble upon every possible issue in a test environment. Therefore, in your real network, start with a small number of computers: 10–20. Try to select different computers to come upon as many potential issues as possible. If you encounter new issues, return to the test environment, reproduce them and come up with a solution or a workaround. Stage the deployment: for example, 100 computers at a time. This way, you will discover new issues gradually, and the number of problem computers will always be small. To sum up, deploy as follows:
1. Install software in a test environment
2. Install software on 10–20 typical computers
3. Install software on all computers, by stages, 100 computers at a time
At each step, plan some extra time for troubleshooting. Do not proceed to the following step until you decide how to solve or get round all issues. Solve issues in a test environment rather than on the network computers. Today, an IT test environment is usually made of virtual machines. If virtual machines appear to be a luxury, use the administrators’ computers for testing.
Chapter 2. How to Install Kaspersky Security Center
2.1 Requirements for the Administration Server

To install Kaspersky Security Center Administration Server, prepare a computer that meets the system requirements. If there are fewer than 1000 endpoints in the network, the Administration Server and the database server will easily share a single computer. If nodes are more numerous, use a more powerful computer or use an individual computer for the database server. The Administration Server computer can be either physical or virtual. If you are using a virtual Server, make sure that the virtual environment meets the system requirements.
Support for server versions of Windows
The complete list of supported server operating systems is as follows:
— Microsoft Small Business Server 2008 Standard 64-bit
— Microsoft Small Business Server 2008 Premium 64-bit
— Microsoft Small Business Server 2011 Essentials 64-bit
— Microsoft Small Business Server 2011 Premium Add-on 64-bit
— Microsoft Small Business Server 2011 Standard 64-bit
— Microsoft Windows Server 2008 Datacenter SP1 32-bit / 64-bit
— Microsoft Windows Server 2008 Enterprise SP1 32-bit / 64-bit
— Microsoft Windows Server 2008 Foundation SP2 32-bit / 64-bit
— Microsoft Windows Server 2008 Standard SP1 32-bit / 64-bit
— Microsoft Windows Server 2008 SP1 32-bit / 64-bit
— Microsoft Windows Server 2008
— Microsoft Windows Server 2008 R2 Server Core 64-bit
— Microsoft Windows Server 2008 R2 Datacenter 64-bit
— Microsoft Windows Server 2008 R2 Datacenter SP1 64-bit
— Microsoft Windows Server 2008 R2 Enterprise 64-bit
— Microsoft Windows Server 2008 R2 Enterprise SP1 64-bit
— Microsoft Windows Server 2008 R2 Foundation 64-bit
— Microsoft Windows Server 2008 R2 Foundation SP1 64-bit
— Microsoft Windows Server 2008 R2 SP1 Core Mode 64-bit
— Microsoft Windows Server 2008 R2 Standard 64-bit
— Microsoft Windows Server 2008 R2 Standard SP1 64-bit
— Microsoft Windows Server 2012 Server Core 64-bit
— Microsoft Windows Server 2012 Datacenter 64-bit
— Microsoft Windows Server 2012 Essentials 64-bit
— Microsoft Windows Server 2012 Foundation 64-bit
— Microsoft Windows Server 2012 Standard 64-bit
— Microsoft Windows Server 2012 R2 Server Core 64-bit
— Microsoft Windows Server 2012 R2 Datacenter 64-bit
— Microsoft Windows Server 2012 R2 Essentials 64-bit
— Microsoft Windows Server 2012 R2 Foundation 64-bit
— Microsoft Windows Server 2012 R2 Standard 64-bit
— Windows Storage Server 2008 R2 64-bit
— Windows Storage Server 2012 64-bit
— Windows Storage Server 2012 R2 64-bit
— Microsoft Windows Server 2016 64-bit
Support for Windows workstations
It is better to use server hosts for the Administration Server. In small networks (up to a couple of hundred computers), a powerful workstation will do. Also, you can use a workstation in a test environment. The Administration Server can be installed on the following non-server versions of Windows:
— Microsoft Windows 10 Pro 32-bit / 64-bit
— Microsoft Windows 10 RS2 32-bit / 64-bit
— Microsoft Windows 10 Enterprise 32-bit / 64-bit
— Microsoft Windows 10 Education 32-bit / 64-bit
— Microsoft Windows 10 Pro RS1 32-bit / 64-bit
— Microsoft Windows 10 Education RS1 32-bit / 64-bit
— Microsoft Windows 10 Enterprise RS1 32-bit / 64-bit
— Microsoft Windows 8.1 Pro 32-bit / 64-bit
— Microsoft Windows 8.1 Enterprise 32-bit / 64-bit
— Microsoft Windows 8 Pro 32-bit / 64-bit
— Microsoft Windows 8 Enterprise 32-bit / 64-bit
— Microsoft Windows 7 Professional SP1 32-bit / 64-bit
— Microsoft Windows 7 Enterprise SP1 32-bit / 64-bit
— Microsoft Windows 7 Ultimate SP1 32-bit / 64-bit
Virtualization support

To install the Administration Server on a virtual machine, use one of the following virtualization platforms:
— VMware vSphere 5.5
— VMware vSphere 6
— VMware Workstation 12.x Pro
— Microsoft Hyper-V Server 2008
— Microsoft Hyper-V Server 2008 R2
— Microsoft Hyper-V Server 2008 R2 SP1
— Microsoft Hyper-V Server 2012
— Microsoft Hyper-V Server 2012 R2
— Microsoft Virtual PC 2007 (6.0.156.0)
— Citrix XenServer 6.2
— Citrix XenServer 6.5
— Citrix XenServer 7
— Parallels Desktop 11
— Oracle VM VirtualBox 4.0.4-70112
A virtual machine must meet the operating system, software and hardware requirements.
Support for database management servers
Administration Server uses a database for which an SQL server is necessary. The following versions of SQL servers are supported:
— Microsoft SQL Server
  — Microsoft SQL Server 2008 Express 32-bit
  — Microsoft SQL 2008 R2 Express 64-bit
  — Microsoft SQL 2012 Express 64-bit
  — Microsoft SQL 2014 Express 64-bit
  — Microsoft SQL Server 2008 (all editions) 32-bit / 64-bit
  — Microsoft SQL Server 2008 R2 (all editions) 64-bit
  — Microsoft SQL Server 2008 R2 Service Pack 2 64-bit
  — Microsoft SQL Server 2012 (all editions) 64-bit
  — Microsoft SQL Server 2014 (all editions) 64-bit
  — Microsoft SQL Server 2016 (all editions) 64-bit
— Microsoft Azure SQL Database
— MySQL
  — MySQL 5.5 32-bit / 64-bit
  — MySQL Enterprise 5.5 32-bit / 64-bit
  — MySQL 5.6 32-bit / 64-bit
  — MySQL Enterprise 5.6 32-bit / 64-bit
  — MySQL 5.7 32-bit / 64-bit
  — MySQL Enterprise 5.7 32-bit / 64-bit
Microsoft SQL Server 2014 SP1 Express is included with the distribution of Kaspersky Security Center and is installed automatically during the standard installation. Remember that Express editions have their limitations and must not be used for managing a large number of computers (more than 5000). Detailed information about this is provided in course KL 302.10. SQL server can be installed either on the same computer as the Administration Server or on any other network computer. The Administration Server must have Read and Write access to the SQL database. If the Administration Server and SQL server are installed on the same computer, access issues do not arise.
Additional software requirements

In addition to the operating system, the following software must be installed on the computer:
— Microsoft .NET Framework 2.0 (is included in the distribution)
— Microsoft .NET Framework 3.5 (install as a Windows component)
— Microsoft Data Access Components 2.8
— Windows Data Access Components 6.0
— Windows Installer 4.5 (is included in the distribution)
Allocate a new computer for the Administration Server. If it is impossible, make sure that Kaspersky Security Center Network Agent is not installed on the computer. The installer automatically detects the Network Agent and prompts the administrator to uninstall it.
Minimum hardware requirements

Minimum hardware requirements are as follows:
— 1 GHz or higher processor (1.4 GHz for 64-bit systems)
— 4 GB of RAM
— 10 GB of free hard drive space (if you plan to use the Systems Management functionality, 100 GB of free hard drive space will be necessary)

A more powerful server will be necessary for any significant number of clients. Recommendations are available in the Deployment Guide. Practical experience of using Administration Server in large networks is summarized in course KL 302.10. Kaspersky Endpoint Security and Management. Advanced Skills.
2.2 Installation of the Administration Server
Where to get Kaspersky Security Center distribution
To install Kaspersky Security Center, run the installer. You can download the installer of Kaspersky Security Center 10 from Kaspersky Lab website (https://www.kaspersky.com/small-to-medium-business-security/downloads/security-center) or from the product page on the technical support website (http://support.kaspersky.com/ksc10#downloads). There are two installers:
— ksc_10sp2mr1_10.4.343_full_en.exe—the full distribution of Kaspersky Security Center 10 that includes a complete set of its own components, installation packages of Network Agent and Kaspersky Endpoint Security 10 for Windows, SQL Server 2014 SP1 Express, .NET Framework and other software, as well as the management plug-ins for all supported products. The size of this distribution is about 1.3 GB.
— ksc_10sp2mr1_10.4.343_lite_en.exe—the lite version of the distribution that lacks the installation packages of Kaspersky Endpoint Security 10 for Windows, SQL Server, .NET Framework and some other software; and as far as management plug-ins are concerned, only those of Kaspersky Security Center 10 components are included. The size of this distribution is about 140 MB. This distribution is useful when upgrading Kaspersky Security Center components.
Kaspersky Security Center installation shell

When the full distribution version is run, the installation shell starts. The installation shell allows selecting the components to install, for example, the Administration Server or the Administration Console. You can also extract installation files of the selected components into the specified folder. The following products are available within the installation shell:
— Kaspersky Security Center Administration Server
— Kaspersky Security Center Administration Console
— Kaspersky Security Center Network Agent
— Kaspersky Security Center SHV (System Health Validator for Microsoft Network Access Protection)
— iOS MDM Server (a component of Kaspersky Security Center for managing mobile devices)
— Exchange ActiveSync Mobile Device Server (a component of Kaspersky Security Center for managing mobile devices)
— Application management plug-ins
— Kaspersky Endpoint Security for Windows (extract only)

This course covers only Server, Console and Network Agent, and also Kaspersky Endpoint Security.
What you need to know before the installation
During the installation, the administrator selects:
— Kaspersky Security Center Components
— Installation folder
— SQL server type and connection parameters
— Path to the Administration Server shared folder
— Ports and connection address of the Administration Server
— Management plug-ins for the products
Almost all of these decisions can be changed after the installation. You cannot modify only the SQL server type. If you select Microsoft SQL, you will not be able to switch to MySQL without losing data. You can switch to another SQL server of the same type without losing data, but it is not easy. You will need to back up the Administration Server data, reinstall the Administration Server, select another SQL server, and after that, restore the data from the backup copy.
Setup Wizard

Installation types

Installation of the Administration Server can be either custom or standard². During the standard installation, the administrator is prompted to:
— Accept the license agreement for Kaspersky Security Center
— Specify the network size

If you select Custom installation and leave all the default settings, the result will be exactly the same as after the Standard installation.
Components and installation paths
² On Windows Server Core, only custom installation is available.
You can install the following components together with the Administration Server:
— SNMP Agent
— Mobile devices support

The SNMP agent is necessary for the Administration Server to be able to send notifications over SNMP. This component needs the SNMP service (a Windows component) to be installed on the computer. If the SNMP service is absent from the computer, the SNMP agent will not be shown in the list of Administration Server components during the installation. The Mobile devices support option adds the components necessary for managing Kaspersky Endpoint Security for Mobile via Kaspersky Security Center. Detailed information is available in course KL 010.10. Under the list of components, you can change the location of Administration Server program files. If you want to move files because drive C: lacks space, consider moving only the shared folder of the Administration Server. It can be relocated independently of the program files, and it takes up much more space than the other program files. The path to the shared folder will be configured later in the installation wizard. Remember that the %ProgramData%\KasperskySC folder contains the backup copies of the Administration Server. These copies consume much space, up to several gigabytes, depending on the number of endpoints.
Network size
Four options are represented for the network size:
— Fewer than 100 computers on network
— 100 to 1,000 computers in the network
— 1,000 to 5,000 computers in the network
— More than 5,000 computers in the network
The following Administration Server parameters depend on the selected option:

Parameter                              Fewer than 100   100 to 1,000   1,000 to 5,000   More than 5,000
Automatically randomize task start     –                +              +                +
Display slave Administration Servers   –                –              +                +
Display security settings              –                –              +                +
Automatic randomization of the task start relates to the schedules of virus scan, update, vulnerability search, and other group tasks. If a task starts simultaneously on many computers, the load on the network and Administration Server drastically increases. To even out the peak, tasks can start on the computers with a random delay. The administrator can enable randomization and then specify the randomization range manually or select automatic randomization. On each computer, the delay is selected randomly within the specified or automatically chosen range.
How automatic randomization works

If automatic randomization is used, the randomization range depends on the number of computers where the task starts:

The number of computers   Randomization range
0–200                     0 minutes
200–500                   5 minutes
500–1,000                 10 minutes
1,000–2,000               15 minutes
2,000–5,000               20 minutes
5,000–10,000              30 minutes
10,000–20,000             1 hour
20,000–50,000             2 hours
50,000+                   3 hours
Slave Administration Servers and security parameters are described in course KL 302.10. Kaspersky Endpoint Security and Management. Advanced Skills. These functions are rarely used in small and middle-size networks. The default settings are the same when the administrator selects either “From 1000 to 5000” or “More than 5000 computers on network.” If you select the “More than 5,000 computers on network” option, the installation wizard will recommend that you do not use the free version of Microsoft SQL server. Detailed information about large networks is provided in technical training KL 302.10. Kaspersky Endpoint Security and Management. Advanced Skills. The network size selection only influences a couple of interface settings, which can easily be modified after the installation. The threshold value that actually makes the difference is 1,000 computers. Administration Server operation parameters do not depend on the selected network size.
Administration Server service account
By default, the installer creates a new account named KL-AK-* for starting the Administration Server service. It is a local account, which is not included in the computer administrators’ group, but has the same permissions as administrators. Also, it is added to the KLAdmins group. Members of this group have full access to all the functions and settings of the Administration Server. For security reasons, this account cannot log on to the system locally. If the administrator decides to use another account, he or she must grant it all the necessary permissions. The Administration Server service account must have administrator permissions on the computer selected for the installation. If the database is planned to be stored on a Microsoft SQL server installed on a remote computer, the account must have Read and Write permissions for the Administration Server database on the Microsoft SQL server. If the Administration Server account has domain administrator permissions, some operations are simplified, for example, remote installation. In other cases, permissions are not that important.
Account for accessory services
The KL-AK-* account starts only the Administration Server service: Kaspersky Security Center Administration Server. The Administration Server also has other services:
— Kaspersky Activation Proxy
— Kaspersky Lab Web Server
— Kaspersky Security Network Proxy
— Kaspersky Security Center Network Agent
— Kaspersky Security Center automation object

The first three services are started under another service account created by the installer: KlScSvc. This account has the same rights as KL-AK-*: permissions equivalent to an administrator’s, except the right to log on locally. The Network Agent and the automation object operate under the Local System account. On some operating systems, the automation object operates under the Network Service account. The installation wizard allows selecting another account instead of KlScSvc, for example, if the company already has a service account for this purpose.
Selecting the SQL Server
The Administration Server stores events, information about computers and a part of the settings in the SQL database. The Administration Server can store the database in either of the following types of SQL servers:
— Microsoft SQL Server
— MySQL

The choice depends on the company’s and the administrator’s preferences. MySQL server has open source code and can run on a Linux operating system. That is why MySQL is sometimes preferred by state institutions. A MySQL server will have to be installed by the administrator manually. Microsoft SQL Server is an industry standard. Besides, it need not be installed beforehand. The distribution of Kaspersky Security Center includes Microsoft SQL Server 2014 SP1 Express, which can be installed automatically by the KSC installation wizard.
How to select an existing Microsoft SQL server
If you decide to use an already installed instance of Microsoft SQL server rather than install the Express version, specify the full name of the instance and the name of the database designed for the Administration Server. To find the necessary instance in the network, click the button Browse. If the instance you are looking for is absent from the list, make sure that the SQL Server Browser service is running on the SQL server. It is disabled by default.
How to connect to Microsoft SQL server
The database for the Administration Server is created by the installer. Later, the Administration Server connects to the database to record and extract events. The installer needs the permission to create a database. The Administration Server needs read and write permissions for the database.
If the Microsoft Windows Authentication Mode is selected, the installer connects to the SQL server under the current Windows user account, while the Administration Server will connect to the database under the account of its service (KL-AK-<*>), which the administrator selected at a previous step. Therefore, the current user must have the right to create a database on the SQL server. To check whether the user’s permissions are sufficient, click the button Check connection.
If the Kaspersky Security Center administrator cannot receive the permission to create a database on the SQL server, the SQL server administrator should create an empty database, and the Kaspersky Security Center administrator is to specify the names of the instance and database in the installation wizard. The KL-AK-<*> account (or another one specified by the administrator) must have read and write permissions for the database. You cannot check this before the installation, but you can grant the selected account these permissions afterwards, or even select another account for the Administration Server service.
If you select the SQL Server Authentication Mode, specify an SQL server account rather than a Windows account. Both the installer and the Administration Server will use this account to create the database and record events there. By default, the SQL Server Authentication Mode is disabled in all supported versions of SQL server. It is considered obsolete and unsafe. Microsoft and Kaspersky Lab recommend using Microsoft Windows Authentication Mode.
If the SQL server instance is located on another computer, make sure that SQL server allows remote connections, and that ports are not blocked by the firewall. Click the button Check connection.
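Pre-provisioning the database the way described above (the SQL administrator creates an empty database and grants the Administration Server service account read and write rights, then verifies them, which the Check connection button cannot do under Windows Authentication), as an added PowerShell example that is not part of the course. The instance, database and login names are placeholders, and Invoke-Sqlcmd from the SqlServer module is assumed to be installed.

```powershell
# Added example (not from the course): pre-provision the Administration Server
# database on an existing Microsoft SQL Server instance for the case where the
# KSC administrator may not create databases. Run as a SQL Server sysadmin in
# Windows PowerShell with the SqlServer module installed (Install-Module SqlServer).
#Requires -Modules SqlServer

$SqlInstance  = 'SQL01\KSCINST'   # placeholder: <host>\<instance> to enter in the wizard
$DatabaseName = 'KAV'             # database name to enter in the wizard
$ServiceLogin = 'CORP\svc-ksc'    # placeholder: Windows account that will run the
                                  # Administration Server service; for a remote SQL
                                  # server this is a domain account chosen in the
                                  # wizard instead of the local KL-AK-* account

# 1. SQL Server Browser is disabled by default; without it the wizard's Browse
#    button cannot list the instance. Check it on the SQL host.
$sqlHost = $SqlInstance.Split('\')[0]
$browser = Get-CimInstance -ClassName Win32_Service -ComputerName $sqlHost `
                           -Filter "Name='SQLBrowser'" -ErrorAction SilentlyContinue
if (-not $browser -or $browser.State -ne 'Running') {
    Write-Warning "SQL Server Browser on $sqlHost is not running; the wizard will not find '$SqlInstance' via Browse"
}

# 2. Create the empty database and a Windows login for the service account.
#    $(name) tokens are sqlcmd variables filled in through -Variable, so the
#    names are never spliced into the T-SQL by PowerShell string interpolation.
$serverSql = @'
IF DB_ID(N'$(DbName)') IS NULL
    CREATE DATABASE [$(DbName)];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$(Login)')
    CREATE LOGIN [$(Login)] FROM WINDOWS;
'@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $serverSql `
              -Variable @("DbName=$DatabaseName", "Login=$ServiceLogin")

# 3. Map the login into the database and grant what the course lists: read and
#    write. Widen the rights only if the installer or the Server later reports
#    them as insufficient, rather than starting from db_owner or sysadmin.
$databaseSql = @'
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$(Login)')
    CREATE USER [$(Login)] FOR LOGIN [$(Login)];
ALTER ROLE db_datareader ADD MEMBER [$(Login)];
ALTER ROLE db_datawriter ADD MEMBER [$(Login)];
'@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $DatabaseName -Query $databaseSql `
              -Variable @("Login=$ServiceLogin")

# 4. Verify the result: list the database roles the service account now holds.
$roles = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $DatabaseName `
                       -Variable @("Login=$ServiceLogin") -Query @'
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'$(Login)';
'@
"Roles held by $ServiceLogin in ${DatabaseName}: $($roles.role_name -join ', ')"
```

For a remote instance, run step 1 from the future Administration Server so that the same path through the firewall is exercised.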
How to specify a MySQL server
If you select a MySQL server, the installation wizard cannot install it and waits for connection parameters of an already existing server. Specify the computer address, MySQL server port (usually, 3306) and database name.
How to connect to a MySQL server
Specify the username and password to connect to the MySQL server. This name and password will be used both by the installer to create the database, and by the Administration Server to write into it. In the latest versions of MySQL server, to enable an account to connect to the server, you need to allow a specific address or computer name to use it on the SQL server side. See the MySQL documentation for details. To check whether the selected account can connect to the selected server, click the button Check connection.
The shared folder of the Administration Server
The shared folder stores signature updates and the installation files for applications, specifically, Network Agent and Kaspersky Security Center. By default, the installer creates the shared folder of the Administration Server in the folder with program files. The local name of this folder is Share, and the network name is KLSHARE. Right after the installation and initial setup, the shared folder takes up about 400 MB. Its size may increase up to several gigabytes depending on how Kaspersky Security Center is used. That is why it might be worthwhile to place the shared folder of the Administration Server on a drive other than the system one. The location of the shared folder can be changed later via the Administration Console.
Connection ports of the Administration Server
Administration Server accepts connections from Network Agents on two TCP ports:
— 13000 for SSL connections
— 14000 for non-SSL connections
By default, all connections are encrypted in Kaspersky Security Center, so only SSL port 13000 is used. Port 14000 might be used only if the administrator disables connection encryption for troubleshooting. If you want to use other ports, make this decision beforehand and specify them in the installation wizard. To modify the ports after the Administration Server has been installed, you will have to edit them in several places in the Console. And to modify the ports after Network Agents have been installed on the network computers, you will have to use a special task or reinstall the Agents. In older versions of Kaspersky Security Center, Administration Consoles connect to port 13000. In the recent versions, KSC Consoles connect on TCP port 13291. You cannot select this port in the installation wizard, but you can easily modify it later via the Administration Console. Web server and activation proxy server services use 4 more ports, which can also be reconfigured in the console. To be able to establish SSL connections, the Administration Server generates a new certificate valid for 10 years during the installation. To save and restore the certificate after failures or after reinstalling the Administration Server, use the backup procedure (see Unit IV Maintenance).
Administration Server address for Network Agents
The client computers where the Network Agent is installed will connect to the Administration Server using the address and port specified during the installation. You can specify the Server address in the form of an IP address (IPv4 only), DNS or NetBIOS name. The choice depends on the network configuration. Even though an IPv6 address can’t be specified, Network Agents can connect to the Administration Server via IPv6 if the Administration Server address is specified as a NetBIOS or DNS name. If the Administration Server has a static IP address that will not be changed in the near future, it is the best choice. In this case, the ability to connect depends only on the routers, not on the name resolution system. If the IP address is assigned dynamically (or is static but is changed often), you should not use it as the connection address, as you will have to modify the client connection settings often. In this case, it is better to specify the server name: either DNS or NetBIOS. If the DNS service reliably functions in the network, use the DNS name as DNS name resolution is not usually blocked by local firewalls.
NetBIOS name resolution is based on broadcast queries and answers, which may be blocked by local firewalls. Therefore, the NetBIOS name should only be used for connections if the other methods cannot be used. After the installation, the Server connection address and ports can be changed in the properties of the Network Agent installation package. The default Server connection address and ports, which will be automatically added to new Network Agent packages, are specified in the properties of the Advanced | Remote installation | Installation packages node.
Management plug-ins for the programs
The distribution kit of Kaspersky Security Center includes the management plug-ins for all current versions of Kaspersky Lab products. The custom installation enables the administrator to select the plug-ins of the products that are used or will be used in the network. The plug-ins can also be installed later from the Kaspersky Security Center installation shell. Plug-in installers are also included in the distributions of the corresponding products. Every plug-in is installed by its own short installation wizard. Some plug-ins are installed automatically, while others prompt the administrator to accept the license agreement. If a product has been upgraded to a new version with a new plug-in, the old plug-in can be uninstalled. The following knowledge base article explains how to remove unnecessary plug-ins:
http://support.kaspersky.com/faq/?qid=208280749
During the typical installation, management plug-ins for Kaspersky Security Center 10 components and Kaspersky Endpoint Security 10 for Windows are installed. Plug-ins are installed at the very end of the Administration Server installation. After the Kaspersky Endpoint Security 10 plug-in is installed, the installation is finished. On the last page, the administrator may choose to start the Administration Console.
Completing the installation
On the last page, the wizard prompts you to start the local Administration Console immediately and proceed with the installation in the Administration Server Quick Start Wizard. Usually, the Administration Server needs a few minutes to start working and accept connections.
Additional consoles and plug-ins
If you need plug-ins for other Kaspersky Lab products, you can install them from the installation shell. To be able to manage the Administration Server remotely in a way other than via RDP, install the Administration Console. The console has a very simple installation wizard without settings. Plug-ins for the console can also be installed from the same installation shell. Plug-ins are to be installed on each console, rather than on the Administration Server. If the console lacks a plug-in, the administrator will not be able to open tasks and policies of the corresponding program and the console will display an error message. To fix this, simply install the necessary plug-in.
Installation results
If you select the Custom option when starting the wizard, but agree to the default settings on all wizard pages, the result will be the same as with the Standard option:
Components
— Administration Server
— Network Agent
— Administration Console
Installation paths
— %Program Files(x86)%\Kaspersky Lab\Kaspersky Security Center — program files
— %ProgramData%\KasperskyLab\adminkit — settings
— %ProgramData%\KasperskySC\SC_Backup — the folder for backup copies
Services
— Kaspersky Security Center Administration Server
— Kaspersky Security Center Network Agent
— Kaspersky Security Center automation object
— Kaspersky Security Network proxy server
— Kaspersky Lab Web Server
— Kaspersky Activation Proxy
SQL server
— A local instance of Microsoft SQL Server 2014 SP1 Express
— Instance name: KAV_CS_ADMIN_KIT
— Database name: KAV
User groups
— KLAdmins
— KLOperators (see course KL 302.10 for details)
Accounts
— KL-AK-<*> — starts the service of Kaspersky Security Center Administration Server
— KlScSvc — starts the services of Kaspersky Activation Proxy, Kaspersky Security Network Proxy Server and Kaspersky Lab Web Server
— The KL-AK-<*> and KlScSvc accounts have the same permissions as the local administrator, but are not included in the computer built-in administrators group
— KlPxeUser — a user account for PXE server (see course KL 009.10 for details)
Shared folder
— KLSHARE
— Its local path is %Program Files(x86)%\Kaspersky Lab\Kaspersky Security Center\Share
Connection address
— DNS name of the server
Connection ports
— 13000 — for SSL connections of Network Agents
— 14000 — for non-SSL connections of Network Agents and Administration Consoles
— 13291 — for SSL connections of Administration Consoles and Web Consoles
— 8060 — http port of Kaspersky Lab Web Server
— 8061 — https port of Kaspersky Lab Web Server
— 13111 — port of Kaspersky Security Network proxy server service
— 17000 — port of Kaspersky Activation Proxy
Plug-ins
— Kaspersky Security Center 10 Administration Server
— Kaspersky Security Center 10 Network Agent
— Kaspersky Endpoint Security 10 Service Pack 2 for Windows
Installation packages
— Kaspersky Endpoint Security 10 for Windows
— Kaspersky Security Center Network Agent
Most of these settings can be modified either during the custom installation, or in the product settings after the installation is finished, or both ways. However, some of the settings cannot be edited at all after the product is installed; some others are very difficult to change. You should consider the following very carefully before the installation:
1. The path to data files cannot be modified at all, which complies with Microsoft requirements
2. The path to the program files, as well as the SQL server address, cannot be modified unless you reinstall Kaspersky Security Center
3. The type of SQL server (Microsoft or MySQL) cannot be modified at all, at least not in any supported way.
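A post-installation check of the results listed above (the services and the accounts they run under, the KLAdmins and KLOperators groups, the KLSHARE share and the listening ports), as an added PowerShell example that is not part of the course. It is meant for an elevated Windows PowerShell 5.1 session on the Administration Server itself and matches services by the display names given above; the account pattern for the automation object (LocalSystem or NetworkService) is an assumption taken from the text.

```powershell
# Added example, not from the course: verify a fresh Administration Server
# installation against the expected results listed above. Run in an elevated
# Windows PowerShell 5.1 session on the Administration Server. Services are
# matched by the display names the course gives, so no internal service names
# are assumed.

# Expected service display name -> regular expression for the account (StartName).
# Assumption: the automation object may run as LocalSystem or NetworkService.
$expectedAccounts = [ordered]@{
    'Kaspersky Security Center Administration Server' = '\\KL-AK-'
    'Kaspersky Activation Proxy'                      = '\\KlScSvc$'
    'Kaspersky Security Network proxy server'         = '\\KlScSvc$'
    'Kaspersky Lab Web Server'                        = '\\KlScSvc$'
    'Kaspersky Security Center Network Agent'         = '^LocalSystem$'
    'Kaspersky Security Center automation object'     = '^(LocalSystem|NT AUTHORITY\\NetworkService)$'
}
$findings = New-Object System.Collections.Generic.List[string]

# 1. Services present, running and started under the expected accounts.
foreach ($display in $expectedAccounts.Keys) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$display'"
    if (-not $svc) { $findings.Add("MISSING service: $display"); continue }
    if ($svc.State -ne 'Running') { $findings.Add("NOT RUNNING: $display ($($svc.State))") }
    if ($svc.StartName -notmatch $expectedAccounts[$display]) {
        $findings.Add("UNEXPECTED account for '$display': $($svc.StartName)")
    }
}

# 2. The Administration Server service account must not be in the built-in
#    Administrators group but must be in KLAdmins; both KL groups must exist.
$akSvc = Get-CimInstance -ClassName Win32_Service `
                         -Filter "DisplayName='Kaspersky Security Center Administration Server'"
foreach ($grp in 'KLAdmins', 'KLOperators') {
    if (-not (Get-LocalGroup -Name $grp -ErrorAction SilentlyContinue)) {
        $findings.Add("MISSING local group: $grp")
    }
}
if ($akSvc) {
    $akUser   = [regex]::Escape(($akSvc.StartName -split '\\')[-1])
    $admins   = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).Name
    $klAdmins = (Get-LocalGroupMember -Group 'KLAdmins' -ErrorAction SilentlyContinue).Name
    if ($admins -match "\\$akUser$")          { $findings.Add("Service account $akUser is in built-in Administrators") }
    if (-not ($klAdmins -match "\\$akUser$")) { $findings.Add("Service account $akUser is not in KLAdmins") }
}

# 3. Shared folder KLSHARE exists and its local path is present.
$share = Get-SmbShare -Name 'KLSHARE' -ErrorAction SilentlyContinue
if (-not $share) { $findings.Add('MISSING share: KLSHARE') }
elseif (-not (Test-Path -LiteralPath $share.Path)) { $findings.Add("KLSHARE path missing: $($share.Path)") }

# 4. Listening TCP ports. 13000 (Network Agents over SSL) and 13291 (Consoles)
#    are required; the rest are reported for information.
$listening = (Get-NetTCPConnection -State Listen).LocalPort
$ports = [ordered]@{
    13000 = 'Network Agents, SSL';     14000 = 'Network Agents, non-SSL'
    13291 = 'Administration Consoles'; 8060  = 'Web Server, http'
    8061  = 'Web Server, https';       13111 = 'KSN proxy server'
    17000 = 'Activation Proxy'
}
foreach ($port in $ports.Keys) {
    $state = if ($listening -contains $port) { 'listening' } else { 'closed' }
    '{0,6}  {1,-26} {2}' -f $port, $ports[$port], $state
    if ($state -eq 'closed' -and $port -in 13000, 13291) {
        $findings.Add("Required port $port is not listening")
    }
}

# 5. Report.
if ($findings.Count -eq 0) { 'Installation matches the expected results.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```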
2.3 Quick Start Wizard
What you need to know prior to configuring
When the Console connects to the Server for the first time, the Quick Start wizard launches. It continues the setup and creates the default settings. The wizard prompts the administrator to:
— Add a license
— Configure the proxy server
— Download the latest versions of plug-ins and installation packages
— Enable Kaspersky Security Network
— Configure e-mail notification and reporting
— Specify vulnerability search and software update parameters
After that, the wizard:
— Creates primary tasks and policies
— Downloads signature updates to the Administration Server
Installing the license
The first step of the Quick Start wizard is activating the product. Most Kaspersky Lab products require activation and some, particularly Kaspersky Security Center and Kaspersky Endpoint Security, can be activated to different levels of functionality. That is, depending on the license, some functions may be unavailable.
Activation keys and codes
To activate a product, you need a key or a code. Both can represent the customer’s license with all relevant restrictions. A key is a file, and its validity and restrictions can be verified locally by the product. A code is just a string, and the product needs to connect to the Kaspersky Lab Activation service online to verify its validity and restrictions. Old versions of Kaspersky Lab products can be activated only with a key. All recent versions can be activated with either a key or a code. Codes are more useful, because a code can activate all the purchased products. With key activation, a license often includes several different key files. A key designed for Kaspersky Security Center cannot activate Kaspersky Endpoint Security, and vice versa. Meanwhile, a single code can be used for activating both of them. Keys are indispensable when you need to activate a product on a computer without access to the Internet. If you have only a code rather than keys, add the code to the key store on the Administration Server (Advanced | Application management | Kaspersky Lab licenses). The Server will automatically download the corresponding keys, which you will be able to export into files. If computers have no Internet access but are connected to the Administration Server, which does have access, the products on the computers can be activated with a code. The products will verify the code via the Administration Server service, Kaspersky Activation Proxy.
Activation with a code
In the Quick Start Wizard, you can submit either a key or a code. If what you have is a code, then it’s all simple: just choose the relevant option, enter the code and wait for the verification. The Administration Server must be able to connect to the Internet at this stage. You can select to install a code (or key) to the client computers automatically. For this purpose, select the check box Automatically deploy key to managed devices. If the Administration Server detects a managed computer where Kaspersky Endpoint Security is not activated, it will automatically send the key selected for automatic installation there. For more details about how to activate Kaspersky Endpoint Security on the client computers, refer to Chapter 3 of this Unit.
Activation with a key
If you have a key, then most probably you have more than one of them, and you need to decide which one to feed to the wizard.
It is common practice to specify the key that activates Kaspersky Endpoint Security. You can find out which one it is by looking into the CompatibilityList.txt file that usually comes along with a key or a code. Other keys can be added later either in the properties of the Administration Server or in the Advanced | Application management | Kaspersky Lab licenses node.
Configuring proxy server for Internet access
The next step prompts to configure proxy server connection parameters for Internet access. The Administration Server connects to the Internet to download updates and communicate with KSN servers of Kaspersky Lab. Both features use common proxy server parameters. The settings are rather typical: the address, the port, optional user name and password for authorization, and an option to bypass proxy server for local addresses.
Checking for new versions
The Kaspersky Security Center installer includes all the plug-ins that were current as of the Kaspersky Security Center release. However, newer versions of managed products and their respective plug-ins may have appeared after Kaspersky Security Center was released. The Quick Start Wizard can check whether new versions of managed products are available.
Downloading new plug-ins
First, the wizard checks whether newer versions are available for the plug-ins that the administrator selected to install together with the Administration Server. In the list of new plug-ins, the wizard shows the program version managed via the plug-in, the version of the installed plug-in, and the version of the latest available plug-in.
Downloading new versions of installation packages
After the plug-ins, the wizard checks whether new versions of managed products are available, for which it can download installation packages. The wizard shows only those products whose packages or plug-ins have already been added to the console. For some of the managed products, packages may not be available; the Kaspersky Endpoint Security package is always available though. If there is a newer version of Kaspersky Endpoint Security on the list, download it. For this purpose, select it on the list. To download the products that are not shown in the list, open the node Advanced, Remote installation, Installation packages in the console; click the button Additional actions and select View current version of Kaspersky Lab applications.
The wizard will download the selected packages and display them in the list. The administrator can configure them using the Properties button. Chapter 3 of this Unit tells about the settings of Network Agent and Kaspersky Endpoint Security packages.
Kaspersky Security Network
The wizard prompts the administrator to accept the Kaspersky Security Network (KSN) statement. KSN is the name of the cloud-assisted protection technologies of Kaspersky Lab. KSN provides extra protection for the computers by receiving the latest information about new threats before this information is added into the traditional anti-malware signatures. In return, Kaspersky Lab will receive anonymous information about the files and URL addresses processed on the client computers. The KSN service is described in detail in the Introduction and in Unit II Protection Management. If the administrator selects to participate in KSN, the options that enable the use of KSN and KSN proxy are activated in the policy. If the administrator selects not to participate in KSN, the use of KSN will be disabled in the Kaspersky Endpoint Security 10 policy; however, the use of KSN proxy will be enabled nevertheless. The use of KSN proxy in the policy is related to the KSN proxy functionality of the Administration Server. In the Administration Server, the KSN proxy function is implemented as a service named Kaspersky Security Network proxy server. By default, the use of KSN proxy is enabled in the Administration Server properties.
Configuring e-mail notification
The next step is to set up e-mail notification and delivery of reports. To receive notifications about important events by e-mail, specify the administrator’s e-mail address and SMTP server parameters: address, port and, if necessary, authorization data. These parameters will be used when sending notifications and reports. By default, event notifications are not sent. To receive the information about events by e-mail, turn on notifications in the event properties. The parameters of Kaspersky Security Center events are configured in the Administration Server properties, and the parameters of Kaspersky Endpoint Security events in the Kaspersky Endpoint Security policy. If the notification parameters are left blank, the wizard will not create the Send reports task. If they are filled in, the wizard will create the task and configure it to send the report about protection status to the administrator on a weekly basis. The wizard does not check that the specified settings are correct, but lets the administrator do so with the Send test message button. A test message will be sent to the specified recipient. If the wizard fails to connect to the SMTP server or fails to authenticate, the corresponding error will be displayed. Then it is up to the administrator to check the inbox and make sure that the message is actually there.
Configuring vulnerability and patch management
This step appears in the Quick start wizard only if the administrator specified a key or code that activates the Systems Management functionality of Kaspersky Security Center (or selected to add a key later). The choices define how software patches and Microsoft updates are installed. Kaspersky Security Center can automatically detect vulnerable programs and operating system modules on the computers, and automatically install the necessary updates and fixes. Additionally, Kaspersky Security Center can function as a local source of Microsoft updates (WSUS Server). Detailed information about this is provided in technical training KL 009.10. Systems Management.
Creating tasks and policies
After all parameters are specified, the Quick Start wizard creates the policies and tasks necessary for endpoint protection. The following policies and tasks are always created:
Policies
Policy | Scope
Kaspersky Endpoint Security 10 Service Pack 2 for Windows | The “Managed devices” group
Kaspersky Security Center 10 Network Agent | The “Managed devices” group
Tasks
Task | Scope | Schedule | Parameters
Install update | Managed devices | When new updates are downloaded to the repository | Source: Administration Server. Installs only approved module updates
Quick Virus Scan | Managed devices | Friday at 7:00 p.m. | Scans critical areas with the recommended settings
Find vulnerabilities and required updates | Managed devices | Tuesday at 7:00 p.m. | Scans %SystemRoot% and %ProgramFiles% folders for all known vulnerabilities
Download updates to the repository | Administration Server | Hourly | Source: Kaspersky Lab update servers
Backup of Administration Server data | Administration Server | Daily at 4:00 a.m. | Stores the 3 latest copies, the password is not specified
Database maintenance | Administration Server | Saturday at 1:00 a.m. | Optimizes the database without shrinking it
The following three tasks are created depending on the parameters specified in the wizard:
Task | Scope | Schedule | Parameters
Deliver reports | Administration Server | Daily at 8:00 a.m. | Protection status report in HTML format
Install required updates and fix vulnerabilities | Managed devices | Daily at 1:00 a.m. | Fixes critical vulnerabilities, installs the updates approved by the administrator, security updates, and critical Microsoft updates
Perform Windows Update synchronization | Administration Server | Daily at 3:00 a.m. | Downloads Windows Update metadata (rather than the updates themselves) to the Administration Server
Exclusions in Kaspersky Endpoint Security policy
When the wizard creates the Kaspersky Endpoint Security policy, it prompts the administrator to confirm scan exclusions. There are two options that help to create recommended exclusions for workstations and servers according to Microsoft and Kaspersky Lab guidelines. They are enabled by default. Additionally, there are exclusion templates for remote management software. These templates should be enabled if the listed software is used at the company. Otherwise, remote management using this software may be partially disrupted by Kaspersky Endpoint Security.
Downloading updates to the repository
As soon as the tasks and policies are created, the Quick Start wizard starts downloading updates to the repository. The wizard displays the task progress, but you don’t need to wait for it to finish. If you proceed to the next page of the wizard, updating will still be going on in the background.
What to do next
The last page of the Quick Start wizard displays the check box that allows starting the remote installation wizard for deploying Kaspersky Endpoint Security on the network computers. This check box is selected by default, but it is preferable to adopt a deployment plan and stick to it rather than rush into action:
1. Let the Server discover network computers
2. Check the settings of installation packages to install exactly what is necessary
3. Try various installation methods in a test environment
If necessary, the administrator can start the Quick Start wizard again from the shortcut menu of the Administration Server. In this case, the wizard will create only the tasks and policies that are missing.
2.4 What Is There in the Administration Console?
How the console is organized
After the Quick Start wizard, the administrator gets into the Administration Console. The Kaspersky Security Center Administration Console is based on Microsoft Management Console. The leftmost pane of the window contains the navigation tree; the right part displays the page of the selected node. The main node in the console is the Administration Server’s node. All the other nodes are within it.
Where to check what is going on
To understand what is happening in the network, open the Administration Server node. Its four tabs contain global statuses, dashboards, reports and events.
Where to look for computers
Managed computers are located in the Managed devices node. This node is a group where you can create tasks, policies and subgroups. All policies and some of the tasks that have been created by the Quick Start wizard are designed for the Managed devices group. If a computer is missing from the Managed devices node, look for it in the Unassigned devices node. None of the policies and tasks are applied to those computers; that is why you should not leave any computers that need to be protected there. Move them to Managed devices. If a computer can be found neither in Managed devices nor in Unassigned devices, it means that the Administration Server has not discovered it yet. Make sure that the computer is powered on, and wait for an hour or two. If the Server cannot find a computer, install the Network Agent on it.
Where to look for the applications to be installed
The installation packages to be installed on the computers can be found in the node Advanced, Remote installation, Installation packages. If necessary, modify the set of components or other installation settings here.
Where to check licenses
The license that you specify in the Quick Start wizard gets into the node Advanced, Application management, Kaspersky Lab licenses. Here you can find the license limitations, when it expires, which computers use it, etc. You can also add a new license here when an old one expires.
Where to look for protection settings
All tasks are gathered in the Tasks node. It contains the tasks that pertain to groups, the Administration Server tasks, and tasks for sets of computers. In the Tasks node, you can create, delete or edit any task. A similar Policies node shows all policies from all groups. If you need to find computers that match some parameters, use the Search window, which can be started from the shortcut menu of the Administration Server. If you often look for computers using the same parameters, create a computer selection in the respective node. It already contains pre-configured selections of computers with typical issues.
Chapter 3. How to Install Kaspersky Endpoint Security on Computers
3.1 Requirements for the Computers
Kaspersky Endpoint Security requirements for the operating system
Kaspersky Endpoint Security can be installed on the following Microsoft Windows operating systems:
Client
— Windows 10 Pro x86 / x64
— Windows 10 Enterprise x86 / x64
— Windows 8.1 Pro x86 / x64
— Windows 8.1 Enterprise x86 / x64
— Windows 8 Pro x86 / x64
— Windows 8 Enterprise x86 / x64
— Windows 7 Professional x86 / x64 SP1
— Windows 7 Enterprise x86 / x64 SP1
— Windows 7 Ultimate x86 / x64 SP1
Server
— Microsoft Windows Server 2016 x64
— Microsoft Windows Server 2012 R2 Standard x64
— Microsoft Windows Server 2012 Foundation / Standard x64
— Microsoft Small Business Server 2011 Standard x64
— Microsoft Windows Server 2008 R2 Standard x64 SP1
— Microsoft Windows Server 2008 R2 Enterprise x64 SP1
— Microsoft Windows Server 2008 Standard x64 SP2
— Microsoft Windows Server 2008 Enterprise x64 SP2
An important thing to remember is that Datacenter editions of Windows Server are not supported. Kaspersky Security for Windows Server is designed for their protection. The list of operating systems includes most Windows versions from Windows 7 / Windows Server 2008 R2 to Windows 10 RS2 / Windows Server 2016.
The virtual platforms supported by Kaspersky Endpoint Security
Kaspersky Endpoint Security 10 Service Pack 2 for Windows can be installed on the following virtual platforms:
— VMware ESXi 6.0.03620759
— Microsoft Hyper-V 3.0
— Citrix XenServer 7.0
— Citrix XenDesktop 7.13
— Citrix Provisioning Services 7.13
On Citrix PVS, Kaspersky Endpoint Security must be installed with the /pCITRIXCOMPATIBILITY=1 command line switch. In Kaspersky Endpoint Security 10 Service Pack 2 for Windows, this parameter can also be enabled in the installation package properties rather than only via the command line. To install Kaspersky Endpoint Security, administrative permissions are necessary.
Minimum hardware requirements
General hardware requirements for Kaspersky Endpoint Security 10 Service Pack 2 are as follows:
— A 1 GHz processor (that supports SSE2 instructions)
— 1 GB of RAM [3]
— 2 GB of free drive space
Requirements for Network Agent
The Kaspersky Security Center Network Agent can be installed on all systems supported by Kaspersky Endpoint Security 10 for Windows. Hardware requirements for Network Agent installation are as follows:
— CPU:
  — 1 GHz or higher for 32-bit systems
  — 1.4 GHz or higher for 64-bit systems
— RAM: 512 MB
— Hard drive space: 1 GB
RAM requirements are actually recommendations. The Network Agent can be installed on a computer with less RAM.
3
The minimum RAM with which the application can be installed is 768 MB
3.2 Installation Methods
What to do prior to the installation
Prior to installing Kaspersky Endpoint Security on the computers, prepare the following:

What to do: Let the Administration Server discover network computers
Why: You will not have to look for and enter names or addresses

What to do: Prepare an independent list of computers
Why: The server may fail to discover all of the computers; you had better have a reference list at hand where you can check the progress

What to do: Find out computer addresses
Why: If the Administration Server has not discovered a computer but you know its address, you can still start remote installation

What to do: Find out usernames and passwords of the administrators
Why: If there is a domain, the domain administrator password is sufficient. For non-domain computers, you need to know the local administrator's password regardless of whether the installation is remote or local

What to do: Find out whether there are third-party antiviruses on the computers, and which ones
Why: Kaspersky Endpoint Security may fail to detect and uninstall antiviruses by other manufacturers, and then you will have to remove them manually

What to do: If there are many computers, phase the installation
Why: The more computers, the more issues you will encounter, the longer you will take to solve them, and the longer the total downtime will be

What to do: Try out various installation methods in a test environment
Why: You will encounter at least some of the issues that will later arise in the production network, and you will be able to decide how to avoid or quickly solve them. Select the installation methods that cause less trouble
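The following PowerShell script is an added example, not part of the course or of Kaspersky Security Center. It turns the hardware requirements above and several items of this checklist (a reference list of computers, hosts that cannot be reached, third-party antiviruses) into a pre-deployment readiness report. It assumes PowerShell remoting (WinRM) is enabled on the targets and that the supplied account is a local administrator there; the computers.txt input file, the kes-readiness.csv output file and the vendor keyword list are illustrative placeholders. SSE2 support is not checked.

```powershell
# Added example (not from the Kaspersky course): pre-deployment readiness check.
# Assumes WinRM is enabled on the targets and the account is a local administrator
# there. Thresholds are the KES 10 SP2 minimums quoted in the course; the vendor
# list is a constructed illustration, extend it to match your network.

$Computers  = Get-Content -Path .\computers.txt      # reference list, one name per line
$Credential = Get-Credential -Message 'Account with local admin rights on the targets'

$OtherAvVendors = 'Symantec', 'McAfee', 'Trend Micro', 'Sophos', 'ESET', 'Avast', 'AVG', 'Bitdefender'

$Check = {
    param($Vendors)
    $os  = Get-CimInstance Win32_OperatingSystem
    $cs  = Get-CimInstance Win32_ComputerSystem
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
    $sys = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($os.SystemDrive)'"

    # Installed programs from both Uninstall hives (native and 32-bit views)
    $apps = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' |
        ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue } |
        Where-Object DisplayName

    $otherAv = foreach ($v in $Vendors) {
        $apps | Where-Object { $_.DisplayName -like "*$v*" } | Select-Object -ExpandProperty DisplayName
    }

    $issues = @()
    if ($os.Caption -match 'Datacenter')     { $issues += 'Datacenter edition: not supported by KES, use Kaspersky Security for Windows Server' }
    if ($cs.TotalPhysicalMemory -lt 768MB)   { $issues += "RAM $([math]::Round($cs.TotalPhysicalMemory / 1MB)) MB is below the 768 MB install minimum" }
    elseif ($cs.TotalPhysicalMemory -lt 1GB) { $issues += 'RAM below the recommended 1 GB' }
    if ($sys.FreeSpace -lt 2GB)              { $issues += "Only $([math]::Round($sys.FreeSpace / 1GB, 1)) GB free on $($os.SystemDrive)" }
    if ($cpu.MaxClockSpeed -lt 1000)         { $issues += "CPU $($cpu.MaxClockSpeed) MHz is below 1 GHz" }
    if ($otherAv)                            { $issues += "Third-party AV present: $($otherAv -join ', ')" }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        OS        = $os.Caption
        Arch      = $os.OSArchitecture
        Reachable = $true
        Issues    = ($issues -join '; ')
    }
}

$results = foreach ($c in $Computers) {
    try {
        Invoke-Command -ComputerName $c -Credential $Credential -ScriptBlock $Check `
                       -ArgumentList (,$OtherAvVendors) -ErrorAction Stop
    } catch {
        # Unreachable hosts go in the report too: these are the ones you will have to
        # look up addresses for, or install locally from a standalone package.
        [pscustomobject]@{ Computer = $c; OS = ''; Arch = ''; Reachable = $false; Issues = $_.Exception.Message }
    }
}

$results | Select-Object Computer, OS, Arch, Reachable, Issues | Sort-Object Reachable, Computer | Format-Table -AutoSize -Wrap
$results | Select-Object Computer, OS, Arch, Reachable, Issues | Export-Csv -Path .\kes-readiness.csv -NoTypeInformation
```

Run it from a workstation with the RSAT tools against the reference list you prepared; the rows with Reachable = False and the rows whose Issues column names a third-party product are exactly the computers to handle before, or outside of, the bulk remote installation.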
Available installation methods
Kaspersky Endpoint Security can be installed in various ways, each with its own specifics and advantages.

Remote installation using Kaspersky Security Center

You need not go to each computer: you can run the installation on many computers simultaneously, which saves time. Installation can be started at any time, and you will start receiving results in mere minutes. However, you need to know the administrators' passwords on the computers, and the computers' shared folders must be accessible over the network. Often, firewalls or Windows security settings block access to shared folders.
Installation via Active Directory
Again, you need not go to the computers and the installation can be run on many computers simultaneously. Moreover, you do not need to ensure access to the computers’ shared folders or know the computer administrators’ passwords. The computers will download and install the programs themselves. On the other hand, the computers must be joined to the domain and the administrator must have enough permissions within the domain to be able to publish the package. Computers do not begin the installation immediately; everything starts only when the computers connect to the domain next time, meaning, after a restart.
Installation using third-party tools
The administrators install not only Kaspersky Endpoint Security, and they may have third party software installation and management tools. Specifics depend on the tool, but usually the administrator can install applications remotely on many computers at a time.
Local installation from a standalone package
None of the remote installation methods guarantees 100% success. Computers may not be joined to the domain, their shared folders may be blocked by the firewall, and the administrator may have no third-party computer management tools. Sometimes it is easier to go to the computer and install an application locally than to troubleshoot a remote installation. Standalone packages generated in Kaspersky Security Center save time during a local installation: the administrator does not need to go through the installation wizard and configure parameters. All he or she has to do is run the installer and wait.
For remote installation, use a method that fits your network best. On the computers where remote installation fails, install the products locally using standalone packages.
3.3 How to Remotely Install KSC Agent and Kaspersky Endpoint Security
Remote installation wizard
There are many methods of starting a remote installation in Kaspersky Security Center. All of them are based on the same mechanism. The difference is in the location of their starting points in the Console and the number of available settings. The most popular one, especially among novices, is using the ordinary remote installation wizard. Its typical use is described below. The Administration Server detects computers where protection tools are not installed. This information is displayed on the Monitoring tab of the Administration Server node, in the Deployment area: the indicator is yellow and a warning is shown. To fix this, the administrator can click the Enable protection link.
Installation packages
The Advanced | Remote installation node opens, where the administrator can start the remote installation wizard. The deployment wizard prompts the administrator for the installation package to be installed, the target computers and the installation method. The wizard does not prompt for all the installation parameters. For example, it does not ask which components of Kaspersky Endpoint Security to install. If you need to enable the Citrix Provisioning Services compatibility mode, the remote installation wizard does not allow that either. That is why, before you start the remote installation wizard, open the list of installation packages and check their settings. If necessary, change the packages' settings, or create new packages with the necessary settings. You can manage installation packages, delete them or create new ones in the Installation Packages repository (in the Advanced | Remote Installation node). Which settings are available in installation packages and how to create new packages is described in the sections How to change KES components and How to create a new installation package at the end of this chapter.
Selecting the installation package
The product to be installed is selected from the list of available installation packages. The standard distribution of Kaspersky Security Center contains the installation packages of the current versions of Network Agent and Kaspersky Endpoint Security for Windows. If Kaspersky Endpoint Security is selected in the deployment wizard, it will be installed together with the Network Agent. The wizard not only installs the selected package, but also connects the computers to the Administration Server by installing the Network Agent on them. If the computers are already connected, the Network Agent is not reinstalled. Installation packages of Kaspersky Endpoint Security 10 for Windows and Network Agent can be installed on any supported operating system: server, workstation, 32-bit or 64-bit. Due to this universality, the installation package of Kaspersky Endpoint Security 10 is relatively large: just under 300 MB. There are no supported ways to reduce this size. The Network Agent package is much smaller: about 40 MB.
Selecting the computers
After the package, select to which computers to install it. In the wizard, you can select computer groups (the upper button) or individual computers (the lower button). If you start the wizard right after the Administration Server has been installed, there is only one computer in the groups, the Administration Server itself. All the other computers discovered by the Administration Server are in the Unassigned devices node. The Administration Server may fail to detect some computers: they will be absent from the console. Why does the wizard suggest selecting groups if there are no computers there? For example, if prior to deploying protection you have imported the computers' structure from Active Directory. Then you already have groups filled with computers, and you can install Kaspersky Endpoint Security by groups. How to import groups and computers from Active Directory is explained in the 4th chapter of this Unit. Let's now get back to the scenario when you have no groups. To select computers in the Unassigned devices node, or specify addresses of undiscovered computers, click the lower button. As you will see later, the remote installation wizard creates a remote installation task based on the gathered data. If a group is selected, the wizard will create a group task; if computers, a task for specific computers.
If you click the upper button, the wizard prompts to select the group. It does not show its contents, so the administrator must remember which group the target computers are in.
If you click the lower button, the wizard shows all discovered computers: those that have already been added to the Managed devices groups, and those that are in the Unassigned devices node so far. In the Unassigned devices node, computers are grouped by domains and workgroups. Select the target computers. If you select a group, domain or a top-level node, you will select all computers within that group, domain or node.
To install Kaspersky Endpoint Security on the computers that the Administration Server failed to discover, click the Add button. In the window that opens, type the computers' addresses or names. To quickly enter numerous addresses, specify a range or import the list from a text file. In the file, each address or name must be specified on an individual line. The wizard will add all the addresses you have entered and select them automatically.
Installation method
Installation method

At the following step, the wizard prompts how to perform remote installation. There are two methods:

Using Network Agent

Network Agent must already be installed on the computer and must be connected to the current Server. The Server sends a command to the Agent; the Agent downloads the packages to a temporary folder and performs the installation under the Local System account. The administrator's name and password need not be specified, and access to the computer's shared folders is not required.

Using operating system tools

Network access to the computer's shared folders is required. The Administration Server copies the package files to the administrative share admin$ on the target computer. Then the Server uses the Remote Procedure Call (RPC) protocol to remotely start a service process that performs the installation and reports the result back to the Server. To copy the files and start the installation, you need to specify the username and password of an administrator of the computer.

The wizard always tries to install products using the Network Agent first. If the Network Agent is not yet installed on the computer, installation using Windows tools is tried. If both Kaspersky Endpoint Security and Network Agent are to be installed on the computer, the wizard first installs the Network Agent using Windows tools, and then installs Kaspersky Endpoint Security 10 using the Network Agent.
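The check below is an added example in PowerShell, not from the course or from Kaspersky Security Center. Before starting a task that relies on the operating system tools method, it verifies that TCP 445 (SMB) and TCP 135 (RPC endpoint mapper) are reachable on each target and that the supplied account can actually write to the admin$ share, which is what the file copy step needs. The port numbers are the standard Windows values assumed here; the course itself names only the protocols. The computers.txt file name is illustrative, and Test-NetConnection requires Windows 8.1 / Windows Server 2012 R2 or later on the machine you run it from.

```powershell
# Added example (not from the Kaspersky course): prerequisites for the
# "Using operating system tools" method. Assumes the account is a local
# administrator on the targets; 445 and 135 are the standard SMB and RPC
# endpoint mapper ports (assumed, the course names only the protocols).

$Computers  = Get-Content -Path .\computers.txt
$Credential = Get-Credential -Message 'Administrator account for remote installation'

function Test-AdminShareAccess {
    param([string]$Computer, [pscredential]$Credential)

    $smb = Test-NetConnection -ComputerName $Computer -Port 445 -WarningAction SilentlyContinue
    $rpc = Test-NetConnection -ComputerName $Computer -Port 135 -WarningAction SilentlyContinue

    $shareOk = $false
    $detail  = ''
    if ($smb.TcpTestSucceeded) {
        try {
            New-PSDrive -Name KscCheck -PSProvider FileSystem -Root "\\$Computer\admin$" `
                        -Credential $Credential -ErrorAction Stop | Out-Null
            # Write test: the Server copies package files here, so read access alone is not enough
            $probe = Join-Path 'KscCheck:' "ksc-probe-$PID.tmp"
            Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
            Remove-Item -Path $probe -ErrorAction SilentlyContinue
            $shareOk = $true
        } catch {
            $detail = $_.Exception.Message       # access denied, wrong password, share disabled...
        } finally {
            Remove-PSDrive -Name KscCheck -ErrorAction SilentlyContinue
        }
    } else {
        $detail = 'TCP 445 closed or filtered (firewall, or File and Printer Sharing disabled)'
    }

    [pscustomobject]@{
        Computer   = $Computer
        Smb445     = $smb.TcpTestSucceeded
        Rpc135     = $rpc.TcpTestSucceeded
        AdminShare = $shareOk
        Ready      = ($smb.TcpTestSucceeded -and $rpc.TcpTestSucceeded -and $shareOk)
        Detail     = $detail
    }
}

$report = foreach ($c in $Computers) { Test-AdminShareAccess -Computer $c -Credential $Credential }
$report | Format-Table -AutoSize
# Computers with Ready = False will fail the Windows tools method; plan a standalone package for them
```

The probe file is written to and deleted from the admin$ share because a read-only mapping can still succeed while the task's file copy fails; testing the actual operation the installer performs avoids a false "ready".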
Selecting the key
Kaspersky Endpoint Security, unlike the Network Agent, needs to be activated to operate properly. In the installation wizard, you can explicitly select which code or key should be used to activate the product from the list of codes and keys added to the Kaspersky Lab licenses storage of the Administration Server. If necessary, you can add another code or key to the repository without quitting the wizard. Select a key. The wizard will not just use the selected key for this installation, but also save it in the properties of the Kaspersky Endpoint Security package. The plug-in of Kaspersky Endpoint Security does not support activation codes in the installation package properties. To activate Kaspersky Endpoint Security with a code rather than a key, do not select anything in the installation wizard. Instead, in the node Advanced, Application management, Kaspersky Lab licenses, open the activation code properties and select the check box Automatically deployed key.
The wizard offers to select restart parameters; however, in most cases neither the Network Agent nor the Kaspersky Endpoint Security 10 installation requires restarting the computer. The Network Agent installation almost never requires it. During Kaspersky Endpoint Security installation, a restart becomes necessary if another protection program was installed on the computer. The default choice, Prompt user for action, is all right for workstations. When installing the product on servers, we recommend selecting Do not restart the computer: on a server, a user is unlikely to be present and no one will react to the prompt. So that the user does not postpone the restart for too long, the task displays a warning every 5 minutes by default and forces a computer restart after 30 minutes. The administrator can modify these settings and the message text.
Uninstalling incompatible applications
The Kaspersky Endpoint Security 10 installer can detect and uninstall incompatible applications (various protection tools, including Anti-Viruses, firewalls, etc.), which are not recommended to be used concurrently with Kaspersky Endpoint Security, because this may result in serious problems for users and computers.
The administrator usually knows which potentially incompatible protection tools are installed in the network and should uninstall them beforehand. The programs are recommended to be uninstalled either by their built-in uninstallers or by Windows tools. The corresponding capability of the Kaspersky Endpoint Security installer should be regarded only as a contingency measure. Detection of incompatible applications cannot be disabled (see footnote 4), since it is intended to prevent conflicts. You can modify uninstallation settings in the remote installation wizard; this is described in detail at the end of this chapter.
Where to place computers after the installation
As a result of installing the Network Agent and protection software, computers should become manageable: use the settings of policies and tasks specified on the Administration Server. To actually achieve this, computers must belong to the Managed devices node rather than the Unassigned devices node. If a computer has the Network Agent installed, but is not included in an administration group, it will neither send its events to the Administration Server, nor will it be included in the reports, nor use the centralized settings specified by the administrator. It is manageable only nominally. De facto it is not. If the administrator selects computers rather than groups, the wizard will ask whether it is necessary to relocate the computers to an administration group, and if yes, into which one. The selection affects only unassigned computers. If both unassigned and managed computers are on the installation list, the managed ones will remain in their original groups. This step is displayed only if Network Agent is installed together with Kaspersky Endpoint Security 10.
4 Cannot be disabled using the interface settings. There is a command-line parameter that disables detecting incompatible programs; if necessary, it can be added to the package description file for remote installations.
Administrator account
Initially, the Network Agent is installed by Windows tools and needs an account for accessing the target computers. The deployment wizard allows you to specify several accounts, in case different administrator passwords are used on the target computers. The installer tries the accounts in succession: if the first account has insufficient privileges, the next one is tried, and so on. Before trying the specified accounts, the installer attempts to act under the Administration Server service account, which you do not actually see on the list. However, if the administrator used the default settings when installing the Server, the service account cannot be used for remote installation. With default settings, the Server service runs under an automatically created KL-AK-* account that receives the rights of a local administrator on the Server (not literally, but effectively the same) and has no rights on remote computers. So, in most cases you have to explicitly specify accounts for accessing the target computers. In a domain environment, a domain administrator account is the simplest choice for remote installations. In large companies, there is usually a dedicated account for remote installations, or the IT personnel accounts have the necessary rights. The dedicated account is also the better choice from a least-privilege standpoint: the credentials entered here are stored in the task on the Administration Server and are presented to every target computer, so an account that is a local administrator on the targets but not a member of Domain Admins limits what an exposed password can be used for.
Where to monitor the installation
Installation task

The installation wizard uses the settings specified by the administrator to create and immediately start the product installation task on the selected computers. After that, it automatically opens the task page in the Administration Console. The task page displays the task progress on the selected computers. On each computer, an installation can be ready for execution, running, waiting for reboot, completed successfully, or finished with an error. The number of computers in each status is displayed on the pie chart and in the table.

Task log

To view the task log, click the View results link under the statistics on the task page.
The upper part of the results window contains the list of all target computers and the current task status for every one of them; and the lower part shows the task log for the selected computer. The task log contains the history of each task status changing on the computer. The status can be the same, while its description may vary. For example, an installation task log usually contains several records of the Running status, where the first one informs of starting file copying to the remote computer, the second one —of starting the installer, and the third one—of the installation completion. The typical installation history of a computer shows that first the Network Agent is installed, and then Kaspersky Endpoint Security. To install the agent, its files are copied into the admin$ shared folder on the computer. After the Agent is installed, the Administration Server waits for it to connect and start the installation of Kaspersky Endpoint Security.
Installation result
Although a single Kaspersky Endpoint Security package fits all Windows versions, installation results differ on the servers and workstations.
— On workstations, all components selected in the installation package properties are installed.
— On servers, only the following components (if selected in the package):
  — Application Startup Control
  — File Anti-Virus
  — Firewall
  — Network Attack Blocker
  — BadUSB Attack Prevention
  — Microsoft BitLocker Management
3.4 How to Install the Network Agent via Active Directory
How to install applications via Active Directory
You can also install programs using Active Directory group policies without Kaspersky Security Center. The principle is as follows. The installation package in Microsoft Installer (.msi) format is placed into a shared folder for which the domain computers have Read permissions. In Active Directory, the package is assigned to a group policy that is applied to the domain computers. When a client computer starts and logs on to the domain, the policy is applied and the installation package is installed automatically, even before a user logs on to the system. This installation method is comparatively easy even when implemented manually. Kaspersky Security Center makes it even more convenient.
How to publish the Network Agent package in Active Directory using a task
To publish the Network Agent package to a domain group policy, in the task (or in the installation wizard), select Assign Network Agent installation in the Active Directory group policies. For the task to complete successfully, run it under a domain administrator account. For this purpose, add the domain administrator account to the Account section of the task settings. The method is applicable to the Network Agent only, because after the Agent is installed, other programs are supposed to be installed using the Agent.
What the task changes in Active Directory

The group of target computers
If the above mentioned option is selected, the Administration Server creates a new group named Kaspersky_AK{GUID} in Active Directory and includes within it the accounts of the computers to which the task applies.
Group policy object
Also, the Administration Server creates a new domain-level group policy object named Kaspersky_AK{the same GUID} in Active Directory and assigns within it the installation of the Network Agent MSI package located in the shared folder on the server. The permission to apply the policy is granted only to the created group, which contains the accounts of the target computers. So, the domain-level policy will be applied to the selected domain computers, not to all domain computers.
Group policy object parameters
After this, the installation is performed as per usual. The policy eventually applies to the computers. At the next restart, computers download the Network Agent MSI package from the shared folder on the Administration Server and install it. The installation parameters, which include the Server address and ports, are taken from the answer file located in the same folder as the MSI package. Thus computers automatically connect to the Administration Server. If the task is configured to install not only the Agent but also another program, for example Kaspersky Endpoint Security, the installation resumes after the Agent connects to the Server. The security group and group policy object created by the task persist in Active Directory until the task is removed from Kaspersky Security Center or the Assign Network Agent installation in the Active Directory group policies option is cleared in the task properties.
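As an added example in PowerShell, not from the course or from Kaspersky Security Center, the following script audits what the option leaves behind in Active Directory: it lists the Kaspersky_AK* groups and GPOs, their members and links, and the trustees that hold Apply rights on each GPO, so that a GPO whose task was deleted, or one that somebody widened to Authenticated Users, stands out. It requires the RSAT ActiveDirectory and GroupPolicy modules and read rights in the domain; the warning texts are heuristics written for this example.

```powershell
# Added example (not from the Kaspersky course): audit the security groups and
# GPOs created by "Assign Network Agent installation in the Active Directory
# group policies". Requires the ActiveDirectory and GroupPolicy RSAT modules.

Import-Module ActiveDirectory, GroupPolicy

$groups = Get-ADGroup -Filter 'Name -like "Kaspersky_AK*"'
$gpos   = Get-GPO -All | Where-Object { $_.DisplayName -like 'Kaspersky_AK*' }

$audit = foreach ($gpo in $gpos) {
    $group = $groups | Where-Object { $_.Name -eq $gpo.DisplayName }
    $perms = Get-GPPermission -Guid $gpo.Id -All

    # The task grants Apply only to its own computer group. Any other trustee with
    # Apply rights (e.g. Authenticated Users, the default on a hand-made GPO) would
    # push the Network Agent MSI to every computer the policy is linked to.
    $applyTo    = $perms | Where-Object { $_.Permission -eq 'GpoApply' } | Select-Object -ExpandProperty Trustee
    $unexpected = $applyTo | Where-Object { $_.Name -ne $gpo.DisplayName }

    $members = if ($group) { @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty Name) } else { @() }
    $report  = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
    $linked  = $report.GPO.LinksTo.SOMPath

    [pscustomobject]@{
        GPO           = $gpo.DisplayName
        Created       = $gpo.CreationTime
        LinkedTo      = ($linked -join ', ')
        GroupExists   = [bool]$group
        Members       = $members.Count
        ApplyTrustees = ($applyTo.Name -join ', ')
        Warning       = if (-not $group)        { 'GPO without its computer group: task deleted without clearing the option?' }
                        elseif ($unexpected)    { "Apply granted beyond the task group: $($unexpected.Name -join ', ')" }
                        elseif ($members.Count -eq 0) { 'Group is empty; installation finished or the task was cleared' }
                        else                    { '' }
    }
}

$audit | Format-Table -AutoSize -Wrap

# Groups that no longer have a matching GPO are leftovers as well
$groups | Where-Object { $_.Name -notin $gpos.DisplayName } |
    ForEach-Object { "Orphaned group without GPO: $($_.Name)" }
```

Run this periodically on the domain controller side of the deployment; because the objects persist until the task is removed or the option cleared, a long-lived task leaves a domain-linked GPO whose only safeguard is the security filtering the script checks.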
3.5 How to Simplify Local Installation
Why install locally

If remote installation fails, it often makes sense to simply go to the computer and install the applications locally instead of troubleshooting, especially if such computers are comparatively few. If you use an ordinary installer, you have to complete the installation wizard. Although it does not take long, it is tedious, and you may easily mistype the Administration Server address. You had better prepare a standalone package with all the settings on the Administration Server and install from it.
Standalone installation packages
A standalone package in Kaspersky Security Center is a single setup.exe file that includes the installation files and installation parameters of the product (for example, Kaspersky Endpoint Security). A standalone package can include Network Agent installation files and the Administration Server connection parameters. This package is designed for local installation by the IT employees, administrators or users who have sufficient rights. It saves time and reduces the number of errors.
An extremely simple installation procedure is an advantage of standalone packages. No parameters need to be specified during the installation, as they are already included in the package. This helps to save time and prevent errors, for example, when specifying the Server connection address. Also, since the standalone package is a single file, it is easier to handle than the standard distribution. This eliminates the risk of missing some files, and reduces the overall time necessary.
How to create a standalone package
Standalone or ‘1–click’ packages are created from regular installation packages available in the Advanced, Remote installation, Installation packages node of the Administration Server. A special wizard is used that prompts for the installation parameters.
When the Kaspersky Endpoint Security standalone installation package is created, the wizard will prompt to include the Network Agent, so that the target computer could immediately connect to the Administration Server.
Just like with a remote installation, computers can be moved into the managed category right after the installation. Leaving protected computers in the unassigned category does not make any sense. This step appears in the wizard if the Network Agent is installed together with the main package. If it is necessary to modify the default settings of Kaspersky Endpoint Security or select specific components to be installed, it needs to be done within the properties of the regular installation package, before starting the standalone installation package wizard. The parameters of the installation packages are described later in this chapter.
After that, the wizard prompts for the package name. If you have changed some settings of the standard package of Kaspersky Endpoint Security, reflect it in the package name prior to creating a standalone package, for example, KES 10 SP2 without Firewall. This way, you will be able to tell similar standalone packages apart in the shared folder of the Administration Server. After all the parameters are specified, the wizard generates the setup.exe installation file and places it in the PkgInst subdirectory of the shared folder on the Administration Server, in a subfolder whose name coincides with the package name. You can find the package later over the network in the KLSHARE share of the Administration Server, under PkgInst\<package name>\setup.exe.
The Administration Server signs standalone packages with its certificate by default. This certificate is self-signed, so Windows will display a publisher warning when the package is run. The administrator can choose to sign packages with another certificate, for example a code-signing certificate issued by a CA that the endpoints already trust; this removes the warning and gives users a way to tell a genuine package from a tampered one instead of teaching them to click through warnings. Specify the necessary certificate in the properties of the Advanced | Remote installation | Installation packages node, in the Signing stand-alone packages section.
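The following added example in PowerShell, not from the course or from Kaspersky Security Center, inspects the Authenticode signature of generated standalone packages before they are handed out. It distinguishes the self-signed Administration Server certificate from one that chains to a trusted CA, flags a file whose hash no longer matches its signature, and records a SHA-256 hash that can be published next to the download link. The server name ksc-server is a placeholder for your Administration Server; the path follows the KLSHARE\PkgInst layout described above.

```powershell
# Added example (not from the Kaspersky course): check how standalone packages
# are signed before distributing them. 'ksc-server' is a placeholder host name.

function Get-PackageSignatureReport {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # A self-signed certificate has identical Subject and Issuer; Windows warns on it
    # because the chain does not end in a root the endpoint trusts.
    $selfSigned = [bool]($cert -and ($cert.Subject -eq $cert.Issuer))

    $chainOk = $false
    if ($cert) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chainOk = $chain.Build($cert)      # true only if the chain ends in a trusted root and is not revoked
    }

    [pscustomobject]@{
        File         = $Path
        Status       = $sig.Status           # Valid, UnknownError (untrusted root), NotSigned, HashMismatch, ...
        Signer       = if ($cert) { $cert.Subject } else { '' }
        Issuer       = if ($cert) { $cert.Issuer } else { '' }
        SelfSigned   = $selfSigned
        ChainTrusted = $chainOk
        Thumbprint   = if ($cert) { $cert.Thumbprint } else { '' }
        Sha256       = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Verdict      = if ($sig.Status -eq 'HashMismatch') { 'File altered after signing: do not distribute' }
                       elseif ($sig.Status -eq 'Valid' -and -not $selfSigned) { 'Signed by a trusted CA: OK to distribute' }
                       elseif ($selfSigned) { 'Signed with the Administration Server self-signed certificate: users will see a warning' }
                       else { "Not trusted on this host: $($sig.StatusMessage)" }
    }
}

# Every standalone package lives in its own subfolder named after the package
Get-ChildItem -Path '\\ksc-server\KLSHARE\PkgInst' -Recurse -Filter setup.exe |
    ForEach-Object { Get-PackageSignatureReport -Path $_.FullName } |
    Format-List
```

Run the check on a machine that has the same trusted root store as the target endpoints; a chain that builds on the Administration Server because its own certificate is installed there can still fail on a user's workstation. Publishing the Sha256 value alongside the http link lets users who download the package through the built-in web server verify what they received.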
What to do with standalone packages
The wizard suggests that the administrator takes one of the following actions:

— Open the folder containing the package, for example, to copy it to a flash drive
— Place a link to the package on a web resource: a text window opens, which contains HTML code of the link to the package that can be added to a web page
— E-mail users an invitation to run the package: the Administration Server starts the default e-mail client and automatically fills in the message subject and body, providing a link to the package located in the shared folder; the only thing the administrator has to do is to specify the recipients' addresses
Later, the list of created standalone packages can be opened from the Installation packages node within the Advanced, Remote installation container. You can delete unnecessary packages or send another e-mail message to the users. The HTML link offered by the package wizard contains the path to the shared folder on the Administration Server. If non-domain users whose accounts have not been added to the Administration Server try to click it, they will not be able to access the resource. In that case, the link to the network folder should be replaced with the http link to the package, which can be copied from its properties. There is a built-in web server on the Administration Server from which any user can download the package. Each standalone package gets a unique http link based on the package ID. The administrator can find the link in the package properties in the list of all standalone packages. If the standalone package creation wizard is started for a package repeatedly, the administrator can select whether to recreate the existing standalone package or create another one.
3.6 How to Select Which KES Components to Install
Installation packages
Installation packages in Kaspersky Security Center represent the products ready to be installed. A package includes installation files along with the installation parameters and some product setup parameters. Installation package parameters in a sense replace the local installation wizard and local setup wizard. Every product has its own settings. As you know, installation packages are used in the remote installation wizards and tasks, and for creating standalone installation packages. Kaspersky Security Center includes all packages necessary for deploying the protection system:
— Network Agent
— Kaspersky Endpoint Security for Windows

Available packages are stored in the Advanced, Remote installation, Installation packages repository. This node shows the following information on each package: name, language, and version of the product, as well as the unique name of the package. The package description area also displays its size, which is the total size of all its files. Packages can be created, modified and removed. If a package is used in an installation task, it cannot be removed until the associated task is deleted. First, delete all tasks that use the package, and then delete the package. You can create and use various installation packages in Kaspersky Security Center. You can use them to install operating systems, third-party programs, updates and critical fixes for third-party applications, and also start various scripts and utilities on the computers. This is described in more detail in the KL 009.10: Systems Management course. Within the framework of this chapter, we describe only the installation packages created for Kaspersky Lab programs.
Settings of a Kaspersky Endpoint Security package
General properties

Each package has general properties and settings that depend on the program for which the package was created. To be able to review the package settings, the application plug-in must be installed in the console. If the necessary plug-in is missing, the console will prompt to install it. A plug-in can be installed from the installation shell of Kaspersky Security Center or downloaded from the application page on the Kaspersky Lab support web site. The General section of the package properties shows the program version and file size, and also the path to the package file in the shared folder of the Administration Server. If necessary, an IT employee can download the installation files over the network and install the application locally.
How to update databases in a package

There is an Update databases button in the general properties of a Kaspersky Endpoint Security package. It updates the signature databases within the package. For Kaspersky Endpoint Security to be able to work right after the installation, its installation package includes antivirus databases. They become obsolete over time. This is not actually a problem, because right after Kaspersky Endpoint Security is installed, the update task starts and downloads the new databases.

Sometimes, it is necessary that the product is installed with up-to-date databases. For example, an IT employee may take a standalone package to a small branch office with poor Internet access. In this case, the size of the package that the engineer carries on the removable drive is not that important. Decreasing the traffic of the update task is more important, since it may amount to tens of megabytes if the package contains outdated databases. In this case, databases can be updated in the package prior to the installation. The date of the last update is also shown in the general package properties, in the Databases updated field.

The Update databases button copies a complete set of databases from the Server storage to the Kaspersky Endpoint Security package. Initially, the databases are supplied within the bases.cab archive in the installation package. After an update using the Update databases button, the archive is replaced with a folder named bases. The folder's volume is comparable to the size of the archive, since the database files are encrypted and cannot be compressed.
I-79 Unit I. Deployment
Kaspersky Security Center updates databases in the packages automatically when updates are downloaded to the repository. However, this is performed only once for each package. If databases have ever been updated automatically in a package, they will not be updated automatically any more. Automatic update is performed for the Kaspersky Endpoint Security package that is added to the storage during the installation (which is updated shortly after the installation), and for any other newly created Kaspersky Endpoint Security package soon after it is created.
How to select components in a package
Other parameters of Kaspersky Endpoint Security package duplicate the interactive installation parameters. The main parameters are the list of components and the program files folder. The set of components depends on the Installation type parameter. The administrator can select one of the two preset installation types:
— Basic installation:
  — File Anti-Virus
  — Mail Anti-Virus
  — IM Anti-Virus
  — Web Anti-Virus
  — Firewall
  — Network Attack Blocker
  — System Watcher
  — Vulnerability Monitor
  — Application Privilege Control
— Standard installation:
  — All components of Basic installation
  — Application Startup Control
  — Web Control
  — Device Control
If you need some other configuration, choose the Custom installation type and select the components you want to be installed. Some components can only be installed through Custom installation:
— Encryption of hard drives
— Encryption of files and folders
— Microsoft BitLocker Management
— BadUSB Attack Prevention
— KATA Endpoint Sensor
I-80
KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals

By default, the standard installation components are selected. The administrator may switch between the preset installation types, or choose Custom installation and select individual components on the list. Remember that some of the components only work on workstations, while a package can be installed on any supported operating system. On server systems, only the following components can be installed:
— File Anti-Virus
— Firewall
— Network Attack Blocker
— Application Startup Control
— BadUSB Attack Prevention
— Microsoft BitLocker Management
— KATA Endpoint Sensor
Although Application Privilege Control settings will also show up in Kaspersky Endpoint Security on servers, the component is not actually installed. Kaspersky Endpoint Security won’t control application privileges on servers, e.g., it won’t block Untrusted applications on servers. The reason why Application Privilege Control settings are visible on servers is that a part of these settings are also used by the Firewall component. Application Privilege Control and Firewall are described in more detail in Unit II of this course.

In addition to the components, local tasks are installed. They cannot be deselected in the package properties and are installed on all operating systems:
— Update
— Update rollback
— Virus Scan tasks
— Full scan
— Critical Areas Scan
— Custom Scan
— Background scanning
— Scan removable drives on connection
— Integrity check
— Find Vulnerabilities
Compatibility settings
By default, the Kaspersky Endpoint Security components are installed to:

%ProgramFiles%\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2

If necessary, the administrator can modify this path. Those administrators who often use the command line interface can select to automatically add the installation folder to the %PATH% environment variable. Then they will be able to carry out product management commands via avp.com, without specifying the complete path.

The package has two additional parameters that provide compatibility settings. One of them, Do not protect the installation process, disables self-defense during the installation. Self-defense does not allow programs by other manufacturers, primarily malicious, to modify installation files. It also blocks access to the folder where Kaspersky Endpoint Security files are installed, and to the registry keys of Kaspersky Lab software. Sometimes, self-defense conflicts with third-party applications, for example, with backup agents. That is why it can be disabled. The other parameter provides compatibility with Citrix Provisioning Services. If you want to install Kaspersky Endpoint Security on a virtual machine image in a Citrix PVS environment, enable this option.
How to add a configuration file to a package
One more parameter is the Configuration file. This file defines the configuration settings used by Kaspersky Endpoint Security after the installation. The configuration file substitutes the setup wizard of Kaspersky Endpoint Security. If the configuration file is not specified, the product will work using the default settings. However, as soon as the Network Agent connects to the Server, the Kaspersky Endpoint Security policy will be enforced which will override the protection settings. So, the configuration file is necessary if the policy does not affect some of the product settings, or for unmanaged devices.
To create a configuration file, install Kaspersky Endpoint Security on a computer, but do not connect it to the Administration Server; otherwise, the group policy will not allow you to modify local settings. Configure Kaspersky Endpoint Security via the local interface as necessary, and save these settings into a file. The Save button is located on the Settings tab, in the Advanced Settings section.
How to add a key to a package
Kaspersky Endpoint Security does not work without an activation. If an interactive installation takes place, the code or key can be specified in the setup wizard. Remote installation implies several ways for activating the installed product. One of them is to specify the key file in the installation package properties. In the package properties, you can add only a key, a code cannot be added. Also, a key or code can be distributed to the selected computers by a special task. The third option is to select the check box Automatically deployed key in the properties of key or code in the Kaspersky Lab licenses node of the Administration Console. As a last resort, a code or key can be added via the local interface of Kaspersky Endpoint Security.
How to disable uninstallation of incompatible applications
By default, Kaspersky Endpoint Security installer looks for and uninstalls incompatible applications: third-party antiviruses and firewalls. The list of programs that Kaspersky Endpoint Security can uninstall is rather large, but it is not exhaustive. Usually, it does not include the most recent versions of protection tools by other manufacturers, or uncommon software. How to uninstall applications that Kaspersky Endpoint Security failed to detect is described at the end of this chapter. If Kaspersky Endpoint Security uninstalls an incompatible application incorrectly, disable automatic uninstallation and remove the program manually.
Network Agent package parameters
Installation path

The General section of the Network Agent package is the same as that of Kaspersky Endpoint Security, but without the button Update databases. The Network Agent has no databases. The Settings section allows changing the installation folder and also setting the uninstallation password. If the Network Agent installation folder is not specified explicitly, the standard path is used:
%ProgramFiles%\Kaspersky Lab\NetworkAgent
Password protection

Agent uninstallation can be protected with a password that can be specified in the package properties. Even users with administrator permissions will not be able to uninstall the Agent using regular tools unless they know the password. However, users with administrator permissions can make the Agent inoperative if they really want to. If you have not enabled password protection in the Network Agent installation package, enable it in the Agent policy, where it is also available.
Administration Server connection parameters
The Connection section of the Network Agent installation package properties contains the Administration Server connection parameters. The Network Agent installation wizard prompts for these settings during the local interactive installation. The main connection parameters are the Administration Server address and ports. Initially, they take the values specified during the Administration Server installation.

If the client computers and Administration Server belong to different subnets connected via a proxy server, the proxy server parameters can also be specified in the installation package properties. These standard parameters include the proxy server address and port, and also the user name and password for authentication. Remember that these parameters will be used by Network Agents when connecting to the Server, not the other way round.

When it is the Server that initiates a connection to a client computer, for example, to enforce a policy, it uses a UDP port. To prevent Windows Firewall from blocking requests on this port, the Network Agent can automatically create the necessary exclusions. To modify this behavior, clear the Open Network Agent ports in Microsoft Windows Firewall check box. By default, Network Agent accepts connections on UDP port 15000. This value can be changed both in the package properties and later in the Network Agent policy.
Just like the Kaspersky Administration Console, Network Agents may establish encrypted (SSL) or non-encrypted connections to the Server. By default SSL is enabled. Network Agents automatically download and use the Administration Server certificate. The certificate can be specified manually in networks with strict security requirements to exclude the possibility of Administration Server substitution. The advanced parameters of the Network Agent installation package are useful in networks with complicated infrastructure. These are described in KL 009.10. Systems Management and KL 302.10. Kaspersky Endpoint Security and Management. Advanced Skills.
3.7 How to Create an Installation Package
Why create installation packages
Installation packages included in Kaspersky Security Center are usually enough for protecting most networks. Additional packages can be necessary in the following cases:
— A new version of Kaspersky Endpoint Security has been released. For an upgrade, just like for the initial installation, an installation package is necessary. The administrator can either create the package manually or download the new version of Kaspersky Security Center that includes new package version and reinstall Administration Server over the old one (all settings will be saved).
— It is necessary to remotely install a Kaspersky Lab product that is not included in the distribution of Kaspersky Security Center, for example, Kaspersky Security for Windows Server. Such a package needs to be created manually.
— Different parameters are needed in several network parts. For example, according to the deployment plan, some computers do not need Web Anti-Virus and Mail Anti-Virus components. To be able to deploy the system simultaneously on both categories of computers, create an additional installation package with those non-standard settings.
Package creation wizard

To create an installation package, in the node Advanced \ Remote installation \ Installation packages, click the button Create installation package. The wizard will ask for the package type, installation files’ location, and some installation parameters depending on the application. It may also ask to accept the license agreement of the application.

Creating a package requires the management plug-in for the same application to be installed in the Kaspersky Security Center console. The plug-in installation file is usually found among the installation files of the application, and sometimes the wizard detects the plug-in installer and installs it automatically. If this is not the case, you will need to install the plug-in before creating the package.
Package types
The wizard starts with a choice of the package type. There are three (or four, depending on the Kaspersky Security Center interface settings) options:

— A package for a Kaspersky Lab application. This package type requires a special package description file, which is included in the distribution of most Kaspersky Lab applications. A description file can be created manually, but this is an advanced topic outside the scope of this course.
— A package for an executable file. This package type allows running the specified file (not necessarily an installer, it could be a script or a utility) on remote computers.
— A package for a 3rd-party application based on the Kaspersky Lab application database. This allows installing 3rd-party applications without the need to look for and manually download their installation files. The feature is described in course KL 009.10 Systems Management.

The fourth option, which may not be visible depending on the settings, is a package for operating system deployment based on a disk image. It is also explained in the course KL 009.10 Systems Management.
Package settings

Package name
Now, we are interested in the first option. After you select it, the wizard prompts for the package name and path to the folder that contains the installation files and the package description file.
Installation files
Installation files may be unpacked (this is how they are usually supplied on CD), or packed into a self-extracting archive (in this form they are available for downloading from the Kaspersky Lab website). The package creation wizard supports both formats. If a self-extracting archive is specified, the wizard will automatically unpack it into a temporary folder and extract all necessary files.

Installation packages for Kaspersky Lab products are created based on description files having a .kpd or .kud extension. The files are identical, except for the character encoding: .kpd files use ANSI encoding, while .kud files are in Unicode. The files contain the product version, the name of the installer, installation parameters, error descriptions and additional options depending on the application.

A .kpd/.kud file alone is not enough to create a package. It is just a description, not an archive. The description files are located within the distribution package, and must not be separated from it. To create an installation package correctly, select the .kpd/.kud file located within the corresponding distribution package. It is a common mistake to copy just the description file into a separate folder and try to create a package from it.

A way to avoid this mistake is to point the wizard to the self-extracting installer of the application downloaded from the Kaspersky Lab website. This option is not apparent in the wizard though: when prompted for the description file, change the file type from .kpd/.kud to Self-extracting archive, and then point to the downloaded installer. The package creation wizard will automatically unpack the specified file to a temporary folder and extract the description file from it. After the package description file is selected, the wizard will show the application name and version for you to check that it is exactly the application you want.
License agreement
At the next step, the wizard may ask to accept the license agreement.
Application settings
Then, depending on the application, the wizard may ask for some installation parameters. In the case of Kaspersky Endpoint Security, the wizard prompts for the installation type: Basic or Standard. This can be modified later in the package properties, especially if you need a custom selection of components.
How to download a new version

Where to find newer versions
To create an installation package for a Kaspersky Lab program, the administrator does not need to search for and download the installation files. Kaspersky Security Center monitors current versions of Kaspersky Security Center, Kaspersky Endpoint Security and Kaspersky Security for Windows Server and allows the administrator to create installation packages right from the distributions available on Kaspersky Lab servers. In the Installation packages node, there is the Additional actions button, and the View current version of Kaspersky Lab applications link beneath.
It opens the list of available distributions for various versions and localizations⁵. The administrator just selects the necessary distribution and clicks the Download distribution package button; the Administration Server automatically completes the job: it downloads the files and creates an installation package from them.
How to find the necessary product or update
Kaspersky Security Center manages numerous programs by Kaspersky Lab. And the list of updates contains not only new program versions, but also updates for them, new versions of plug-ins, and various localizations of the same applications. As a result, the list is rather long.
⁵ English, French, German and Russian localizations of Kaspersky Security Center, Kaspersky Endpoint Security for Windows and Kaspersky Security for Windows Server are displayed.
To find what you need, use a filter. In the filter, you can select:
— Components:
  — Controls—Kaspersky Security Center components
  — Workstations—applications for workstation protection, including Kaspersky Endpoint Security for Windows
  — File Servers and Storage—programs for protecting servers and storages, for example, Kaspersky Security for Windows Server
  — Virtualization—various versions of Kaspersky Security for Virtualization
  — Mobile—applications by Kaspersky Lab for Android and iOS smartphones and tablets
  — Embedded Systems—Kaspersky Embedded Systems Security (protection for ATMs and POS systems)
— Update type:
  — Application distribution packages
  — Management plug-ins
  — Patches
— Updates to display:
  — Only the latest versions
  — Only updates for software versions in use
  — Only updates for software with plug-ins installed in Administration Console
— Language:
  — All languages
  — Administration Console language or basic set (English, German, French)
  — Administration Console language and the language selected on the list

After you apply the filter, the window will show only the updates that meet the specified conditions. You can also sort the contents by name, type, language and other parameters.
How to find out that new versions are available
Kaspersky Security Center notifies the administrator about new versions of distributions. When they are issued, the corresponding message appears on the Monitoring tab of the Administration Server node, in the Deployment area.
3.8 How to Uninstall Incompatible Applications
Which programs are incompatible and why uninstall them
Kaspersky Endpoint Security is not compatible with other protection tools. Before the installation, the conflicting programs must be uninstalled. If you do not do this, the computer may operate slowly and unstably. In the worst-case scenario, which is rare though, the computer may hang, restart spontaneously and display a blue screen.
Protection tools co-exist poorly because of the drivers that they install to intercept file operations, network connections and system calls. The Network Agent does not install any drivers, and therefore does not conflict with third-party protection tools.
How to uninstall incompatible applications

To uninstall protection tools by other manufacturers, it is best to use their regular tools:
— The applications that have their own centralized management system should be removed via this system
— If possible, uninstall third-party protection using Windows tools

If the incompatible applications cannot be uninstalled using regular tools, the administrator may use Kaspersky Security Center functionality for this purpose:

— The Uninstall incompatible applications automatically option in the installation package of Kaspersky Endpoint Security, or
— The Administration Server’s task Uninstall application remotely

The former option is always enabled in the installation package and reliably uninstalls many widespread versions of third-party antiviruses and firewalls. However, if you have an uncommon antivirus or a recently released version, the Kaspersky Endpoint Security installer may fail to detect it. Besides, some of the incompatible applications can be detected by the installer, but cannot be uninstalled.
What if there are incompatible applications?

Kaspersky Endpoint Security found and uninstalled incompatible applications
If the installer has detected and uninstalled incompatible applications, it will require restarting the computer to complete the installation of Kaspersky Endpoint Security. It is the only difference compared to a typical installation. If there are no incompatible applications on the computer, the installer will install everything without a restart. The installation task has restart parameters for such cases. By default, the task will show the user a message that the computer needs to be restarted every 5 minutes, and will force a restart in 30 minutes. The administrator can adjust all these intervals in the remote installation task properties.
Kaspersky Endpoint Security found incompatible applications, but failed to uninstall them
If uninstallation of incompatible applications is disabled and a conflicting application is found during Kaspersky Endpoint Security 10 installation, the installer returns an error. The error description explains that the product cannot be installed if incompatible applications are installed on the computer. The administrator needs to uninstall the conflicting programs and restart the installation. If it is a task that installs Kaspersky Endpoint Security together with Network Agent, it will install the Network Agent and only after that inform about the error. This is handy, because you can use the Agent to uninstall incompatible applications by a special task.
Kaspersky Endpoint Security failed to find the installed incompatible applications
If there are incompatible applications on the computer, but the installer fails to detect them, it will complete the installation as if they did not exist. In this case, the administrator may not know for quite a while about the conflict.
Eventually, the users will complain that a computer works slowly or malfunctions. When investigating what is the matter, the administrator will discover that there are several protection tools on the computer.
How to find out whether there are any incompatible applications
The administrator can learn that there are third-party protection tools on the computers from the Administration Console. Network Agents send lists of installed software to the server, and the aggregate list can be found in the console in the node Advanced, Application management, Applications registry. If the administrator suspects that there may be protection tools by other manufacturers in the network, it makes sense to search for them on the list by the manufacturer name, for example, Symantec, McAfee or Malwarebytes. The list of computers where the program is installed is available in its properties.

After that, the administrator will only need to uninstall it. There is an Administration Server’s task that serves this purpose: Uninstall application remotely. However, it will not be of any help immediately. The list of applications that the Agent can uninstall usually coincides with the list of programs that can be removed by the installer of Kaspersky Endpoint Security. This list is updated only when a new version or service pack is released, and new versions and service packs for Kaspersky Endpoint Security and Kaspersky Security Center are almost always released simultaneously.
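The console search above relies on the software lists that Network Agents report. As an added example (not part of this course or of Kaspersky Security Center), the following PowerShell script performs the equivalent check on a single Windows computer, for instance one whose software list has not reached the Server yet: it reads the Windows Uninstall registry keys and matches publisher and product names against the vendors named above, and additionally lists antivirus products registered with Windows Security Center. The vendor list and the function names are constructed for this example.

```powershell
# Added example, not Kaspersky Lab code: find third-party protection tools on the local computer.
# Vendor names are taken from the text above; extend the list for your environment.
$IncompatibleVendors = @('Symantec', 'McAfee', 'Malwarebytes')

# Registry keys where Windows registers installed programs (64-bit and 32-bit views).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-ThirdPartyProtectionTools {
    param([string[]]$Vendors = $IncompatibleVendors)

    $found = foreach ($entry in Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue) {
        # Skip registry entries without a display name (updates, hidden components).
        if (-not $entry.DisplayName) { continue }
        foreach ($vendor in $Vendors) {
            # Match on publisher or product name: some products register under a different publisher string.
            if ($entry.Publisher -like "*$vendor*" -or $entry.DisplayName -like "*$vendor*") {
                [pscustomobject]@{
                    Name            = $entry.DisplayName
                    Publisher       = $entry.Publisher
                    Version         = $entry.DisplayVersion
                    UninstallString = $entry.UninstallString   # the command the registry-based uninstall task needs
                }
                break
            }
        }
    }
    return $found
}

function Get-RegisteredAntivirusProducts {
    # Windows Security Center registration; the namespace exists on workstation editions only,
    # so on Windows Server this second check is simply skipped.
    try {
        Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction Stop |
            Select-Object displayName, productState
    } catch {
        Write-Verbose 'root/SecurityCenter2 is not available on this system (typical for Windows Server).'
    }
}

$tools = Get-ThirdPartyProtectionTools
if ($tools) {
    Write-Output 'Third-party protection tools registered in Programs and Features:'
    $tools | Format-Table -AutoSize
} else {
    Write-Output 'No programs from the listed vendors are registered on this computer.'
}

$avProducts = Get-RegisteredAntivirusProducts
if ($avProducts) {
    Write-Output 'Antivirus products registered with Windows Security Center:'
    $avProducts | Format-Table -AutoSize
}
```

A product that shows up here but not in the Applications registry is a sign that the computer’s software list has not been reported to the Server yet, or that the device is unassigned.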
How to uninstall incompatible applications that have not been found

What to do
For each program on the list, there is an INI file, which tells how to detect and uninstall it. To uninstall an application that is not included in the list, send the program distribution to Kaspersky Lab technical support and request an INI file for it. Kaspersky Lab experts will need some time to study the application and develop an INI file for it. This service is available only for comparatively large customers. Copy the received INI file to the folder with the other INI files on the Administration Server:

%ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Security Center\Data\Cleaner

After that, restart the Administration Server service. Now the Network Agent’s “Uninstall application remotely” task will be able to remove this program. Run the task to uninstall all incompatible applications on all computers. Or, to save resources, make a selection of only those computers where the incompatible application is installed, and run the uninstallation task there only for this particular incompatible application.
How to contact technical support
To contact technical support, use the companyaccount.kaspersky.com portal. To sign up, specify your e-mail address and license: activation key or code.
To request an INI file, create a new request and select the category Make a request for Tech Support.
In the request, select:

— Scope—for workstations
— Product name and version—Kaspersky Endpoint Security 10 for Windows 10.x.x.xxxx
— Request type and subtype—installation and incompatible software

Then describe the situation and do not forget to attach to the request the installer of the third-party program that you want to uninstall.
How to display computers with an incompatible application

Computer selections

To uninstall incompatible applications, you need to create an uninstallation task and run it on the computers where these programs are installed.
To display computers where an incompatible application is installed, create a computer selection (in the respective node). The Device selections node contains the following pre-configured selections:
— Update agents
— Databases are out of date
— Virus Scan has not been performed for a long time
— Not connected for a long time
— There are unprocessed objects
— Many viruses detected
— Protection is off
— No security application installed
— Unassigned devices with Network Agent
— New networked devices found
— Data encryption errors
— Device connection lost
— Devices with the Critical status
— Devices with the Warning status
— Devices with the Warning and Critical statuses due to vulnerabilities
These selections are hard-coded: they can neither be modified, nor deleted. There is no selection of computers with incompatible software among them.
How to create a selection

To create a selection, click the Advanced button and choose Create a selection.
In a selection, you can select to search:

— Among all computers
— Only among managed
— Only among unassigned

Unassigned devices do not transfer lists of installed programs to the server. That is why you should search for computers with incompatible applications either among managed, or among all computers. By default, a selection does not have any conditions, and it finds all the computers within the specified scope.
Selection parameters
To find computers with an incompatible application, change the conditions. By default, each selection has a macrocondition with numerous microconditions. All microconditions within the macrocondition are combined with logical AND. Macroconditions are combined with logical OR. To find computers with an incompatible application, one macrocondition is enough. Open its properties and switch to the Applications registry section. Select the program name in the list “Incompatible security application name”. Save the condition and the selection. The computer selection results will contain only the computers where this program has been detected. To display computers with various incompatible applications in a single selection, add macroconditions and specify the other incompatible applications there.
How to uninstall incompatible applications using a task

Where to create tasks in the console
Now, create an uninstallation task for this selection. Start the task creation wizard in the Tasks node, and when prompted for the target computers, choose the created selection. Every time the task runs it will check the contents of the selection and update the target computers list accordingly.
Task types
The wizard shows all tasks you can create. Each plug-in installed in the console adds tasks of the respective application to the list. After standard installation of Administration Server, you will be able to create tasks for Kaspersky Security Center and Kaspersky Endpoint Security 10 SP2. The remote installation and uninstallation tasks are the tasks of Kaspersky Security Center. To uninstall incompatible applications, select Kaspersky Security Center Administration Server | Advanced | Uninstall application remotely in the task creation wizard.
Uninstallation task subtypes
This task is used in various scenarios concerning uninstallation of programs and service packs.
— Uninstall incompatible applications
— Uninstall programs by Kaspersky Lab (for example, to reinstall them afterwards)
— Uninstall an application that is listed in the applications registry (usually, you need to know the uninstallation command)
— Delete an update or a program listed in the database of third-party software (see course KL 009.10 for details)

Here, we are interested in the Uninstall incompatible application option.
Selecting the program
After that, specify the name of the incompatible application to be uninstalled. You can select several programs or even all the applications that are included in the list. Selecting more than one program increases the task run time though, because such a task executes, step by step, the uninstall scripts for all the selected programs.
Restart parameters

The uninstallation task has computer restart parameters. The restart is often necessary to finish the uninstallation. By default, the user is prompted to restart the computer. If he or she chooses to postpone the restart, the prompt will reappear every 5 minutes, and the restart will be forced in 30 minutes. The administrator can modify these intervals and the message text. If the administrator selects a forced restart, the user’s data may be lost. Another alternative is to wait for a regular restart; however, the task will remain uncompleted for a while.

Selecting the computers

Finally, select computers for the task. The available options include:

— Picking computers from the Managed devices group and the Unassigned devices node
— Typing the names or addresses of the computers
— Specifying a computer group name
— Specifying a computer selection name
The last option is convenient for computers that can be defined by conditions relatively easily, e.g., computers where incompatible applications have been detected.
Account
The task creation wizard also prompts for the account. In our scenario, the account is not necessary, because Network Agent is already installed on the computers and will run the uninstallation task under the local system account. The account must be specified if the task is run either on computers without a Network Agent, or on computers where the Network Agent has no administrator permissions.
Finishing the wizard
At the last steps of the wizard, select the schedule, task name, and whether to start the task immediately. The uninstallation task is to run once. Once the incompatible applications are uninstalled, Kaspersky Endpoint Security can be deployed by running the remote installation wizard or a remote installation task, which can be created using the wizard in the Tasks node. The parameters of a remote installation task are almost the same as those specified in the remote installation wizard.
By default, the wizard offers a task name that coincides with the task type: Uninstall application remotely. If you are uninstalling a single program, include its name in the task name. This way, you will later be able to tell quickly whether this task is still necessary or can be deleted.
At the last step of the wizard, you can select to run the task immediately, which is often exactly what you want to do. To start the task, select the Run task after Wizard finishes check box.
Chapter 4. How to Organize Computers into Groups
4.1 How to Understand That the Deployment Has Been Completed
Now you know everything you need to install protection on all network computers:
— How to select components and installation parameters for Kaspersky Endpoint Security
— How to install Kaspersky Endpoint Security and Network Agent remotely
— How to install Kaspersky Endpoint Security and Network Agent using Active Directory
— How to create a standalone package for local installation
— How to create several different packages with different parameters
— How to install on discovered and undiscovered computers
Handy monitoring tools supplement this list:
— How to understand which programs are installed on which computers
— How to understand that installation has been completed in the network
For this purpose, you can use the installation task results, as well as reports, computer selections and event selections.
Where to look for information about the deployment
Task results and the information available on the Managed devices group do not always provide comprehensive information on the protection deployment in the network. Deployment by a single task on all computers, as well as managing all computers within one group, is characteristic of small networks only. For a complete picture, reports are the natural information source. Reports relevant to the deployment stage are:
— Incompatible applications report
— Kaspersky Lab software version report
— Protection Deployment Report
The following selections are also very useful at the deployment stage:
— New computers found
— Kaspersky Anti-Virus is not installed
— Unassigned devices with Network Agent
Global statuses
Information about protection deployment is also available on the Monitoring tab of the Administration Server node. The Deployment area contains the number of managed computers where Kaspersky Endpoint Security is not installed. If it is non-zero, a link to the selection that includes all these computers is also displayed. If there are any computers with Network Agent in the Unassigned devices node, this will be reflected in the Computer management area with another link to the corresponding selection of computers.
Computer selections
Computers with Network Agent must be located within the Managed devices node. If they are located in the Unassigned devices node, they neither send events to the Administration Server nor receive tasks and policies from the Server. That is why the Administration Server displays such computers on the Monitoring page and in the corresponding selection.
Reports
Where to look for reports
Reports are available on the corresponding tab of the Administration Server node.
Kaspersky Lab software version report
The software version report shows the number of Kaspersky Lab programs installed on managed computers: in particular, the number of installed Network Agents, Administration Servers and Kaspersky Endpoint Security instances. Various versions (builds) of the products are represented separately, which is convenient when upgrading the products. The report shows how many computers use the current versions of the programs, and how many run older versions.
The graphic part of the report illustrates the statistics table, which lists all versions of managed products and the number of installations for each of them. The Details table gives information on every computer: which products are installed, which versions, etc.
Protection deployment report
This report shows three categories:
— Computers with Network Agent and protection tools
— Computers with Network Agent, but without protection tools
— Computers without Network Agent
Computers with protection tools, but without the Network Agent are included in the last category. If the Network Agent is not installed, the Administration Server does not know whether protection tools are installed on the computer. This category also includes the computers where the Network Agent is installed, but is not connected to the Administration Server, for example, computers where Agents use an incorrect server address.
The chart and the Summary table show the number of computers in every category. The Details table, just like in the software version report, shows the version of Network Agent and Kaspersky Endpoint Security on every computer.
This report is especially useful if the administrator first moves all of the computers into the Managed devices group, and then starts the deployment tasks. In this case, the report explicitly displays how many of the managed computers are not connected to the server, and how many of those connected are not yet protected with Kaspersky Endpoint Security. If the administrator uses the remote installation wizard for the deployment and always selects the computers from the unassigned devices area, this report is less useful as it does not cover unassigned devices.
4.2 How the Administration Server Discovers Computers
Polling types
In the deployment wizard or when creating a deployment task, the administrator can select computers from a list. The Administration Server makes up this list by polling the network. Polls are performed periodically in several different ways:
— Windows network polling
— Active Directory polling
— IP subnet polling
The network is polled by the service of the Network Agent installed on the Administration Server rather than by the Administration Server service. The Network Agents installed on ordinary network computers do not poll the network.
Where to configure polling
Polling results are shown in the Advanced | Network poll node separately for each discovery method:
— Domains—computers detected during Windows network polling; workgroups and domains are represented as folders containing computers
— Active Directory—domains and organizational units are represented as folders containing computers
— IP subnets—IP subnets are represented as folders
The discovered computers are also displayed in the Unassigned devices node. A computer can be shown in more than one detection area. If a computer is detected in the HQ domain and its address is 192.168.0.1, it will be displayed both in the Domains node and in the IP subnets node, in the corresponding folders.
To modify the poll settings for each method, select the Advanced \ Network poll node and then click Configure polling in the corresponding section. You can also start any type of polling manually on this page.
Windows network polling
What a quick poll does
The Administration Server collects the list of Windows network computers just like the operating system itself. When a user opens the computer’s network places, the list of neighborhood computers grouped by domains and workgroups is shown. The Administration Server can acquire the same list. This polling method is called quick Windows network polling. It hardly places any extra load on the network.
The Computer Browser service is responsible for making up and providing the list of computers. In every network segment there is the main computer that stores the general list and provides it on request. To receive the list, the Administration Server only needs to send a request. In Windows Vista/Server 2008 and later versions, the Computer Browser service is disabled by default. If the Administration Server cannot receive the list of computers from the Computer Browser service, it sends a request to Active Directory and tries to receive a list of computers from it. This works, of course, only if the Administration Server belongs to an Active Directory domain.
A quick poll is performed every 15 minutes. After a quick poll, the Server receives the list of NetBIOS names of computers, domains and workgroups.
What a full poll does
During a full poll, the Administration Server tries to receive as much information as possible about each computer from the quick poll results. For each name, the Server resolves the name into an IP address using the NetBIOS, DNS and LLMNR protocols. For the received addresses, the Server performs a reverse resolution into a name, and if this name does not coincide with the original one, receives the IP address for the new name. The Server checks whether the IP addresses are accessible using ICMP requests and finally tries to connect to the computers using the SMB and RPC protocols to find out the operating system. All these numerous requests are necessary because the names and addresses of computers may change. The Administration Server uses forward and reverse resolution of names and IP addresses to distinguish new network computers from old ones that have just changed their name or IP address. As the number of requests is proportional to the number of computers, the network activity is much higher than with a quick poll. That is why a full poll is performed hourly by default.
How the server displays polling results
In polling results, the Server shows everything it was able to find out about a computer: its name, address, operating system, etc.
Windows network polling parameters
For each poll type, the administrator can:
— Enable or disable polling completely
— Enable or disable polling for a part of the network (what “a part of the network” is depends on the polling type)
— Select the polling schedule
— Select when polling data becomes obsolete
The polling schedule is defined as a start time and a timespan. A timespan can be as small as a few minutes or as large as several days or weeks. It is possible to run missed polls. If polling is performed often, this is not necessary; but it is useful if polling is performed once a week or a month.
Additionally, for Windows network polling the administrator can specify the life span for the information on the discovered computers. By default, this period is 7 days. If in 7 days a computer can no longer be detected by Windows network polling, the information about this computer is deleted from the server database. This interval can be specified independently for every domain or workgroup. Also, you can specify a common life span and use it for the whole Windows network. Additionally, you can disable polling of a domain or a workgroup in its properties.
Active Directory polling
What Active Directory polling does
Administration Server requests from Active Directory the structure of containers (units) and the list of computers for each of them. Additionally, the Administration Server requests the list of users and security groups. Work with AD users falls outside the scope of this course. See courses KL 010.10 and KL 302.10 for details.
In a large network, the total volume of all lists (computers, users, groups) may be very large, and that is why Active Directory polling is performed every 60 minutes by default.
Active Directory polling parameters
Polling parameters for Active Directory are similar to those for Windows network polling. There is an option to turn off this polling method entirely and a schedule. There is no explicit lifetime parameter for the polling results. Each polling replaces the previous results:
— Adds missing units and computers — Deletes the computers and units that have been removed from Active Directory
In the Advanced polling parameters, the administrator can select the polling scope:
— The Active Directory domain to which the Administration Server belongs (the default choice)
— The domain forest to which the Administration Server belongs
— The specified list of Active Directory domains
To add a domain to the polling scope, specify the address of the domain controller, and the name and password of the account for accessing it. You can selectively disable polling for some organizational units in their properties. When the administrator changes the polling scope, after the next polling, the Server will show only the new scope contents. For example, if the administrator has disabled polling within a unit, after the next polling, the Administration Server will delete all the information about the contents of this unit from its database. Also, if the Server scanned several domains previously and the administrator deletes one of the domains from the list, after the next polling, the Server will delete all data about this domain from its database.
IP subnet polling
What IP subnet polling does
IP range polling works similarly to full Windows network polling. However, the original list of computers is not received as a result of quick polling; it is the list of IP addresses from the IP ranges specified by the administrator. The server tries to resolve each address into a name, and the name into an address again; then checks whether the address answers ICMP ECHO REQUESTs, etc. To find out the device type, the Server also sends SNMP requests. The polling results include only those computers that answered the ICMP request.
IP subnet polling parameters
Initially, the Administration Server gets IP ranges for polling from the network settings of the computer where it is installed. If, for example, the computer address is 192.168.0.1 and the subnet mask is 255.255.255.0, the Administration Server automatically includes the 192.168.0.0/24 subnet in the scan list and polls all addresses from 192.168.0.1 to 192.168.0.254. IP subnet polling parameters include the list of polled IP subnets, the enabling check box and the schedule. When this polling method is enabled, the default period is 420 minutes (7 hours). The life span of the polling results is 24 hours by default. If an IP address has not been verified by polling within 24 hours, it is removed from the results. Such a short life span is meant to account for dynamic IP addresses (assigned over DHCP), which can change frequently. When modifying the settings, make sure that the information lifetime exceeds the polling interval.
How to add a network to be polled
In order to poll subnets to which Administration Server does not belong, you need to add them to the list manually. You can specify a subnet using either its address and mask, or the first and last IP address of the IP range. Also, the name of the subnet should be specified.
How to modify ranges in an IP subnet
One subnet can comprise several IP ranges. Additional ranges are configured in the subnet properties. Whereas named subnets are not allowed to overlap, ranges may overlap within a subnet. You can enable and disable scanning independently for every subnet.
Where to monitor network polling
When the network is being polled, the Advanced | Network poll page displays the progress. Detailed information is available in the Administration Server statistics. There you can find the time of the last poll performed by each method, polling progress percentage and the name of the polled domain for Windows network polling.
How to find out that the Server has discovered new computers
The administrator can configure notifications about new computers found in the network. The corresponding event is available in the properties of the Administration Server, and you can enable e-mail notification in the event properties. To receive information about new computers, open the Event notification section in the Administration Server properties. Find the event New device found on the Info tab. Open the event properties and select the check box Notify by e-mail. For notifications, the Server uses the parameters that you specified in the Quick Start wizard when installing the Administration Server. If you are not sure that correct parameters have been specified, check them in the Notification delivery settings section of the server properties.
4.3 How to Create or Import Groups
Why create groups
After the initial installation, there is only one group on the Administration Server: Managed devices. With a single group, the same protection policy and task schedule are applied to all computers, which is not always desirable. Even in small networks, it may be necessary to use different protection settings for servers and workstations. In large networks, where different groups of users need different types of software, the capability to create policies with different exclusions for different users is extremely useful. The computers must be placed into different groups to be able to apply different policies (see footnote 6).
From a practical point of view, it is convenient when computers in Kaspersky Security Center are organized into the same groups as in Active Directory, or into groups corresponding to the IP subnets used in the organization. This way, the administrator can quickly understand where a computer is located in order to send an IT employee there.
There are also other uses of groups. Often, especially in large networks, administrators create groups to organize the deployment process. Computers without the Agent or protection tools are placed into the Deploy Agent group, where the Network Agent automatic installation task is created. Computers with the Agent installed are moved into the Uninstall Incompatible Apps group, where the task for uninstalling incompatible applications is configured. Computers without incompatible applications are moved into the Deploy KES group, where the task for automatic installation of Kaspersky Endpoint Security is created. Finally, the completely protected computers are moved into the permanent management structure.
6. Kaspersky Security Center 10 Service Pack 1 provides the capability to apply different policies (to be more precise, different configuration profiles) to different computers within the same group. For more details, refer to course KL 302.10.
How to add a group
Creation of groups in the Administration Console is as simple as folder creation in Windows Explorer. First, groups are created within the Managed devices node. Then you can create new groups either in the same node or inside the created groups. In the Administration Console interface, you can use any of the following methods to create a new group:
— Select the Managed devices node or an existing group and click the New group button on the Devices tab
— On the shortcut menu of the necessary node, click New, Group
Enter the name of the group in the displayed dialog window: it will then appear as a subfolder in the structure of managed devices. Each group page contains tabs for managing the hosts included into the group, group tasks and group policies. If a group is no longer necessary, you can delete it on the condition that there are no computers in either the group or its subgroups.
Groups can be moved within the hierarchy of managed devices. For example, if the structure of groups reflects physical computer locations and the HR department moves from Building 1 to Building 2, the HR subgroup can be easily relocated together with its computers from the group Building 1 to the group Building 2. The task can be accomplished using traditional Cut and Paste or Drag and Drop methods.
How to add a computer to a group
In the Administration Console, you can use any of the following methods to move computers:
— Drag and drop—select a computer among the managed or unassigned hosts and drag it with the mouse to the necessary group. You can move several computers at once
— Cut and paste—the procedure is almost the same, but you cut the selected computers (using the shortcut menu or CTRL+X keyboard shortcut) and then paste them into the necessary group (once again using the shortcut menu or CTRL+V keyboard shortcut)
— Select one or several computers in the Unassigned devices node or a selection of computers (the method does not work within the groups), open the shortcut menu, select the Move to Group command and specify the necessary group
— Select the destination group, switch to the Devices tab, and click the Add devices link to launch the Add Devices Wizard. In the wizard, you can either select the computers using the polling results or specify their names or addresses manually
Add Devices Wizard
If you specify a name or an address of a computer that is missing from the Administration Server polling results, the wizard will inform you that it cannot be added. If a computer exists in the network but cannot be discovered—for example, its firewall allows only outbound connections—install Network Agent there. As soon as the Network Agent connects to the Server, the computer will be added to the database and appear in the network polling results.
How to import a group structure
If the network is large enough and the planned structure of managed devices requires a large number of groups, creating the hierarchy using the methods described above can be very labor-intensive. Sometimes it is easier to import a group structure from the network polling results or from a text file.
If administrators want to arrange the managed devices in the exact same order as their network, to combine them into the same workgroups or domains and subdivisions, they can use the structure import functionality. You can import the structure of your Windows network, Active Directory or a structure defined in a text file. In the first two cases you may import either the entire structure (groups including computers) or just groups. When importing the topology from a text file, only groups can be created. Computer import affects unassigned hosts only. If some computers from a workgroup or an Active Directory unit that is being imported are already present in a group of managed devices, the wizard will not relocate them. To start the wizard, on the shortcut menu of the Managed devices group, select All tasks, Create groups structure. In the wizard, specify the structure to be imported and the destination group. You can also import only a structure from Windows network or Active Directory, and disable importing the computers.
Windows network topology and a structure defined in a text file are always imported completely. When importing an Active Directory structure, you can select the domain or unit to be imported. The other domains and units will be ignored.
The structure creation wizard is designed for the initial creation of the structure of managed devices. It is not intended for regular synchronization of the Kaspersky Security Center structure with, for example, Active Directory. If you need to synchronize, configure the computer relocation rules.
A structure import via a text file must be prepared manually. Every group or subgroup must be specified on a separate line within the text file. Subgroups are specified using their full paths. Use the backslash path delimiters, for example:
Office1\Subdivision1\Department1
Office1\Subdivision1\Department2
Office2
Office3\Subdivision1
If a subgroup path contains groups that do not exist yet, they are created. Groups created during the import procedure are completely identical to the groups created manually. You can rename, move, delete them, etc.
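To make the text-file format concrete, the following added example (not part of the course and not Kaspersky Security Center code) simulates the import: it parses lines like those above, creates any missing parent group on the way, and reports which groups were created. The group names are the ones from the course text; the tree representation is an assumption of the example.

```python
"""Simulate importing a group structure from a text file as the course describes
it: one group per line, subgroups as full backslash-delimited paths, and every
missing parent group created on the way. Added illustration, not product code."""

from __future__ import annotations
from typing import Dict, List, Optional, Tuple

GroupTree = Dict[str, "GroupTree"]  # group name -> its subgroups


def parse_structure_file(text: str) -> List[List[str]]:
    """Split the file into group paths (top-level group first).
    Blank lines and surrounding whitespace are ignored; an empty name in a path
    (for example a trailing backslash) is rejected as a malformed line."""
    paths: List[List[str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split("\\")]
        if any(not p for p in parts):
            raise ValueError(f"malformed group path: {line!r}")
        paths.append(parts)
    return paths


def import_structure(text: str, root: Optional[GroupTree] = None) -> Tuple[GroupTree, List[str]]:
    """Create the groups under root (the Managed devices node when None).
    Returns the tree and the full paths of the groups actually created, in creation
    order. Existing groups are left as they are; parents the file never names
    explicitly are created because a subgroup path needs them."""
    tree: GroupTree = {} if root is None else root
    created: List[str] = []
    for parts in parse_structure_file(text):
        node = tree
        for depth, name in enumerate(parts):
            if name not in node:
                node[name] = {}
                created.append("\\".join(parts[: depth + 1]))
            node = node[name]
    return tree, created


def render(tree: GroupTree, indent: int = 0) -> List[str]:
    """Indented listing of the resulting hierarchy, one group per line."""
    lines: List[str] = []
    for name, subgroups in tree.items():
        lines.append("  " * indent + name)
        lines.extend(render(subgroups, indent + 1))
    return lines


# Constructed sample: the four lines shown in the course text.
SAMPLE_FILE = """\
Office1\\Subdivision1\\Department1
Office1\\Subdivision1\\Department2
Office2
Office3\\Subdivision1
"""

if __name__ == "__main__":
    tree, created = import_structure(SAMPLE_FILE)
    print("created:", created)
    print("\n".join(render(tree)))
```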
4.4 How to Add Computers to Groups Automatically
Computer relocation rules
If groups in Kaspersky Security Center correspond to IP subnets or Active Directory units, the administrator can easily automate the computers’ distribution into the groups. Computer relocation rules serve this purpose. To open the list of relocation rules, click Properties on the shortcut menu of either the Unassigned devices or Advanced | Network Poll node. Alternatively, you can click the button Configure rules in the Unassigned devices node, or follow the Set up rules of device moving to administration groups link in the bottom of the Advanced | Network Poll page.
Rules created by tasks
In some cases, computer relocation rules are created automatically in the Kaspersky Security Center. For example, when the administrator selects to move unassigned devices into a group in the remote installation wizard or when creating a standalone package, the Administration Server creates a relocation rule for this operation. These rules can be viewed on the list and can be disabled, but cannot be deleted or edited. The server deletes them automatically when the corresponding task or standalone package is deleted.
Configuring relocation rules
A relocation rule consists of the following basic settings:
— What to move—a set of conditions a computer must meet to be relocated
— Where to move—the name of the group in the structure of managed devices where the hosts matching the rule conditions will be relocated
— When to move—the conditions that will trigger automatic relocation
When creating a rule, specify its name. Use one that explains the rule purpose, since only the names are shown on the rule list. Also, you will need to select the destination group—where to move the computers.
When to apply the rules
Afterwards, decide when to apply the rule to the computers. Three capabilities are available:
— Run once for each computer —as soon as the rule is created, it will be applied to all computers in the server database, and then it will be applied only to new computers when they are discovered
— Run once for each computer, then at every Network Agent reinstallation on computer—is similar to the previous option, but if the Network Agent is reinstalled on a computer, the rule will be reapplied to such a host
— Rule works permanently—the rule is permanent; if a computer matching its conditions is manually moved to another group, the Administration Server will immediately return it to the location specified in the rule. If the computer attributes are changed, a permanent rule will react accordingly, while a one-time rule will not
The rules created by the Administration Server for installation tasks and standalone packages are Run once for each computer, then at every Network Agent reinstallation on computer.
Permanent rules are more convenient in a sense, but create a persistent computational load on the Administration Server.
Conditions in relocation rules
Move managed devices
Other rule settings specify the conditions that a computer must meet for the rule to be applied. The first condition is located in the General section and is named Move only computers not added to administration groups. With this option selected, a rule, even a permanent one, will not prevent the administrator from manually moving computers between groups: it affects only unassigned devices. To apply such a rule to a computer that is already in a group, simply delete the computer from the group. Once deleted from the managed devices structure, the computer becomes unassigned and the rule applies to it.
If the Move only computers not added to administration groups check box is cleared, the rule applies to all computers in the server database, and the matching computers are moved into the specified group regardless of anything else. This does not prevent the administrator from deleting these computers from the Administration Server database, though.
Other conditions are located in additional sections of the rule properties.
Move computers by names and IP addresses
Many of the relocation conditions are related to the network attributes of the computers:
— NetBIOS name
— Name of the domain or workgroup
— DNS name
— DNS domain
— IP address
— Server connection IP address (if a computer is behind a NAT gateway, the connection address is the gateway address)
To apply a rule to several computers, you can specify IP addresses as ranges, and names can be specified as masks with “*” and “?” wildcards. If these options are insufficient, you can always create several rules with different conditions that will move computers to the same group.
If the rule is to be applied to unassigned devices, the conditions can be specified in the terms of unassigned computer representation in Kaspersky Security Center:
— IP subnets specified in the Advanced \ Network poll node
— Subgroups in the Domains structure of the Advanced \ Network poll node—these are names of the domains and workgroups discovered by the Administration Server when polling the network
Move computers by operating systems
Conditions for computers may include the operating system version, architecture and currently installed Service Pack. Several operating systems can be specified within one rule. If the administrator wants to automatically move all servers into the Servers group, a single rule is enough to take care of all server versions used in the network, for example, Windows Server 2008 R2 and Windows Server 2012 R2. There is also the Network Agent is running condition. This condition can separate the computers already connected to the Administration Server from those that still need to be connected.
Other conditions
A relocation rule has a condition for virtual machines. Virtual machines running on different virtualization platforms can be moved into different groups. Protection of virtual machines is described in courses KL 014.40 Kaspersky Security for Virtualization. Agentless and KL 031.40 Kaspersky Security for Virtualization. Light Agent. If these conditions are not enough, computers can be tagged and you can configure conditions using the tags. For more details, refer to course KL 302.10.
How to synchronize groups with Active Directory
There are similar conditions for the computers within the Active Directory structure:
— Active Directory unit name
— Active Directory group name
Relocation rules allow configuring synchronization with Active Directory. For this purpose, enable additional options under the condition Apply the rule to Active Directory organization unit:
— Including child organization units—if the selected unit has child units, computers within them will be moved into the destination group
— Move computers from child organizational units to corresponding subgroups—if the selected unit has child units, and the destination group has the corresponding subgroups, computers from the child units will be moved into the corresponding subgroups
— Create missing subgroups—if the selected unit has child units, and the destination group has no corresponding subgroups, the Administration Server will create these subgroups and move the computers of the child units there
— Delete subgroups that are not present in the Active Directory—the opposite of the previous option. When an organizational unit is deleted from Active Directory, this option removes the respective group from Kaspersky Security Center.
If all four options are enabled, an updatable copy of the Active Directory structure is created in the destination group. If a unit is created or deleted in Active Directory, or computers are moved from one unit to another, Kaspersky Security Center automatically repeats these changes in its group structure.
In addition to units, Active Directory has groups, which may contain computer accounts. To move computers into groups according to the domain groups, select the condition The device is member of Active Directory group and specify the group name.
I-133 Unit I. Deployment
Rule application order
The created rules are organized into a list where their order matters. Permanent rules have a higher priority than the others. Among rules of the same type, the higher a rule is on the list, the higher its priority. In other words, if a computer meets the conditions of several rules, only the top one is applied. The rule order can be changed with the arrows on the right.
A rule can also be applied manually using the Force button at the bottom of the window. This allows re-applying a non-permanent rule. For permanent rules, the button does nothing, since permanent rules are constantly enforced anyway. The Rule execution wizard prompts for the group where the rule is to be applied, and moves the computers that meet the rule conditions from the selected group to the group specified in the rule. There is an option that allows skipping the computers to which this rule has already been applied and forcing the rule only on new computers.
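As an added illustration (not part of the course and not Kaspersky Security Center's own code), the following Python model puts together the relocation-rule behaviour described in this and the preceding sections: name masks with "*" and "?" wildcards, IP ranges, operating system and Network Agent conditions, permanent rules taking priority over list position, only the top matching rule being applied, and the Force option that skips computers to which the rule was already applied. The inventory, rule names and group names are constructed sample data.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from ipaddress import ip_address
from typing import Optional


@dataclass
class Computer:
    name: str
    ip: str
    os: str                      # operating system name as reported by Network Agent
    agent_running: bool          # the "Network Agent is running" condition
    group: str = "Unassigned devices"
    applied_rules: set = field(default_factory=set)   # rules already applied here


@dataclass
class Rule:
    name: str
    target_group: str
    permanent: bool = False
    name_masks: list = field(default_factory=list)    # "*" and "?" wildcards
    ip_ranges: list = field(default_factory=list)     # (first, last) address pairs
    os_names: list = field(default_factory=list)      # several operating systems per rule
    agent_running: Optional[bool] = None              # None = condition not used

    def matches(self, c: Computer) -> bool:
        """All configured conditions must hold; unused conditions are skipped."""
        if self.name_masks and not any(
                fnmatchcase(c.name.lower(), m.lower()) for m in self.name_masks):
            return False
        if self.ip_ranges:
            addr = ip_address(c.ip)
            if not any(ip_address(lo) <= addr <= ip_address(hi)
                       for lo, hi in self.ip_ranges):
                return False
        if self.os_names and c.os not in self.os_names:
            return False
        if self.agent_running is not None and c.agent_running != self.agent_running:
            return False
        return True


def ordered(rules):
    """Permanent rules first; within each type the list order decides (stable sort)."""
    return sorted(rules, key=lambda r: not r.permanent)


def apply_rules(rules, computers):
    """Automatic application: only the top matching rule moves a computer."""
    moves = {}
    for c in computers:
        for r in ordered(rules):
            if r.matches(c):
                if c.group != r.target_group:
                    c.group = r.target_group
                    moves[c.name] = r.name
                c.applied_rules.add(r.name)
                break
    return moves


def force_rule(rule, computers, source_group, skip_already_applied=True):
    """The Force button: re-apply one rule to the computers of a chosen group.

    Returns the names of the computers moved. For a permanent rule this is normally
    empty, because permanent rules are constantly applied anyway.
    """
    moved = []
    for c in computers:
        if c.group != source_group or not rule.matches(c):
            continue
        if skip_already_applied and rule.name in c.applied_rules:
            continue
        c.group = rule.target_group
        c.applied_rules.add(rule.name)
        moved.append(c.name)
    return moved


# Constructed sample data (not from the course). List order matters below:
# "No agent yet" is first, but the permanent "Servers" rule still outranks it.
SAMPLE_RULES = [
    Rule("No agent yet", "Managed devices/Pending", agent_running=False),
    Rule("Lab", "Managed devices/Lab", name_masks=["ws-lab-*"]),
    Rule("Servers", "Managed devices/Servers", permanent=True,
         os_names=["Windows Server 2008 R2", "Windows Server 2012 R2"]),
    Rule("Workstations", "Managed devices/Workstations",
         ip_ranges=[("10.0.1.1", "10.0.1.254")]),
]


def build_sample():
    """Constructed inventory: two servers (one without an agent) and three workstations."""
    return [
        Computer("srv-dc01", "10.0.0.10", "Windows Server 2012 R2", True),
        Computer("srv-file02", "10.0.0.20", "Windows Server 2008 R2", False),
        Computer("ws-acct-7", "10.0.1.15", "Windows 7", True),
        Computer("ws-lab-3", "10.0.1.200", "Windows 10", True),
        Computer("ws-new-9", "10.0.1.50", "Windows 10", False),
    ]
```

Running apply_rules on the sample puts srv-file02 into Servers despite the earlier "No agent yet" rule, and ws-lab-3 into Lab rather than Workstations because Lab is higher in the list.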
II–1 Unit II. Protection Management
Unit II. Protection Management
Chapter 1. How Kaspersky Endpoint Security 10 Protects Computers ..... 4
1.1 How Criminals Attack a Computer ..... 4
  How malware gets on a computer ..... 4
  How malware causes harm ..... 7
1.2 How Kaspersky Endpoint Security Counters Attacks ..... 9
  How Kaspersky Endpoint Security repels threats ..... 9
  How Kaspersky Security Network helps to repel threats ..... 10
  Where are Kaspersky Endpoint Security settings located ..... 11
Chapter 2. How to Configure File Protection ..... 12
2.1 How Does Kaspersky Endpoint Security Protect Files? ..... 12
2.2 What and How to Configure in File Anti-Virus ..... 14
  File Anti-Virus settings ..... 14
2.3 What to Do If File Anti-Virus Slows down the Computer ..... 21
  How to exclude an application’s folder ..... 22
  How to exclude files that a process accesses ..... 23
  How not to scan network drives ..... 23
  How to temporarily stop File Anti-Virus ..... 24
  How to apply settings to computers ..... 24
2.4 Standard File Antivirus Protection Levels ..... 25
2.5 How and Why Configure Scheduled File Scanning ..... 26
  Why search for viruses after the File Anti-Virus ..... 26
  What and how to scan for viruses ..... 27
  Standard virus scan security levels ..... 28
  How to select an optimal schedule ..... 29
2.6 What to Do with False Positives ..... 31
  How to configure an exclusion for an incorrect verdict ..... 31
  Exclusion by certificate ..... 32
2.7 File Protection: Summary ..... 32
Chapter 3. How to Configure Protection Against Network Threats ..... 33
3.1 How Network Protection Works ..... 33
  What network components do ..... 33
  How Kaspersky Endpoint Security intercepts traffic ..... 34
3.2 Mail Anti-Virus ..... 35
  What Mail Anti-Virus does ..... 35
  Mail Anti-Virus settings ..... 35
  Attachment filter ..... 36
  Standard security levels ..... 37
  Exclusions for false positives ..... 37
3.3 Web Anti-Virus ..... 38
  What Web Anti-Virus does ..... 38
  Web Anti-Virus settings ..... 39
  How to make a web site trusted ..... 40
3.4 How Not to Intercept the Whole Traffic of a Program ..... 41
3.5 Protection for Network Connections: Summary ..... 42
Chapter 4. How to Configure Protection Against Sophisticated Threats ..... 43
4.1 How Kaspersky Endpoint Security Protects Against New Threats ..... 43
4.2 What System Watcher and Application Privilege Control Do ..... 44
  How System Watcher protects against new threats ..... 44
  How Application Privilege Control stops new threats ..... 46
  How to configure Application Privilege Control to stop ransomware ..... 49
4.3 How to Exclude a Program from Monitoring ..... 50
  What to do if KES hampers a program ..... 50
  How to modify a program’s trust category ..... 51
  How to make a program trusted by System Watcher and Application Privilege Control ..... 54
4.4 Protection Against New and Sophisticated Threats: Summary ..... 55
Chapter 5. How to Control Network Connections ..... 56
5.1 How Firewall Protects Against Threats ..... 56
5.2 How Firewall Works in Kaspersky Endpoint Security ..... 57
  How Firewall analyzes packets and connections ..... 57
  How does the Firewall decide which networks are local? ..... 59
  How does the Firewall restrict programs? ..... 60
5.3 What Firewall Does Under Default Settings ..... 61
  Default network packet rules ..... 61
  What it means for applications on the computer ..... 62
  What if the Firewall impedes an application ..... 63
5.4 Why Is the Network Attack Blocker Necessary? ..... 64
  What the Network Attack Blocker does ..... 64
  How to unblock a blocked computer ..... 65
5.5 Network Protection: Summary ..... 66
Chapter 6. How to Protect a Computer Outside the Network ..... 67
6.1 Which Local Networks to Trust ..... 67
6.2 How to Create a Policy for Computers Outside the Office ..... 67
  How to create a policy for computers outside the office ..... 68
  When computers switch to the out-of-office policy ..... 69
  How to set conditions for switching to the Out-Of-Office policy ..... 70
6.3 Which Settings Computers Should Use Outside the Office ..... 71
6.4 Out-of-Office Policies: Summary ..... 72
Chapter 7. What Else Is There in Protection and Why? ..... 73
7.1 What Self-Defense Does and Why It Is Necessary ..... 73
  What self-defense does ..... 73
  How to manage KES over Remote Desktop ..... 74
7.2 How to Protect Kaspersky Endpoint Security from the User ..... 75
  How the user can stop protection ..... 75
  How to enable password protection ..... 76
  Configuring password protection for Network Agent ..... 77
7.3 Which Other Protection Settings Are Available ..... 77
  Actions ..... 78
  Other settings ..... 78
  Computer protection: summary ..... 80
Chapter 1. How Kaspersky Endpoint Security 10 Protects Computers
1.1 How Criminals Attack a Computer
How malware gets on a computer
Malware gets onto a computer via everything that connects the computer to the external world, specifically via network connections and removable media. Let us examine typical scenarios of how malware penetrates a computer, and how to prevent this.
Via a browser
A vulnerable web browser
The user has installed a vulnerable browser. A web page can exploit a vulnerability to make the browser download and run arbitrary software on the computer. The user opens a dubious web site, and the web site starts malware on the user’s computer. Malicious code may reside in the ad blocks that the web site receives from other sites rather than on its own pages. To protect against such an attack:
— Install updates for web browsers
— Do not allow users to run arbitrary browsers
— Do not allow users to open arbitrary web pages
— Do not allow users to open known infected web sites
— Do not allow web browsers to start child processes
An infected file
The user looks for free software on the Internet: for example, a handy free utility, a pirated version of an expensive program, or a key generator for an expensive application. The user finds it, downloads it and starts it on the computer. The program turns out to be malicious. Maybe the user downloaded a seemingly appropriate file from some Internet junk site. Or maybe criminals altered the freeware code, or cracked the site and replaced the program. To protect against such an attack:
— Do not allow users to open arbitrary web pages
— Do not allow users to open web sites known to distribute malware
— Scan the files that users download from the Internet with an antivirus program
Via e-mail
The user receives an e-mail message that looks like a message from a bank, a shop, a delivery service, a partner, an acquaintance, etc. The message prompts the user to click a link or open an attachment. The link leads to a malicious or phishing web site. The attachment contains malware or a document with embedded malware. To protect against such an attack:
— Filter e-mail with antispam tools (software that protects against anonymous bulk unsolicited e-mailing)
— Scan the files attached to e-mail messages with an antivirus program
— Do not allow users to save executable files from e-mail messages to the drive
— Protect against links in messages the same way as against attacks via web browsers
From other computers over the network
From a shared folder
The user copied a program from a shared folder on another computer and started it. The program turned out to be malicious. Or the user opened a document from a shared folder on another computer, and the document contained malicious code. To protect against such an attack:
— Install protection tools on all computers
— Scan the files that users copy, open or start
A network attack
There is a vulnerability in the operating system on the user’s computer. If a special sequence of packets is sent to a specific port, the vulnerable service can be made to run the code contained in these packets. An infected computer will also attack the vulnerable service on all other network computers and infect them. To protect against such an attack:
— Install security updates for the operating system
— Prohibit connections to the ports that users do not need for their work
— Use antivirus software to scan inbound packets for network attacks
From external media
A user’s USB memory drive
The user connected a USB flash drive to the computer to copy documents. The USB flash drive contains malware that uses a vulnerability in the operating system to run automatically on the computer. Or the user simply connected a USB flash drive to find out what it contains, found a document or an executable file with an intriguing name and decided to open it. The file turned out to be infected. To protect against such an attack:
— Do not allow users to connect unknown (or any) USB flash drives to the computers
— Scan files on USB flash drives with an antivirus program
— Install security updates for the operating system
BadUSB
The user connected a USB device that looks like a USB flash drive to the computer. The device registered with the operating system both as a USB flash drive and as a keyboard. After a while, the device started to execute commands on the computer by sending keystrokes. To protect against such an attack:
— Use protection against BadUSB attacks
How to protect against threats
All threat prevention methods can be grouped as follows:
Eliminate potential attack targets
— Install security updates for the operating system
— Install updates for web browsers and other programs
— Do not allow users to run arbitrary browsers
— Do not allow users to open arbitrary web pages
— Do not allow web browsers to start child processes
— Do not allow users to save executable files from e-mail messages to the drive
— Prohibit connections to the ports that users do not need for their work
— Do not allow users to connect unknown (or any) USB flash drives to the computers
Use protection tools to detect attacks
— Install protection on all computers
— Scan the files that users copy, open or start
— Scan files on USB flash drives with an antivirus program
— Scan the files attached to e-mail messages with an antivirus program
— Scan the files that users download from the Internet with an antivirus program
— Do not allow users to open known infected web sites
— Do not allow users to open web sites known to distribute malware
— Use antivirus software to scan inbound packets for network attacks
— Use protection against BadUSB attacks
How malware causes harm
No protection tool can protect against 100% of threats. Criminals may always be half a step ahead, since they:
— Register new domains and web sites
— Write new malware
— Use zero-day vulnerabilities for which updates have not been issued yet
Even if protection works properly, there is always a risk that a computer may be infected with new malware. If protection is not installed on some computers, if databases are outdated, or if important protection components are disabled, the risk grows. Let us study the harm that malware can cause and how it can be reduced.
Ransomware
Ransomware encrypts documents and other files on the computer and in shared folders, and demands money in return for the encryption key. The key is stored on the criminals’ server. The malware either downloads the key from the server, encrypts the files and deletes the key; or generates a random key, sends it to the server, encrypts the files and deletes the key. Either way, ransomware connects to its server over the network. To protect against such an attack:
— Regularly back up all important files
— Do not allow unknown programs to establish and accept network connections
— Use protection tools that detect encryption heuristically
Spyware
The malware looks for unencrypted or poorly encrypted passwords in software settings and in files on the drive. It intercepts everything the user types, takes screenshots and records video through the web camera. The program sends all of this to the criminals’ server. To protect against such an attack:
— Do not allow unknown programs to establish and accept network connections
— Use protection tools that detect spying heuristically
Network viruses
The malware writes itself to USB flash drives connected to the computer and to shared folders over the network. It infects neighboring computers via vulnerable services. It sends spam and participates in DDoS attacks on command from a control center. To protect against such an attack:
— Do not allow unknown programs to establish and accept network connections
— Use protection tools that heuristically detect dangerous activities
Loaders
Criminals often use very simple files, which pose no direct threat by themselves, to get around protection tools and infect a computer. These files may then download additional malicious files, which can encrypt documents, steal passwords, etc. To protect against such an attack:
— Do not allow unknown programs to establish and accept network connections
Low-grade malware
The malware makes other programs hang or malfunction; the computer runs very slowly, restarts spontaneously or displays a blue screen. To protect against such an attack:
— Regularly scan files on the computer with antivirus software
How to reduce losses
The loss reduction methods may be grouped similarly to the attack prevention methods:
Eliminate potential attack targets
— Do not allow unknown programs to establish and accept network connections
Use protection tools to detect attacks
— Use protection tools that heuristically detect dangerous activities
— Regularly scan files on the computer with antivirus software
1.2 How Kaspersky Endpoint Security Counters Attacks
How Kaspersky Endpoint Security repels threats
Kaspersky Endpoint Security and Kaspersky Security Center components do everything to protect against attacks and prevent losses. Each measure below is followed by the component that implements it:
Eliminate potential attack targets
— Install security updates for the operating system: Kaspersky Security Center (see course KL 009.10)
— Install updates for web browsers and other programs: Kaspersky Security Center (see course KL 009.10)
— Do not allow users to run arbitrary browsers: Application Startup Control
— Do not allow users to open arbitrary web pages: Web Control
— Do not allow web browsers to start child processes: System Watcher
— Do not allow users to save executable files from e-mail messages to the drive: Mail Anti-Virus
— Prohibit connections to the ports that users do not need for their work: Firewall
— Do not allow users to connect unknown (or any) USB flash drives to the computers: Device Control
— Do not allow unknown programs to establish and accept network connections: Firewall
Use protection tools to detect attacks
— Install protection on all computers: Kaspersky Security Center (see Unit I)
— Scan the files that users copy, open or start: File Anti-Virus, Application Privilege Control
— Scan files on USB flash drives with an antivirus program: Virus Scan
— Scan the files attached to e-mail messages with an antivirus program: Mail Anti-Virus
— Scan the files that users download from the Internet with an antivirus program: Web Anti-Virus
— Do not allow users to open known infected and phishing web sites: Web Anti-Virus
— Do not allow users to open web sites known to distribute malware: Web Anti-Virus
— Scan the packets that a computer receives for network attacks with an antivirus program: Network Attack Blocker
— Use protection against BadUSB attacks: BadUSB Attack Prevention
— Use protection tools that heuristically detect dangerous activities: System Watcher, Application Privilege Control
— Regularly scan files on the computer with antivirus software: Virus Scan
This list includes all components of Kaspersky Endpoint Security. All of them either decrease the attack surface, or actively scan, detect and block threats. Kaspersky Endpoint Security neither backs up files on the computer, nor protects against spam. To protect against spam, use Kaspersky Lab products for mail systems:
— Kaspersky Security for Microsoft Exchange Servers
— Kaspersky Secure Mail Gateway
How Kaspersky Security Network helps to repel threats
To ensure that Kaspersky Endpoint Security components reliably protect against threats, it is important to regularly update signature databases. It is also important to allow Kaspersky Endpoint Security to use Kaspersky Security Network.
Kaspersky Security Network (KSN) is a cloud-assisted technology that helps increase the accuracy of verdicts for all protection components. Kaspersky Security Network servers collect information about files on the protected computers, analyze it using machine learning technologies, consider when a file was detected for the first time, whether it is widespread, in which regions, whether the users of personal versions of Kaspersky Security trust the file, whether the file is signed with a certificate and which one, etc. Suspicious files are additionally analyzed by Kaspersky Lab experts. After that, Kaspersky Security Network assigns a trust group to the file:
— Trusted
— Low Restricted
— High Restricted
— Untrusted
This way, Kaspersky Endpoint Security components learn which programs are to be allowed to connect to the network, which programs may install drivers, and which of the trusted programs are to be scanned especially thoroughly because they may contain vulnerabilities.
Kaspersky Security Network contains a huge database of checksums of known good files. Kaspersky Lab receives checksums of reference files from many well-known software manufacturers, such as Microsoft, Adobe, Google, etc. That is why Kaspersky Endpoint Security components know for sure which files are not infected and do not hamper the respective programs. Besides files, Kaspersky Security Network builds reputations for web pages and software activity patterns.
If Kaspersky Lab detects a new threat, the checksums of all malicious files and web pages get into Kaspersky Security Network in a split second and become available to all products that use Kaspersky Security Network. Products learn about new threats via Kaspersky Security Network a few hours earlier than the threat signatures arrive with database updates.
The data that Kaspersky Endpoint Security sends to Kaspersky Security Network are depersonalized and anonymous. The complete list can be found in the Kaspersky Security Network agreement that the administrator must accept before enabling Kaspersky Security Network in the Kaspersky Endpoint Security policy. To be able to use Kaspersky Security Network without sending anything to Kaspersky Lab, there is the Kaspersky Private Security Network service.
Where are Kaspersky Endpoint Security settings located
In this chapter, we will study which settings are available in Kaspersky Endpoint Security components:
— The default values
— How the parameters influence the components’ behavior
— When and how to modify settings to improve computer protection or user experience
Most Kaspersky Endpoint Security settings are located in the policy. Some settings, for example, scheduled virus scan or update settings, are set up in tasks. Policies (all) and tasks (mostly) are configured within groups. They can also be found in the first-level tree nodes Policies and Tasks, where you can see to which group each policy and task belongs.
Chapter 2. How to Configure File Protection
2.1 How Does Kaspersky Endpoint Security Protect Files?
File Anti-Virus intercepts all file operations (such as reading, copying and executing) using the klif.sys driver and scans the files being accessed. By default, if a file is infected, the operation is blocked, and the file is either disinfected or deleted.
Except for vulnerabilities that allow malware to load code directly into memory, all attacks save malicious files on the computer’s drive. And even those attacks that start by executing code in memory can load only a small amount of code there and use it as the first step of the attack, which then downloads additional modules as files and saves them to the drive. Even if Mail Anti-Virus and Web Anti-Virus are disabled, the user will not be able to start an infected file received by e-mail or downloaded from the Internet, because a file cannot be started either from an attachment or from a web page without being saved to the hard drive; and when the file is saved on the disk, it is detected and blocked by File Anti-Virus. This makes File Anti-Virus one of the most important components of Kaspersky Endpoint Security. File Anti-Virus scans for malware using:
— Malware signatures—a signature database is a “black list” of known malicious files. If a file does not match any of the database records, it is not malicious. A complete black list, where each known malicious or infected file is described thoroughly, requires too much space; that is why a signature database is optimized and narrowed down to a size that can be easily downloaded to a computer. Each record identifies a family of similar threats.
— Heuristic analysis (emulation of execution)—helps detect polymorphic malicious files, which change their code during execution and are therefore difficult to detect using signatures. File Anti-Virus runs executable files in a special isolated environment and watches whether the code in memory changes into something that matches a signature.
— KSN checks—File Anti-Virus sends the file checksum to KSN and receives an answer: whether such a file is found in the KSN database and what reputation it has. The KSN database is a huge list of all files (to be more exact, their checksums) known to Kaspersky Lab. This list includes files with untrusted reputation; it is a black list, and File Anti-Virus blocks such files. There are also files with trusted reputation; it is a white list, which includes known harmless files of operating systems and widespread software. File Anti-Virus does not block these files even if they match malware signatures. The KSN verdict has higher priority, because KSN contains more information than a local signature database.

To receive a verdict from KSN, a computer needs a connection to the Internet, which may be unreliable. For this reason, Kaspersky Endpoint Security does not rely upon KSN entirely, and uses the signature database and emulation as well. KSN verdicts may change with time. A file that has just appeared on the Internet has no reputation at first. Eventually, when KSN accumulates data about who uses this file, where and how, its reputation changes and may become trusted or untrusted.

For better protection, Kaspersky Endpoint Security could check the KSN verdict at each file operation. But that would increase the computer’s network traffic. Besides, sending a request and receiving an answer takes time, which depends on the quality of the communication channel. To avoid creating extra traffic and delaying file operations, Kaspersky Endpoint Security saves KSN verdicts in a local cache. Each verdict has its lifetime. For new files, it is short, which makes Kaspersky Endpoint Security recheck the verdict often. For files that have long been known, this time is long.

To avoid slowing down the computer, File Anti-Virus does not scan all files; it scans only those files that may infect a computer. For example, File Anti-Virus does not scan archives, because a file must be extracted before it can be started. It is either the user who extracts the file from the archive, or the operating system does this for the user. Either way, File Anti-Virus will scan the extracted files (and block them if necessary). Use virus scan tasks to check the files that File Anti-Virus does not scan. Virus scanning checks files within the specified scope and uses the same methods as File Anti-Virus.
2.2 What and How to Configure in File Anti-Virus
File Anti-Virus settings

File Anti-Virus, like Kaspersky Endpoint Security in general, solves two tasks:

— Prevent malware from causing harm
— Not hamper the user or legitimate software

The more files File Anti-Virus scans, the better it solves the former task and the worse the latter, and vice versa. The default settings balance protection and performance. By adjusting the settings, the administrator can tilt the balance one way or the other.

You can adjust Kaspersky Endpoint Security settings in the policy. The settings of all components are located in the respective sections: File Anti-Virus settings, in the File Anti-Virus section. To adjust its parameters, click the Settings button in the Security level area. Let us first describe the parameters that should not be changed and explain why.
File Anti-Virus does not scan all file types

General \ File types
  All files: File Anti-Virus scans all files belonging to the Protection scope that the user or programs access
  Files scanned by format (by default with the Recommended security level): File Anti-Virus checks the extension and file header to decide which format the file has. If files of this format may harm the computer, File Anti-Virus scans the file
  Files scanned by extension: File Anti-Virus checks only the file extension and decides on the format based on the extension only. If files of this format may harm the computer, File Anti-Virus scans the file
Files that may harm a computer are mainly executable files, but not only. Microsoft Office documents may contain executable code (macros), which can be malicious. Even documents without code, some graphic files for example, may exploit vulnerabilities of the applications that open them and make these programs run a part of the file as code.

By default, File Anti-Virus scans files by format. This way, Kaspersky Endpoint Security reliably protects the computer, because it scans all dangerous files, but does not slow down the computer, since it does not scan all the files. Scanning files by extension only is dangerous. For example, a malicious Word document may have the extension .123, which is not included in the scan list, but the user can open it nevertheless via its shortcut menu (Open with). Also, scanning by extension is not significantly faster than scanning by format. The user will not perceive any difference in performance. If the administrator wants to improve the performance of slow computers, it is better to start with exclusions for the programs with which users work. How to create exclusions is explained at the end of this section.

The list of scanned extensions:

com       Program executable file whose size does not exceed 64 KB
exe       Executable file, self-extracting archive
sys       System file of Microsoft Windows
prg       Text of the dBase™, Clipper or Microsoft Visual FoxPro® application, a program from the WAVmaker suite
bin       Binary file
bat       File that contains one or more commands
cmd       Command file of Microsoft Windows NT (a counterpart of a bat file for DOS), OS/2
dpl       Packed Borland Delphi library
dll       Dynamic-link library
scr       Microsoft Windows screen saver file
cpl       Control panel module in Microsoft Windows
ocx       Microsoft OLE object (Object Linking and Embedding)
tsp       Time-shared program
drv       Device driver
vxd       Driver of a Microsoft Windows virtual device
pif       File with information about a program
lnk       Link file in Microsoft Windows
reg       File for importing and exporting Microsoft Windows registry keys
ini       Configuration file that contains settings for Microsoft Windows, Windows NT and some other software
cla       Java class
vbs       Visual Basic script
vbe       Video BIOS Extension
js, jse   JavaScript source text
htm       Hypertext document
htt       Microsoft Windows hypertext template file
hta       Hypertext program for Microsoft Internet Explorer
asp       Active Server Pages script
chm       Compiled HTML file
pht       HTML file with built-in PHP scripts
php       Script built into an HTML file
wsh       Microsoft Windows Script Host file
wsf       Microsoft Windows script
the       Screensaver file for Microsoft Windows 95 desktop
hlp       Help file in Win Help format
eml       Microsoft Outlook Express message
nws       Microsoft Outlook Express news message file
msg       Microsoft Mail e-mail message
plg       E-mail message
mbx       Extension for a saved message of Microsoft Office Outlook
doc*      Microsoft Office Word document, such as:
  doc       Microsoft Office Word document
  docx      XML-based Microsoft Office Word 2007 document
  docm      Macro-enabled Microsoft Office Word 2007 document
dot*      Microsoft Office Word 2007 document template
  dot       Microsoft Office Word document template
  dotx      Microsoft Office Word 2007 document template
  dotm      Microsoft Office Word 2007 macro-enabled document template
fpm       Database program, a startup file of Microsoft Visual FoxPro
rtf       Document in the Rich Text Format
shs       Windows Shell Scrap Object Handler file
dwg       AutoCAD drawing database
msi       Microsoft Windows Installer package
otm       VBA project for Microsoft Office Outlook
pdf       Adobe Acrobat document
swf       Shockwave Flash object
jpg, jpeg Graphic file for storing compressed images
emf       Enhanced Metafile. The next generation of Microsoft Windows operating system metafiles. EMF files are not supported in 16-bit Microsoft Windows
ico       Icon
ov?       Microsoft Office Word executable files
xl*       Microsoft Office Excel documents and files, such as:
  xla       Microsoft Office Excel add-in
  xlc       Microsoft Office Excel chart
  xlt       Microsoft Office Excel template
  xlsx      Microsoft Office Excel 2007 workbook
  xltm      Microsoft Office Excel 2007 macro-enabled workbook
  xlsb      Microsoft Office Excel 2007 workbook in binary (non-XML) format
  xltx      Microsoft Office Excel 2007 template
  xlsm      Microsoft Office Excel 2007 macro-enabled template
  xlam      Microsoft Office Excel 2007 macro-enabled add-in
pp*       Microsoft Office PowerPoint documents, such as:
  pps       Microsoft Office PowerPoint slide
  ppt       Microsoft Office PowerPoint presentation
  pptx      Microsoft Office PowerPoint 2007 presentation
  pptm      Microsoft Office PowerPoint 2007 macro-enabled presentation
  potx      Microsoft Office PowerPoint 2007 presentation template
  potm      Microsoft Office PowerPoint 2007 macro-enabled presentation template
  ppsx      Microsoft Office PowerPoint 2007 slide show
  ppsm      Microsoft Office PowerPoint 2007 macro-enabled slide show
  ppam      Microsoft Office PowerPoint 2007 macro-enabled add-in
md*       Microsoft Office Access documents, such as:
  mda       Microsoft Office Access workgroup
  mdb       Microsoft Office Access database
sldx      Microsoft Office PowerPoint 2007 slide
sldm      Microsoft Office PowerPoint 2007 macro-enabled slide
thmx      Microsoft Office 2007 theme
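As an added illustration of why scanning by format is safer than scanning by extension (example code written for this section, not part of the course or of Kaspersky Endpoint Security), the following Python script models both modes on a few constructed files. The extension list is a short subset of the table above; the file signatures (MZ, the OLE compound document header and %PDF-) are the standard magic bytes of those formats; the sample file names and contents are constructed.

```python
from typing import Dict, Optional, Tuple

# Constructed subset of the scanned-extension list from the table above.
SCANNED_EXTENSIONS = {"com", "exe", "dll", "scr", "sys", "doc", "xls", "ppt", "pdf", "js"}

# Standard magic bytes of formats that can carry executable content.
DANGEROUS_SIGNATURES = [
    (b"MZ", "executable"),                                  # DOS/PE: exe, dll, scr, sys, ...
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-document"),  # binary Office: doc, xls, ppt
    (b"%PDF-", "pdf"),
]


def extension_of(filename: str) -> str:
    """Lower-case extension of a file name, or an empty string if it has none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def format_from_header(header: bytes) -> Optional[str]:
    """Identify the real format from the first bytes; None if no dangerous format is recognized."""
    for magic, name in DANGEROUS_SIGNATURES:
        if header.startswith(magic):
            return name
    return None


def scan_by_extension(filename: str, header: bytes) -> bool:
    """'Files scanned by extension': only the name decides; the content is never looked at."""
    return extension_of(filename) in SCANNED_EXTENSIONS


def scan_by_format(filename: str, header: bytes) -> bool:
    """'Files scanned by format': the extension is consulted, but the header is checked as well."""
    return extension_of(filename) in SCANNED_EXTENSIONS or format_from_header(header) is not None


# Constructed sample files: name -> first bytes of the content.
SAMPLES: Dict[str, bytes] = {
    "setup.exe": b"MZ\x90\x00\x03\x00",                          # ordinary executable
    "report.123": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00",   # Word document with a renamed extension
    "notes.txt": b"Meeting notes\n",                             # plain text, scanned in neither mode
}


def compare_modes() -> Dict[str, Tuple[bool, bool]]:
    """For each sample file: (scanned by extension?, scanned by format?)."""
    return {name: (scan_by_extension(name, hdr), scan_by_format(name, hdr))
            for name, hdr in SAMPLES.items()}


if __name__ == "__main__":
    for name, (by_ext, by_fmt) in compare_modes().items():
        print(f"{name:12} by extension: {by_ext!s:5}  by format: {by_fmt}")
```

The renamed Word document is the case from the text: scanning by extension lets it through, scanning by format catches the OLE header regardless of the name.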
File Anti-Virus uses the lowest heuristics level

Heuristic analysis of Kaspersky Endpoint Security starts a program executable in an isolated environment and watches what it does. First of all, heuristic analysis helps detect polymorphic malware, which can change its code during execution. When criminals e-mail new malware, or upload a new version of a malicious module to an infected computer, they may generate a file with a unique checksum for each computer or addressee. Signatures and even Kaspersky Security Network will not help in this case. But heuristic analysis clearly shows that all these versions restore the same malicious code when running. That is why you should not turn off Heuristic analysis in File Anti-Virus.

On the other hand, Heuristic analysis delays file start. The heuristics levels (Light, Medium or Deep) define how long the object is observed in the virtual environment. For File Anti-Virus this means a longer delay when a program is run. To avoid slowing down the computer, the lowest level is selected in the settings by default.
File Anti-Virus does not scan files that have already been scanned

Performance \ Scan optimization \ Scan only new and changed files
  Enabled (by default): File Anti-Virus does not scan files that have already been scanned if they have not been modified since then
  Disabled: File Anti-Virus scans a file every time the user or a program accesses it

Most files on the computer are rarely changed, and if File Anti-Virus scans only new and changed files, it puts almost no load on the computer. In the first few days, while all files are new to Kaspersky Endpoint Security, the user may feel that the computer works slower. But File Anti-Virus soon stops influencing performance. Do not turn off the option Scan only new and changed files in File Anti-Virus; it will slow down the computer.
How does Kaspersky Endpoint Security learn which files have been changed and which have not? The NTFS file system (and its successor ReFS) logs when files are changed and guarantees the integrity of these records. Therefore, on NTFS drives, Kaspersky Endpoint Security simply checks the file modification date. The FAT32 file system cannot log the modification date; neither can it protect the modification date against unsolicited changes. Malware may modify a file and then assign any modification date to it. For this reason, Kaspersky Endpoint Security saves checksums of scanned files into a special database for FAT32 drives. When the file is accessed next time, Kaspersky Endpoint Security re-calculates the checksum and compares it with the saved one. If the sums differ, the file has been changed, and File Anti-Virus scans it.

Scanning new files only once is dangerous. If malware gets on the computer before Kaspersky Endpoint Security receives its signatures, File Anti-Virus will scan it, consider it clean, and will not scan it at the next start. To prevent this, even if the option Scan only new and changed files is enabled, File Anti-Virus scans all new files repeatedly, at least twice, or even several times. For this purpose, Kaspersky Endpoint Security stores the release time of the signatures with which the file was scanned first and last. If a file has been scanned only once, or if the current version of the signatures was issued less than 24 hours after the one with which the file was scanned for the first time, File Anti-Virus re-scans the file.

What if signatures for a new threat are not issued within 24 hours? This almost never happens. Besides signatures, Kaspersky Endpoint Security also uses information from Kaspersky Security Network, which receives information about threats without delay. To further reduce the risk, use a virus scan task to check all files on the computer, including those that have not been changed and which File Anti-Virus has already scanned.
iSwift and iChecker

Additional \ Scan technologies \ iSwift Technology
  Enabled (by default): If the option Scan only new and changed files is disabled, File Anti-Virus uses a special algorithm so that files in the NTFS file system are not scanned every time they are accessed
  Disabled: If the option Scan only new and changed files is disabled, files in the NTFS file system are scanned every time they are accessed
Additional \ Scan technologies \ iChecker Technology
  Enabled (by default): If the option Scan only new and changed files is disabled, File Anti-Virus uses a special algorithm so that files in the FAT32 file system are not scanned every time they are accessed
  Disabled: If the option Scan only new and changed files is disabled, files in the FAT32 file system are scanned every time they are accessed
iSwift and iChecker scanning technologies are responsible for collecting data about the changes made to files. The iSwift technology extracts the data about changes from the NTFS and ReFS file systems. The iChecker technology is used for executable files located on drives with other file systems, for example, FAT32. For this purpose, iChecker calculates and saves the checksums of the scanned executable files. If the checksum remains the same during the next check, the file has not been changed. Both technologies save the file scan time and the version of the signatures used for scanning into a special database.

If the Scan only new and changed files check box is selected, the iSwift Technology and iChecker Technology check boxes are of no importance. Even if they are cleared, Kaspersky Endpoint Security will still monitor whether files have been changed, and will log the versions of signatures used for scanning files in the iSwift and iChecker databases.

Why are the iSwift Technology and iChecker Technology parameters necessary? Suppose the administrator believes that scanning new files only during the first 24 hours is too dangerous, and disables the option Scan only new and changed files. However, he or she does not want to scan files at each access either, because it will slow down the computer. The iSwift Technology and iChecker Technology parameters enable a mode in which File Anti-Virus does not scan files at each access, but never completely trusts already scanned files; it re-scans them from time to time with newer databases. It works as follows. Kaspersky Endpoint Security does not trust new files, and scans them at each access if the signatures’ version has changed since the last scan. It does not make any sense to scan a file with the same signatures. It goes on like that for several days. If the file does not change and is found to be clean at each scan, Kaspersky Endpoint Security assigns a trust period to the file.

During the trust period, if the file does not change, File Anti-Virus does not scan it. When the trust period is over, File Anti-Virus rescans the file at the next access with the latest signatures. If the file is still clean, it receives a new trust period, longer than the previous one. This way, files that are stored on the computer for a long time without being changed are eventually scanned less and less often. Using the parameters iSwift Technology and iChecker Technology instead of Scan only new and changed files is safer. In the course of time, File Anti-Virus will load the computer almost as little as with the option Scan only new and changed files; however, it takes considerably longer for performance to improve. Do not disable the iSwift and iChecker technologies in File Anti-Virus. This will either have no effect (if the Scan only new and changed files feature is enabled) or will lead to more scans and slow down the computer.
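To make the two re-scan policies described above concrete (the 24-hour rule of Scan only new and changed files, and the trust periods of iSwift and iChecker), here is an added Python model written for this section; it is not Kaspersky's implementation and the course does not contain it. The number of clean scans before a trust period is granted, the length of the first trust period and its doubling are constructed assumptions, as the text gives no values; the simulated file, dates and signature release times are constructed too. The change detection follows the text: modification time on NTFS/ReFS, a content checksum on FAT32.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple
import hashlib

# Constructed tuning values: the text gives none of these numbers.
CLEAN_SCANS_BEFORE_TRUST = 3            # clean scans with different signatures before a trust period
FIRST_TRUST_PERIOD = timedelta(days=1)  # first trust period; each later one is twice as long
RESCAN_WINDOW = timedelta(hours=24)     # from the text: re-scan until signatures 24 h newer than the first


@dataclass
class FileState:
    path: str
    content: bytes
    mtime: datetime
    fs: str                        # "NTFS", "ReFS" or "FAT32"


@dataclass
class Record:
    first_sig: datetime            # release time of the signatures used for the first scan
    last_sig: datetime             # release time of the signatures used for the last scan
    scans: int
    mtime: Optional[datetime]      # iSwift: modification time taken from NTFS/ReFS
    checksum: Optional[str]        # iChecker: content checksum on FAT32
    clean_streak: int = 0
    trusted_until: Optional[datetime] = None
    trust_period: timedelta = FIRST_TRUST_PERIOD


def fingerprint(st: FileState) -> Tuple[Optional[datetime], Optional[str]]:
    """iSwift trusts the NTFS/ReFS modification time; iChecker hashes the content on FAT32."""
    if st.fs in ("NTFS", "ReFS"):
        return st.mtime, None
    return None, hashlib.sha256(st.content).hexdigest()


class ScanCache:
    def __init__(self, scan_only_new_and_changed: bool) -> None:
        self.only_new = scan_only_new_and_changed
        self.db: Dict[str, Record] = {}

    def needs_scan(self, st: FileState, sig_time: datetime, now: datetime) -> bool:
        rec = self.db.get(st.path)
        if rec is None or (rec.mtime, rec.checksum) != fingerprint(st):
            return True                                   # new or changed file
        if self.only_new:
            # scan at least twice, and keep re-scanning until the signatures in use are
            # 24 h newer than those used for the very first scan
            return rec.scans < 2 or sig_time - rec.first_sig < RESCAN_WINDOW
        if rec.trusted_until is not None and now <= rec.trusted_until:
            return False                                  # unchanged and inside its trust period
        return sig_time != rec.last_sig                   # re-scan only with newer signatures

    def record_scan(self, st: FileState, sig_time: datetime, now: datetime, clean: bool = True) -> None:
        mtime, checksum = fingerprint(st)
        rec = self.db.get(st.path)
        if rec is None or (rec.mtime, rec.checksum) != (mtime, checksum):
            rec = Record(sig_time, sig_time, 0, mtime, checksum)
            self.db[st.path] = rec
        rec.scans += 1
        rec.last_sig = sig_time
        if not clean:
            rec.clean_streak, rec.trusted_until = 0, None
            return
        if rec.trusted_until is not None:
            rec.trust_period *= 2                         # still clean after the period: trust it longer
            rec.trusted_until = now + rec.trust_period
        else:
            rec.clean_streak += 1
            if rec.clean_streak >= CLEAN_SCANS_BEFORE_TRUST:
                rec.trusted_until = now + rec.trust_period


def simulate(scan_only_new_and_changed: bool, days: int = 8) -> List[bool]:
    """One unchanged NTFS file accessed once a day while signatures are updated daily."""
    t0 = datetime(2024, 1, 1, 9, 0)
    f = FileState(r"C:\Program Files\App\app.exe", b"MZ...", t0 - timedelta(days=30), "NTFS")
    cache = ScanCache(scan_only_new_and_changed)
    decisions = []
    for day in range(days):
        now = t0 + timedelta(days=day)
        sig_time = now - timedelta(hours=1)               # today's signatures, released an hour ago
        scan = cache.needs_scan(f, sig_time, now)
        decisions.append(scan)
        if scan:
            cache.record_scan(f, sig_time, now, clean=True)
    return decisions


def backdated_change_detected(fs: str) -> bool:
    """Change the content but keep the old modification time: only the checksum record notices."""
    t0 = datetime(2024, 1, 1, 9, 0)
    cache = ScanCache(scan_only_new_and_changed=False)
    cache.record_scan(FileState(r"D:\tool.exe", b"MZ original", t0, fs), t0, t0)
    tampered = FileState(r"D:\tool.exe", b"MZ tampered", t0, fs)
    return cache.needs_scan(tampered, t0, t0)
```

With Scan only new and changed files enabled, the file is scanned on day 1 and day 2 and then never again; in the iSwift/iChecker mode it is scanned daily until the trust period is granted, and afterwards at growing intervals, which is the behaviour the text describes.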
File Anti-Virus does not scan compound files (archives, etc.)

Performance \ Scan of compound files \ Scan archives
  Enabled: File Anti-Virus scans files within RAR, ARJ, ZIP, CAB, LHA, JAR, and ICE archives. For this purpose, File Anti-Virus unpacks an archive into a temporary folder or into memory
  Disabled (by default): File Anti-Virus neither unpacks archives nor scans files within them
To scan archived files, File Anti-Virus unpacks the archive, which consumes considerable computer resources. Archives are not dangerous as they are. A malicious file cannot be started from the archive. The user either unpacks the archive manually, or the operating system does this for the user. Either way, a malicious file gets onto a drive before it can run, and File Anti-Virus scans it like any other file. Do not enable the Scan archives option in File Anti-Virus. It will slow down the computer, but will not improve protection.

Performance \ Scan of compound files \ Scan installation packages
  Enabled: File Anti-Virus scans files within self-extracting archives and installation packages, such as MSI. For this purpose, File Anti-Virus extracts files into a temporary folder
  Disabled (by default): File Anti-Virus does not scan self-extracting archives and installation packages
Installation packages are executable files, and File Anti-Virus scans their executable part anyway. However, a large part of the data within an installation package consists of archived files of the program to be installed by the package. To scan them, File Anti-Virus extracts them from the package, similar to archives. Installation packages need not be scanned by File Anti-Virus. If the user copies a package, it cannot infect the computer. If the user starts a package, it will extract files itself and save them on the drive, where they will be scanned by File Anti-Virus.

Performance \ Scan of compound files \ Scan Office formats
  Enabled (by default): File Anti-Virus scans executable parts not only within Microsoft Office documents, but also in the objects embedded into them
  Disabled: File Anti-Virus scans executable parts only within Microsoft Office documents, and skips embedded objects
Microsoft Office files have a complicated structure. We can even say that there is a file system with additional files within a Microsoft Office document. When the user pastes an Excel chart into a Word document, Microsoft Office can add the whole Excel document to the Word document, with all its data, formulas and macros. Do not disable scanning for office documents. Not scanning objects embedded in office documents is dangerous. They may contain malicious macros, which Office programs can start without saving to the drive.
New and changed archives

If you disable the option Scan only new and changed files, you get the option to scan only new and changed archives, installation packages and office files.
Archive scan settings

If the administrator selects to scan archives, whenever the user tries to copy or open an archive, the operation will not start until File Anti-Virus unpacks the archive and scans all files within it. Meanwhile, the user cannot do anything with the archive. If the administrator wants to scan archives, the user experience can be improved by changing the additional archive scan settings.

Performance \ Scan of compound files \ Additional \ Background scan
  Unpack compound files in the background mode: File Anti-Virus will delay operations with small archives only. If the user opens a large archive, File Anti-Virus will allow access, but at the same time will unpack the archive and scan the files. The user will not have to wait. Large archives are those larger than the Minimum file size value
  Minimum file size: Not specified by default. Meaning, if you select to unpack compound files in the background, File Anti-Virus will scan all archives in the background mode

Performance \ Scan of compound files \ Additional \ Size limit
  Do not unpack large compound files: File Anti-Virus will scan only those archives that are smaller than the Maximum file size
  Maximum file size: 8 MB by default
File Anti-Virus scans files not at each read or write operation

The Scan mode determines the file operations that trigger scanning. It is simpler to describe them in the reverse order of their appearance:

Additional \ Scan mode
  On execution: File Anti-Virus scans a file before it is started. When the user or an application copies or edits a file, File Anti-Virus does not scan it
  On access: File Anti-Virus scans a file before a read operation. To copy or start a file, it must be read, meaning that File Anti-Virus scans executable files before they are started and all potentially dangerous files before they are copied. When the user or a program edits a file, File Anti-Virus does not scan it
  On access and on modification: File Anti-Virus scans files at every read or write operation. This is the safest mode, yet the most resource-consuming
  Smart mode: File Anti-Virus analyzes file operations. If a file is opened for writing, the scan will be performed after it is closed and all changes to it are made. Intermediate changes made to the file are not analyzed. If a file is opened for reading, it will be scanned once on opening, but will not be rescanned on intermediate read operations until the file is closed
Smart mode ensures the same protection as On access and modification, but consumes less resources. It is the best choice for most computers.
On computers where performance is more important than security, you can use the On access and On execution modes, at your own risk.
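Added example (written for this section, not Kaspersky code): a small Python model of which file operations trigger a scan in each Scan mode, run over a constructed trace of one user session (a document is edited, read back, and then an installer is started). The operation names in the trace are a simplification chosen for the model; they are not the product's event names.

```python
from typing import Dict, List, Set, Tuple

Event = Tuple[str, str]   # (operation, path); operation names are constructed for this model

MODES = ("On execution", "On access", "On access and on modification", "Smart mode")


def scan_points(mode: str, events: List[Event]) -> List[int]:
    """Return the indices of the events that trigger a File Anti-Virus scan in the given mode."""
    scans: List[int] = []
    open_for_read: Set[str] = set()
    open_for_write: Set[str] = set()
    for i, (op, path) in enumerate(events):
        if mode == "On execution":
            hit = op == "execute"                      # only program starts are scanned
        elif mode == "On access":
            hit = op in ("execute", "read")            # every read (copy, start), never a write
        elif mode == "On access and on modification":
            hit = op in ("execute", "read", "write")   # every read and every write
        elif mode == "Smart mode":
            hit = False
            if op == "execute":
                hit = True
            elif op == "open_read":
                hit = path not in open_for_read        # scanned once on opening only
                open_for_read.add(path)
            elif op == "open_write":
                open_for_write.add(path)               # wait until the writer closes the file
            elif op == "close":
                hit = path in open_for_write           # scan once all changes are made
                open_for_write.discard(path)
                open_for_read.discard(path)
        else:
            raise ValueError(f"unknown scan mode: {mode}")
        if hit:
            scans.append(i)
    return scans


# Constructed trace: a user edits a document, reads it back, then runs an installer.
TRACE: List[Event] = [
    ("open_write", "report.doc"),   # 0
    ("write", "report.doc"),        # 1
    ("write", "report.doc"),        # 2
    ("close", "report.doc"),        # 3
    ("open_read", "report.doc"),    # 4
    ("read", "report.doc"),         # 5
    ("read", "report.doc"),         # 6
    ("close", "report.doc"),        # 7
    ("execute", "setup.exe"),       # 8
]


def compare_modes() -> Dict[str, List[int]]:
    """Scan points of every mode over the constructed trace."""
    return {mode: scan_points(mode, TRACE) for mode in MODES}


if __name__ == "__main__":
    for mode, points in compare_modes().items():
        print(f"{mode:30} scans at events {points}")
```

Over this trace Smart mode scans three times, the same number as On access, but one of its scans happens right after the edited document is closed, so the modified content is checked before anything else reads it; On access and on modification scans five times for the same coverage, and On execution never scans the document at all.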
File Anti-Virus deletes malware

Malware detected by File Anti-Virus should not be left unprocessed, and the settings that regulate File Anti-Virus actions should be locked. The optimal choice is to disinfect and, if disinfection is impossible, delete infected files (1). Most malicious files cannot be disinfected, because they contain nothing but the infected code. Before a file is disinfected or deleted, its copy is placed into the Backup repository or Quarantine, depending on the verdict. In case a file contains important information or is deleted because of a false positive, it can be recovered. If the Roll back malware actions during disinfection option is enabled within the properties of the System Watcher component, Kaspersky Endpoint Security not only deletes malicious files, but also rolls back their actions (2).

(1) The Select action automatically option is equivalent to the Disinfect. Delete if disinfection fails option.
(2) The rollback procedure is described in Chapter 4 of this Unit.
2.3 What to Do If File Anti-Virus Slows down the Computer
First, find out whether File Anti-Virus actually slows down the computer (or a program):
— Find the computer that works slowly
— Disable the policy on it (see the section How to Protect Kaspersky Endpoint Security from the User)
— Stop (disable) File Anti-Virus
— Check whether the computer (program) works any faster
Even if programs work faster on the computer without File Anti-Virus, do not disable File Anti-Virus entirely. Configure exclusions for applications. Try various exclusion types:
— If all program files are located in a single folder, exclude the program’s folder from scanning
— If the program works with files in various folders or in a temporary folder, make the executable file of the program trusted
— If the program works with files in shared folders, try disabling scanning of network drives
— For programs that start on a specified schedule outside business hours, pause File Anti-Virus while the program runs

Never exclude the operating system’s temporary folder from scanning. Malware is often started from it.
How to exclude an application’s folder
Exclusions are configured in Kaspersky Endpoint Security policy: in the General Protection Settings section, click the Settings button in the Scan exclusions and trusted zone area. Exclusions for folders are located on the tab Scan exclusions and are applied to all protection components. A scan exclusion consists of three attributes:
— File or folder—the name of the file or folder to which the exclusion applies. The name of the object may include environment variables (%systemroot%, %userprofile% and others) and also the “*” and “?” wildcard characters
— Object name—the name of the threat to be ignored (usually corresponds to a malware name), which can also be specified using wildcard characters
— Protection components—the list of protection components to which the rule applies

Of the three attributes, the third one and at least one of the first two must be specified. You can create a scan exclusion for a file or folder without specifying the threat type; then the selected components will ignore any threats in the specified file or folder. Alternatively, you can create a scan exclusion for a threat type, for example, for the UltraVNC remote administration tool, so that the selected protection components would not respond to this threat regardless of where it is detected. All three attributes can also be specified simultaneously. For example, the exclusion list contains a set of rules for widespread remote administration tools: UltraVNC, RAdmin, etc. In these rules, both the threat type and the object (typical location of the executable file) are specified. According to such an exclusion, Kaspersky Endpoint Security would allow running a remote administration tool from the Program Files folder, but if the user runs the tool from another folder, Kaspersky Endpoint Security would consider it a threat.
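The following added Python example (written for this section, not the product's code) shows how the three exclusion attributes combine, using the remote administration tool case from the text: a path plus threat name rule that only applies in the standard installation folder, and a folder-only rule that applies to one component. The environment variable values, folder and file names and the threat-name pattern are constructed. It also flags a rule that would cover the operating system's temporary folder, which the previous section warns against.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed environment values; on a real endpoint they come from the operating system.
ENV = {
    "systemroot": r"C:\Windows",
    "programfiles": r"C:\Program Files",
    "userprofile": r"C:\Users\alice",
}


def expand(pattern: str) -> str:
    """Replace %VAR% references (case-insensitive) with the constructed ENV values."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), pattern)


def path_matches(pattern: str, path: str) -> bool:
    """A pattern matches the object itself or, when it names a folder, anything beneath it."""
    pat = expand(pattern).lower().rstrip("\\")
    p = path.lower()
    return fnmatch.fnmatchcase(p, pat) or fnmatch.fnmatchcase(p, pat + "\\*")


@dataclass
class Exclusion:
    components: Set[str]               # "Protection components" attribute
    path: Optional[str] = None         # "File or folder" attribute
    object_name: Optional[str] = None  # "Object name" (threat name) attribute

    def is_valid(self) -> bool:
        """Components plus at least one of the other two attributes, as the text requires."""
        return bool(self.components) and (self.path is not None or self.object_name is not None)

    def applies(self, component: str, path: str, threat: str) -> bool:
        if component not in self.components:
            return False
        if self.path is not None and not path_matches(self.path, path):
            return False
        if self.object_name is not None and not fnmatch.fnmatchcase(threat.lower(), self.object_name.lower()):
            return False
        return True


def is_excluded(rules: List[Exclusion], component: str, path: str, threat: str) -> bool:
    """True if some valid rule tells the given component to ignore this detection."""
    return any(r.is_valid() and r.applies(component, path, threat) for r in rules)


def covers_os_temp(rule: Exclusion) -> bool:
    """Flag a folder exclusion that would hide the operating system's temporary folder."""
    if rule.path is None:
        return False
    return path_matches(rule.path, expand(r"%systemroot%\Temp\probe.tmp"))


# Constructed rule set in the style the text describes.
RULES = [
    # Remote administration tool allowed only from its standard location
    # (the threat-name pattern is constructed, not a real verdict string).
    Exclusion({"File Anti-Virus", "System Watcher"},
              path=r"%programfiles%\UltraVNC\*",
              object_name="RemoteAdmin.Win32.UltraVNC*"),
    # Build tree of a developer tool: any verdict ignored there, by File Anti-Virus only.
    Exclusion({"File Anti-Virus"}, path=r"%userprofile%\Documents\BuildTree"),
]
```

The same tool binary is excluded under Program Files but not in a Downloads folder, another verdict inside the UltraVNC folder is still reported, and the folder-only rule is honoured by File Anti-Virus but not by Web Anti-Virus.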
How to exclude files that a process accesses
If the computer runs resource-consuming programs, their operation can be slowed down by File Anti-Virus. This is especially true for programs that perform numerous file operations, for example, backup copying or defragmentation. To avoid slowdowns, make these applications trusted. For this purpose, in the exclusion settings window, add the executable file to the list on the Trusted applications tab. In the Scan exclusions for application window, specify the path to the executable file and select the Do not scan opened files action. The path may contain environment variables and the “*” and “?” wildcards.
How not to scan network drives
Not scanning network drives at all is dangerous. Before disabling network drive scanning, make sure that protection tools are installed on all network computers. Do not disable network drive scanning “just in case”; do it only if it solves the users’ issues. To exclude network drives from scanning, edit the protection scope in the security level settings.
By default, Protection scope of the File Anti-Virus includes:
— All removable drives
— All hard drives
— All network drives

In other words, all drives from which malware can be run. The protection scope allows adding individual drives and folders instead of drive groups. However, disabling any standard scan scope considerably decreases the protection level.
How to temporarily stop File Anti-Virus
If the desired effect is not achieved by setting up exclusions, as a last resort, configure pausing File Anti-Virus while the program runs (in the Security Level settings, on the Additional tab). File Anti-Virus can be paused while a resource-consuming operation is performed using the settings in the Pause task area:
— By schedule—the schedule (daily only) is set by specifying the time when the File Anti-Virus is to be paused and when it is to resume its normal operation. The time is specified in hours and minutes
— At application startup—File Anti-Virus will pause when the specified program loads in the memory and will resume its operation when this program is unloaded from the memory
How to apply settings to computers

Policy settings must be enforced, meaning locked. Unlocked settings are not applied to the computers. Since all locks are closed in a policy by default, the administrator may not even notice them. As long as you edit settings without touching the locks, all settings remain mandatory and are enforced on the computers. However, remember that if the locks are open, the configured settings are not applied. If you have changed settings in a policy and they have not changed on the computers, check the locks in the policy.
2.4 Standard File Anti-Virus Protection Levels

The security levels can be managed using the three-position switch: Low, Recommended and High. Depending on the switch position, the File Anti-Virus settings adopt the following values:

File types
  Low: Files scanned by extension
  Recommended: Files scanned by format
  High: All files

Protection scope
  Low, Recommended, High: All removable drives, All hard drives, All network drives

Heuristic analysis
  Low: Light scan
  Recommended: Light scan
  High: Medium scan

Scan only new and changed files
  Low: +
  Recommended: +
  High: —

Scan of compound files
  Low, Recommended: Scan Office formats; Do not unpack large compound files: 8 MB
  High: Scan new archives; Scan new installation packages; Scan all Office formats; Unpack compound files of any size

Scan mode
  Low, Recommended, High: Smart

Scan technologies
  Low, Recommended, High: iSwift technology, iChecker technology

Pause task
  Low, Recommended, High: —
If any setting is modified, the security level is changed to Custom. In order to return to the Recommended level, click the By default button.
2.5 How and Why Configure Scheduled File Scanning
Why search for viruses after the File Anti-Virus
How can virus scanning help if File Anti-Virus scans all dangerous files anyway? Virus Scan:

— Prevents users from spreading archived malware
— Updates caches of KSN, iSwift and iChecker, after which File Anti-Virus can scan fewer files
— Scans files that have not been changed. The File Anti-Virus does not scan such files, which may be dangerous

Virus scan tasks check objects using the same methods as File Anti-Virus: signature and heuristic analysis and KSN. The difference is that File Anti-Virus checks files on the fly when they are accessed, while virus scan tasks inspect the files by schedule or on demand. File Anti-Virus works alongside the user. The more actively the user's applications work, the more files File Anti-Virus scans and the more resources it consumes. Therefore, the File Anti-Virus settings are optimized to ensure protection against immediate threats only. If the user copies an archive, there is no immediate infection risk and the archive need not be scanned. Virus scan tasks can be started during off hours, when more resources are available and a more thorough scan can be performed. That is why the scan task waits for the answer from KSN before returning the final verdict, regardless of the signature and heuristic analysis results. Also, the task may check the objects that are excluded from the scan scope of the File Anti-Virus: archives, installation packages, files in non-infectable formats, etc. A virus scan task can be configured to check the processes in the memory and be scheduled to run after each successful database update.
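To make the cache mechanism concrete, here is an added illustration in Python (not Kaspersky's code and not the real iSwift/iChecker algorithm) of a scan cache that lets a task skip files it has already scanned. It assumes that a file counts as unchanged when its path, size and modification time are the same as at the last scan, and that a cache entry is only trusted when it was produced with the current database version, so a database update forces one full rescan that re-warms the cache. The file list and database versions are constructed sample data.

```python
# Added illustration (not Kaspersky's code): a simplified model of a scan cache
# in the spirit of iChecker/iSwift. Assumptions: a file is "unchanged" when its
# path, size and modification time are the same as at the last scan, and cache
# entries are only trusted when they were produced with the current database
# version, so a database update forces one full rescan that re-warms the cache.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FileInfo:
    path: str
    size: int
    mtime: int      # modification time in seconds (constructed values below)


class ScanCache:
    """Remembers which files were already scanned and with which database."""

    def __init__(self) -> None:
        # path -> (size, mtime, db_version)
        self._entries: Dict[str, Tuple[int, int, int]] = {}

    def needs_scan(self, f: FileInfo, db_version: int) -> bool:
        entry = self._entries.get(f.path)
        if entry is None:
            return True                      # never seen: a new file
        size, mtime, version = entry
        if version != db_version:
            return True                      # signatures changed since the last verdict
        return (size, mtime) != (f.size, f.mtime)   # changed file

    def record(self, f: FileInfo, db_version: int) -> None:
        self._entries[f.path] = (f.size, f.mtime, db_version)

    def forget(self) -> None:
        """Model of disabling iSwift and iChecker: throw the cache away."""
        self._entries.clear()


def run_scan(cache: ScanCache, files: List[FileInfo], db_version: int,
             only_new_and_changed: bool = True) -> List[str]:
    """Return the paths the task actually scans; the rest are skipped as cached."""
    scanned = []
    for f in files:
        if only_new_and_changed and not cache.needs_scan(f, db_version):
            continue
        # the real signature/heuristic/KSN check of f would happen here
        cache.record(f, db_version)
        scanned.append(f.path)
    return scanned


def simulate() -> Dict[str, List[str]]:
    """Four consecutive scans over a constructed file set."""
    cache = ScanCache()
    files = [
        FileInfo(r"C:\Windows\explorer.exe", 4_000_000, 1_600_000_000),
        FileInfo(r"C:\Users\alice\report.docx", 120_000, 1_700_000_000),
        FileInfo(r"C:\Users\alice\tools.zip", 9_000_000, 1_700_000_100),
    ]
    out = {}
    out["first run, db 1"] = run_scan(cache, files, db_version=1)
    # the user edits the document; nothing else changes
    files[1] = FileInfo(files[1].path, 125_000, 1_700_000_500)
    out["second run, db 1"] = run_scan(cache, files, db_version=1)
    # new databases arrive: every verdict must be refreshed once
    out["third run, db 2"] = run_scan(cache, files, db_version=2)
    # with "scan only new and changed files" switched off the cache is ignored
    out["full scan, db 2"] = run_scan(cache, files, db_version=2, only_new_and_changed=False)
    return out


if __name__ == "__main__":
    for label, paths in simulate().items():
        print(f"{label}: scanned {len(paths)} file(s): {paths}")
```

The second run scans only the edited document, which is the effect the text describes: a scheduled scan warms the cache, and File Anti-Virus afterwards has fewer files to look at. The third run shows why the "After application update" schedule exists: once the databases change, cached verdicts are stale and everything is checked again.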
What and how to scan for viruses
Configure virus scan settings in virus scan tasks. The Quick Start wizard creates one of these tasks in the Managed devices group. Adjust this task until you decide that you need more tasks.
Scan scope

Scan scope is a list of paths to folders and files that are to be scanned by the task. System variables are allowed (for example, %systemroot%), as well as * and ? wildcards in the file or folder names. For the folders, you can select whether to scan all the contents, including subfolders, or just the folder itself without subfolders. If subfolders are not selected to be scanned, the object icon is marked with a little red "minus" sign. In addition to files and directories, the following scan objects can be specified:

— My email—Outlook data files (.pst and .ost)
— Kernel Memory—the kernel memory of the operating system
— Running processes and Startup Objects—the memory area allocated for processes and executable files of applications that start at the operating system start. Additionally, if this object is selected in the task properties, rootkit scanning will also be performed (rootkits are hidden objects of the file system)
— Disk boot sectors—boot sectors of hard and removable drives
— System Backup—System Volume Information folders
— All removable drives—the removable drives connected to the computer at the moment
— All hard drives—computer hard drives
— All network drives—all network drives connected to the computer
— Computer—all the above objects, except for My email and All network drives
Create a task that scans the whole computer weekly or every other week. If you cannot find proper time for such a task, scan at least critical areas:

— Kernel Memory
— Running processes and Startup Objects
— Disk boot sectors
— %systemroot%\
— %systemroot%\system\
— %systemroot%\system32\
— %systemroot%\system32\drivers\
— %systemroot%\syswow64\
— %systemroot%\syswow64\drivers\
Security level

Security level parameters in virus scan tasks are almost identical to the security level parameters specified for File Anti-Virus. There are only a few virus scan parameters in the tasks that are not available in File Anti-Virus:

— Skip files that are scanned for longer than N s.—on the Scope tab in the Scan optimization area. Enable this parameter if virus scanning takes long and does not complete within the allocated time
— Parse email formats—on the Scope tab in the Scan of compound files area. It is disabled by default, because mail formats also include mailbox files, whose scanning takes too much time. Some malicious files are spread within office documents with an embedded mail file, which contains an executable attachment. To completely prevent running such a file, enable scanning for office documents and mail formats
— Password-protected archives—when scanning these, Kaspersky Endpoint Security will prompt the active user for the password to unpack the archive. Since scheduled scans usually run in off hours when there is no user, this option should be reserved for manual scans performed locally.

Virus scan tasks are also used to check archives. This is important because the File Anti-Virus usually does not scan archives. A virus scan task can check the same types of compound objects as the File Anti-Virus. Processing of compound objects is regulated by another option that becomes available after clicking the Additional button—Do not unpack large compound files. The other security level parameters are identical to those of File Anti-Virus. Since the objective of virus scanning is to scan the files that have not been scanned by File Anti-Virus, and to update the caches of KSN, iSwift and iChecker so that File Anti-Virus can scan fewer files, use the following settings in the task:

— Scan all files
— Do not scan only new and changed files
— Scan all archives, installation packages and Office files

If time permits, on the Additional tab:

— Set the deep heuristic analysis level
— Disable iSwift and iChecker technologies to make the task really scan all the files

Account

By default, scan tasks are started on the client computers under the Local System account. If the scan scope includes network drives or other objects with restricted access, the task will not be able to scan them. To solve this problem, specify an account that has the necessary rights within the task properties.
Standard virus scan security levels

You can also change the scan settings using the Security level slider. In that case the following settings will be used:

Setting                                     | Low                     | Recommended | High
File types                                  | Files scanned by format | All files   | All files
Scan only new and changed files             | +                       | –           | –
Skip files that are scanned for longer than | 180 sec                 | –           | –
Scan archives                               | New                     | All         | All
Scan installation packages                  | New                     | All         | All
Scan embedded OLE objects                   | New                     | All         | All
Parse email formats                         | –                       | –           | +
Scan password-protected archives            | –                       | –           | –
Do not unpack large compound files          | –                       | –           | –
Heuristic analysis                          | Light scan              | Medium scan | Deep scan
iChecker technology                         | +                       | +           | +
iSwift technology                           | +                       | +           | +
How to select an optimal schedule
Virus scan tasks may use any regular schedule: every N minutes, every N hours, every N days, weekly, monthly. They can also be started once: either automatically at the specified time, or manually. In addition, special schedule types are available:
— After application update—the task will start after new threat signatures are downloaded and applied. This is convenient for the scanning of memory and other locations where active threats may appear
— At application start—the task will start immediately after the launch of Kaspersky Endpoint Security (or in a few minutes). This is another opportunity for the scanning of the most vulnerable computer areas
— On completing another task—a universal schedule that allows arranging tasks into a chain. From the practical viewpoint, the best approach would be to link virus scan to update completion, but there is already a special schedule option for that purpose
— On virus outbreak—when the Virus outbreak event is registered on the Administration Server

There is also an option that allows running missed tasks. If a computer is turned off at the scheduled time, the task will start as soon as the computer is switched on. Use this option cautiously. If virus scanning starts in the morning when the user turns on the computer, scanning will hamper the user.
The mode Define task launch delay automatically makes more sense for an update task than for a virus scan task. See Unit IV for details. The Advanced window contains a few other useful settings:

— Activate computer before the task is launched by the Wake On LAN function (min)—the option allows you to schedule scan start for the night time or weekends without needing to worry whether the computer is on. However, to use this feature, you need to enable its support in the BIOS settings of the target computers
— Turn off computer after task is complete—the option may supplement the previous one. If a scan is scheduled for the night or a weekend, the computer can be turned off after its completion
— Stop if the task is taking longer than (min)—the option allows guaranteed task completion before the working day begins, so that the running scan does not interfere with the user activity

On servers, perform virus scanning on weekends, when they are less loaded. On workstations, try to find a time when computers are on, but virus scanning will not hamper the users:

— Quick virus scanning can be performed during the lunchtime
— Full scanning should run at night. Explain to the users which day of the week they should not shut down their computers
What if no schedule is optimal
If you cannot arrange that the users do not turn off their computers, use Wake-On-LAN to power on the computers at night and run the virus scan task. If this capability cannot be used either, use so-called idle scanning. To enable idle scanning, open the Properties section in the task and select the check box Pause scheduled scan when the screensaver is inactive and the computer is unlocked (in the Run mode area). In this mode, virus scanning will be performed only when the computer is not used (locked or a screensaver is active); otherwise, the task will be Paused. A full computer scan in the idle mode may take a few days or even a couple of weeks, but it is better than not scanning a computer at all.
2.6 What to Do with False Positives
How to configure an exclusion for an incorrect verdict
If Kaspersky Endpoint Security informs about a threat in a file that is known to be clean, it is a false positive. False positives hamper work considerably. Kaspersky Lab very thoroughly tests new signatures on a huge number of files of operating systems and popular software to prevent false positives. During scanning, Kaspersky Endpoint Security checks files against Kaspersky Security Network and ignores threats in the files which KSN considers to be trusted. False positives happen extremely rarely, and usually concern files of infrequent software: for example, homeware. If File Anti-Virus or a virus scan task finds a threat in a clean file, create an exclusion for it:

1. Open the trusted zone settings in the Kaspersky Endpoint Security policy: General Protection Settings | Scan exclusions and trusted zone | Settings
2. Add the file that gets a false positive to the list on the Scan exclusions tab. Select the File or folder check box. Click the link select file or folder in the lower part of the window to specify the complete path to the file. Use environment variables, for example, %ProgramFiles%

It is safer to create an exclusion for a specific threat that Kaspersky Endpoint Security detected erroneously rather than exclude the file entirely. For this purpose:

3. Select the check box Object name in the exclusion window. Click the link enter object name in the lower part of the window to specify the threat name. The threat name can be found in the event about the threat detected by Kaspersky Endpoint Security, in the Result\Name field.
Exclusion by certificate

What to do if you configured an exclusion, but a new program version has been issued with new names of the folder and executable file, which also gets a false positive? If file names are similar, use a path mask. In a mask, the asterisk “*” stands for an arbitrary sequence of symbols, and the question mark “?” stands for a single arbitrary symbol. For example, the file*.exe mask matches all files whose names start with “file” and have the .exe extension. If file names are entirely different, but all files are signed by a certificate, place the certificates in the certificate store on the computers where the program is used and configure Kaspersky Endpoint Security to trust these certificates:

1. Open the trusted zone settings in the Kaspersky Endpoint Security policy: General Protection Settings | Scan exclusions and trusted zone | Settings
2. Switch to the tab Trusted system certificate store, select the check box Use trusted system certificate store and select a store. The default choice is Enterprise Trust
3. Place the certificate(s) with which program files are signed in the selected store on the client computer. You can use, for example, Active Directory group policies for this.

Each computer has the user’s certificate stores and the computer’s certificate stores. Kaspersky Endpoint Security trusts only the certificates that are located in the computer’s repository. For homeware, you can use even self-signed certificates.
2.7 File Protection: Summary
File Anti-Virus scans files on the drive that the user, operating system, and programs access. To avoid slowing down the computer, File Anti-Virus scans only those files that pose an immediate threat. However, it does not prevent the user from copying archived malicious files. Virus scan tasks scan all files and delete malicious files that are passively stored on the computer, for example, archived malicious files.
If you cannot figure out a suitable schedule for running the scan task, use idle scanning. If File Anti-Virus slows down the computer or programs:

— Schedule virus scanning. It updates the cache of scanned files and permits File Anti-Virus not to scan them repeatedly if they have not been changed
— Configure exclusions for applications: for folders, executable files or certificates
— If files (for example, user profiles) load slowly over the network, and protection is installed on network servers, do not scan network drives
— As a last resort, pause File Anti-Virus while a resource-intensive program runs

Do not disable File Anti-Virus. Schedule virus scanning on computers.
Chapter 3. How to Configure Protection Against Network Threats
3.1 How Network Protection Works
What network components do
A network is one of the main ways of spreading a virus. That is why network protection and network traffic scanning are so important for computer security. In Kaspersky Endpoint Security, the Mail Anti-Virus, Web Anti-Virus and IM Anti-Virus components are responsible for anti-malware scanning of network traffic:
— Mail Anti-Virus: deletes malicious code from e-mail messages and attachments; renames potentially dangerous attachments
— Web Anti-Virus: does not allow malicious files to download; does not permit visiting malicious and phishing web sites
— IM Anti-Virus: deletes links to malicious and phishing web sites from messages
How Kaspersky Endpoint Security intercepts traffic
Kaspersky Endpoint Security intercepts network traffic using an NDIS filter. The driver intercepts outbound connections from the computer programs and transfers packets to the network antivirus components. Kaspersky Endpoint Security detects the connection protocol and transfers packets to the corresponding component:

— HTTP, FTP: Web Anti-Virus, Web Control
— SMTP, POP3, IMAP, NNTP: Mail Anti-Virus
— Instant messaging protocols: IM Anti-Virus

Other packets are sent directly to the programs and applications for which they are destined. Kaspersky Endpoint Security does not scan data in secure connections (SSL/TLS).

Kaspersky Endpoint Security can intercept only connections to the specified ports rather than all of the outbound connections. To achieve this, in the Kaspersky Endpoint Security policy, select General Protection Settings and in the Monitored ports area, select Monitor only selected ports. Click the Settings button and specify the ports which need to be controlled. If you do not know which ports a program uses, select the check box Monitor all ports for specified applications, and add the path to the program’s executable file to the list. Standard ports and programs are specified in the list of Monitored ports. If non-standard ports or programs are used, add them to the list.
3.2 Mail Anti-Virus
What Mail Anti-Virus does
The Mail Anti-Virus protects from e-mail threats. Messages are intercepted at the protocol level (POP3, SMTP, IMAP and NNTP), and by embedding into Microsoft Office Outlook (MAPI). Mail Anti-Virus detects and deletes malware using virus signatures, heuristic analysis and Kaspersky Security Network. Additionally, Mail Anti-Virus can block or rename e-mail attachments that match the specified masks. Mail Anti-Virus changes the subject of infected messages. The action taken is described in the message subject.
Mail Anti-Virus settings

Protection scope

Security settings, among other options, determine the Protection scope. Mail Anti-Virus can scan either

— Incoming and outgoing messages, or
— Only incoming messages

To ensure minimal computer protection, you can scan incoming messages only. The scan of outgoing messages can prevent inadvertent sending of an archived infected file and save the embarrassment. Additionally, you can select to scan outgoing messages if you want to block attachments of certain types, for example, music or videos.
Connectivity

The Connectivity group of settings more precisely defines the protection scope:

— POP3/SMTP/NNTP/IMAP traffic—enables scanning of mail and news messages transferred over the specified protocols [3]
— Additional: Microsoft Office Outlook extension—scan objects when they are received, read and sent at the level of the Microsoft Office Outlook client.

If Mail Anti-Virus slows down the Microsoft Outlook mail client, try disabling scanning when a message is read. Click the Settings button and clear the check box Scan when reading. Scanning at the protocol level operates independently of the mail clients used. However, messages transferred over unsupported protocols (for example, through Microsoft Exchange or Lotus Notes servers) will not be scanned. Conversely, scanning at the mail client level works regardless of the way the message was received. However, the list of supported mail clients is rather limited.
Scanning methods

These settings concern attached compound files. If archives are attached, they can be unpacked and scanned. This behavior is controlled with the following settings:

— Scan attached archives—this setting allows the administrator to fully disable archive scanning. As a rule, it is better to leave this check box selected and to scan archives “on the fly” using Mail Anti-Virus. It is much easier not to allow any infected archive to penetrate into the mail database than to remove it from the database later using an on-demand scan task
— Scan attached Office formats

Do not turn off these parameters. Malicious files are often spread in attached archives and office documents.

— Do not scan archives larger than NN MB—limits the volume of archives or office files to be scanned. Malware is rarely spread in big files. Enable this limitation to avoid waiting too long when receiving large compound files
— Do not scan archives for more than NN sec.—this option implements protection against “archive bombs” whose scanning requires a very long time and a lot of resources, which slows down the computer.

Attachment filter

These settings concern only attached files. You can:

— Disable filtering—let through all kinds of non-malicious attachments
— Rename specified attachment types [4]—is used by default and renames attachments of executable types (.exe, .bat, .cmd, etc.). This is a preventive measure against unknown malware. The user will not be able to start the attached file without consciously renaming it.
[3] Not only mail messages are scanned, but also the objects within Public folders and Calendar: any objects received over MAPI from the Microsoft Exchange storage.
[4] Renaming is as follows: the last character of the extension is replaced with the underscore character, e.g., file.exe becomes file.ex_
If archive scanning is enabled, Mail Anti-Virus will also rename attached archives that contain files with the specified extensions. This option can also be used to fight outbreaks of new viruses. If the names of the attachments used by the virus are known, they can be added to the list and then renamed so that the users are unable to open these attachments as regular files. Renaming can reliably prevent infection. At the same time, if a harmless attachment matches the specified mask, renaming would not cause any serious problems. The user can consult the administrator and receive instructions on how to rename the file back
— Delete specified attachment types—is a safe way to prevent infections, which can also be used to prevent exchange of files of certain types: for example, music or video files. If archive scanning is enabled, Mail Anti-Virus will delete files of the specified types from attached archives

The list of filters contains the masks of frequently used file extensions. In addition to the extensions, user-defined masks can contain parts of names. “*” and “?” wildcard characters can be used. The added masks will go to the beginning of the list and will be enabled immediately.
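The following is an added Python illustration (not Kaspersky's code) of two mechanisms the text describes: the “*” and “?” name masks used both for scan exclusions (section 2.6) and for the attachment filter, and the attachment filter's rename and delete rules, including the handling of attached archives (renaming the archive when it holds a file of a renamed type, removing files of deleted types from it). The mask lists, the rename rule's treatment of names without an extension and the sample mailbox are constructed for the example; matching is case-insensitive, as file names are on Windows.

```python
# Added illustration (not Kaspersky's code) of name masks and the attachment
# filter. Mask lists and the sample mailbox below are constructed for the example.
import io
import re
import zipfile
from typing import Dict, List, Tuple

RENAME_MASKS = ["*.exe", "*.bat", "*.cmd", "*.scr"]   # constructed subset of executable types
DELETE_MASKS = ["*.mp3", "*.avi"]                     # constructed: block media files


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """'*' matches any sequence of characters, '?' exactly one; the rest is literal."""
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches_any(name: str, masks: List[str]) -> bool:
    return any(mask_to_regex(m).match(name) for m in masks)


def renamed(name: str) -> str:
    """Rename rule from the text: the last character of the extension becomes '_'."""
    base, dot, ext = name.rpartition(".")
    if not dot or not ext:
        return name                 # no extension: nothing to neutralise (assumption)
    return f"{base}.{ext[:-1]}_"


def zip_members(data: bytes) -> List[str]:
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


def _without_members(data: bytes, drop: List[str]) -> bytes:
    """Rebuild an in-memory zip without the listed members."""
    src = zipfile.ZipFile(io.BytesIO(data))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename not in drop:
                dst.writestr(info.filename, src.read(info.filename))
    return out.getvalue()


def filter_attachments(attachments: Dict[str, bytes], rename_masks=RENAME_MASKS,
                       delete_masks=DELETE_MASKS, scan_archives=True) -> Tuple[Dict[str, bytes], List[str]]:
    """Apply the delete and rename rules; return the surviving attachments and a log."""
    result, log = {}, []
    for name, data in attachments.items():
        if matches_any(name, delete_masks):
            log.append(f"deleted {name}")
            continue
        new_name = name
        if matches_any(name, rename_masks):
            new_name = renamed(name)
        elif scan_archives and name.lower().endswith(".zip"):
            members = zip_members(data)
            drop = [m for m in members if matches_any(m, delete_masks)]
            if drop:                                    # delete filtered files from the archive
                data = _without_members(data, drop)
                log.append(f"removed {drop} from {name}")
            if any(matches_any(m, rename_masks) for m in members if m not in drop):
                new_name = renamed(name)                # archive holds an executable: rename the archive
        if new_name != name:
            log.append(f"renamed {name} -> {new_name}")
        result[new_name] = data
    return result, log


def sample_mailbox() -> Dict[str, bytes]:
    """Constructed attachments of one message, including a small archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("readme.txt", "constructed text")
        z.writestr("bin/run.cmd", "@echo constructed")
        z.writestr("clip.avi", b"\x00" * 16)
    return {
        "report.docx": b"constructed document",
        "setup.exe": b"MZ constructed",
        "song.mp3": b"constructed audio",
        "tools.zip": buf.getvalue(),
    }


if __name__ == "__main__":
    kept, actions = filter_attachments(sample_mailbox())
    print(sorted(kept), actions)
```

On the constructed message, setup.exe becomes setup.ex_, song.mp3 is dropped, and tools.zip loses clip.avi and is itself renamed to tools.zi_ because it carries a .cmd file. The same mask_to_regex is what a path mask such as file*.exe in an exclusion amounts to.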
Standard security levels

Setting                                        | Low                               | Recommended                       | High
Protection scope                               | Incoming messages only            | Incoming and outgoing messages    | Incoming and outgoing messages
POP3 / SMTP / NNTP / IMAP traffic              | +                                 | +                                 | +
Additional: Microsoft Office Outlook extension | +                                 | +                                 | +
Scan attached archives                         | –                                 | +                                 | +
Scan Office formats                            |                                   | +                                 | +
Do not scan archives larger than 8 MB          | +                                 | –                                 | –
Do not scan archives for more than 5 sec       | +                                 | –                                 | –
Attachment filter                              | Rename specified attachment types | Rename specified attachment types | Rename specified attachment types
Heuristic analysis                             | Light scan                        | Medium scan                       | Deep scan
Exclusions for false positives Exclusions for Mail Anti-Virus are configured the same way as in File Anti-Virus: in the General Protection Settings, Scan exclusions and trusted zone. In the scan exclusion settings, specify the file name only (wildcards are allowed) to exclude all attachments with matching names from scanning. The same exclusion must be configured for File Anti-Virus, or else the received attachments will not be saved or opened.
3.3 Web Anti-Virus
What Web Anti-Virus does
The Web Anti-Virus component performs two important functions:
— Analyzes addresses of web pages opened by the user or applications, and blocks access to phishing and malware-spreading sites
— Scans the objects downloaded over HTTP and FTP (the objects downloaded over HTTPS are not scanned) and blocks malicious files

Four technologies are used for scanning the links:

— Check against the database of suspicious sites—compare the address of the site to be opened with the addresses of the web resources which are known for hosting malware, attacking computers or other harmful activities
— Check against the database of phishing sites—is similar to the previous check, but against the database of sites on which phishing pages have been detected
— Heuristic analysis for detecting phishing sites—analysis of the site contents for HTML code characteristic of phishing
— KSN check—addresses of the opened sites are checked against KSN. Dangerous links are blocked. The received answer is saved in the local cache and is used for further checks.

Downloaded files are scanned using all the available methods: signature and heuristic analysis as well as KSN.
Web Anti-Virus settings

Actions

You can select the action to be taken against all detected dangerous objects [5]:

— Block download
— Allow download
You should select the Block download action in the policy and lock it so that the users are not able to download hazardous objects or visit hazardous websites. When the user attempts to open a black-listed web resource or download an infected object, a notification will be displayed in the browser explaining that the download was blocked by Kaspersky Endpoint Security.
Security level Web Anti-Virus behavior is regulated by only a few settings:
— Check if links are listed in the database of malicious URLs—we recommend that you do not disable this setting. If a website was added to the list of malicious web addresses by mistake, create an exclusion for it
— Heuristic analysis for detecting viruses—enables heuristic analysis. This is the same analysis as in the File Anti-Virus: executable files are started in the virtual environment and their operations are supervised. The depth of the analysis defines the monitoring time
— Check if links are listed in the database of phishing URLs—this setting is similar to the first parameter and should also remain enabled
— Heuristic analysis for detecting phishing links—enables the use of heuristics when detecting phishing sites.

Web Anti-Virus settings can be modified using the Security level switch. The table below explains how the settings’ values change depending on the level selected:
Setting                                  | Low        | Recommended | High
Heuristic analysis for detecting viruses | Light scan | Medium scan | Deep scan
Scan archives                            | –          | +           | +
Scan archives is a hidden setting. If the Security level is switched into the Low position, in addition to the visible parameter changes, archive scanning is disabled.
The following parameters:

— Check if links are listed in the database of malicious URLs
— Check if links are listed in the database of phishing URLs
— Heuristic analysis for detecting phishing links (as well as the depth of the analysis)

do not depend on the Security level and do not change the position of the Security level when modified.
[5] The Select action automatically option is the same as Block download.
How to make a web site trusted
If Web Anti-Virus erroneously considers a web site to be malicious or phishing, add its address to the trust list:

1. In the security level settings, open the tab Trusted web addresses
2. Select the check box Do not scan web traffic from trusted web addresses
3. Add the web site address to the list. To specify a mask, use “*” and “?” wildcards

The listed sites and the objects downloaded from them will not be scanned by Web Anti-Virus. If Web Anti-Virus erroneously considers a file that a user downloads from a web site to be malicious, make an exclusion for the file in General Protection Settings. Apply the exclusion at least to Web Anti-Virus, File Anti-Virus and Virus scan.
3.4 How Not to Intercept the Whole Traffic of a Program
In old versions of Kaspersky Endpoint Security (before 10 Service Pack 2) the driver that intercepts connections for network antiviruses acted as a local proxy. When a program establishes a connection to a remote server, Kaspersky Endpoint Security replaces the server address with its own address to receive the packets, and then establishes another connection to the remote server to send the scanned packets. The answer packets from the server are processed in a similar manner: first through the connection established by Kaspersky Endpoint Security, and then from Kaspersky Endpoint Security to the program. Some network programs are incompatible with this interception method. To ensure that they operate properly, administrators disable traffic interception for the program.

Kaspersky Endpoint Security 10 SP2 uses a driver that does not disrupt the connection; it uses the operating system functions to receive access to all packets. The programs that are incompatible with the old interception method are likely to be compatible with the new one. If you have a program that conflicts with the new interception method too, disable traffic interception for it:

1. Open the list of trusted processes in the Kaspersky Endpoint Security policy: in the General Protection Settings section, click the Settings button in the Scan exclusions and trusted zone area.
2. Add the application executable file to the list of Trusted applications: specify the full path to the file. You can use environment variables, such as %SystemRoot%
3. In the properties of a trusted program, select the check box Do not scan network traffic and clear the other check boxes
4. If the servers with which a program works have permanent addresses (or a range of addresses) and ports, specify them in the lower part of the window: it is safer this way

This exclusion applies to the Mail Anti-Virus, Web Anti-Virus, IM Anti-Virus and Web Control components.
3.5 Protection for Network Connections: Summary
The network components Mail Anti-Virus and Web Anti-Virus do not consume many resources. On the contrary, they enable File Anti-Virus to scan fewer files, and improve computer performance. Web Anti-Virus is the only component that protects against phishing. It also protects against new threats that are spread through known malicious web sites. Do not turn off network antiviruses: it will not improve performance, but will affect protection.

If Web Anti-Virus or Mail Anti-Virus erroneously delete files, block safe web sites or hamper network programs, configure exclusions:

— Exclusions for web sites in the Web Anti-Virus settings
— Exclusions for programs in General Protection Settings
— Exclusions for ports in General Protection Settings
Chapter 4. How to Configure Protection Against Sophisticated Threats

4.1 How Kaspersky Endpoint Security Protects Against New Threats
Criminals continually create new malicious files. Kaspersky Lab is famous for detecting new threats and adding their signatures to the database very quickly. Checksums of malicious files get to Kaspersky Security Network even more promptly. However, criminals are still half a step ahead. How does Kaspersky Endpoint Security protect against new threats and especially against ransomware? Ransomware that encrypts documents and demands money in return for the key causes immediate and direct harm. Kaspersky Endpoint Security tries to detect and block malware, including new malware, at all stages of an attack:

— Criminals publish malware on web sites. Often these web sites have also been used previously → Web Anti-Virus uses the database of known malicious web sites and web sites’ reputation in KSN and prevents the users from opening them
— Criminals e-mail new malware → Mail Anti-Virus renames executable attachments, including archived ones
— New malware has different code to get round signature scanning, but behaves similarly to other malware → System Watcher monitors what a program does, and detects new malware by behavior
— Encrypted data are statistically homogeneous, as if produced by a random-number generator. This makes them different from most ordinary files → System Watcher uses heuristic and statistical analysis to detect encryption in files
— New malware does not have any reputation in KSN → Application Privilege Control does not allow programs without a reputation to use many of the operating system functions
New threats are mainly opposed by System Watcher and Application Privilege Control.
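The statistical idea behind the encryption check deserves a worked example. The Python below is an added illustration, not Kaspersky's code or System Watcher's actual method: it measures how homogeneous a file's bytes are (Shannon entropy in bits per byte and a chi-square test against a flat distribution), classifies constructed samples, and applies a constructed “a process overwrote several documents with ciphertext-like content” rule of the kind a behavior monitor would use. Thresholds, the header check for compressed formats (which are also high-entropy and would otherwise be false positives), the sample files and the write events are all assumptions made for the example.

```python
# Added illustration (not Kaspersky's code) of the statistical test for encrypted
# content and a constructed "process encrypts documents" rule built on it.
import gzip
import math
import random
from collections import Counter
from typing import Dict, List, Tuple

# constructed: formats that are legitimately high-entropy and must not be flagged
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\x89PNG", b"\xff\xd8\xff")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic against a uniform byte distribution (255 degrees of freedom)."""
    n = len(data)
    expected = n / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def classify(data: bytes, entropy_min: float = 7.9, chi_max: float = 400.0) -> str:
    """'compressed-format', 'encrypted-like' or 'plain' (thresholds are assumptions)."""
    if data.startswith(COMPRESSED_MAGIC):
        return "compressed-format"
    if shannon_entropy(data) >= entropy_min and chi_square(data) <= chi_max:
        return "encrypted-like"
    return "plain"


def suspicious_writers(events: List[Tuple[str, str, bytes]], min_files: int = 3) -> Dict[str, int]:
    """events: (process, document path, bytes written). A process that overwrites
    at least min_files distinct documents with encrypted-like content is reported."""
    hits: Dict[str, set] = {}
    for proc, path, content in events:
        if classify(content) == "encrypted-like":
            hits.setdefault(proc, set()).add(path)
    return {p: len(paths) for p, paths in hits.items() if len(paths) >= min_files}


def sample_files() -> Dict[str, bytes]:
    """Constructed contents: text, pseudo-random bytes standing in for ciphertext, a gzip file."""
    text = (b"Quarterly report: revenue grew modestly while costs were flat. "
            b"The committee agreed to review the plan in March.\n") * 64
    rng = random.Random(2024)
    cipher_like = bytes(rng.getrandbits(8) for _ in range(8192))
    return {"report.txt": text, "report.txt.locked": cipher_like, "archive.gz": gzip.compress(text)}


def sample_events() -> List[Tuple[str, str, bytes]]:
    """Constructed write events: one editor, one process rewriting documents, one archiver."""
    f = sample_files()
    return [
        ("winword.exe", r"C:\Users\alice\Documents\q1.docx", f["report.txt"]),
        ("updater.exe", r"C:\Users\alice\Documents\q1.docx", f["report.txt.locked"]),
        ("updater.exe", r"C:\Users\alice\Documents\q2.docx", f["report.txt.locked"]),
        ("updater.exe", r"C:\Users\alice\Documents\notes.txt", f["report.txt.locked"]),
        ("7z.exe", r"C:\Users\alice\Documents\backup.gz", f["archive.gz"]),
    ]


if __name__ == "__main__":
    for name, data in sample_files().items():
        print(f"{name}: entropy={shannon_entropy(data):.2f} chi2={chi_square(data):.0f} -> {classify(data)}")
    print("suspicious:", suspicious_writers(sample_events()))
```

The text sample scores around 4 to 5 bits per byte with most byte values never appearing, the pseudo-random sample sits just under 8 with a flat histogram, and the gzip file is excluded by its header rather than by its statistics. Only the process that rewrote three documents with ciphertext-like content is reported, which is the behavior-level judgement the text attributes to System Watcher rather than a verdict on any single file.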
4.2 What System Watcher and Application Privilege Control Do

The components and technologies that help to counter new malware not yet added to the Anti-Virus databases or Kaspersky Security Network, or minimize their impact, are called Proactive Defense. Heuristic analysis, which we have studied already, is an example of a Proactive Defense technology. However, the main role in this protection aspect belongs to the System Watcher (and to some extent to the Control components, which will be described later).
How System Watcher protects against new threats
System Watcher performs several functions:
— Logs application activity for comparison with the behavior signatures database
— Detects malicious programs and blocks their actions
— Rolls back actions of the malware detected by other components (File Anti-Virus and scan tasks)
Malware detection is the main task. For this purpose, System Watcher monitors program actions and compares them with dangerous activity patterns: so-called Behavior Stream Signatures (BSS). The BSS database is updatable, but updates for it are issued comparatively rarely. The efficiency of System Watcher almost does not depend on how regularly the databases are updated.
Various components gather data about application activity for System Watcher:
— The main information source is the klif.sys driver that intercepts file operations (the one used by File Anti-Virus). The driver gathers information about file operations and the changes made to the registry
— Firewall gathers information about network activity of applications
— System Watcher has its own module that reacts to complicated system events: installation of drivers, hooks, etc.
II–45 Unit II. Protection Management
Configuration
System Watcher has a few settings which correspond to enabling or disabling the abovementioned task components:
— Enable Exploit Prevention—protects from various attacks (exploits) whose aim is to receive administrative permissions in the system or conceal code execution. Exploits typically use buffer overflow attacks: incorrect parameters are passed to a vulnerable program or service, which processes them and therefore executes some of the parameters as code. In particular, such attacks against system services running under the local system account enable criminals to receive administrative permissions on the computer. Typically, malware tries to start itself under the administrator account as a result of such an attack. When this option is enabled, start operations are monitored, and if a vulnerable program starts another program without the user's explicit command, the start is blocked
— Do not monitor the activity of applications that have a digital signature—do not control the programs that are either signed with trusted certificates or have the Trusted reputation in KSN. To exclude programs signed with self-signed certificates, configure exclusions for the certificates in the Trusted zone (General Protection Settings)
— Roll back malware actions during disinfection—roll back actions taken by the programs deleted by File Anti-Virus or scan tasks or quarantined by System Watcher. Rollback means reverting the changes made to the file system (creating, relocating, renaming files) and registry keys (the records created by the malware are deleted). Also, a backup copy of some files and keys is created at system start, which allows rolling back to this version if a virus changes these files and keys. These special objects include the hosts and boot.ini files and the registry keys responsible for starting programs and services during system start. This option also recovers the files encrypted by malware (so-called cryptolockers)
Do not turn off System Watcher. It protects against threats that other components may fail to counter. To prevent false positives or improve performance, create exclusions.
Actions
If System Watcher detects malicious behavior, it selects the action automatically. This means that it interrupts the program and quarantines its executable file. Other possible actions:
— Skip—do nothing, only log the detection of malicious activity
— Terminate the malicious program—stop the malware and unload it from memory
— Move file to Quarantine—stop the program, delete the malicious file, and place its copy into the Quarantine repository
How Application Privilege Control stops new threats
The main purpose of the Application Privilege Control is to regulate the activities of the running programs, namely, access to the file system and registry as well as interaction with other programs.
How Application Privilege Control calculates program reputation
Application Privilege Control categorizes applications into trust groups, for which limitations are specified. Every program receives one of the four trust levels:
— Trusted
— Low Restricted
— High Restricted
— Untrusted
Kaspersky Endpoint Security assigns a trust group to a program when it starts for the first time; the start is suspended until the analysis is over. The main categorization tool is Kaspersky Security Network. If it is inaccessible or KSN lacks information about the program, the assigned category depends on the policy settings:
— Use heuristic analysis to define group—if this check box is selected, Kaspersky Endpoint Security defines the program status using a special heuristic algorithm that emulates the program start. Emulation and analysis require time. By default, the time for assigning a trust group is limited to 30 seconds; this limit is controlled by another setting, Maximum time to define group. After the specified time, the analysis is finished and the program is placed into a trust group
— Automatically move to group—an alternative to using heuristics. This setting assigns one of the 3 trust levels (High Restricted, Low Restricted, or Untrusted) to all unknown programs without the analysis
— Trust applications that have a digital signature—if this parameter is enabled, the programs signed by trusted certificates are automatically placed in the Trusted group. Trusted certificates are certificates that Kaspersky Security Network trusts. To trust other certificates, use the Trusted zone settings (General Protection Settings)
The defined trust group is saved and used at each start of the program. The saved data may be revised or deleted depending on the following settings:
— Update control rules for previously unknown applications from KSN databases—the program's trust group is changed automatically if the program appears in KSN
— Delete rules for applications that are not started for more than 60 days—wipes out the trust group information for the programs that have not been started for a long time. The lifetime is adjustable
How Application Privilege Control limits programs' activities
Application Privilege Control limits interaction with other programs and operating system services depending on the trust group. Generally, the default restrictions for trust categories are as follows:
— Trusted: no limits
— Low Restricted: almost everything is allowed, except for building into operating system modules and accessing recorders: web cams and microphones
— High Restricted: interaction with operating system modules and other programs is prohibited. A program is allowed to work only with its own segment of system memory
— Untrusted: the program is prohibited even from starting
Application Privilege Control helps limit access to files, folders and registry keys on the hard drives. Application Privilege Control has a list of protected resources. They are grouped into two categories:
— Operating system
— Personal data
Each category has its subcategories and resource descriptions: paths to folders, file masks, registry key masks. Initially, the list of protected resources contains groups of the most important files and registry keys. For example, the Operating system category has a subcategory Startup settings, which lists all registry keys related to startup. Rights to access groups of resources are defined for operations: Read, Write, Remove and Create. By default, Application Privilege Control protects resources as follows:
                   Operating system                                           Personal data
Trusted            Full access                                                Full access
Low Restricted     Full access to everything except critical system files;    Full access
                   for critical system files, Read only
High Restricted    Read only                                                  Full access
Untrusted          No access                                                  No access
Program limitations automatically apply to its child processes. If a program with limitations starts a trusted program, this trusted program will also be restricted. If a trusted application is started by the user or another trusted program, there will be no limits
How to configure Application Privilege Control
The administrator can modify limitations for any trust group and even for any individual program. Do not change the Application Privilege Control settings unless you know precisely what you are doing.
To find the trust groups and their limitations:
1. Open the Application Privilege Control section in the Kaspersky Endpoint Security policy
2. Click the upper Settings button in the Application rules area
3. Select the trust group and click Edit
4. Switch to the Rights tab
The administrator can limit or extend rights for a program having the selected reputation here, but you must understand what you are doing. For example, you can allow low restricted programs to access the web cam.
To view protected resources:
1. Open the Application Privilege Control section in the Kaspersky Endpoint Security policy
2. Click the lower Settings button in the Application rules area
On the managed computers, the list of resources is updated together with the signature databases. To update the list of resources in the policy, click the Update button above the list. Do not delete or edit the pre-configured resources. To stop controlling pre-defined resources, add them to exclusions: click the Exclusions button in the upper-right corner of the window. To protect other files or registry keys, add them to the list. Keep your resources in an individual category.
To add your own protected resources:
1. Click the Add button to create your categories and resource descriptions
2. Configure access rights for the resource in the table on the right
To be informed when Application Privilege Control blocks an operation, enable logging. For this purpose, right-click an action in the table and select Log events. You can also log Allow events of Application Privilege Control to understand which programs work with a resource.
Note: The limitations configured for a program are inherited by all its child processes, even if their executable files are included in the Trusted group. Thus, programs with a lower trust level cannot evade the prohibitions by using the privileges of programs having higher trust levels.
How to configure Application Privilege Control to stop ransomware
With the default settings, Application Privilege Control protects the operating system and other software on the computer against programs that have a bad reputation. The administrator can also easily protect users' files against unknown programs. This way, they will be protected against ransomware that encrypts documents. The idea is simple. Malware:
— either already has a bad reputation in KSN, and Kaspersky Endpoint Security will not permit starting it
— or (especially new malware) does not have any reputation in KSN, and Application Privilege Control makes it High Restricted or Low Restricted
Programs designed for working with documents, such as Microsoft Office, on the other hand, are well-known and have the Trusted reputation. Therefore, to protect documents, prohibit restricted programs from editing them. For this purpose:
1. Open the Application Privilege Control section in the Kaspersky Endpoint Security policy and click the second Settings button
2. Add documents to the list of protected resources in Application Privilege Control: in the list on the left, select the category Personal data \ User files and add a new category named Documents
3. Include document extensions, such as *.doc, *.docx, *.pdf, etc., in the category. For this purpose, add File or folder to the category and specify the extension in the Path field. Repeat for all extensions
4. Prohibit restricted applications from editing documents. For this purpose, select the category in the list on the left and change the rights in the table on the right: prohibit High Restricted and Low Restricted applications from Writing and Deleting
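The following added example (written for this course page, not Kaspersky code) models the Application Privilege Control decisions described in this chapter: the default resource-access matrix, the Documents category created by the four steps above, and inheritance of restrictions by child processes. The file paths, registry key, process names and the list of "critical system files" are constructed for the example.

```python
"""Model of Application Privilege Control access decisions (added example)."""
import fnmatch

TRUSTED, LOW, HIGH, UNTRUSTED = "Trusted", "Low Restricted", "High Restricted", "Untrusted"
TRUST_ORDER = [TRUSTED, LOW, HIGH, UNTRUSTED]            # most to least trusted
FULL = frozenset({"Read", "Write", "Remove", "Create"})
READ_ONLY, NO_ACCESS = frozenset({"Read"}), frozenset()

# Default matrix from the table in this chapter. Critical system files are the
# part of the Operating system category that Low Restricted programs may only read.
DEFAULT_RIGHTS = {
    "Operating system":          {TRUSTED: FULL, LOW: FULL,      HIGH: READ_ONLY, UNTRUSTED: NO_ACCESS},
    "Operating system/critical": {TRUSTED: FULL, LOW: READ_ONLY, HIGH: READ_ONLY, UNTRUSTED: NO_ACCESS},
    "Personal data":             {TRUSTED: FULL, LOW: FULL,      HIGH: FULL,      UNTRUSTED: NO_ACCESS},
}
# Step 4 of the how-to: restricted programs may neither Write nor Delete documents.
RANSOMWARE_RIGHTS = dict(DEFAULT_RIGHTS)
RANSOMWARE_RIGHTS["Documents"] = {TRUSTED: FULL, LOW: FULL - {"Write", "Remove"},
                                  HIGH: FULL - {"Write", "Remove"}, UNTRUSTED: NO_ACCESS}

# Resource descriptions (masks), most specific first. Constructed for the example;
# real protected resources come from the policy and the signature databases.
RESOURCE_MASKS = [
    ("Operating system/critical", [r"c:\windows\system32\drivers\etc\hosts", r"c:\boot.ini"]),
    ("Operating system", [r"c:\windows\*", r"hklm\software\microsoft\windows\currentversion\run\*"]),
    ("Documents", ["*.doc", "*.docx", "*.pdf"]),         # step 3 of the how-to
    ("Personal data", [r"c:\users\*"]),
]


def category_of(resource):
    """Protected-resource category of a path or registry key, or None if unprotected."""
    key = resource.lower()
    for category, masks in RESOURCE_MASKS:
        if any(fnmatch.fnmatchcase(key, mask) for mask in masks):
            return category
    return None


def effective_group(process):
    """Trust group actually applied: the least trusted group along the parent chain."""
    group = process["group"]
    parent = process.get("parent")
    while parent is not None:
        if TRUST_ORDER.index(parent["group"]) > TRUST_ORDER.index(group):
            group = parent["group"]                 # inherited restriction wins
        parent = parent.get("parent")
    return group


def is_allowed(process, operation, resource, rights=DEFAULT_RIGHTS):
    """Would Application Privilege Control permit `operation` on `resource`?"""
    category = category_of(resource)
    if category is None or category not in rights:
        return True                                 # not a protected resource under this policy
    return operation in rights[category][effective_group(process)]


if __name__ == "__main__":
    # Constructed scenario: an unknown downloader (no KSN reputation, so High
    # Restricted) launches Microsoft Word (Trusted) to modify a document.
    downloader = {"name": "invoice.exe", "group": HIGH, "parent": None}
    word_from_downloader = {"name": "winword.exe", "group": TRUSTED, "parent": downloader}
    word_from_user = {"name": "winword.exe", "group": TRUSTED, "parent": None}
    report = r"C:\Users\alice\Documents\report.docx"
    hosts = r"C:\Windows\System32\drivers\etc\hosts"
    for rights, label in ((DEFAULT_RIGHTS, "default"), (RANSOMWARE_RIGHTS, "with Documents category")):
        print(f"{label}: downloader writes report.docx ->", is_allowed(downloader, "Write", report, rights))
        print(f"{label}: Word started by downloader writes report.docx ->",
              is_allowed(word_from_downloader, "Write", report, rights))
    print("Word started by the user writes report.docx ->",
          is_allowed(word_from_user, "Write", report, RANSOMWARE_RIGHTS))
    print("downloader reads hosts ->", is_allowed(downloader, "Read", hosts),
          "| writes hosts ->", is_allowed(downloader, "Write", hosts))
```

With the default matrix the unknown program may write the document (Personal data is fully accessible to High Restricted programs); only the added Documents category blocks it, and the block survives the detour through a Trusted child process.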
4.3 How to Exclude a Program from Monitoring
What to do if KES hampers a program
Almost any heuristic analysis returns false positives. To reduce them, exclude known clean programs from analysis:
— Programs that are considered to be trusted in Kaspersky Security Network
— Programs signed with trusted certificates
To avoid blocking programs that are considered to be trusted in KSN, simply use KSN. To trust signed programs, use the following components' settings:
— System Watcher: Do not monitor the activity of applications that have a digital signature
— Application Privilege Control: Application control rules \ Trust applications that have a digital signature
Kaspersky Endpoint Security trusts only those digital signatures that are based on trusted certificates rather than all of them. Trusted certificates are those issued by trusted certification centers. Kaspersky Endpoint Security uses its own database of certificates and does not always trust certificates in the local Trusted Root Certification Authorities store. If a certificate has been compromised, Kaspersky Endpoint Security learns about this from Kaspersky Security Network and will not trust files signed with this certificate. Kaspersky Endpoint Security does not trust self-signed certificates either. To trust tailor-made software with a self-signed certificate, add the certificate to the trusted zone of Kaspersky Endpoint Security as described in “Exclusion by certificate”, section 2.5.
If a program does not have a digital signature, you can manually add it to the Trusted group in the Application Privilege Control policy. Alternatively, you can completely exclude a program from scanning by System Watcher and Application Privilege Control. How to do it will be explained later.
How to modify a program’s trust category
Most widespread commercial programs have the Trusted reputation. However, some open-source programs have the Low Restricted reputation. Tailor-made software may not have any reputation in KSN, and may receive the High Restricted reputation from Application Privilege Control. If a reputation hampers working with a program, change its reputation in the Kaspersky Endpoint Security policy:
1. Open the Application Privilege Control section in the Kaspersky Endpoint Security policy
2. Click the upper Settings button in the Application rules area
3. Click Add above the list of categories
4. Enter a part of the program's executable file name and click Refresh
5. Select the executable file in the search results
6. Select a reputation for the file in the lower-right corner of the window and click OK
If the administrator has selected a reputation for a file in the policy, Application Privilege Control uses this reputation on the computers instead of the KSN reputation. The reputation from KSN or from the heuristic analyzer is used only for files that are not specified explicitly in the policy, which means most files, because by default the policy contains only reputation groups and no files. If the administrator has added a file to a reputation group in the policy, he or she can reconfigure its restrictions as desired. For example, the administrator can add a program to the Trusted group, but then open its properties and prohibit it from accessing the web cam.
What to do if the list of known programs is empty in the policy
If you use policies with the default settings, the list of executable files is likely to be empty in the policy. Kaspersky Endpoint Security intercepts all executable files on the computers, and Application Privilege Control assigns a reputation to all of them. However, this data is not sent to the Administration Server by default, and the policy shows only those executable files about which Kaspersky Endpoint Security has informed the Administration Server. To make Kaspersky Endpoint Security send the list of a computer's executable files to the server:
1. Open the Reports and Storages section in the policy and click the Settings button in the Inform Administration Server area
2. Select the About started applications check box
3. To view executable files in the policy, wait for two synchronization intervals (30 minutes)
The lists of computer executable files are rather large. If all managed computers send them to the server, it will increase the load on the network considerably. Usually, this is not necessary. To receive only the necessary files, move a reference computer to a special group, apply a policy with the Inform about started applications check box selected to it, and after you receive the list, move the computer back to its original group.
How to get the list of applications from a computer
When the user starts a program, Kaspersky Endpoint Security adds it to the local list of known applications. If the administrator has selected the check box to inform the server about started files, Network Agent periodically synchronizes the list of files with the server. However, it is not recommended to collect lists of files from all computers, and creating a special group with a special policy for a single workstation is not always desired.
Administrators often have test computers where all typical programs are installed. If you have such computers, gather lists of executable files from them. To fill the local list of known programs on a test computer, do not start all programs manually; use the Inventory task. The Inventory task scans files in the specified folders, finds executable files and adds them to the local list of known executable files. It does not send anything to the Administration Server. To have scan results sent to the server, select the Inform Administration Server about started applications check box in the Kaspersky Endpoint Security policy.
To create an inventory task, run the task creation wizard in the Tasks node. Select the Inventory task type under Kaspersky Endpoint Security 10 Service Pack 2 for Windows. If it is a task for a test computer, specify the All hard drives scope. Assign the task to individual test computers. Do not assign the inventory task to all computers. It will load the network without doing much good, because lists of executable files are almost the same on different computers.
How to make a program trusted by System Watcher and Application Privilege Control
If the limitations set by Application Privilege Control still block a necessary program, you can configure the corresponding exclusion. There are two types of exclusions in Application Privilege Control:
— Exclusions for resources—allow any program to perform any operation with the specified group of resources
— Exclusions for programs—allow the specified program to perform any operation
Exclusions for resources are configured in the properties of Application Privilege Control, on the Protected resources tab. You can configure exclusions for folders, files and registry keys. Exclusions for programs are configured in the General protection settings section (Exclusions and trusted zone), and provide several additional capabilities:
— Do not monitor application activity—disable all restrictions for the specified program
— Do not inherit restrictions of the parent process (application)—disable the limitations inherited from the process that started the program and from the parent processes of higher levels
— Do not monitor child application activity—disable the restrictions for the processes started by the program for which the exclusion is created
These exclusions apply to both System Watcher and Application Privilege Control.
4.4 Protection Against New and Sophisticated Threats: Summary
Almost all Kaspersky Endpoint Security components help protect against new threats, but primarily System Watcher and Application Privilege Control. Both components monitor the operations performed by programs.
Application Privilege Control calculates the reputation of executable files and limits the actions of programs that have a bad or unknown reputation. Program reputation is supplied by Kaspersky Security Network or a heuristic algorithm. The administrator can manually select a reputation for individual programs.
System Watcher monitors what programs do in general rather than their individual actions. For this purpose, it logs everything that programs do and then checks whether sequences of actions resemble malicious activities. System Watcher uses the log of actions to roll back malicious activities. System Watcher has special heuristics that permit detecting ransomware (malware that encrypts documents and demands a ransom). In some cases, System Watcher can recover encrypted documents. To better protect against ransomware, configure Application Privilege Control to block access to documents for programs that have a bad reputation.
Do not turn off System Watcher and Application Privilege Control. These components implement state-of-the-art technologies that protect against the most sophisticated threats.
Chapter 5. How to Control Network Connections
5.1 How Firewall Protects Against Threats
From the security point of view, the Firewall performs two functions:
— Blocks unauthorized network connections to the computer, thus decreasing the infection probability
— Blocks unauthorized network activity of the programs on the client computer. This decreases the risk of an outbreak, and also limits the actions of users that consciously or unconsciously violate the security policy
The Firewall is tightly integrated with Application Privilege Control. Application Privilege Control limits programs' access to the settings of the operating system, other programs and user files, but not to the network. Firewall checks the program reputation and limits its access to the network. This way, the Firewall prevents already running malware from causing harm: for example, sending the user's passwords to criminals.
The Network Attack Blocker component complements the Firewall and analyzes packets. While Firewall uses simple rules to block packets, Network Attack Blocker checks sequences of packets for signs of a network attack, for example, a buffer overflow attack via known vulnerabilities, and blocks connections through which an attack is performed.
5.2 How Firewall Works in Kaspersky Endpoint Security
Firewall controls connections at the network and transport level using packet rules. It analyzes inbound and outbound packets, compares them with the rules and takes one of two actions:
— Allow
— Block
How Firewall analyzes packets and connections
The simplest part of Kaspersky Endpoint Security Firewall is the list of packet network rules. To view it, open the Firewall section in the Kaspersky Endpoint Security policy and in the Firewall rules area, click the second Settings button. A packet rule consists of the following attributes:
Action
    Allow, Block or According to the application rule. According to the application rule means that Firewall will look for an appropriate rule in the settings of the program to which the packet pertains and, if this program has no settings, in the settings of the reputation group to which the program belongs
Protocol
    TCP, UDP, ICMP, ICMPv6, IGMP, GRE
Direction
    Inbound (packet)—applies to all inbound packets
    Inbound—applies to all packets within inbound connections
    Inbound/outbound—applies to all packets
    Outbound (packet)—applies to all outbound packets
    Outbound—applies to all packets within outbound connections
    The TCP protocol establishes connections; use the directions Inbound, Outbound and Inbound/Outbound together with the TCP protocol. Other protocols do not establish connections; they send packets. Use Inbound (packet), Outbound (packet) and Inbound/Outbound with them
Remote ports
    Ports on a remote computer. Can be specified for the TCP and UDP protocols. To specify several ports, separate them by a comma: for example, 25, 110. To specify a range, use a hyphen: 0-1024
Local ports
    Ports on the local computer. Can be specified for the TCP and UDP protocols
ICMP type
    Echo, Echo Reply, Time Exceeded, Destination Unreachable, etc. Can be selected for the ICMP and ICMPv6 protocols
ICMP code
    Code for some ICMP types. You can select code 0, 1 or 2. For example, for a Destination Unreachable ICMP packet, code 0 means Net Unreachable, code 1—Host Unreachable, code 2—Protocol Unreachable
Network adapters
    Permits specifying the network adapter by interface type, IP address and MAC address. Types of interfaces: Loopback, Wired network (Ethernet), Wi-Fi network, Tunnel, PPP connection, PPPoE connection, VPN connection, Modem connection
TTL
    Packet lifetime
Remote addresses
    Addresses of remote computers, which can be specified directly or indirectly. To specify addresses directly, select Addresses from the list and fill in the list of IP addresses. To specify addresses indirectly, select Any address or Subnet addresses. Subnet addresses are: Trusted networks, Local networks or Public networks
Local addresses
    Addresses of the local computer (a computer can have many addresses). You can select either Any address or Addresses from the list, and fill in the list
Both IPv4 and IPv6 can be specified for IP addresses.
The Firewall compares packet attributes with rule attributes, and if everything coincides (protocol, ports, direction, network adapter, local address, remote address), applies the action specified in the rule. Rule application is registered in the Firewall log if the Log events check box is selected. The Firewall looks for the first matching rule (from the top down) and applies it. To rearrange the rules, select a rule and move it using the Up and Down buttons.
A default policy contains a list of packet rules that provides reasonable security for computers both on and off the corporate network. The standard settings are described in detail at the end of this chapter. Standard packet rules are not hard-coded. The administrator can edit and delete them, or add custom rules.
For convenience, the protocol, ports and direction can be specified by templates (for example, Any network activity, Browsing web pages, Remote Desktop network activity, etc.). To select a template, click the button to the right of the Name field in the rule settings.
How does the Firewall decide which networks are local?
Addresses of remote computers may be specified indirectly in the rules, as Subnet addresses: Trusted networks, Local networks or Public networks. How does the Firewall decide which addresses belong to which networks? Network statuses are specified by the administrator in the Kaspersky Endpoint Security policy. If the policy does not describe a network status, the Firewall defines it itself on the client computer. To add a network to the policy and select a status for it:
1. Click the Settings button in the Available networks area
2. Click the Add button above the list
3. Type a name for the subnet and select its status
4. Specify the subnet address in the form address/prefix length, for example 192.168.0.0/24, or 1234::cdef/96 for IPv6 networks
On the computer, the Firewall adds the networks configured for the computer's network adapters to the networks specified in the policy. If an adapter's network coincides with or belongs to a network from the policy, it receives the status specified in the policy. If the adapter's network does not belong to any of the networks described in the policy, the Firewall assigns it a status based on its status in the operating system. If it is a domain, work or home network, the Firewall assigns it the Local status. If the network is public in the operating system, it will also be public for Kaspersky Endpoint Security Firewall. All other addresses are considered to be addresses of public networks.
For example, the policy might contain a single network entry for 172.16.0.0/16 with the Local network status, and a managed computer might have two interfaces configured to use networks 172.16.55.0/24 and 192.168.5.0/24 respectively. Let's say Kaspersky Endpoint Security automatically assigned the Public status to both these networks. Now, when the local networks are combined with the policy, the status of the 172.16.55.0/24 network effectively becomes Local network, because there is an entry in the policy for network 172.16.0.0/16 that includes 172.16.55.0/24. On the other hand, the 192.168.5.0/24 network retains its Public status because there is no matching entry in the policy.
In the default policy settings, there are three network entries, all of which have the Local network status:
— 10.0.0.0/8
— 172.16.0.0/12
— 192.168.0.0/16
These are reasonable choices for the computers that are inside the perimeter; however, they should be reconsidered for computers outside the perimeter, e.g., the computers connected via VPN or laptop computers on a business trip.
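The status resolution described above, as an added example written for this course page (not Kaspersky code): an adapter network that coincides with or lies inside a policy network takes the policy status, otherwise the operating system's network location decides. The adapter networks and OS locations used below are constructed.

```python
"""Resolve Firewall network status from policy entries and OS network location (added example)."""
import ipaddress

# Default policy entries: the three private ranges, all with the Local status.
DEFAULT_POLICY_NETWORKS = {"10.0.0.0/8": "Local", "172.16.0.0/12": "Local",
                           "192.168.0.0/16": "Local"}

# How an operating-system network location maps to a Firewall status.
OS_LOCATION_TO_STATUS = {"domain": "Local", "work": "Local", "home": "Local",
                         "public": "Public"}


def resolve_status(adapter_network, os_location, policy_networks):
    """Status (Trusted / Local / Public) the Firewall uses for one adapter network."""
    net = ipaddress.ip_network(adapter_network, strict=False)
    for policy_cidr, status in policy_networks.items():
        policy_net = ipaddress.ip_network(policy_cidr)
        if net.version == policy_net.version and net.subnet_of(policy_net):
            return status                       # policy wins: equal or contained network
    return OS_LOCATION_TO_STATUS.get(os_location.lower(), "Public")


def resolve_adapters(adapters, policy_networks):
    """Map each (network, os_location) pair of a computer to its effective status."""
    return {cidr: resolve_status(cidr, loc, policy_networks) for cidr, loc in adapters}


if __name__ == "__main__":
    # The example from the text: one policy entry, two adapters both Public per the OS.
    policy = {"172.16.0.0/16": "Local"}
    print(resolve_adapters([("172.16.55.0/24", "public"), ("192.168.5.0/24", "public")], policy))
    # -> {'172.16.55.0/24': 'Local', '192.168.5.0/24': 'Public'}

    # A laptop on a hotel Wi-Fi (constructed): with the default policy its
    # 192.168.1.0/24 network becomes Local although the OS calls it public,
    # which is why the defaults deserve a second look for computers outside the perimeter.
    print(resolve_adapters([("192.168.1.0/24", "public"), ("2001:db8:1::/64", "public")],
                           DEFAULT_POLICY_NETWORKS))
    # -> {'192.168.1.0/24': 'Local', '2001:db8:1::/64': 'Public'}
```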
How does the Firewall restrict programs?
If the Firewall does not find a matching rule for a packet, or finds one but the action specified in the rule is According to the application rule, it starts looking for a packet rule configured for this application. If the application has no settings in the policy, it checks the program's reputation and looks for a matching packet rule in the reputation settings. The Firewall uses the same reputations as Application Privilege Control. The settings that Application Privilege Control uses to select a reputation are also applied to the Firewall. If Application Privilege Control is not installed, Firewall defines the reputation itself using the Application Privilege Control settings. A program cannot be Trusted for Application Privilege Control and at the same time High Restricted for the Firewall. Each program has only one reputation. To view packet rules for applications and reputations:
1. Click the upper Settings button in the Application rules area
2. Select an application or reputation and click Edit
3. Switch to the Network rules tab
There are no applications in a policy by default; there are only reputations and settings for reputations. The administrator can add programs to a reputation and after that will be able to add any packet rules to the program properties. Applications are added in the same manner as in Application Privilege Control. Each program and reputation in the list of rules has three rules that are always located at the bottom of the list:
— Any network activity in Trusted networks
— Any network activity in Local networks
— Any network activity in Public networks
For the Trusted and Low Restricted reputations, all three rules use the Allow action by default, and for the High Restricted and Untrusted reputations, the Block action. Standard rules cannot be deleted or modified, except for the Action attribute, which can be changed by the administrator. By default, if only reputations are configured in the policy, reputations have only these three rules. These rules intercept any network activity, because any address belongs to either a trusted, a local, or a public network. That is why there is always a rule for any packet: a packet belongs to a process, the process has a reputation, and the reputation has at least one rule for any remote address according to the network type.
The administrator can add custom rules to the list of reputation or application rules. These rules have only the following attributes:
Action
    Allow or Block
Protocol
    TCP, UDP, ICMP and ICMPv6
Direction
    Inbound, Outbound or Inbound/Outbound
Remote ports
    for TCP and UDP
Local ports
    for TCP and UDP
ICMP type
    for ICMP and ICMPv6
ICMP code
    for ICMP and ICMPv6
Remote addresses, Local addresses
    for TCP and UDP
5.3 What Firewall Does Under Default Settings
Default network packet rules
A standard policy does not contain rules for applications (except for the standard ones specified for the reputations). That is why, by default, the ultimate network status and application reputations are defined locally in the Firewall. Packet rules are inherited from the policy, and accordingly, packets are filtered as follows:
1. The first three rules regulate the capability to send DNS requests (over TCP and UDP protocols, external port 53) and e-mail (over TCP protocol, external ports 25, 465, 143, and 993). The According to the application rule action is selected in these rules, that is, programs from the Trusted and Low Restricted groups will be able to send DNS requests and e-mail, while the others will not
2. Rule number 4 allows any network activity within trusted networks to all programs. So, in trusted networks, any activity is allowed by default, except for DNS and e-mail limitations for Untrusted and High Restricted programs
3. The fifth rule defines the order of packet processing in local networks. Such packets are processed according to the application rules. The default application rules say that the programs from the Trusted and Low Restricted groups have no limitations in local networks, while High Restricted and Untrusted have no access
4. The rest of the rules effectively regulate program behavior in the Public networks, since all packets from Trusted and Local networks are processed one way or another by the above rules. Rules 6-8 block remote desktop connections to the computer from public networks, and also block connections to the local DCOM service, NetBIOS packets, access to Windows shared folders, and access to Universal Plug & Play devices
5. Rules 9 and 10 allow inbound TCP and UDP streams only to the programs belonging to the Trusted and Low Restricted groups. Considering the default application rules, this means that Trusted and Low Restricted applications can receive incoming connections from Public networks, whereas High Restricted and Untrusted applications cannot.
6. Rules 11 to 15 block inbound diagnostic ICMP requests, while allowing ICMP packets to be sent to test connection to remote computers
KASPERSKY LAB™ KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
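The lookup order from 5.2 (packet rules, then application rules, then reputation rules with the three standard network rules at the bottom) and the default packet rules listed above, as an added simulation that is not Kaspersky code. The port numbers behind rules 6-8 (RDP, DCOM, NetBIOS, shared folders, UPnP) and the ICMP types behind rules 11-14 are assumptions, since the course names the services but not the ports.

```python
"""Simulation of the KES Firewall lookup order (added illustration, not Kaspersky code).

Packet rules are tried top to bottom. Allow/Block decide at once; "According to the application
rule" hands the packet to the application's own rules or, if the policy has no entry for it, to
the rules of its reputation. Every entry ends with the three standard network rules, so a
decision is always reached. Assumed: the ports in rules 6-8 and the ICMP types in rules 11-14."""
from dataclasses import dataclass
from typing import Optional

ALLOW, BLOCK, BY_APP = "allow", "block", "by application"


@dataclass
class Packet:
    reputation: str                   # Trusted / Low Restricted / High Restricted / Untrusted
    network: str                      # trusted / local / public: status of the remote address
    direction: str                    # inbound / outbound
    protocol: str                     # tcp / udp / icmp
    remote_port: Optional[int] = None
    local_port: Optional[int] = None
    icmp_type: Optional[int] = None
    application: str = ""             # process that owns the packet


@dataclass
class Rule:
    action: str
    protocols: tuple = ("tcp", "udp", "icmp")
    directions: tuple = ("inbound", "outbound")
    networks: tuple = ("trusted", "local", "public")
    remote_ports: tuple = ()          # empty = any port
    local_ports: tuple = ()
    icmp_types: tuple = ()

    def matches(self, p: Packet) -> bool:
        return (p.protocol in self.protocols and p.direction in self.directions
                and p.network in self.networks
                and (not self.remote_ports or p.remote_port in self.remote_ports)
                and (not self.local_ports or p.local_port in self.local_ports)
                and (not self.icmp_types or p.icmp_type in self.icmp_types))


def standard_rules(trusted: str, local: str, public: str) -> list:
    """The three non-deletable rules at the bottom of every application or reputation entry."""
    return [Rule(trusted, networks=("trusted",)), Rule(local, networks=("local",)),
            Rule(public, networks=("public",))]


# Default reputation entries: Trusted/Low Restricted allow everywhere, the others block everywhere.
REPUTATION_RULES = {
    "Trusted": standard_rules(ALLOW, ALLOW, ALLOW),
    "Low Restricted": standard_rules(ALLOW, ALLOW, ALLOW),
    "High Restricted": standard_rules(BLOCK, BLOCK, BLOCK),
    "Untrusted": standard_rules(BLOCK, BLOCK, BLOCK),
}

# Default packet rules in policy order; the list position matches the course's rule numbers.
DEFAULT_PACKET_RULES = [
    Rule(BY_APP, protocols=("tcp", "udp"), remote_ports=(53,)),                             # 1 DNS
    Rule(BY_APP, protocols=("tcp",), remote_ports=(25, 465)),                                # 2 SMTP
    Rule(BY_APP, protocols=("tcp",), remote_ports=(143, 993)),                               # 3 IMAP
    Rule(ALLOW, networks=("trusted",)),                                                      # 4 trusted networks
    Rule(BY_APP, networks=("local",)),                                                       # 5 local networks
    Rule(BLOCK, protocols=("tcp",), directions=("inbound",), local_ports=(3389,)),           # 6 RDP (assumed port)
    Rule(BLOCK, protocols=("tcp",), directions=("inbound",), local_ports=(135, 139, 445)),   # 7 DCOM, NetBIOS, shares
    Rule(BLOCK, protocols=("udp",), directions=("inbound",), local_ports=(137, 138, 1900)),  # 8 NetBIOS, UPnP
    Rule(BY_APP, protocols=("tcp",), directions=("inbound",)),                               # 9 inbound TCP
    Rule(BY_APP, protocols=("udp",), directions=("inbound",)),                               # 10 inbound UDP
    Rule(BLOCK, protocols=("icmp",), directions=("inbound",), icmp_types=(8,)),              # 11 echo request
    Rule(BLOCK, protocols=("icmp",), directions=("inbound",), icmp_types=(13,)),             # 12 timestamp request
    Rule(BLOCK, protocols=("icmp",), directions=("inbound",), icmp_types=(15,)),             # 13 information request
    Rule(BLOCK, protocols=("icmp",), directions=("inbound",), icmp_types=(17,)),             # 14 address mask request
    Rule(ALLOW, protocols=("icmp",), directions=("outbound",)),                              # 15 outgoing ICMP
]


def decide(p: Packet, packet_rules=DEFAULT_PACKET_RULES, app_rules=None):
    """Return (action, reason) for a packet, following the lookup order described in the text."""
    app_rules = app_rules or {}
    for number, rule in enumerate(packet_rules, 1):
        if rule.matches(p):
            if rule.action != BY_APP:
                return rule.action, f"packet rule {number}"
            break                                  # hand over to application/reputation rules
    if p.application in app_rules:                 # the policy has an entry for this program
        rules, source = app_rules[p.application], f"application rules ({p.application})"
    else:                                          # otherwise the program's reputation decides
        rules, source = REPUTATION_RULES[p.reputation], f"reputation rules ({p.reputation})"
    for rule in rules:
        if rule.matches(p):
            return rule.action, source
    raise AssertionError("unreachable: the standard network rules cover every network type")


if __name__ == "__main__":
    # Constructed packets: DNS from an Untrusted program is refused even in a trusted network,
    # because rule 1 is matched before rule 4; HTTPS from the same program there passes rule 4.
    print(decide(Packet("Untrusted", "trusted", "outbound", "udp", remote_port=53)))
    print(decide(Packet("Untrusted", "trusted", "outbound", "tcp", remote_port=443)))
```

Passing `app_rules` with a program's own Allow rule followed by `standard_rules(...)` models the policy entry an administrator adds, and prepending an Allow rule to `packet_rules` models the "move your rules to the top of the packet rules list" approach from 5.3.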
What it means for applications on the computer
Trusted and Low Restricted programs have full access to all networks. That is why Firewall does not hamper well-known programs by default. Untrusted and High Restricted programs are allowed to access only trusted networks, and even there may not work with e-mail and DNS. However, there are no trusted networks in a policy by default, so Untrusted and High Restricted programs have no network access. Thus Firewall prevents unknown malware from stealing passwords, downloading additional modules, receiving commands from the control center and sending spam. Additionally, the Firewall blocks access to the operating system services (shared folders, remote desktop, DCOM, etc.) and blocks ICMP requests from public networks.
What if the Firewall impedes an application
Most network applications are automatically included in either Trusted or Low Restricted groups, and are allowed to exchange data over the network. However, little-known open source programs or tailor-made software may receive the High Restricted reputation and will not be able to work with the network. To grant access to the network to a program that has High Restricted reputation, use one of the following approaches:
— Change the program reputation, add its executable file to the Low Restricted or Trusted reputation as described in section 4.3
— If the program’s files are signed with a certificate, use Application Privilege Control settings to trust these files
— If files are not signed with a certificate, think about signing them with a self-signed certificate and use the Trusted zone settings to trust this certificate
— Alternatively, configure packet rules to allow the program to use its addresses and ports. Packet rules are processed earlier than the rules for applications and reputations. Move your rules to the top of packet rules list
5.4 Why Is the Network Attack Blocker Necessary?
What the Network Attack Blocker does
The purpose of the Network Attack Blocker component is to block network attacks including port scanning, denial-of-service attacks, buffer-overrun attacks and other remote malicious actions taken against the programs and services running on the computer. Network Attack Blocker uses signatures and blocks all connections that correspond to the descriptions of known network attacks.
As we mentioned earlier, malware does not necessarily save executable code in the file system in order to infect a computer. For example, malware using a buffer-overrun attack can modify a process already loaded in the memory and thus execute the malicious code. The Network Attack Blocker component is able to prevent infections from spreading this way. That is why it must be enabled, and its settings must be locked.
Network Attack Blocker has a few configurable parameters. If the component is enabled, attacks are blocked automatically. Additionally, Kaspersky Endpoint Security can block any further packets from the attacking computer for some time. The Add the attacking computer to the list of blocked computers option regulates this behavior; by default, it is enabled and blocks computers for 60 minutes. If necessary, a blocked computer can be unblocked manually, but only in the local interface of Kaspersky Endpoint Security.
Sometimes, Network Attack Blocker considers numerous packets sent by surveillance cameras and other similar devices to be an attack, and blocks the packets. To prevent this, add the devices’ addresses to exclusions. Network Attack Blocker will not analyze packets from trusted addresses.
How to unblock a blocked computer
When a client computer blocks another client computer because of a network attack, the administrator can see only an event informing of a network attack in the console. There is no list of blocked computers, or events informing that a computer was blocked and later unblocked. You can find the list of blocked computers in the local interface of Kaspersky Endpoint Security:
1. In the Kaspersky Endpoint Security window, on the Protection and Control tab, right-click the Firewall component and select Network Monitor
2. In the Network Monitor window, open the Blocked computers tab
3. To unblock a computer, select it and click Unblock
To unblock a computer from the Administration Console, restart the Network Attack Blocker component on the computer that blocked the attack:
1. Find the event informing about the attack and check which computer sent the event (not which computer attacked)
2. Find this computer in the console and open its properties
3. Switch to the Tasks section and find the Network Attack Blocker component
4. Stop the component and start it anew (use its shortcut menu or the buttons to the right of the list)
5.5 Network Protection: Summary
At the network level, packets are scanned by the Firewall and Network Attack Blocker components. Network antiviruses (Web Anti-Virus, Mail Anti-Virus and IM Anti-Virus) scan the data at the application level. Firewall protects computer services in public networks, and also does not allow Untrusted and High Restricted programs to use the network. Thus it prevents unknown malware from connecting to its control center. Network Attack Blocker analyzes sequences of packets within allowed connections and blocks known types of attacks. If these components impede a program:
— Make the program trusted for Application Privilege Control. The Firewall uses the same reputations as Application Privilege Control.
— Open the ports and addresses with which the program works using simple packet rules
— Add the application’s address to the exclusions of Network Attack Blocker
Chapter 6. How to Protect a Computer Outside the Network
6.1 Which Local Networks to Trust
The risk of computer infection is lower within a corporate network than outside. Thus, applying different settings to the computers that are taken out of office seems reasonable. Specifically, by default, the policy considers all networks that have addresses 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 to be local and permits access to shared folders, Windows services and RDP within them. However, outside the corporate network, addresses 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 may belong to hotels, bars, airports and other public places. It is dangerous to trust them similarly to local networks. Use a special out-of-office policy to change Kaspersky Endpoint Security settings when a computer is taken outside the corporate network.
6.2 How to Create a Policy for Computers Outside the Office
Out-of-office is the third possible policy status, in addition to the Active and Inactive statuses.
An out-of-office policy may be created for any group. There can be only one out-of-office policy for each version of Kaspersky Endpoint Security in a group. That policy is propagated in exactly the same manner as an active policy. However, while an active policy is enforced immediately, a policy for out-of-office computers starts working only when the computer meets the specified conditions (which will be described later).
If a child group has no out-of-office policy, it will use the out-of-office policy of its parent group. However, if an out-of-office policy exists in both parent and child groups, they are not related in any way. Whichever settings are locked in the parent group policy, they do not restrict the policy of the out-of-office users within the child group. In other words, individual settings of an out-of-office policy are not inherited, unlike those of an active policy, where the locked settings are inherited by the policies of child groups. Out-of-office policies are inherited only completely by those subgroups where an out-of-office policy is not configured.
How to create a policy for computers outside the office
To create an out-of-office policy:
1. Run the New Policy Wizard: select the Policies node or the Policies tab in the administration group and click the button Create a policy
2. Select the Kaspersky Endpoint Security for Windows application
Note: The Out-of-office policy status only exists in the policies of Kaspersky Endpoint Security for Windows. Policies of the Network Agent or, for example, Kaspersky Security for Windows Servers Enterprise Edition do not have such an option.
3. Name the policy comprehensibly
4. Create a policy with the default settings
5. Confirm the default exclusions
6. Accept the KSN agreement
7. Select a group for the policy (if you are creating a policy in a group, this step will not be displayed)
8. Select the policy status: Out-of-office policy
To modify the status of a ready policy, open the General section in its properties.
When computers switch to the out-of-office policy
By default, computers never switch to the out-of-office policy. To make them switch to such a policy, specify conditions in the Network Agent policy using either of the following methods:
1. Select the Switch to out-of-office policy when Administration Server is not available check box. A computer will switch to the out-of-office policy if it is not connected to any network, or if the Network Agent cannot synchronize with the Administration Server three times in a row. In practice, this happens when a computer is disconnected from the corporate network. By default, the synchronization period is 15 minutes. Therefore, a client will switch to the out-of-office mode immediately after being disconnected from the network, or in 30 to 45 minutes if the network has not been disconnected but the Server cannot be reached.
2. Configure conditions for the profile
We recommend that you configure conditions. Conditions can describe more precisely when a computer is located in a corporate network, and when it is not. If there are many computers in the network and the Administration Server is overloaded, some of the computers may fail to connect to the Server at every regular synchronization. It might happen that a computer fails to synchronize three times in a row and switches to the out-of-office policy within the corporate network. Depending on the out-of-office policy settings, such a computer can, for example, block access to its shared folders, which would cause quite a lot of trouble if it happens to a file server or a domain controller. Certainly, if computers cannot synchronize with the Administration Server, it is an issue that must be solved [6]. However, improperly configured conditions of switching to the out-of-office mode may aggravate the issue.
[6] How to correctly scale Kaspersky Security Center in large networks is described in course KL 302.10.
How to set conditions for switching to the Out-Of-Office policy
Instead of using the option Switch to out-of-office policy when Administration Server is not available, configure conditions that precisely describe when a computer is located within the corporate network, and when outside. Conditions switch the connection profile for the Network Agent. See course KL 302.10 for details. To make computers switch to the out-of-office mode, use the built-in <Not connected> profile. There are various conditions in the Network Agent policy. Many of them are simple and clear, for example, subnet address or main gateway address. However, they may fail to unambiguously define the corporate network. Suppose subnet 192.168.0.0/24 is used in the internal network. However, the same network can exist in a hotel, bar or a free hotspot in the street. That is why the conditions by subnet, gateway or DNS server address are insufficiently reliable. You had better use the condition Name resolvability and specify a name that can only be resolved on the internal DNS server of the company. Configure computers to switch to the out-of-office mode when they cannot resolve this name:
1. In the Network Agent policy, in the Network \ Connection section, add a profile switch rule: click the Add button below the lower list
2. Name the rule comprehensibly, for example, “unresolvable”
3. In the Use connection profile drop-down list, select the <Not connected> profile
4. Add a Name resolvability condition
5. Add a name that can only be resolved in the internal network to the list
6. For the Condition is true if parameter, select Does not match any of the values in the list
7. Save the condition, select the check box Rule activated, save the rule and save the policy
6.3 Which Settings Computers Should Use Outside the Office
The default policy assumes that 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8 are local networks, which need fewer restrictions. This may not be a safe assumption out of office. These can be networks in hotels, bars or other public places which cannot be trusted. Make these networks public in the out-of-office policy. Alternatively, if you trust the users, delete all networks from the policy: Firewall will then check the statuses of networks in the operating system, which are specified by the user.
A policy for out-of-office computers must take into account the fact that the host is outside the corporate network and that it is the user who manages Kaspersky Endpoint Security meanwhile. Consequently, the policy must allow the user access to the information about the protection status and to the product management tools. The user should at least be allowed to scan suspicious files/drives and start updates. For this purpose, allow the user to manage group or local tasks, or both. See the previous chapter for details.
To help the users make rational decisions about protection, it is necessary to provide them with more information about incidents. The user should be warned about detected threats, the need for advanced disinfection and about outdated databases:
— Open the list of Kaspersky Endpoint Security events in the policy, in section Reports and Storages
— Select all events that are important for the user in the Notify on screen column
Make Kaspersky Endpoint Security warn the user about the issues that it experiences with a yellow triangle on the application icon in the notification area. Select which issues to inform the user about in the Interface section of the policy.
6.4 Out-of-Office Policies: Summary
When the users work outside the corporate network, they need other settings for Kaspersky Endpoint Security. Kaspersky Security Center has out-of-office policies for this purpose. By default, out-of-office policies are not used. To make them used, configure conditions in the Network Agent policy. Create switch rules for the profile. In the rules, specify the conditions that reliably describe when a computer is located within the corporate network, and when outside. Use the “Name resolvability” and “Availability of SSL connection address” conditions. In the out-of-office policy, strengthen protection settings:
— Configure the Firewall not to trust networks 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/12
Give the users more information and more control over Kaspersky Endpoint Security:
— Inform about threats on the computer screen
— Signal about issues on the icon in the notification area
— Allow the user to start and stop tasks
Chapter 7. What Else Is There in Protection and Why?
7.1 What Self-Defense Does and Why It Is Necessary
What self-defense does
A self-defense technology is implemented within Kaspersky Endpoint Security, which prevents unauthorized product disabling and other attempts to hamper its operation. Self-defense is configured using two options in Advanced Settings \ Application Settings:
— The Enable Self-Defense parameter is responsible for protecting the Kaspersky Endpoint Security processes in the computer system memory, its files on the hard drive and its registry keys
— The Disable external management of the system service option does not permit stopping the Kaspersky Endpoint Security service unless the command is carried out via the product interface
If self-defense is disabled, the computer protection level decreases. By default, both parameters are enabled and locked. It makes sense to disable self-defense only if compatibility problems arise (for example, with remote management utilities, though there are better ways of handling those) or for troubleshooting.
How to manage KES over Remote Desktop
To prevent malware from disabling protection by simulating the user’s commands in the product window, self-defense by default accepts mouse and keyboard events only directly from a device rather than from other processes. Therefore, when the administrator tries to manage Kaspersky Endpoint Security via a remote access program, such as UltraVNC or TeamViewer, self-defense does not permit clicking anything in the Kaspersky Endpoint Security window. If you need to manage Kaspersky Endpoint Security via a remote access program, and self-defense will not allow this, configure an exclusion. Add the executable file of your remote access tool to the list of trusted applications. The process that the administrator starts on his or her computer is not necessarily the same as the process on the remote computer that accepts the connection and provides access to the desktop. Add the process that runs on the remote computer. In the properties of the trusted program, select the check box Do not block interaction with the application interface. Clear the other check boxes. Do not allow programs more than they need for their work.
7.2 How to Protect Kaspersky Endpoint Security from the User
How the user can stop protection
The default settings provide the users with at least two methods to disable the protection:
— Close Kaspersky Endpoint Security (click Exit on the shortcut menu of the product icon in the notification area). This action doesn’t even ask for elevated permissions; any user can do this.
— Uninstall Kaspersky Endpoint Security, which requires administrative permissions. However, some users may have them, especially on laptops.
To prevent the users from weakening or stopping Kaspersky Endpoint Security, configure password protection for the mentioned actions in the policy and make these settings required (close the lock). Though a user with administrator rights has enough power to disrupt the operation of Kaspersky Endpoint Security one way or another, the most direct attempts to do so will be blocked by Kaspersky Endpoint Security self-defense, which doesn’t allow deleting or modifying Kaspersky Endpoint Security files and registry entries, and protects its service and processes in the memory. Together, password protection and self-defense are mostly able to prevent any damage a user might try to inflict on Kaspersky Endpoint Security. However, self-defense is enabled by default, whereas password protection is not.
Another, less evident way of disabling the protection is to uninstall the Network Agent. Some 10 to 20 minutes after the Network Agent is removed, Kaspersky Endpoint Security will no longer be controlled by the policy and the user will be able to change any settings. There is password protection for the Network Agent too, and it is not enabled by default either.
How to enable password protection
Password protection can be enabled for most of the user actions that affect Kaspersky Endpoint Security: editing its settings, exiting, and uninstalling. To enable password protection for Kaspersky Endpoint Security:
1. Open the policy, go to Advanced Settings / Application Settings and click the Settings button in the Password protection area
2. Select the check box Enable password protection
3. Set a username and password
4. Select which operations will prompt the user for a password:
— Configure application settings—protects against any attempts to modify Kaspersky Endpoint Security settings, including the options that enable and disable the components (e.g. File Anti-Virus); but the user will still be able to stop a component via its shortcut menu
— Exit the application—protects the Exit command on the shortcut menu of the product's icon. Meanwhile, self-defense of Kaspersky Endpoint Security will prevent attempts to terminate its processes or delete its files
— Disable protection components—the user can start protection components and local tasks (if they are displayed); the password window appears only if the user attempts to stop them. The update tasks lack this protection
— Disable control components—the password is necessary to disable Device Control, Application Startup Control, or Web Control
— Disable Kaspersky Security Center policy—adds the option to temporarily disable the policy via the shortcut menu of the Kaspersky Endpoint Security icon after entering the password. This capability is useful for local troubleshooting. When a policy is active, the administrator can’t change Kaspersky Endpoint Security parameters to see which component or which particular setting is causing the problem for the user. Moving a problem computer to a special group for diagnostics and then returning it after the problem is solved is an awkward solution, especially if different IT units are responsible for centralized protection management and local diagnostics. The capability to temporarily disable a policy using a special password on a computer helps to carry out diagnostics without changing the settings on the Administration Server.
— Remove key—the user cannot stop protection by deleting the key unless the password is entered
— Remove/Modify/Restore the application—the password prompt is added to the uninstall wizard of Kaspersky Endpoint Security
— Restore access to data on encrypted drives—prevents the user from starting the data recovery tool. It is the administrator’s job to recover data, not the user’s
— View reports—prompts for the password prior to showing events in the local interface of Kaspersky Endpoint Security
The password protects both the graphic interface of Kaspersky Endpoint Security and the command line interface. The advantage of password protection is that it remains active even when the policy is disabled. Once the password protection settings are applied to Kaspersky Endpoint Security, the users will be unable to manage the product without a valid password even if the administrator disables the policy.
Configuring password protection for Network Agent
The Network Agent is less likely to be noticed by the local user than Kaspersky Endpoint Security. The list of installed programs is one of the few places where it can be found. “Kaspersky” in the product name may be sufficient for some users to attempt uninstalling the Network Agent. If a user has administrator privileges, the attempt will succeed. To protect the Network Agent, set an uninstallation password in its policy. The Quick Start wizard creates the Network Agent policy automatically in the Managed computers node. The password for Network Agent uninstallation is to be set in the Settings section. By default, it is not specified. Enable the Use uninstall password option, click the Modify button to enter the password and don’t forget to lock this group of settings. It’s not locked by default, and setting the password while leaving the option ‘unlocked’ has zero effect on the local Network Agent settings. Once the policy is applied, the password prompt is added to the Network Agent uninstallation wizard. An attempt to uninstall the Network Agent using the command line without the password will also fail.
7.3 Which Other Protection Settings Are Available
Kaspersky Endpoint Security policy has more settings than we have described in this chapter.
Actions
For most of the protection components, you can select what to do with malicious files and other threats. By default, all components select the action automatically. This means that they try to disinfect malicious files, and if it is impossible, delete them. The administrator can select to delete all malicious files immediately, or only block them rather than delete. Blocking instead of deleting makes sense only if you are testing something. On the protected computers, use the action that deletes malicious files. We recommend that you leave the default action. Prior to disinfecting or deleting a file, Kaspersky Endpoint Security copies it to the Backup or Quarantine. This is a special folder on the computer where Kaspersky Endpoint Security stores encrypted copies of malware. If Kaspersky Endpoint Security deletes a file mistakenly, the administrator will be able to restore it from the Backup after configuring an exclusion.
Other settings
The settings that we have not mentioned usually should not be changed. They are described in the help system of Kaspersky Endpoint Security. The following table briefly describes some of the settings:
Antivirus protection | General Protection Settings | Objects for detection | Settings
— Viruses and worms (cannot be disabled)
— Trojans (cannot be disabled)
— Malicious tools (enabled)
— Adware (enabled)
— Auto-dialers (enabled)
— Other (disabled)
— Packed files that may cause harm (enabled)
— Multi-packed files (enabled)
Do not change these settings. All these objects at least hamper the user, and may cause significant harm if the worst comes to the worst. If the administrators use testing utilities that the antivirus considers to be malicious, configure exclusions for them instead of disabling detection of the whole category of objects. The Other category includes remote management utilities, such as RAdmin, UltraVNC, DameWare, etc. Criminals may use these legitimate tools for unauthorized access to computers. However, administrators and users may need them for their work. Configure as necessary.
Antivirus protection | General Protection Settings | Action on threat detection
— Select action automatically: Disinfect; Delete if disinfection fails
Do not modify the action settings. Let the components delete all malicious objects. If false positives occur, configure exclusions. Restore erroneously deleted files from the Backup repository after configuring an exclusion.
Advanced Settings | Application Settings | Scan removable drives on connection
— Action when a removable drive is connected: (by default) Do not scan
— Maximum removable drive size: (by default) 4096 MB
Change the action to Quick Scan or Detailed Scan. Although File Anti-Virus scans everything the user starts or copies from a removable drive, it is not recommended to leave passive malicious files on removable drives. The user may, for example, take this drive to a customer and accidentally infect a computer. To save employees’ time and prevent Kaspersky Endpoint Security from scanning large drives, limit the maximum size of the drive to be scanned, for example, to 32 MB.
Advanced Settings | Application Settings | Operating mode | Allow use of local tasks (By default) Is disabled
Do not enable. Local tasks are difficult to manage with the Administration Server and they confuse the administrator. If you need to enable the users to start updates or stop virus scanning, select the check box Allow group tasks to be displayed in this list.
Advanced Settings | Application Settings | Operating mode | Postpone scheduled tasks while running on battery power (By default) Is enabled
Do not disable.
Advanced Settings | Application Settings | Operating mode | Concede resources to other applications (By default) Is enabled
Do not disable.
Advanced Settings | Reports and Storages | Report parameters Store reports no longer than: (by default) 30 days Maximum file size: (by default) 1024 MB
For most companies, event history of 30 days is enough. If you need to store events longer, increase the storage time and maximum file size. Think about sending events to an SIEM system (see course KL 009.10).
Advanced Settings | Reports and Storages | Quarantine and Backup Rescan Quarantine after update: (by default) is enabled Store objects no longer than: (by default) 30 days Maximum storage size: (by default) is not specified
Do not rescan Quarantine after updates. Kaspersky Endpoint Security quarantines nothing but malicious files, which need not be rescanned. If you suspect a file to be malicious, but Kaspersky Endpoint Security does not react to it, send the file to technical support via the companyaccount.kaspersky.com portal.
Advanced Settings | Reports and Storages | Inform Administration Server
— About files in Quarantine
— About files in Backup
— About unprocessed files
— About vulnerabilities found
— About installed devices
— About started applications
— About file encryption errors
Enable the first three lists: they inform about threats and false positives. Disable the vulnerability list, since it duplicates a similar list sent by the Network Agent. Send the lists of devices and encryption errors only if you use Device Control and Encryption. We recommend that you send the list of started applications only from individual computers; do not enable it for the whole network.
Advanced Settings | Reports and Storages | Notifications | Settings
Save in local log
Save in Windows Event Log
Notify on screen
Notify by email
Store all events in the local log. In the Windows Event Log, store at least functional failure events, so that they can be viewed even if Kaspersky Endpoint Security does not work. Notify on screen only about control events: the fewer messages from Kaspersky Endpoint Security the user sees, the better. Do not configure e-mail notifications here. To receive e-mail notifications, enable them in the Event notification section (the second section in the policy).
Advanced Settings | Interface | Interaction with user Display program interface: is enabled by default
Disable if users complain that antivirus hampers them.
KASPERSKY LAB™ KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
Advanced Settings | Interface | Warnings
Unprocessed files
Computer restart required
Problems with antivirus databases
Problems with protection level
Problems with license
Updates available
Disable on the network computers. It is the administrator who needs to be informed about issues rather than the user, and they are to be displayed in the Administration Console rather than in the local interface. Enable in an out-of-office policy to permit the users to take care of protection on notebooks.
Computer protection: summary
All protection components in Kaspersky Endpoint Security either detect and block threats, or decrease the attack surface, meaning that they prevent the user and applications from taking potentially dangerous actions on the computer. Therefore, do not disable protection components. Instead, create exclusions for those programs that are slowed down by the antivirus.

Configure regular virus scanning. First, it detects passive threats. Second, it updates the cache of scanned files, after which File Anti-Virus and other components work faster.

All components work well with the default settings. Usually, these settings can hardly be improved, and should not be changed. However, to better protect computers against ransomware, configure Application Privilege Control to protect documents.

The default settings can be improved for notebooks, which are taken outside the corporate network. Create an out-of-office policy for them.

Finally, protect not only computers from malware, but also Kaspersky Endpoint Security from the user. Configure password protection for Kaspersky Endpoint Security and Network Agent.
Unit III. Endpoint Control

Chapter 1. Overview ........ 4
  1.1 Purpose of Control components ........ 4
  1.2 Licenses and Installation Types ........ 4
  1.3 Installing the Control Components ........ 6
Chapter 2. Application Startup Control ........ 8
  2.1 How Application Startup Control works ........ 8
    Operation Principles ........ 8
    How to Configure Application Startup Control ........ 10
  2.2 How to configure application categories ........ 10
    1. A Category That Is Created and Updated Manually ........ 12
    2. Automatically Filled Folder-Based Category ........ 20
    3. Category Based on a Reference Computer ........ 22
    What you can do with programs and categories after the initial configuration ........ 24
  2.3 How to Create Control Rules ........ 32
    Two control modes ........ 32
    Application startup control rules ........ 32
  2.4 How It Will Work ........ 34
    How to find out what a particular user is prohibited from ........ 34
    Local notifications and complaints ........ 34
    User requests selection ........ 36
    Events ........ 36
    Report on blocked runs ........ 38
  2.5 Default Deny Mode ........ 38
Chapter 3. Device Control ........ 42
  3.1 What Can Be Blocked and How ........ 42
    Additional options ........ 44
    USB flash drive access log ........ 46
    How to specify trusted Wi-Fi networks ........ 46
  3.2 How to specify a trusted device ........ 48
  3.3 How to Configure Interaction with User ........ 50
  3.4 How to configure temporary access ........ 52
    How to send a request ........ 52
    How to create activation code ........ 54
    How to activate temporary access ........ 54
  3.5 Monitoring Device Control ........ 56
Chapter 4. Web Control ........ 58
  4.1 Blocking Criteria ........ 58
  4.2 Configuring Exclusions and Trusted Servers ........ 64
  4.3 Diagnostics and Testing ........ 64
  4.4 Configuring Interaction with User ........ 66
  4.5 Web Control Statistics ........ 68
  4.6 Web Control Report ........ 68
Chapter 1. Overview
1.1 Purpose of Control components
In addition to anti-malware protection, Kaspersky Endpoint Security 10 contains control components that restrict actions harmful to the computers or the company in general. The first is Application Control, which can be used to prohibit computer games, movies, and other activities that have little to do with work. Device Control enables the administrator to bring the use of various devices into conformity with the company policy. In particular, blocking removable drives considerably impedes unauthorized data copying; the prohibition to connect mobile phones and players helps reduce the temptation of listening to and copying music; also, Wi-Fi connections and external network adapters can be blocked.
If network connections are allowed, they can be regulated by Web Control, which allows restricting access to social networks and non-corporate web e-mail, communications with recruiting agencies or browsing job sites.
1.2 Licenses and Installation Types
There are five functional areas in Kaspersky Security Center 10:
— Antivirus protection
— Control components
— Encryption
— Systems management
— Mobile device management
The control components require KESB Select license and are automatically installed if the Standard installation type is selected. (Except for Application Privilege Control, which belongs to the Basic functionality level and requires KESB Core license.) Under KESB Core license, the control components will not work. Licenses and activation are described in more detail in Unit I.
Since control components are not included in the Basic functionality, their settings are not displayed in the Administration Console by default (except for Application Privilege Control, which is always displayed). To be more precise, their settings are not displayed in Kaspersky Endpoint Security 10 policies. To be able to change the settings of the control components within a policy, the corresponding interface elements must be activated in the Administration Console. This is done in the interface settings window: click the Configure functionality displayed in user interface link located in the Administration Server area on the Monitoring page. An alternative method to open this window is to select the Administration Server node on the tree, then on the View system menu, click Configure interface. In the interface settings window, select the Display endpoint control settings check box. To apply these settings, restart the Administration Console.

1.3 Installing the Control Components
To install the control components on the computers, the Standard or Custom installation type must be selected in the properties of the Kaspersky Endpoint Security 10 installation package that will be used for deployment. If only Basic components are installed on the computers, the administrator can upgrade the installation type to Standard using the Change application components task of Kaspersky Endpoint Security 10. This task is designed especially for uninstalling or adding Kaspersky Endpoint Security components without reinstalling the product. The task creates little traffic, as it reuses the .msi package of Kaspersky Endpoint Security that was saved on the client computer during the initial installation (the package can be found in the %ProgramData%\Kaspersky Lab\KES10SP1\Setup folder on the protected computers). In the task properties, you can select either the installation type or the components that you need to be installed, just like in an installation package. However, you cannot select individual components while creating the task in the wizard. To specify the necessary components, complete the task creation wizard and then open the task properties: the choice of components is not limited there.
Chapter 2. Application Startup Control
Application Startup Control allows the administrator to restrict program start on the endpoint. At the same time, Application Startup Control reduces the computer infection risk by decreasing the attack surface.
2.1 How Application Startup Control works
Operation Principles
Application Startup Control allows the administrator to restrict program start on the client computer. Program start permissions are specified in special rules. When a program starts, Application Startup Control checks:
— The category the program belongs to (the categories are configured by the administrator)
— The account under which the program was started
— Whether the KES policy contains any rules that regulate the start of this program category for this account
Then the Application Startup Control operation mode is verified:
1. Black list: everything is allowed by default. Only the programs that belong to categories that the administrator prohibited in the KES policy are blocked. Meaning, if there is no matching block rule, the program will be permitted to start.
2. White list: everything is blocked by default. Only the programs that belong to categories that the administrator allowed in the KES policy are permitted to start. If there is no matching allow rule, the program will be blocked.
The white list mode is used in the Default Deny approach. It is described in the respective section of this chapter, and much more detail is available in a dedicated training course, KL 032.10 Default Deny.
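The decision sequence described above (category membership, account, matching rule, then the mode default) as a small model in Python. This is an added example written for this page, not Kaspersky code: the category, rule and account names are made up, only hash-based category conditions are modelled, and the precedence of an account-specific rule over a rule for everybody is an assumption of this model, not a documented KES behaviour.

```python
"""Added example (not Kaspersky code): a model of how Application Startup
Control decides whether a program may start. Names and hashes are constructed
for the demonstration; the rule-precedence order is this model's assumption.
"""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    BLACK_LIST = "black list"   # everything allowed unless a block rule matches
    WHITE_LIST = "white list"   # everything blocked unless an allow rule matches


class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    NOTIFY = "notify"           # start is permitted, KSC is informed of each start


@dataclass(frozen=True)
class Program:
    path: str
    sha256: str
    account: str                # account under which the start was requested


@dataclass
class Category:
    """A program is a member if it matches an inclusion condition and no
    exclusion. Only hash conditions are modelled here."""
    name: str
    hashes: set = field(default_factory=set)
    exclusions: set = field(default_factory=set)

    def contains(self, program: Program) -> bool:
        return program.sha256 in self.hashes and program.sha256 not in self.exclusions


@dataclass
class Rule:
    category: str
    action: Action
    accounts: set               # account names; "*" stands for everybody


@dataclass
class Verdict:
    allowed: bool
    notify: bool
    reason: str


def _apply(hits):
    """Combine the rules that matched at one precedence level: a block wins."""
    if any(r.action is Action.BLOCK for r in hits):
        return Verdict(False, False, "block rule for " + ", ".join(sorted({r.category for r in hits})))
    return Verdict(True, any(r.action is Action.NOTIFY for r in hits), "allow/notify rule matched")


def evaluate(program, categories, rules, mode):
    """1. find the program's categories; 2. find rules for them that cover the
    account (assumption: a rule naming the account beats a rule for "*");
    3. with no matching rule, fall back to the default of the operation mode."""
    matched = {c.name for c in categories if c.contains(program)}
    specific = [r for r in rules if r.category in matched and program.account in r.accounts]
    general = [r for r in rules if r.category in matched and "*" in r.accounts]
    for hits in (specific, general):
        if hits:
            return _apply(hits)
    if mode is Mode.WHITE_LIST:
        return Verdict(False, False, "no allow rule matched (white list default)")
    return Verdict(True, False, "no block rule matched (black list default)")


# Constructed sample data: hashes are placeholders, not real file hashes.
SKYPE = "a1" * 32
NOTEPAD = "b2" * 32
CATEGORIES = [Category("Third-party messengers", {SKYPE})]
RULES = [
    Rule("Third-party messengers", Action.BLOCK, {"*"}),                # prohibited for everybody
    Rule("Third-party messengers", Action.NOTIFY, {"CORP\\marketer"}),  # marketers may run it, admin is told
]


def demo(mode=Mode.BLACK_LIST):
    """Evaluate a few starts; returns {(path, account): Verdict}."""
    starts = [
        Program("C:\\Program Files\\Skype\\Skype.exe", SKYPE, "CORP\\clerk"),
        Program("C:\\Program Files\\Skype\\Skype.exe", SKYPE, "CORP\\marketer"),
        Program("C:\\Windows\\notepad.exe", NOTEPAD, "CORP\\clerk"),   # in no category
    ]
    return {(p.path, p.account): evaluate(p, CATEGORIES, RULES, mode) for p in starts}


if __name__ == "__main__":
    for mode in Mode:
        print(mode.value)
        for (path, account), v in demo(mode).items():
            print(f"  {account:16} {path:40} allowed={v.allowed} notify={v.notify}")
```

Running the block shows the difference between the modes on the uncategorised notepad.exe: it starts in black list mode and is blocked in white list mode, while the messenger verdicts are the same in both because an explicit rule matched.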
How to Configure Application Startup Control
Configuration takes two stages:
1. Create application categories.
a) Make up the list of categories. For example, Web browsers, Games, Third-party messengers, Allowed programs, etc.
b) Add all programs that we want to control to these categories. How to do it is described in the next section.
Categories are configured once for the whole Administration Server: in the container Advanced / Application management / Application categories.
2. Make up the list of rules. In the KES policy, you can specify what KES is to do with the applications that belong to each application category: allow, block, or just notify KSC about each start.
Note: categories are specified for the whole server, while different rules may be configured for different computer groups. For example, Skype can be prohibited for everybody except individual users; additionally, marketers can be allowed to use it, but every time they start it, the administrator will receive the respective notification.
2.2 How to configure application categories
An application category is a list of conditions and exclusions that allows identifying a program or a group of programs. The list is displayed in the Advanced, Application management, Application categories container and is empty by default. New categories are created using a special wizard. There are three types of categories:
1. Filled manually: their conditions are added and changed only manually. For example, all programs that have "zombies" in their names, or all programs signed with the specified certificate.
2. Filled automatically from a folder: the administrator selects only the directory where executable files of programs belonging to this category are located; the Administration Server checks the contents of this directory on schedule, calculates checksums of the executable files (SHA-256, and MD5 for older KES versions, see below) and updates the list of the category criteria. A network folder where all prohibited or allowed programs are copied may come in handy.
3. Filled automatically from computers: the administrator selects one or several managed computers, and the Administration Server automatically includes executable files found on the computers into the category. Meaning, you can specify a reference computer.
Categories are created on the KSC Administration Server and are transferred to client computers similarly to policies and tasks. You can monitor categories' delivery to computers using the chart in the upper-right corner of the Advanced | Application management | Application categories page.
You can send the complete list and contents of categories every time, or only what has changed. This is configured in the Administration Server properties, in the Application categories section. This transfer option appeared in KSC 10 SP2 MR1 and KES 10 SP2; in earlier versions, the full set of categories is always transferred, even if changes are few and minor. Full transfer is therefore the default: if there are older clients in the network, they cannot receive changes only, and would otherwise receive nothing.
1. A Category That Is Created and Updated Manually
For a manually filled category, conditions for the programs are specified in the list; each condition can contain several parameters. If a program matches at least one condition, it is included in the category. Conditions can be set by various methods, but all of them can be boiled down to six general types:
1. Checksum: the checksum returned by the SHA-256 function, which allows unambiguous identification of the file (the checksums of different files are different). Note: in KES version 10 SP1 MR3 and earlier, an MD5 checksum was used for file identification in Application Control instead of SHA-256. Starting with KES 10 SP2, only SHA-256 is used. If there are various KES versions in the network, select the corresponding check box in the category properties, for example, collect not only SHA-256, but also MD5. Then the same category will be usable for policies configured for different KES versions. On the other hand, if application categories become too large as a result, you can create different categories for different versions of KES.
2. Certificate: another new function, which works only starting with KES 10 SP2.
3. Metadata: file name, its version, name of the program and manufacturer. The version does not have to be specified exactly. You can select all files older or newer than the specified version. Various file characteristics constitute a single condition, rather than several individual conditions. When specifying metadata, you can allow only files signed with a valid certificate, or those for which KSN returns the Trusted verdict.
4. Application folder: the path to the folder that contains program executable files.
5. Device type: a special parameter that allows the administrator to create a separate category for the files started from a removable medium.
6. KL category: application category according to Kaspersky Lab classification, for example, Browsers, Games, Drivers, etc.
From Applications Registry
Most of the available condition adding options boil down to a condition based on SHA-256 (MD5 for old versions of KES) or metadata. For example, the Add button by default opens a window where you can select a program from the applications registry. This registry contains programs installed on the computers, namely, the programs displayed in the Programs and components tool. Network Agents gather names and attributes of these programs and transfer them to the server. The gathered information about the installed programs does not contain data about the program executable files. But it is the data about executables that is necessary to create a condition. That is why the Administration Server compares data about installed programs and data about executable files detected on the computers, and after that creates a condition based on the hash sum of the program executables.
It might happen that a program is considered to be installed by mistake, or a program is installed but started extremely rarely and the data about its executable file is missing on the Administration Server. In this case, a condition for this program may fail to be created. On the other hand, if a program has several executable files, the applications registry simplifies rule creation. The Administration Server automatically adds conditions for all executable files associated with the program. If a program is installed but its executable files haven’t been reported to the Administration Server yet, the administrator may consider running an Inventory task to speed up the process. We will describe inventory tasks in detail later.
From the Executable Files List
The administrator can create a condition based on individual files. The files can be selected using several methods:
— From the executable files list: the list of executable files that have ever been started on the client computers or detected by an Inventory task. This list of files is displayed in the Advanced | Application management | Executable files container.
— From file properties: you can add a checksum or metadata of a local or network file to the condition list.
When selecting a file on the drive, the administrator can specify a simple SHA-256 (MD5) condition for it, or a more flexible condition based on the attributes.

A hash sum unambiguously identifies a file. This condition should be used when exact coincidence is important. For example, hash sums are used in the automatically filled categories described earlier, because it is important to allow starting the exact file versions installed on the reference computer or included in an approved distribution. Any changes made to the file by malware or malevolent users will result in changing the hash sum and blocking the file start. Hash sums are also convenient if it is necessary to prohibit renamed files from starting. Renaming does not influence the hash sum and the blocking rule will still work.

At the same time, you may need to include several application versions in a category. In this case you should create a condition based on file attributes, such as name, manufacturer name, version number. The version number may not only coincide with the specified value, but also be more or less than the specified value, or start from it, etc.; so you will be able to block program versions that are too old, or too new and not yet approved.

Metadata-based conditions implicitly rely on digital signatures. When Kaspersky Endpoint Security checks file metadata to determine if the condition applies, it ignores files without digital signatures (certificates). Unsigned files will never match a metadata-based condition. This applies to many open-source and freeware tools. You may create a condition based on the file name and then be surprised that a file with a matching name is not treated as expected. Most probably, this means that the file has no digital signature.

In general, you should use metadata-based conditions for commercial software that is likely to be digitally signed by the vendor's certificate. To control open-source and freeware programs, use other condition types.
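The behaviour of hash-based and metadata-based conditions on renamed, modified and unsigned files, as an added example for this page (not Kaspersky code). The file records, vendor names and contents are constructed; the `signed` flag stands in for the valid digital signature that KES would verify, and the version comparison operators are this example's own implementation of "equal to, less than, greater than, starts with".

```python
"""Added example (not Kaspersky code): hash vs. metadata conditions on
renamed, patched and unsigned files. All file data below is constructed."""
import hashlib
import operator
from dataclasses import dataclass
from typing import Optional

_VERSION_OPS = {"==": operator.eq, "<": operator.lt, "<=": operator.le,
                ">": operator.gt, ">=": operator.ge}


@dataclass(frozen=True)
class FileInfo:
    """What the category engine sees about one executable."""
    name: str
    content: bytes
    product: Optional[str] = None
    vendor: Optional[str] = None
    version: Optional[str] = None
    signed: bool = False        # True only if a valid digital signature is present

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


def parse_version(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class HashCondition:
    sha256: str

    def matches(self, f: FileInfo) -> bool:
        # Name and location are irrelevant; only the content counts.
        return f.sha256 == self.sha256


@dataclass(frozen=True)
class MetadataCondition:
    name: Optional[str] = None
    vendor: Optional[str] = None
    version: Optional[str] = None
    version_op: str = "=="      # ==, <, <=, >, >= or "startswith"

    def matches(self, f: FileInfo) -> bool:
        # Metadata is only trusted for signed files: an unsigned file never
        # matches a metadata condition, however well its name fits.
        if not f.signed:
            return False
        if self.name is not None and f.name.lower() != self.name.lower():
            return False
        if self.vendor is not None and f.vendor != self.vendor:
            return False
        if self.version is not None:
            if f.version is None:
                return False
            if self.version_op == "startswith":
                return f.version.startswith(self.version)
            return _VERSION_OPS[self.version_op](parse_version(f.version),
                                                 parse_version(self.version))
        return True


def matching_files(condition, files) -> set:
    """Names of the files a condition selects."""
    return {f.name for f in files if condition.matches(f)}


# Constructed sample files; contents, vendors and versions are invented.
ORIGINAL = b"MZ sshclient 2.4.0 build"
FILES = [
    FileInfo("sshclient.exe", ORIGINAL, "SSH Client", "Example Software Ltd", "2.4.0", signed=True),
    # Same bytes under another name: hash unchanged, signature still valid.
    FileInfo("ssh.exe", ORIGINAL, "SSH Client", "Example Software Ltd", "2.4.0", signed=True),
    # One byte patched: hash changes and the signature no longer verifies.
    FileInfo("sshclient_patched.exe", ORIGINAL + b"\x90", "SSH Client", "Example Software Ltd", "2.4.0", signed=False),
    FileInfo("sshclient_new.exe", b"MZ sshclient 2.6.0 build", "SSH Client", "Example Software Ltd", "2.6.0", signed=True),
    # Open-source tool built without a signature.
    FileInfo("tool.exe", b"MZ tool build", "Open Tool", "Open Tool Project", "7.80", signed=False),
]

HASH_RULE = HashCondition(hashlib.sha256(ORIGINAL).hexdigest())
OLD_VERSIONS = MetadataCondition(vendor="Example Software Ltd", version="2.5.0", version_op="<")
TOOL_BY_NAME = MetadataCondition(name="tool.exe")


def demo() -> dict:
    return {
        "hash": matching_files(HASH_RULE, FILES),
        "vendor, version < 2.5.0": matching_files(OLD_VERSIONS, FILES),
        "tool.exe by name": matching_files(TOOL_BY_NAME, FILES),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label}: {sorted(names) or '(nothing)'}")
```

The renamed copy is caught by both conditions, the patched copy by neither (new hash, broken signature), and the unsigned tool is not matched by its own file name, which is the surprise the paragraph above warns about.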
How to add all files from a folder to a category at once
You can select not only a file, but also a whole folder. If a file or several files are located within an MSI package, you can specify this MSI package. The wizard will scan the specified folder or package for executable files and create a condition for each of them. The condition can be created based on the hash sum or on the attributes. These capabilities are similar to creating an automatic category based on a folder; but in an automatically filled category, the Administration Server monitors the changes within the folder and updates the conditions correspondingly. An automatically filled category cannot have conditions other than those retrieved from the files located in the folder.
Use Metadata or Checksum of Files in an MSI If a folder or an MSI package is specified when creating a condition manually, the selected folder or package will be scanned once when creating the category, and later will not be rescanned. The administrator can add any other condition to such a category.
Use KL Categories
The described conditions enable the administrator to allow or prohibit known programs: programs whose hash sum, or attributes, or location on the drive, etc. are known or can be found out. In practice, it is often necessary to prohibit unknown programs, for example, all games, or all browsers except for one, etc. This task is not easy to solve using the described tools. The solution is to use KL categories. These categories define program class or type: e-mail programs, web browsers, development tools, electronic payment systems, etc. 'KL category' means that the programs are categorized by Kaspersky Lab experts.

The program categorization information is a part of the downloadable databases. That is why the Download updates to the repository task must run at least once before you can create conditions based on KL categories. Programs started on each computer are independently scanned for correspondence to the conditions, and if different database versions are used on different computers, Startup Control rules can work to different effects. Also, if the use of KSN is enabled on a computer, it will try to receive the latest data about KL categories in real time. Kaspersky Lab experts, certainly, cannot process and categorize all executable files that exist in the world. All uncategorized files are automatically associated with the Other Software KL category.
Specify the path to the files explicitly
So far, all conditions checked the hash sum or attributes of the files. These conditions were independent of the file location. Copying or moving the executable file would not influence the file start regulations based on these conditions. The following two types of conditions consider only the file location:
1. Application folder: defines the local path to the file. The administrator can, for example, prohibit starting executable files from the desktop or from the whole user's home directory. Alternatively, the administrator can allow starting executable files from the system folders (c:\Windows, c:\Program Files) and prohibit them from all other computer locations. The condition is recursive, meaning that it works for the files in subfolders of the specified folder.
2. Device type: can have only one value, Removable device. Essentially, its purpose is to enable the administrator to prohibit starting programs from removable media.
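A recursive Application folder condition, as an added example for this page (not Kaspersky code). It shows the two checks such a condition needs before it can be trusted in an allow rule: the comparison must be case-insensitive and path-normalised on Windows, and the folder must be matched up to a separator, so that a permitted c:\Windows does not also permit c:\WindowsApps. The path handling is this example's own assumption about sensible behaviour, not a statement of how KES implements the condition.

```python
"""Added example (not Kaspersky code): a recursive folder condition with the
normalisation a Windows path comparison needs. Paths below are constructed."""
import ntpath


def _norm(path: str) -> str:
    # Windows paths are case-insensitive; collapse "..", "/" and trailing "\".
    return ntpath.normpath(path).lower().rstrip("\\")


def in_folder(file_path: str, folder: str) -> bool:
    """True if file_path lies in folder or any of its subfolders."""
    f, d = _norm(file_path), _norm(folder)
    # Require a separator after the folder so C:\Windows does not match
    # C:\WindowsApps\evil.exe (a plain prefix test would).
    return f == d or f.startswith(d + "\\")


# Folders an "allow system folders, block everything else" policy would list.
SYSTEM_FOLDERS = ["C:\\Windows", "C:\\Program Files"]


def folder_verdict(file_path: str, allowed_folders=SYSTEM_FOLDERS) -> bool:
    """White-list style verdict: allowed only if the file lies in a permitted folder."""
    return any(in_folder(file_path, d) for d in allowed_folders)


if __name__ == "__main__":
    for p in ["C:\\Windows\\System32\\cmd.exe", "c:/windows/../users/bob/x.exe",
              "C:\\WindowsApps\\evil.exe", "C:\\Users\\Bob\\Desktop\\run.exe"]:
        print(f"{p:40} allowed={folder_verdict(p)}")
```

The ".." case matters: a path written as c:\windows\..\users\bob\x.exe starts with the permitted folder as a string but resolves outside it, and must be rejected.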
Specify Certificates
A more reliable method than using the file path, but a bit less reliable than SHA-256, is selecting files by certificates. You can select from among the certificates on the Administration Server.
How to specify exclusions from a category If it is necessary to prohibit all programs corresponding to the specified conditions except for one, add an exclusion to the category. Exclusions can use the same types of conditions. The programs that meet at least one exclusion condition will be excluded from the category.
2. Automatically Filled Folder-Based Category
The contents of an automatically filled category are updated when the source folder contents change (executable files are deleted or added). Also, you can make a category update on schedule. If the specified folder contains archives or installation packages (for example, .msi), the Administration Server will automatically unpack them (into a temporary folder) and include in the category data about the executable files within the archive or package. So, if you place a program distribution into the folder, the category will include not only the installation file, but also the program files.

This method of creating a category is useful if the company has a repository of program distributions to be installed on the corporate computers. Start of these programs must be allowed. The administrator may occasionally add programs to the list or replace them with newer versions. To avoid manual updating of the category rules for the allowed distributions, place them into a folder and make the Administration Server automatically monitor the changes and add parameters of the detected files to the dedicated category. Afterwards, the administrator will only have to create one allowing rule for this category in the policy to allow start of all the used programs.

You can also select Include dynamic-link libraries (.DLL) in this category. If this check box is selected, Kaspersky Security Center will calculate checksums of .dll files and add them to the category along with executable files. It makes sense to care about .dll files because Windows allows starting processes from them through the rundll32.exe utility. Generally, some of the processes started from library files may be allowed, while others blocked. In this regard .dll files are similar to script files (.js or .vbs), which are not executable, but are started via the cscript.exe (or wscript.exe) utility, and can also be allowed or blocked.

To include scripts into a category, select the check box Include script data in this category. Similar to other category types, select which hash sums to use. If various KES versions are installed in the network, 10 SP2 and older, you can select both check boxes (SHA-256 and MD5). Then the category will be larger, but will work for all KES versions.
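A model of the folder scan behind an automatically filled category, as an added example for this page (not Kaspersky code). It walks a folder, includes .exe files and, when the corresponding options are set, .dll and .js/.vbs files, records SHA-256 and optionally MD5 for mixed KES versions, and on a rescan reports which hashes enter and leave the category. Unpacking of archives and MSI packages, which the Administration Server does, is not modelled; the folder and its files are created in a temporary directory for the demonstration, and the file-type lists are this example's assumption.

```python
"""Added example (not Kaspersky code): scanning a folder into a category and
diffing two scans. Files are created in a temporary directory for the demo."""
import hashlib
import os
import tempfile
from pathlib import Path

EXECUTABLE = {".exe"}
LIBRARY = {".dll"}            # added when "Include dynamic-link libraries" is set
SCRIPT = {".js", ".vbs"}      # added when "Include script data" is set


def file_hashes(path: Path, with_md5: bool) -> dict:
    data = path.read_bytes()
    hashes = {"sha256": hashlib.sha256(data).hexdigest()}
    if with_md5:                      # only needed for KES 10 SP1 MR3 and earlier
        hashes["md5"] = hashlib.md5(data).hexdigest()
    return hashes


def scan_folder(folder, include_dlls=False, include_scripts=False, with_md5=False) -> dict:
    """Return {relative path: hashes} for every file the category would include."""
    wanted = set(EXECUTABLE)
    if include_dlls:
        wanted |= LIBRARY
    if include_scripts:
        wanted |= SCRIPT
    result = {}
    for p in sorted(Path(folder).rglob("*")):
        if p.is_file() and p.suffix.lower() in wanted:
            result[str(p.relative_to(folder)).replace(os.sep, "/")] = file_hashes(p, with_md5)
    return result


def diff_categories(old: dict, new: dict):
    """What a scheduled rescan adds to and removes from the category.
    A modified file shows up in both: its new hash is added, its old one removed."""
    added = {k: v for k, v in new.items() if old.get(k) != v}
    removed = {k: v for k, v in old.items() if new.get(k) != v}
    return added, removed


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        (root / "tools" / "editor.exe").write_bytes(b"MZ editor 1.0")
        (root / "tools" / "helper.dll").write_bytes(b"MZ helper")
        (root / "logon.vbs").write_bytes(b"WScript.Echo 1")
        (root / "readme.txt").write_bytes(b"not executable")

        exe_only = scan_folder(root)
        full = scan_folder(root, include_dlls=True, include_scripts=True, with_md5=True)

        # The administrator drops in a newer editor and removes the logon script.
        (root / "tools" / "editor.exe").write_bytes(b"MZ editor 1.1")
        (root / "logon.vbs").unlink()
        rescanned = scan_folder(root, include_dlls=True, include_scripts=True, with_md5=True)
        added, removed = diff_categories(full, rescanned)
        return {
            "exe_only": sorted(exe_only),
            "full": sorted(full),
            "has_md5": all("md5" in h for h in full.values()),
            "added": sorted(added),
            "removed": sorted(removed),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the diff is the allow-rule consequence: after the rescan, the old editor binary is no longer in the category, so a copy of it kept elsewhere stops being allowed, exactly as intended for a repository of approved versions.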
3. Category Based on a Reference Computer
In addition to the repository of allowed program distributions, there may be a reference computer in the organization where all the programs used in the company are installed. Such a reference computer is usually necessary for creating images to be deployed on new computers. As a result of such a deployment, the operating system and all programs necessary for work are installed on the computer, and the whole process takes much less time than installing everything from distributions. The administrator periodically upgrades programs on the reference computer and updates the image accordingly.

With this approach, it would only be logical to automatically make all programs installed on the reference computer allowed. For this purpose, it is necessary to scan the computer, add all programs to a category, and then create an allowing rule for it in the policy. This is what a category automatically filled with files from selected computers is designed for.

Sometimes it is necessary to categorize the files found on the reference computer. For example, separate Windows files from Program files. In this case, you can configure a filter based on the folder where a file is located. The category will include only the files that are located in the specified folder of the reference computer.

Unlike folder-based categories, where the changes are monitored by the Administration Server itself, with a computer-based category, the Administration Server relies on the detection of executable files by Kaspersky Endpoint Security. That means that a reference computer must be equipped with Kaspersky Endpoint Security for file detection and with Kaspersky Network Agent for sending the data to the Administration Server. There will be more details on how this works later in this chapter. Similar to a category filled from a folder, the administrator can specify the scanning interval.
The detected files will be added to the category and will later be identifiable by SHA-256 (for the latest versions of KES) or MD5 hash sums (for KES 10 SP1 MR3 and earlier) —depending on the KES version installed on the reference computer. Note: unlike for a folder-based category, here you must select either SHA-256 or MD5 (depending on the KES version installed on the reference computer). Which means that if KES of different versions is installed in the network, you need to use two reference computers for a category
III-23 Unit III. Endpoint Control
III–24
What you can do with programs and categories after the initial configuration

How to find out which KL category a file belongs to

If the administrator wants to know which KL category includes a specific executable file, they can find this information both locally on the computer and in the Administration Console. The local verdicts (which may vary slightly on different computers because of different database versions) are available in the Application Activity Monitor window. Information in the Administration Console can be used for troubleshooting as well as for planning the rules.

The list of executable files is located in the Advanced | Application management | Executable files node. The administrator can view the attributes and KL category of each file. Since there can be a lot of files on the list (reported from all the computers in the network), search and filtering options may help to find the necessary one. The administrator can search for a file using a part of its name, or apply a filter and search by the values of various file attributes.

You can use the list of executable files not only to view KL categories, file attributes and various statistics, such as when the file was first detected on the computers, but also to add the file to an administrator-defined category or exclude it from one. There is a button that adds the file to administrator-defined categories. You can add the file to an existing category or create a new one. When modifying an existing category, you can either add the file to the inclusion conditions or to the exclusions. In all cases, the resulting condition will be based on the file’s MD5 hash sum.
How to add a program to an existing category

If the administrator notices something new when looking through the list of executable files detected on computers connected to KSC, and decides to add the program to a category, he or she does not need to memorize its name and go to the container with program categories. You can simply right-click it and select Add to category. You can add programs to categories and exclusions this way. The program will be added by hash sum or by the certificate with which its executable file is signed.
How to find out which category a file belongs to

There are two handy lists in KSC Administration Console: applications registry and executable files. When you need to do something with a specific program, it is logical to use the list of applications. However, a program may have several executable files. KES can be configured to work with individual executable files as well as with programs.

Via the Applications Registry

Select the necessary program in the registry, open its properties, and go to the list of executable files that correspond to this program. Application categories are filled with executable files.

Via the list of all executable files

The list of executable files that we can see on the KSC Administration Server consists of all executable files detected by KSC and KES on all computers connected to this Administration Server. Meaning, this list can be very long. However, when you know what you are looking for, it is very handy. You can sort it by names, or use filters.
Which other useful information is available about a file

On which computers and when it was detected for the first time (but not how), when it undertook network activity for the first time, and whether it is signed with a certificate.

How to make sure that all files have been collected

Right after the installation, the Executable files container will be almost empty on the Administration Server: it will contain only the names of files that have been detected by the local Network Agent. Gradually, as new clients are connected, new data will be sent to the Administration Server. How to make sure that client computers collect information and send it to the Administration Server?

Note: we recommend that you do not enable sending information about installed applications for all client computers. In some cases, it is especially recommended to disable it: for example, on weak computers, or non-persistent virtual machines.
How to view all executable files found on a computer

There is a list of executable files in the properties of each managed computer. This list is supplemented by:

1. The Inventory task, which scans the client computers’ folders specified in its properties
2. Application Startup Control and Application Privilege Control, which, when enabled, collect information about all executable files started on the client computers

Network Agent also gathers information about software, but only about installed applications, for which it scans the registry. Meaning, the Network Agent does not add data to the list of executable files found on the computer.
Where to enable sending information about found executable files

There are two places to check: make sure that Application Controls transfer data to the server (configured in the KES policy), and that the Inventory task has been created and run. Neither is enabled by default. Information transfer can be enabled in the KES policy: Reports and Storages / Inform Administration Server / Settings / About started applications. This check box enables sending information about running applications, as well as results of the Inventory task. The Inventory task is to be created and started. You can also configure a schedule, but we recommend that you do not do it for all computers: for large drives, if you select to scan the whole drive, it can noticeably affect computer performance.
Inventory task

It is not created by default. Executable files are reported to the Kaspersky Security Center by Kaspersky Endpoint Security via the Network Agent. When a file is launched, either Application Startup Control or Application Privilege Control intercepts the file, collects its data and sends it to the Administration Server. However, some files may start very rarely. It may take a very long time until all executable files are intercepted and reported to the Administration Server. A faster way to detect files is by using an Inventory task. This is a Kaspersky Endpoint Security task, which can be created for both groups and computer selections. With standard settings, the task searches for executable files in the following directories:

— %SystemRoot%
— %ProgramFiles%
— %ProgramFiles(x86)%

The list of folders is configurable. The information about discovered files is sent to the Administration Server and is available in the Advanced | Application management | Executable files container. Unlike the monitoring components, this task can detect executable files within archives and installation packages. Click the Additional button and select the Scan archives and Scan installation packages check boxes.

When executable files are being searched for, their checksums are calculated, which may slow down the computers. To reduce resource consumption, you can use the option to scan only new and changed files. The information about changes is obtained using the iSwift technology and requires almost no calculations. Alternatively, you can schedule the task to run during non-working time, or use the Suspend scheduled scanning when the screensaver is off and the computer is unlocked option.

Note: There are settings in the Kaspersky Endpoint Security policy that control which types of data are sent and which are not. It is critically important that informing the Administration Server about executable files is disabled by default. The settings are located in the Reports and Storages section of the policy. As a result, all lists of executable files will be empty. Even a successful execution of an Inventory task will not change this, unless you enable sending information About started applications in the Kaspersky Endpoint Security policy.
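The following sketch, added here and not part of the course or of Kaspersky's code, models the two collection mechanisms described above: a category filled from a reference computer (files identified by SHA-256 or, for older KES builds, MD5, optionally narrowed to one folder) and an Inventory task that re-hashes only new or changed files. The extension filter, the size-and-mtime cache and the sample file tree are assumptions constructed for the example.

```python
"""Sketch of an automatically filled category built from a reference computer
(section "Category Based on a Reference Computer") or by an Inventory task:
executables under the chosen folders are identified by hash (SHA-256 for
current KES builds, MD5 for KES 10 SP1 MR3 and earlier), a folder condition
narrows the category, and only new or changed files are re-hashed on later
scans, the effect the text attributes to iSwift. Added illustration, not
Kaspersky code; the extension filter, the size-and-mtime cache and the
sample tree are assumptions constructed here."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Tuple

EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".msi"}   # assumption for this sketch
Cache = Dict[str, Tuple[int, int, str]]                 # path -> (size, mtime_ns, digest)


def file_hash(path: Path, algorithm: str) -> str:
    """Hex digest of a file; algorithm is "sha256" or "md5"."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_folders(folders: Iterable[Path], algorithm: str, cache: Cache) -> Tuple[Dict[str, str], int]:
    """Collect the executables under the folders into a {path: digest} category.

    Returns the category and the number of files that actually had to be
    hashed. A file whose size and modification time match its cache entry is
    taken from the cache, which is what keeps a "new and changed files only"
    scan cheap compared with re-hashing a whole drive."""
    category: Dict[str, str] = {}
    hashed = 0
    for folder in folders:
        for path in sorted(Path(folder).rglob("*")):
            if not path.is_file() or path.suffix.lower() not in EXECUTABLE_SUFFIXES:
                continue
            st = path.stat()
            key = str(path)
            entry = cache.get(key)
            if entry and entry[0] == st.st_size and entry[1] == st.st_mtime_ns:
                digest = entry[2]                       # unchanged: no calculation needed
            else:
                digest = file_hash(path, algorithm)
                hashed += 1
                cache[key] = (st.st_size, st.st_mtime_ns, digest)
            category[key] = digest
    return category, hashed


def restrict_to_folder(category: Dict[str, str], folder: Path) -> Dict[str, str]:
    """Folder condition: keep only files located under one folder of the
    reference computer (e.g. to separate Windows files from Program Files)."""
    return {p: d for p, d in category.items() if Path(folder) in Path(p).parents}


def demo() -> dict:
    """Build a constructed reference tree, scan it three times and report what
    was hashed each time: everything, nothing, then only the upgraded file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        windows, programs = root / "Windows", root / "Program Files"
        windows.mkdir()
        (programs / "App").mkdir(parents=True)
        (windows / "notepad.exe").write_bytes(b"constructed notepad")
        (windows / "readme.txt").write_bytes(b"not an executable, ignored")
        app = programs / "App" / "app.exe"
        app.write_bytes(b"constructed app v1")
        cache: Cache = {}
        first, hashed1 = scan_folders([windows, programs], "sha256", cache)
        _, hashed2 = scan_folders([windows, programs], "sha256", cache)
        app.write_bytes(b"constructed app v2, upgraded and larger")   # changed size
        third, hashed3 = scan_folders([windows, programs], "sha256", cache)
        legacy, _ = scan_folders([windows], "md5", {})   # what an older KES would report
        return {
            "hashed_per_scan": (hashed1, hashed2, hashed3),
            "windows_only": [Path(p).name for p in restrict_to_folder(third, windows)],
            "app_hash_changed": first[str(app)] != third[str(app)],
            "sha256_len": len(first[str(app)]),
            "md5_len": len(next(iter(legacy.values()))),
        }


if __name__ == "__main__":
    print(demo())
```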
2.3 How to Create Control Rules
Two control modes

Note that Application Startup Control is disabled by default in Kaspersky Endpoint Security starting with version 10 Service Pack 1. That is one of the reasons why sending the information about executable files is disabled. The first thing the administrator needs to do before configuring rules is to enable the component and select the mode: white list or black list. By default, right after you enable Application Startup Control, the Notify mode will be used. Which is good: it is recommended first to test how everything will work. Instead of real denies, only events will be sent to the Administration Server: Application startup prohibited in test mode or Application startup allowed in test mode. You can generate a report for them. It will include only what would have been blocked if the control operated in the normal mode, either white or black list. The report helps to analyze everything, and make changes prior to enabling Control for real.

There is also the option to Control DLL and modules. If it is enabled, start of DLL libraries and drivers will also be controlled. However, it increases KES overhead, and is recommended to be enabled only if it is really necessary. For example, with rigid Default Deny.
Application startup control rules

There can be as many rules as you wish; prohibition always has a higher priority. The black and white lists have different sets of rules. For example, if you first selected the Black list, added a rule, and then switched to White list, your rule will not be there. Each rule has the following parameters:

— Category—an application category created on the Administration Server beforehand. A policy may contain only one rule for each category
— Users and/or groups that are granted permission—the list of local or domain users and groups who are allowed to start the programs belonging to the selected category. If more than one entity needs to be specified, separate them with a semicolon (;)
There is a related option Deny for other users. When enabled, it automatically denies permission to all unlisted users. All versions of Kaspersky Endpoint Security earlier than 10 Service Pack 1 acted as if this option were always enabled. In version 10 Service Pack 1 this option is configurable and disabled by default. Unlisted users are granted or denied permission based on the rest of the rules
— Users and/or groups that are denied permission—this parameter explicitly defines the list of users and groups who are prohibited from starting the programs
— Trusted updaters—consider all programs of this category to be trusted updaters [3]

Each rule (regardless of the selected mode, white or black list) can be either allowing (Allowed) or prohibiting (Blocked).

[3] This option is described in detail later in this chapter.
Denial has a higher priority than permission. For example, if a rule is configured to allow program start to all users and prohibit it for the user Tom, this user will not be able to start the program according to this rule.

The list of rules is initially empty for the Black list mode; for the White list, it contains two system rules that cannot be deleted:

— Trusted updaters—if this rule is enabled, the applications installed by trusted updaters will not be blocked [4] even if there are no allowing rules for them. It is a special KL category that includes programs that download and install module updates, for example, Adobe Updater, Chrome Component Updater, etc. The rule is enabled by default, meaning, Trusted updaters are allowed.
— Golden Image—contains the executable files necessary for the operating system, as well as executable files supplied with the system (various standard utilities and applications), to prevent KES from accidentally blocking files important for the operating system.

[4] This KL category cannot be selected when configuring program category conditions.
The list lacks the up and down buttons, because the order of rules does not matter. When a program starts on a computer, Kaspersky Endpoint Security analyses all enabled rules together. Different rules regulate start of different application categories; but some programs may belong to several categories at once. If there is at least one rule according to which program start must be prohibited, it will be prohibited regardless of what the other rules say. If a program does not belong to any category, in the black list mode, it will be allowed, and in the white list mode, blocked.
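To make the rule semantics above concrete, here is a small model of the decision, added as an illustration and not taken from the course or from Kaspersky's code. It mirrors the rule parameters from the text (category, granted and denied users, Deny for other users, Allowed or Blocked action), evaluates all rules together so order does not matter, lets a single denial win, and falls back to the mode default for uncategorized files; representing a user as the set of account and group names that match them is an assumption of the model.

```python
"""Model of how Application Startup Control combines its rules, as described in
this section. Added illustration, not Kaspersky code. Rule fields mirror the
rule parameters from the text; a user is represented by the set of subjects
(account plus group names) that match them, an assumption made here."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Set


@dataclass(frozen=True)
class Rule:
    category: str                                       # category created on the Administration Server
    action: str = "Allowed"                             # "Allowed" or "Blocked"
    granted: FrozenSet[str] = frozenset({"Everyone"})   # users/groups granted permission
    denied: FrozenSet[str] = frozenset()                # users/groups denied permission
    deny_for_other_users: bool = False                  # deny everyone not listed in the rule
    enabled: bool = True


# The two system rules the White list mode contains by default (cannot be deleted):
# Trusted updaters (enabled by default) and Golden Image (operating system files).
WHITE_LIST_SYSTEM_RULES = (Rule("Trusted updaters"), Rule("Golden Image"))


def rule_verdict(rule: Rule, subjects: Set[str]) -> Optional[str]:
    """One rule's opinion for a user: "deny", "allow" or None (rule says nothing)."""
    if not rule.enabled:
        return None
    if subjects & rule.denied:                  # denial always beats permission
        return "deny"
    if subjects & rule.granted:                 # listed user: the rule's action applies
        return "allow" if rule.action == "Allowed" else "deny"
    return "deny" if rule.deny_for_other_users else None


def decide(mode: str, rules: Iterable[Rule], file_categories: Set[str],
           subjects: Set[str], test_mode: bool = False) -> str:
    """Return the name of the event KES registers for this start attempt.

    mode is "White list" or "Black list". Rule order is irrelevant: every
    enabled rule whose category contains the file is evaluated, and a single
    "deny" wins over any number of "allow" verdicts. When no rule has an
    opinion the mode decides (black list: allowed, white list: blocked); that
    this default also covers users unlisted by every rule is an assumption."""
    verdicts = {rule_verdict(r, subjects) for r in rules if r.category in file_categories}
    if "deny" in verdicts:
        allowed = False
    elif "allow" in verdicts:
        allowed = True
    else:
        allowed = mode == "Black list"
    if test_mode:                               # Notify mode: events only, no real denies
        return ("Application startup allowed in test mode" if allowed
                else "Application startup prohibited in test mode")
    return "Application startup allowed" if allowed else "Application startup prohibited"


# Constructed sample data: the categories each executable falls into
# (a file may belong to several categories at once).
FILE_CATEGORIES: Dict[str, Set[str]] = {
    "notepad.exe": {"Golden Image"},
    "chrome.exe": {"Browsers"},
    "GoogleUpdate.exe": {"Browsers", "Trusted updaters"},
    "solitaire.exe": {"Games"},
    "unknown_tool.exe": set(),
}
# Constructed white-list policy: browsers only for accountants, never for Tom.
WHITE_LIST_RULES = WHITE_LIST_SYSTEM_RULES + (
    Rule("Browsers", granted=frozenset({"CORP\\Accountants"}), denied=frozenset({"CORP\\Tom"})),
)
# Constructed black-list policy: games are blocked for everyone, anything else runs.
BLACK_LIST_RULES = (Rule("Games", action="Blocked"),)

TOM = {"Everyone", "CORP\\Tom", "CORP\\Accountants"}
ALICE = {"Everyone", "CORP\\Alice", "CORP\\Accountants"}

if __name__ == "__main__":
    for name, cats in FILE_CATEGORIES.items():
        print(f"{name:18} white list, Tom:   {decide('White list', WHITE_LIST_RULES, cats, TOM)}")
        print(f"{name:18} black list, Alice: {decide('Black list', BLACK_LIST_RULES, cats, ALICE)}")
```

Note how GoogleUpdate.exe is prohibited for Tom in the white list even though its Trusted updaters category is allowed: the Browsers rule denies him, and one denial outweighs any permission.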
2.4 How It Will Work
How to find out what a particular user is prohibited from

There is the Statistical analysis button next to the list of startup control rules in the KES policy. It opens a window where you can select a user or a group; in the right pane, the list of prohibited categories and blocked files will be displayed.
Local notifications and complaints

When a program start is blocked on the client computer, Kaspersky Endpoint Security shows a pop-up message notifying that the program was blocked, so that the user is not confused about the reason for the program behavior. If the user needs this program for work, the pop-up notification allows for sending the administrator a request for program start permission. The user should click the Request access link in the notification window and then click the Send button. The text of the pop-up notification, as well as the request to allow a program start, can be modified in the Kaspersky Endpoint Security policy. You can use variables there, which provide information about a specific event, for example, the name of the blocked program, the computer where the event was registered, etc.
User requests selection

The standard User requests event selection contains the Application startup blockage message to administrator events registered over the last 7 days. The Application startup blockage message to administrator event is registered when a user sends a request to allow program start, and contains the request text along with the information about the computer, username and the program in question: complete information necessary for the administrator to make a decision.

It may happen that a user needs a program urgently. That is why, if the administrator rarely opens the User requests selection, it might be worthwhile to configure e-mail notification for the Application startup blockage message to administrator event. This will enable the administrator to process the requests as soon as possible.

It is possible to use the request events to modify application categories. An event contains complete important information about the blocked file, including its SHA-256 (MD5 for older versions of KES). The administrator can use the Add file to category link to immediately add the blocked file to an existing or a new category, either as an inclusion condition or as an exclusion.
Events

Application Startup Control generates five types of events:

— Application startup prohibited
— Application startup blockage message to administrator
— Application startup allowed
— Application startup prohibited in test mode
— Application startup allowed in test mode
By default, all the events except for Application startup allowed are transferred to the Administration Server. If the test mode is used for rules, it might be worthwhile to create a selection for the Application startup prohibited in test mode or Application startup allowed in test mode events,
Report on blocked runs

Based on the Application startup prohibited event, Kaspersky Security Center generates a Report on blocked runs, which shows the distribution of the number of blocked starts on the client computers by applications. Click the program name in the Summary table to open another report in the browser, which contains information about all computers where start of this program was blocked. Starting with KSC version 10 SP2 MR1, you can generate a report on program starts blocked in the test mode. It will contain only events about blocked starts, regardless of the selected mode: black or white list.
2.5 Default Deny Mode

This mode is also named whitelisting. Meaning, there is a white list: everything is prohibited except for “white” known good programs, for which allowing rules are configured. In most cases, this approach is optimal and helps prevent unwanted activity without causing serious inconvenience to the users. However, the security policy may prescribe that all programs are prohibited except for those that are absolutely necessary for work. For example, there can be a policy for using programs on the computers that are used as point-of-sale (POS) terminals. Only special programs must be allowed to start on them, and all unknown programs must be prohibited.

The main difficulty when working in the white list mode (when the start of uncategorized programs is prohibited by default) is operating system malfunction, because the system files that are not explicitly allowed will be blocked along with other programs. That is why there is an allow rule for operating system files in the white list by default.
Various configurations of allowing rules are possible; it will be necessary to create one or several categories for system executable files and configure allowing rules for them using one of the following methods:

— Use a «reference» computer with the operating system and allowed programs installed for creating an automatically filled category
— Use a directory with distributions of allowed programs for creating an automatically filled category

So that the programs for which allowing rules are configured are not blocked after upgrades, use the Trusted updaters standard rule. This rule exists by default in the list and cannot be deleted; but it is disabled by default. When enabled, the programs downloaded and installed by the applications included in the Trusted updaters category will not be blocked even if the corresponding allowing rules are not configured. The administrator can also manually assign the Trusted updaters flag to a category in the properties of an allowing rule.

For more details about configuring KES for Default Deny, refer to course KL 032.10.
Chapter 3. Device Control

The main purpose of Device Control is clear from its name. It enables the administrator to monitor various devices in the corporate network and, if necessary, prohibit using some of them. The most popular use case for this component is blocking USB flash drives. The users can bring infected files on them or, for example, their children’s homework, and end up devoting a workday to it. Accidentally or deliberately, the user can take away files that are of commercial value for the company on a USB drive. Various restrictions help prevent such problems.

The Device Control component in Kaspersky Endpoint Security allows the administrator to enforce the corporate security standards by specifying who can use which devices on the computers, and when. The rules may be applied to removable drives, printers, CD/DVD, non-corporate network connections, Wi-Fi, Bluetooth, etc.
3.1 What Can Be Blocked and How

Almost all peripheral devices can be blocked. They can be blocked by types (removable drives, CD/DVD, Wi-Fi, portable devices (MTP), etc.), or by buses: for example, you can entirely disable all USB devices. Some devices can be allowed, but with limitations: you can explicitly specify the prohibition schedule, restrict only writing operations or make exclusions for some users but not others. You can do that for:

— Hard drives
— Removable drives
— Floppy disks

All other device types you can only disable completely:

— Printers
— CD/DVD drives
— Modems
— Tape devices
— Multifunctional devices
— Smart card readers
— Windows CE USB ActiveSync devices
— Wi-Fi
— Cameras and scanners
— Smart card readers
— Portable devices (MTP)
— Bluetooth
Mobile phones, tablets, players and other portable devices may be treated either as portable devices (MTP) or as removable drives, if connected as external data carriers.
The list omits image-processing devices (in particular, scanners). These can also be prohibited, but only by blocking their connection buses. Kaspersky Endpoint Security allows blocking connected devices by interface type (bus):

— USB
— FireWire
— Infrared
— Serial Port
— Parallel Port
— PCMCIA

The administrator can totally block, for example, all USB devices.

Note: Keyboard and mouse cannot be blocked; they are not subject to Device Control rules. To protect against attacks where an infected USB flash drive pretends to be a keyboard, install and use a special component, BadUSB Attack Prevention.
Rules for devices have a higher priority. If the USB bus is prohibited, but removable drives are allowed, a USB flash drive will work correctly. By default, all devices work in the “Depends on bus” mode, and all buses are allowed.
Additional options

Kaspersky Endpoint Security allows blocking only those types of devices that are included in the list. This list cannot be edited to add new devices. You can partially restrict the use of removable drives, CD/DVD, hard drives, and floppy disks by specifying:

— What can be done. You can select to prohibit only reading or writing
— The list of accounts that are allowed to use the device type. You can select accounts from the domain to which the computer where the Administration Console is started belongs, or among local users if there is no domain. The rule will work on any computer where the policy is enforced. The Everyone universal account is always available
— Operation types and access schedule. You can manage Read and Write permissions separately. The schedule is specified by hours and days of the week. For example, you can allow Read operations for removable drives each working day from 8-00 to 21-00 to Everyone, and Write operations only to the Administrators and only during business hours

If several rules fit a user, the most restrictive of them will be applied. If a device is “allowed”, it means “always allow everyone to perform any operation.” You can combine the rules. For example, prohibit USB devices and removable drives, but make an exclusion for the administrators: allow them to use USB flash drives during business hours.

The changed policy comes into operation as soon as it is enforced. If, for example, removable data carriers are blocked while the user has plugged in a USB flash drive and has copied something there, it will become unavailable as soon as the policy is enforced and the next operation will be blocked.
USB flash drive access log

If USB flash drives are allowed at the company in principle, but the company does not welcome using them, you can configure logging of access to USB flash drives. Then for each of the selected operations the corresponding event, File operation performed, will be sent to the Administration Server. It will specify who (which account) copied or deleted a file. Unlike other events, this event will not be stored locally.

By default, logging access to USB flash drives is disabled. To enable it, click the Logging button. It is available only for removable drives. You can select which operations to log, writing and/or deleting, and file formats:

— Text files
— Video files
— Audio files
— Graphic files
— Executable files
— Office files
— Database files
— Archives
How to specify trusted Wi-Fi networks

Connecting corporate notebooks to public Wi-Fi networks is not always desired. Also, the users may try to access a workstation via a Wi-Fi hotspot configured on a mobile phone, while the corporate policy prohibits this. In the latter case, you can simply block Wi-Fi. However, for notebooks, which the users may take home, it is not the most optimal solution. It will be more logical to prohibit Wi-Fi in general, but allow trusted networks: for example, corporate and home. Trusted networks are specified by name, authentication type, and encryption type.
3.2 How to specify a trusted device

If there are removable drives in the company that must be allowed always and everywhere, it might be worthwhile to make them trusted. Trusted devices are specified in the Kaspersky Endpoint Security policy, in the Device Control | Trusted devices section. Devices can be made trusted by their ID, a mask of ID or by model. When you click the Add button above the list of trusted devices, it expands into a list of three options:

— Devices by ID
— Devices by model
— Devices by ID mask

The first two options allow you to select the device that you want to make trusted, and its ID or model will be added to the list. ‘Select’ means that the Administration Server should have the device in its database. If the Administration Server is unaware of this particular device, you can’t make it trusted.

The Devices by ID mask option allows you to type the device ID or a part of it. This doesn’t rely on the Administration Server’s knowledge of the device, only on the administrator’s knowledge of the device ID. The device ID can be found in the Windows Device Manager in the device properties on the Details tab. Look for the value of the Device Instance Path property. It looks somewhat like USBSTOR\DISK&VEN_&PROD_USB_FLASH_DRIVE&REV_1.01\574B17001160&0

When adding a mask, you can replace a part of the ID with ‘*’ or ‘?’ to make it applicable to multiple devices, e.g., ‘NEC*CDR??’. This helps when a company has a lot of devices with similar IDs that should be trusted. Adding a device by model can also help in this case, if all devices are from the same vendor and of the same type. There is also a Comment field when adding a trusted device, which the administrator can fill in to describe why this trusted device (or group) is added.

To add a device by model or by ID without typing it, connect the device to a managed computer with Kaspersky Endpoint Security installed. The Device Control component must be installed too. Then you need to wait for some time until the information about the device makes it to the Administration Server. To simplify the search for the necessary device, you can choose the device type and also specify the name of the computer where it is or was connected. Then click the Refresh button to display the filtered results.

Before adding the devices, you can also restrict the list of users that will have access to them. You may want to have a trusted device, but you may not necessarily want everybody to have access to it. Perhaps only administrators should be able to use it.
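The following model, added as an illustration and not taken from the course or from Kaspersky's code, ties together the decision order described in 3.1 (device-type rules beating bus rules, per-account Read/Write schedules, "most restrictive rule applies") and the trusted-device matching by ID or ID mask from 3.2. Assumptions made here: a user is the set of account and group names that match them, "most restrictive" is read as "every fitting rule must allow the operation at that moment", an access rule attached to a blocked device type acts as its exclusion, and all sample IDs and the policy are constructed.

```python
"""Model of the Device Control verdict order from sections 3.1 and 3.2:
device-type rules take priority over bus rules, partially restrictable types
carry per-account Read/Write schedules, and trusted devices are matched by
ID or ID mask. Added illustration, not Kaspersky code. Assumptions made
here: a user is the set of subjects that match them; "most restrictive rule"
is read as "every fitting rule must allow the operation at that moment"; an
access rule attached to a blocked device type acts as its exclusion."""
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatchcase
from typing import Dict, FrozenSet, List, Optional, Set

ALLOW, BLOCK, DEPENDS_ON_BUS = "Allow", "Block", "Depends on bus"
ALLOWED_EVENT = "Operation with the device allowed"        # Info severity
PROHIBITED_EVENT = "Operation with the device prohibited"  # Critical severity
NOT_CONTROLLED = {"Keyboard", "Mouse"}                     # never subject to the rules
WORKDAYS = frozenset(range(5))                             # Monday=0 .. Friday=4


@dataclass(frozen=True)
class AccessRule:
    subjects: FrozenSet[str]   # accounts/groups the rule applies to, e.g. {"Everyone"}
    operation: str             # "Read" or "Write"
    days: FrozenSet[int]       # weekdays on which the rule allows access
    hour_from: int             # first allowed hour (inclusive)
    hour_to: int               # last allowed hour (exclusive)

    def fits(self, subjects: Set[str], operation: str) -> bool:
        return self.operation == operation and bool(self.subjects & subjects)

    def allows_at(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.hour_from <= when.hour < self.hour_to


@dataclass(frozen=True)
class TrustedDevice:
    id_mask: str                            # Device Instance Path, or a mask with * and ?
    users: Optional[FrozenSet[str]] = None  # None: everyone may use the device
    comment: str = ""


@dataclass
class DeviceControlPolicy:
    device_types: Dict[str, str] = field(default_factory=dict)   # type -> ALLOW/BLOCK/DEPENDS_ON_BUS
    buses: Dict[str, str] = field(default_factory=dict)          # bus -> ALLOW/BLOCK
    access_rules: Dict[str, List[AccessRule]] = field(default_factory=dict)
    trusted: List[TrustedDevice] = field(default_factory=list)


def decide(policy: DeviceControlPolicy, device_type: str, bus: str, device_id: str,
           operation: str, subjects: Set[str], when: datetime) -> str:
    """Return the event name Device Control would register for this attempt."""
    if device_type in NOT_CONTROLLED:
        return ALLOWED_EVENT
    # Trusted devices are allowed always and everywhere (for their listed users).
    for t in policy.trusted:
        if fnmatchcase(device_id.upper(), t.id_mask.upper()) and (t.users is None or subjects & t.users):
            return ALLOWED_EVENT
    # The device-type state wins; only "Depends on bus" falls through to the bus state.
    state = policy.device_types.get(device_type, DEPENDS_ON_BUS)
    if state == DEPENDS_ON_BUS:
        state = policy.buses.get(bus, ALLOW)   # all buses are allowed by default
    if state == ALLOW:
        return ALLOWED_EVENT                   # "allowed" = everyone, any operation, any time
    # Blocked type: the user gets through only via rules that fit them, and every
    # fitting rule must allow the operation at this moment (most restrictive wins).
    fitting = [r for r in policy.access_rules.get(device_type, []) if r.fits(subjects, operation)]
    if fitting and all(r.allows_at(when) for r in fitting):
        return ALLOWED_EVENT
    return PROHIBITED_EVENT


# Constructed sample policy: USB bus blocked; removable drives blocked except Read for
# everyone on working days 8:00-21:00 and Write for administrators during business
# hours; CD/DVD allowed outright; one family of corporate drives trusted by ID mask.
EXAMPLE_POLICY = DeviceControlPolicy(
    device_types={"Removable drives": BLOCK, "CD/DVD drives": ALLOW, "Printers": DEPENDS_ON_BUS},
    buses={"USB": BLOCK},
    access_rules={"Removable drives": [
        AccessRule(frozenset({"Everyone"}), "Read", WORKDAYS, 8, 21),
        AccessRule(frozenset({"Administrators"}), "Write", WORKDAYS, 9, 18),
    ]},
    trusted=[TrustedDevice(r"USBSTOR\DISK&VEN_CORP&PROD_ENCRYPTED*", comment="constructed corporate drives")],
)
TOM = {"Everyone", r"CORP\Tom"}
ADMIN = {"Everyone", "Administrators", r"CORP\Admin"}
SAMPLE_ID = r"USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER&REV_1.00\ABC123&0"    # constructed
TRUSTED_ID = r"USBSTOR\DISK&VEN_CORP&PROD_ENCRYPTED&REV_2.0\000042&0"   # constructed
MONDAY_10, MONDAY_20 = datetime(2024, 1, 8, 10, 0), datetime(2024, 1, 8, 20, 0)
SATURDAY_10 = datetime(2024, 1, 13, 10, 0)

if __name__ == "__main__":
    print("Tom reads a flash drive on Monday 10:00:",
          decide(EXAMPLE_POLICY, "Removable drives", "USB", SAMPLE_ID, "Read", TOM, MONDAY_10))
    print("Tom writes to it on Monday 10:00:       ",
          decide(EXAMPLE_POLICY, "Removable drives", "USB", SAMPLE_ID, "Write", TOM, MONDAY_10))
```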
3.3 How to Configure Interaction with User

When the user attempts to connect a blocked device, a pop-up notification is displayed. If notifications are disabled, the user might think that there is a hardware problem, contact the technical support, or even worse, try to “fix” it without assistance. The administrator can modify the notification text, for example, add the contact information of the person responsible for device access. To open the notification template, click the Templates button in the Device Control section of the Kaspersky Endpoint Security policy. You can use variables in the notification text, for example, the name of the device or the blocked operation.

If the pop-up notification about blocking is enabled, it contains the Request access link, which can be neither disabled nor hidden. If the user sends a request, it will be sent to the server as an event having the Warning severity level. Similar to the other control components, requests are displayed in a special selection named User requests. The administrator does not have to react to a request; but if they want to, they can, for example, configure the corresponding e-mail notifications in the KES policy.
3.4 How to configure temporary access

Kaspersky Endpoint Security enables users to request temporary access to blocked devices. The procedure is as follows:

1. The user finds out that the necessary device is blocked
3. Generates a request key for it in the Kaspersky Endpoint Security local interface
4. E-mails the key to the administrator
5. The administrator examines the request, and in the case of an affirmative answer, creates and sends the user a special access code
6. The user activates the received code. After this, the selected device (and only that device) becomes accessible for the time span specified by the administrator. The user cannot pause temporary access to use it later; and the administrator cannot remotely revoke temporary access
It goes without saying that many users may believe that their devices are blocked by mistake, and will ask the administrator for temporary access. To avoid numerous requests, you can disable this capability: in the Kaspersky Endpoint Security policy, on the Device Control tab, clear the Allow request for temporary access check box.
How to send a request

The user opens the Kaspersky Endpoint Security interface on the Protection and Control tab, and on the shortcut menu of Device Control clicks Access to device. A window opens with the list of devices ever connected to the computer, including those blocked. Find the device for which access is necessary, select it and click Get access code. So as not to make a mistake when selecting the device, switch the device representation mode from For the entire runtime to Currently.

Note: If the administrator prohibits requesting temporary access, the button appears dimmed.
The only configurable parameter is the desirable access duration (24 hours by default). The value entered by the user is only a wish. The administrator can either use the offered value or change it when generating the access code. The user is to send the generated .akey file to the administrator.
How to create an activation code

Temporary access is granted to a specific user for the specified device on the specified computer. That is why the code is generated using the client computer’s shortcut menu, neither in the policy nor in the group properties. A client computer can be conveniently found in the Administration Console by the Search utility. Then the administrator should open its shortcut menu and select the Grant access to devices and data in offline mode command. In the window that opens, switch to the Device Control tab and click the Browse button to select the received .akey file.
The Administration Server checks the file integrity and whether it belongs to the selected computer, and then displays the request. If necessary, the administrator can change the access duration and activation window. Neither period can be less than an hour or more than 999 hours. The default value for both is 24 hours. Then the administrator is to save the generated code into an .acode file and send it back to the user.
So, the code is generated for the exact device and the computer where the user generated the key. Any other devices will still be blocked; also, the device for which the access was granted will be blocked on other computers. The code is also bound to the username. Another user will not be able to access the same device on the same computer using this access code. If temporary access is activated by the user who requested it and another user logs on to the computer during the allowed period, they will not be able to use the device.
How to activate temporary access
In the same window where the request key was generated, the user clicks the Activate access code button, and specifies the received .acode file. The device can be used immediately. Neither restart, nor synchronization with the Administration Server is necessary. The code must be activated before the specified activation window expires, and the access duration countdown starts at the moment of activation. The device may be connected at any time (or even several times) during this period, or not connected at all. The access countdown cannot be paused. When temporary access is activated, a notification is sent to the Administration Server, but it is not included either in the selection of user requests, or in the report on Device Control events.
3.5 Monitoring Device Control
Every time a user attempts to connect a blocked device, an event is sent to the Administration Server. It contains the time, the name of the computer where the attempt was registered, the bus or type of the device, its ID, the operation and the account that initiated it. The event is named Operation with the device prohibited; it is Critical and is displayed in the selection of Critical events. If necessary, the administrator can make a separate selection for blocked device access attempts.
The Operation with the device allowed event, having the Info severity, is sent if a non-prohibited device is connected. The number of such events shows the use frequency of USB flash drives, local printers, scanners, removable drives, etc. All events, including complaints, are stored on the server for 30 days by default.
The Report on Device Control events provides the general view of Device Control work. It displays a chart with the distribution of its responses by user names. By default, the report includes all actions: device connecting, disconnecting and blocking. To generate a report about device blocking only, leave only the Connection is blocked check box selected in the Settings section of the report properties.
If necessary, the administrator can configure receiving daily e-mail statistics about who tried to connect, for example, USB flash drives, and when. The Deliver reports task serves this purpose; it is described in Unit IV, Maintenance.
Chapter 4. Web Control
The task of Web Control is to filter Internet access according to the internal policy of the organization. Usually it is used to block social networks, music, video, non-corporate web e-mail, etc. during business hours. If a user tries to open such a site, either a notification that the access is blocked or a warning about an unwelcome site can be displayed, depending on the settings in the policy.
Web Control operates similarly to firewalls. The administrator creates a set of blocking and allowing rules. The rule properties include the user accounts, schedule, connection and content-specific conditions, and the action. The rules are applied in the order specified by the administrator, and a page is processed according to the first applicable rule. The Default rule that allows everything to everyone takes the last place on the list and acts as a ‘catch all’ rule. Only HTTP and HTTPS traffic is scanned.
4.1 Blocking Criteria
First, access can be denied or allowed by site address. The administrator can explicitly specify the URLs to be blocked, or use the * wildcard to block sites by address masks, for example, *.fm or *shop*. Kaspersky Endpoint Security can also analyze webpage content (over HTTP) and classify pages into the following categories:
— Online stores, banks, payment systems: Shops and auctions; Banks; Payment systems
— Internet communication: Web-based email; Social networks; Chats and forums; Blogs; Dating sites
— Religions, religious associations
— Job search
— Weapons, explosives, pyrotechnics
— News media
— Software, audio, video: Torrents; File sharing; Audio and video
— Anonymizers
— Banners
— Profanity, obscenity
— Violence
— Computer games
— Adult content
— Alcohol, tobacco, narcotics
— Gambling, lotteries, sweepstakes
The content can also be categorized by data types:
— Video
— Sound
— Office files
— Executable files
— Archives
— Graphic files
As far as secure connections (HTTPS) are concerned, Kaspersky Endpoint Security has no access to the traffic contents. Therefore, HTTPS traffic is filtered only by addresses. For example, if social networks are blocked, https://facebook.com will also be blocked, as this address is included in the signature databases as pertaining to social networks.
The administrator can restrict access to any category or data type, but cannot edit or add the lists of categories and data types. Filtering by category and data type can be combined within a rule: for example, you can block office files and archives received by web mail. Sites are categorized using the database of known addresses (pc*.dat files in the updates folder), and heuristic analysis of page content (for non-secure connections only). URL reputation can also be requested from Kaspersky Security Network.
Data types are hard-coded in Kaspersky Endpoint Security and include the following file types (category: category contents):

Executable files
— Win32 PE: exe, dll, ocx, scr, drv, vdx, and other extensions of Win32 PE files
— Visual Basic Script: vbs, vb
— Executable files (not PE) MS-DOS, Win-16, OS/2: exe, dll, com
— Command Line Script: cmd, bat
— Microsoft Installer Archive: msi
— PowerShell scripts

Video
— Adobe Flash Video: flv, f4v
— Audio/Video Interleave: avi
— MPEG4 ISO format: 3gp, 3g2, 3gp2, 3p2
— MPEG4: divx, mp4, m4a
— Matroska: mkv
— Apple Quicktime: mov, qt
— Microsoft Container: asf, wma, wmv
— RealMedia CB/VB: rm, rmvb
— MPEG2 (DVD) format: vob
— VCD (MPEG 1): dat, mpg
— Bink Video: bik

Sound
— MPEG-1 Layer 3: mp3
— Lossless Audio: flac, ape
— OGG Vorbis Audio: ogg
— Advanced Audio Coding: aac
— Windows Media Audio: wma
— AC3 multichannel audio: ac3
— Microsoft Wave: wav
— Matroska Audio: mka
— RealAudio: rm, ra, ravb
— MIDI: mid, midi
— CD digital Audio: cdr, cda

Office files
— Open XML documents: docx, xlsx, pptx, dotx, potx, and others
— Office 2007 macro enabled docs: docm, xlsm, pptm, dotm
— MS Office documents: doc, xls, ppt, dot, pot
— Adobe Acrobat: pdf

Archives
— ZIP archive: zip, g-zip
— 7-zip archive: 7z, 7-z
— RAR archive: rar
— ISO-9660 CD Disk: iso
— Windows Cabinet: cab
— Java (ZIP) archive: jar
— BZIP2 archive: bzip2, bz

Graphic files
— JPEG/JFIF: jpg, jpe, jpeg, jff
— GIF: gif
— Portable Graphics: png
— Windows Bitmap (DIB): bmp
— Targa Image File Format: tif, tiff
— Windows Meta-File: emf, wmf
— Post-Script Format: eps
— Adobe Photoshop: psd
— Corel Draw: cdr
Let’s mention some specifics of Kaspersky Endpoint Security types and categories:
— The type is defined by the file format. Therefore, this does not work for secure connections; but it is possible to use the address filter to block files by extension. For example, to block .key files, specify the *.key mask.
— Data types inside archives are not checked: if executable files are prohibited while archives are not, archived executable files will be allowed.
— PDF documents are included in the Office files category. Therefore, if this category is blocked, some sites that use PDF may display incorrectly.
— In old versions of Kaspersky Anti-Virus (6.0.x), Anti-Banner was implemented as a separate component. In Kaspersky Endpoint Security, you can block banners with the corresponding content category in Web Control.
— Flash videos in SWF format can be blocked only by an extension mask, usually *.swf.
The rules may be applied depending on the account and access time.
4.2 Configuring Exclusions and Trusted Servers
Sometimes a site can be blocked by mistake. For example, a corporate portal can be recognized as a social network, or online training courses can be blocked because of video files. In this case, it is easier to create an allowing rule instead of creating a separate group with a special policy. You can configure an allow rule giving access to some categories or data types located on the specified servers. To have such a rule applied before the blocking rules, place it higher on the list.
In extreme cases, the organization policy can prohibit the Internet during business hours and allow only the corporate site, with an exclusion only for the IT department. In this case, the administrator creates the general rule: during business hours, deny everything to everybody. Then they add two allowing rules above it: the first allowing any content to the accounts of IT department employees, and the second allowing everybody to access the corporate site.
By default, in addition to the universal rule allowing everything to everybody, there is another rule in Web Control, Scripts and Stylesheets, which explicitly allows files with .css, .js, and .vbs extensions. Usually these files contain style sheets, JavaScript and VBScript code saved as separate files. This rule is necessary because such files are sometimes located on separate servers and their URLs differ from the main site address. If a site is allowed while its scripts and style sheets are blocked, it will be displayed incorrectly. To avoid this, keep the rule allowing .css, .js, and .vbs higher than the prohibiting rules.
4.3 Diagnostics and Testing
When there are many rules, it is sometimes difficult to monitor which of them were applied and why. For this purpose, Kaspersky Endpoint Security has an offline diagnostics tool for Web Control. To use it, first enforce the policy on a workstation, and then open the local Kaspersky Endpoint Security interface on that workstation. Then switch to the Settings tab, select Web Control, and click the Diagnostics button. It opens a window where you can specify the conditions of a presumed request:
— Select categories
— Select data types
— Specify day and time
— Select accounts
— Type the site address (the * wildcard is allowed)
and get the Web Control verdict with the list of rules applicable to these conditions. For example, the administrator can check whether access to an employee’s personal home mail server is blocked by the rule that blocks web mail. On the other hand, if users complain that they cannot access an allowed site, you can find out which rule causes the problem.
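The rule evaluation described in 4.1 to 4.3, as an added model that is not Kaspersky code: an ordered rule list where the first applicable rule decides, the Default catch-all rule at the end, * address masks, the business-hours scenario of 4.2 with the Scripts and Stylesheets rule placed above the blocking rules, and a diagnose() function that, like the Diagnostics window, returns the verdict together with every rule applicable to the presumed request. Rule names, accounts and site addresses are constructed for the illustration; how a mask is tried against the host and against host+path is an assumption of this model, not documented product behaviour.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, List, Optional, Tuple

ALLOW, BLOCK, WARN = "allow", "block", "warn"


@dataclass
class Request:
    """A presumed request, as entered in the Web Control diagnostics window."""
    url: str                                  # address, scheme included
    account: str
    when: datetime
    categories: FrozenSet[str] = frozenset()  # from the URL database; known for HTTPS too
    data_type: Optional[str] = None           # detected from page content; None over HTTPS


@dataclass
class Rule:
    name: str
    action: str
    accounts: Optional[FrozenSet[str]] = None     # None: everybody
    weekdays: Optional[FrozenSet[int]] = None     # 0 = Monday .. 6 = Sunday; None: any day
    hours: Optional[Tuple[int, int]] = None       # [start, end) hour of day; None: any time
    url_masks: Tuple[str, ...] = ()               # * wildcard; empty: any address
    categories: Optional[FrozenSet[str]] = None   # None: any category
    data_types: Optional[FrozenSet[str]] = None   # None: any data type

    def matches(self, r: Request) -> bool:
        if self.accounts is not None and r.account not in self.accounts:
            return False
        if self.weekdays is not None and r.when.weekday() not in self.weekdays:
            return False
        if self.hours is not None and not self.hours[0] <= r.when.hour < self.hours[1]:
            return False
        if self.url_masks and not any(mask_matches(m, r.url) for m in self.url_masks):
            return False
        if self.categories is not None and not self.categories & r.categories:
            return False
        if self.data_types is not None and r.data_type not in self.data_types:
            return False  # also rejects HTTPS requests, whose content type is unknown
        return True


def mask_matches(mask: str, url: str) -> bool:
    """Match a * mask against the address without the scheme (model assumption:
    the mask is tried against the host alone and against host+path, so *.fm
    covers any page on a .fm host while *.amazon.com/* needs a path)."""
    addr = re.sub(r"^[a-z]+://", "", url, flags=re.IGNORECASE).lower()
    host = addr.split("/", 1)[0]
    pattern = ".*".join(re.escape(part) for part in mask.lower().split("*"))
    return any(re.fullmatch(pattern, s) for s in (host, addr))


def diagnose(rules: List[Rule], r: Request) -> Tuple[str, List[str]]:
    """Verdict of the first applicable rule, plus the names of all applicable rules."""
    applicable = [rule for rule in rules if rule.matches(r)]
    verdict = applicable[0].action if applicable else ALLOW  # Default rule normally catches all
    return verdict, [rule.name for rule in applicable]


# Constructed policy for the scenario of 4.2: business hours are Mon-Fri, 9:00-18:00.
BUSINESS_HOURS = dict(weekdays=frozenset(range(5)), hours=(9, 18))


def office_policy() -> List[Rule]:
    """Ordered rule list; hypothetical accounts and addresses."""
    return [
        Rule("Scripts and Stylesheets", ALLOW, url_masks=("*.css", "*.js", "*.vbs")),
        Rule("IT department", ALLOW, accounts=frozenset({"CORP\\it.admin"})),
        Rule("Corporate site", ALLOW, url_masks=("*.corp.example", "*.corp.example/*")),
        Rule("Web mail during business hours", WARN,
             categories=frozenset({"Web-based email"}), **BUSINESS_HOURS),
        Rule("Everything during business hours", BLOCK, **BUSINESS_HOURS),
        Rule("Default", ALLOW),
    ]


if __name__ == "__main__":
    monday = datetime(2024, 3, 4, 10, 0)  # constructed timestamp inside business hours
    for req in (
        Request("https://facebook.com", "CORP\\user", monday, frozenset({"Social networks"})),
        Request("http://cdn.example/site.js", "CORP\\user", monday),
        Request("https://facebook.com", "CORP\\it.admin", monday),
    ):
        print(req.url, req.account, diagnose(office_policy(), req))
```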
4.4 Configuring Interaction with User
If Web Control blocks a part of page contents, the user may overlook it. If the page is completely forbidden, a replacement page with the Web Control message is displayed: either a warning that access is undesired, or a message about blocking.
If the site is just undesirable (a Warning rule has been triggered), the user can proceed to the page by clicking one of the links in the warning message: the link to the specific page that was requested, the link that enables access to all pages on the web site, or the link that enables access to all pages on the web site and its sub sites (e.g. access to *.amazon.com/* as opposed to www.amazon.com/*). If the site is blocked, there are no links to proceed; access is completely denied.
Notifications are displayed only for non-secure connections. If the HTTPS protocol is used to open a web site, in both cases the user will see only the browser message about its inability to display the page.
There is also a Request access link in all types of messages to disagree with the policy and request a policy change to be able to access the blocked web site freely. Requests are sent to the Administration Server as events and fall into the User requests selection. You can edit both warning and blocking notifications, as well as the request template: in the Kaspersky Endpoint Security policy, switch to the Web Console section and click the Templates button.
4.5 Web Control Statistics
When Web Control blocks access or warns that the access is unwanted, it simultaneously sends the corresponding event to the Administration Server: Access blocked with Critical severity, or Warning about unwanted content with Warning severity, respectively. In both cases, an event contains the access time, site URL, applied rule, computer name, user account and Web Control verdict. If the rule was created for a category or data type, they are also specified.
Note: Web Control independently processes each object of which the site consists. That is why, for example, when graphic files are prohibited, blockage of each little image generates a separate event. Therefore, an attempt to access a forbidden site can result in sending hundreds of events, which does not necessarily signify that the user browses the Internet day and night. That is why these events are not transferred to the Administration Server by default.
If a user ignores the warning about undesired access and opens the site, the Access to unwanted content successfully attempted after warning event having the Warning severity is sent to the server.
4.6 Web Control Report
For regular control and general information, a report can be used. It provides aggregate statistics on the number of warnings and blockages for each rule. Allowing rules are not included.
IV-1 Unit IV. Maintenance
Unit IV. Maintenance
Chapter 1. How to Maintain Protection ... 3
Chapter 2. What to Do Daily ... 5
2.1 How to Create a Custom Dashboard ... 6
  How to answer all questions at a glance ... 6
  How to create a custom dashboard ... 7
2.2 How to email reports ... 8
  Which reports to email ... 9
  How to create a custom report ... 10
2.3 How to email notifications ... 11
  Where to enable notifications ... 11
  Where to modify the addressee and the mail server ... 13
  About which events you need to know ... 14
Chapter 3. What to Do If Something Has Happened ... 15
3.1 What to do with malware ... 15
  Where to learn about threats ... 16
  How to find computers with threats ... 17
  How to understand what has happened to the threats ... 18
  How to find computers with non-disinfected viruses ... 19
  How to scan critical areas ... 20
  How to isolate a computer and eliminate an active infection ... 21
  How to reset virus counter ... 22
3.2 What to do if Kaspersky Endpoint Security does not work ... 23
  Where to find out that Kaspersky Endpoint Security does not work ... 24
  How to understand whether a computer is under a policy ... 25
  How to start protection remotely ... 26
3.3 What to Do If Databases Are Outdated ... 27
  Where to find out that databases are out of date ... 28
  How to find out whether a computer has an update task ... 29
  How to find out whether the Server has an update task ... 32
  Where to specify proxy server parameters ... 33
  How not to assign Update Agents automatically ... 34
  How to check whether KSN is used ... 35
3.4 How to Check the Client-Server Connection ... 36
  How to distinguish powered-off computers ... 36
  What to do if a computer has not connected for a long time ... 37
  How to make a computer connect to the Server ... 38
  How to reconnect a computer to the Server ... 39
3.5 How to Contact Technical Support ... 40
  When and how to contact technical support ... 40
  How to remotely collect Windows and GetSystemInfo logs ... 41
  How to remotely collect trace logs ... 42
  How to collect logs locally ... 43
  How to send a request to technical support ... 44
Chapter 4. What to Do from Time to Time ... 45
4.1 How to Install Program Updates ... 45
  Program update types ... 45
  Where to find out that an update has been issued ... 46
  How to install only approved updates ... 47
  How to find out that a new version has been released ... 49
4.2 How to Renew a License ... 51
  When to renew a license ... 51
  How to find out that the license expires ... 52
  How to find out that the number of activations is exceeded ... 53
  How to switch over to a new license ... 54
  How to replace the active license ... 56
4.3 How to Configure Backup ... 57
  Why back up? ... 57
  How to configure backup ... 58
  How to restore from a backup ... 59
  How and why maintain the database ... 60
4.4 Maintenance: Summary ... 61
Chapter 1. How to Maintain Protection
After you have installed Kaspersky Endpoint Security and Network Agent on the computers, created the necessary policies and tasks, and configured them as necessary, you need to monitor the system to make sure protection works, and react to incidents. To keep protection working, you have to do various things: some of them often, others more rarely. Most of the actions are obvious, but we will describe them anyway, just in case.
What to Do Daily
Check the most important things.

What to check: There are no unprocessed threats on the computers.
Why so often: You install protection to repel threats. Kaspersky Endpoint Security blocks most of them automatically. But if protection cannot cope with a threat, you should be informed about this as soon as possible and neutralize it manually. The longer a threat is active, the more harm it does. This is obvious enough.

What to check: Protection is installed and works on the computers.
Why so often: If protection does not work, you do not know whether there is malware on the computer. And the longer protection does not work, the more chances that malware infects the computer.
What to do weekly
Solve issues that affect protection. If time permits, do it daily; otherwise, solve secondary issues weekly.

What to check: The computers have the latest signature databases.
Why so often: Almost all protection components use signatures to detect malware. If signatures are old, Kaspersky Endpoint Security will not be able to detect new viruses. The older the signatures, the greater the risk. If signatures are 2 days old, it is bad, but not critical. If they are 2 months old, it is almost as dangerous as if protection were not running at all.

What to check: Protection uses Kaspersky Security Network.
Why so often: Kaspersky Security Network informs about known malicious files and helps to detect them even if signatures are obsolete. Moreover, Kaspersky Security Network informs about new malicious files earlier than signatures are issued for them. Without Kaspersky Security Network, protection works less well, but it still works and protects against most of the threats.
What to do monthly
Perform predictive maintenance on the Administration Server.

What to check: Make sure that you can recover the Server from a backup copy.
Why so often: You spent quite a lot of time installing protection. If you lose the Administration Server because of a hardware failure, you will have to spend almost as much time to install and configure protection anew. Backup copying can prevent this. The crucial point about backup copying is not to make a copy, but to make sure that you will be able to restore from it. Spend half an hour per month on maintenance to make sure that you do not find yourself in a critical situation with a misconfigured backup from which you cannot restore data.

What to check: Optimize the Administration Server database.
Why so often: If the database is not optimized, eventually it grows in size and becomes fragmented. You will have to spend more time generating reports or displaying a computer selection, especially in a large network or if the resources are scarce on the Administration Server (to be more precise, on the database server, but it is often the same computer).
What to do quarterly
Install updates and patches.

What to check: Whether there are any updates or patches for Kaspersky Lab products.
Why so often: Kaspersky Security Center patches and Kaspersky Endpoint Security maintenance releases are issued approximately once every quarter or two. They correct errors, improve performance and sometimes add new functions that are important for protection. You do not need to put much effort into installing patches, but do not forget to test them beforehand.
What to do yearly
Renew the license and install new versions.

What to check: The license has not expired and the node limitation has not been exceeded.
Why so often: Commercial licenses are usually valid for 1 year (sometimes 2 or 3 years, but rarely). Without a license, protection keeps working, but the update task stops downloading signatures and Kaspersky Endpoint Security stops using KSN. Eventually, protection suffers.

What to check: Whether there are any new versions of Kaspersky Lab products.
Why so often: New versions or service packs are issued once every year or two. They correct errors, improve performance, and also change settings and products’ operation logic. New technologies, components, interception methods, etc. appear in new versions or service packs. If an old version is not updated for too long, it will not be able to counter the latest threats even with up-to-date signatures and KSN. A few years after release, a version’s support ends.
Chapter 2. What to Do Daily
During a daily inspection:
1. Find out which threats Kaspersky Endpoint Security has detected since your last inspection. If you perform inspection daily, you are interested in threats over the last 24 hours.
2. Check whether Kaspersky Endpoint Security has neutralized all threats. If there are unprocessed threats, deal with them immediately.
3. Check whether protection works on all computers. If protection is not running or is not installed, run or install it. Find out why it has happened.
To save time, configure the console to be able to quickly learn what you need about threats and protection.
2.1 How to Create a Custom Dashboard
How to answer all questions at a glance
Kaspersky Security Center console provides a lot of information:
— Reports
— Events
— Computer statuses
— Computer properties
— Statistics of installed applications in computer properties
— Repositories
— Task logs
However, these sources are either insufficiently clear (for example, lists of events) or cannot be reviewed all together (for example, reports). To get a general idea of the overall protection status, open the Monitoring page of the Administration Console. Indicators are colored icons and short descriptions which provide general information: how many computers are protected, when the updates were last downloaded, how many clients have the Critical status. However, the Monitoring tab cannot be configured to include or exclude some data. Besides, information is entirely represented in text messages, which are not as visual as charts.
The best information source is the Statistics tab of the Administration Server. The administrator selects which charts to show, which chart types to use and how to organize them. To save time, make your own statistics page and add there panes that inform about:
— Malware
— Network attacks
— Computer statuses
— Computer protection statuses
— Other important data of your choice, for example, signature versions
Pane types are hardcoded, but the set of panes is abundant and can answer most of your questions. For those questions which have no ready-made panes, you can often use the pane History of events matching criteria. You can select an event type there, and the pane will show how many events of this type were logged in the network over the last 24 hours. For example, there is no pane informing about phishing attacks. To be able to see phishing attacks, add an events’ history pane and select the event Previously opened phishing link detected.
How to create a custom dashboard
By default, Statistics includes 6 pages devoted to various network status aspects: Protection status, Deployment, Update, Statistics of threats, General information, Updates for applications. Each page represents 3 to 4 information panes. All this can be customized. The administrator can re-arrange the panes on a page at their wish, add more panes or more statistics pages, or remove some. Usually, a pane contains a chart with a legend or a table. By default, they represent events from all managed computers over the last 24 hours. The administrator can narrow the scope or change the period in the Properties window, which opens with the corresponding button. A statistics page consists of several panes.
Statistics are configurable at three levels. The administrator can add, delete and move statistics pages; add, delete and move panes on a page; and modify the settings and representation of the panes. Overall, there are more than 50 types of panes grouped into six categories for the administrator to choose from.

To rearrange the pages, click the Customize view button to the right of the page tabs. The administrator can add as many pages as they wish and name them as they wish. They can also delete the default pages or re-order them. The tabs are always lined up in a single row.

To modify page contents, click the button to the right of the page name in its tab. This button is displayed only for the active page. In the page properties, you can draw up the list of panes to be displayed and their layout on the page: one column, two columns (the default choice), three columns, etc.

In the pane settings, depending on its type, you can modify the time interval for the displayed data and select the computers whose data will be shown. There are only two options for the computers: either all computers, or computers from a specified selection. You cannot specify a group of computers or draw up an arbitrary list of computers, as in reports.

As far as the pane layout settings are concerned, you can modify the height of the panes to better fit the console window. You can also modify the chart type, axis orientation and chart appearance (gradient, transparency). Depending on the pane type, the following chart types can be available: Pie chart, Column chart (the columns can be displayed either vertically or horizontally), Table, and Graph.

The information panes’ capability to display the history of parameter changes over the specified period can be useful. For example, you can view how many viruses were detected during each hour of the last day. These data may help to select the threshold for the Virus outbreak event. Reports lack this capability.
IV–8
KASPERSKY LAB™
KL 002.104. Kaspersky Endpoint Security and Management. Fundamentals
2.2 How to email reports
To consult Statistics, you need to open the Administration Console first. Some administrators open the Console only when they need to find out or configure something, and prefer to be informed about issues by e-mail. This way, they use a single tool, the mailbox, to learn about issues of various subsystems instead of opening a dozen different consoles. Kaspersky Security Center can e-mail notifications and reports. Reports that show what is happening in the network better fit daily inspections. Notifications inform about specific threats that need immediate attention.

To receive reports by e-mail, use the corresponding task:
1. Select the Reports tab of the Administration Server node and click the button Configure report delivery
2. If a task of this type has already been created, the Administration Console will select it in the Tasks node. In this case, click the link Configure task in the right pane and select the Report type section
3. If there is no task of this type yet, the Console will start the report delivery task creation wizard
4. Select the types of reports that you want to receive. The task shows all report templates available on the Reports tab of the Administration Server node. However, those are not all of the report types that Kaspersky Security Center can create. If some reports are missing, create them beforehand on the Reports tab of the Administration Server node.
5. Select the format (html, xml or pdf) in the task parameters.
6. Switch to the Schedule section and select when to receive reports. By default, the task e-mails reports daily at 8 in the morning.
To select where to send reports, in the task properties, select the section Action to be applied to report and click the link Email notification settings. Specify the recipient’s address and message subject. Check the sender’s address and mail server parameters in the Administration Server properties.

Note: The Quick Start wizard automatically creates a deliver reports task for the Protection status report if the administrator fills in the e-mail notification parameters. Later, you can edit this task or create more of them.
Which reports to email
For daily inspections, you will need reports that show threats and protection status:
— Threats:
  — Viruses (over the last day)
  — Network attacks (over the last day)
  — Phishing attempts (over the last day)
  — Application Privilege Control rule triggered (over the last day)
— Protection:
  — Protection status
  — Anti-virus database usage
  — Errors (over the last day)

All pre-configured reports available on the Reports tab of the Administration Server node either do not have any period, or show events over the last 30 days by default. 30-day reports are not very useful for daily inspections: it is difficult to understand what has changed since yesterday. You need to create 1-day reports manually. Delete all the reports you are not going to use, for example, reports about encryption errors if you do not have an encryption license.
How to create a custom report
How to create a report over the necessary period of time
Formally, the Reports page contains report templates, which describe report type and parameters, rather than reports themselves. The Administration Server generates reports from templates when e-mailing them, or when the administrator clicks the link Show reports.

To create a report (report template):
1. On the Reports page, click the button Create a report template
2. Name the report comprehensibly, for example Viruses report over the last day
3. Select the report type. There are more than 40 types of reports in Kaspersky Security Center
4. Select the reporting period. For daily reports, specify a 1-day period
5. Select a scope for the report. A report can cover a group, individual computers (a list), or a computer selection. Most of the reports should cover the whole network; select report for a group and the Managed devices group
Template settings also include the list of information fields that constitute the report tables. Some fields contain insignificant information and can be deleted so as not to overload the report. For example, the Virtual server field makes little sense in a report if virtual Administration Servers are not used in the network.

Note: The ‘Virtual Administration Server’ or ‘Virtual server’ terms that may be encountered in the reports should not be confused with Administration Servers running inside a virtual machine. These two usages of the word “virtual” have almost nothing in common. If your Administration Server runs in a virtual machine, it is still just a normal Administration Server, not a virtual server. Virtual servers in the reports and other parts of the Console are something else entirely. Virtual Administration Servers are described in course 302.10.
How to create a report about events
The administrator can use information field settings in a report template to create complex filters for the events to be included in the report. Allowed values can be specified in the field properties. For example, for the Detected object field, you can specify the malware name. As a result, you get a report based on the events related to the specified malware only. Similarly, the administrator can view protection status or virus activity on the computers with the specified version of the protection software, even if these computers belong to different groups.
For example, there is no report type to display all phishing attempts. Instead, you can use an Event report:
1. Create a new report template of the Event report type
2. Open the template properties and switch to the Detail fields section
3. Select the Description field and click Modify
4. Select the check box Filter field values and in the Value field, type *Threat of data loss*

This is part of the description of events informing about blocked phishing attacks. This way, you will receive a report that shows the number of such events. In addition to filtering by field value, you can change the sort order: ascending, descending, or unsorted. Starting with version 10 Service Pack 1, you can do it in the generated report too, by clicking the column titles in the tables. Click again to reverse the sort order.
2.3 How to email notifications
Where to enable notifications

Event storing parameters are specified in the policies of Kaspersky Endpoint Security and Network Agent, and also in the Administration Server properties, in the Event notification section. The events are grouped by four severity levels: Critical event, Functional failure, Warning, and Info. The severity level is a permanent attribute of an event; it cannot be modified. Each program has its own events with their default settings.
An event has three storage settings:
— On the Administration Server, meaning in the server database. This storing method is enabled for most critical and error events, as well as for many warning and some info events. The default lifetime of Kaspersky Endpoint Security and Network Agent events is 30 days for all events (naturally, except for the events whose storage is disabled). The Administration Server events’ default lifetime depends on their severity levels: for Information events, it is 30 days; for Warning, 90; and for Critical and Error, 180.
— In the operating system event log on the Administration Server, similarly to local Kaspersky Endpoint Security events. If the Administration Server becomes inaccessible, the administrator will be able to find information in the Windows log.
— In the operating system event log on the client computer. This makes sense only for the Network Agent events; Kaspersky Endpoint Security already has this capability in the settings of local event processing.

When the specified lifetime is over, events are automatically deleted from the Administration Server database (but not from Windows logs, which have their own settings). The longer the lifetime, the more events are stored in the database on average at each specific moment, and the more time event processing operations take. On the other hand, when the administrator decreases event lifetime, the maximum reporting period also decreases.

To be informed about important events, configure notifications. This is configured in the properties of every particular event type that you want to be notified about. Kaspersky Security Center 10 supports four notification channels:
— E-mail
— SMS
— Start of an executable file
— SNMP
Notifications help to draw the administrator’s attention to the most important events. By default, notifications are not sent. To start receiving notifications, open the event properties and select notification methods.
Where to modify the addressee and the mail server
By default, all events are delivered with the same parameters, which are specified in the Administration Server properties. To send different notifications to different addresses or with different messages, click the Settings link in the event properties and clear the check box Use Administration Server settings. After that, change the recipients’ addresses, text template and other notification parameters.

At first, e-mail notification delivery parameters are specified in the Quick Start wizard. Later, they can be modified on the Events tab of the Administration Server node. Expand the list next to the link Configure notifications and event export and select Configure notifications. These parameters are also available in the Administration Server properties, in the section Notification delivery settings. E-mail notification delivery parameters include:
— Recipients’ addresses—e-mail addresses separated by semicolons
— SMTP server address—name or IP address
— SMTP server ports
— Message text

These parameters are sufficient if the selected SMTP server does not require authorization. The recipient address is also used as the sender address, and the subject of the sent notifications is made of the event severity level and its type, for example, Critical event: Threats have been detected. To view additional e-mail notification settings, click the Settings link. Then you will be able to modify:
— Message subject
— Authorization username and password
— Sender address

When configuring the notification subject and text, you can use macros, which will be replaced by the corresponding event attributes in the notifications:
— %SEVERITY%—event severity level
— %COMPUTER%—the sender computer
— %DOMAIN%—domain
— %EVENT%—event
— %DESCR%—event description
— %RISE_TIME%—event time
— %KLCSAK_EVENT_TASK_DISPLAY_NAME%—task name
— %KL_PRODUCT%—program
— %KL_VERSION%—version number
— %HOST_IP%—IP address
— %HOST_CONN_IP%—connection IP address

The macros can be added using the special buttons located next to the fields where notification text and subject are edited.
About which events you need to know
It is up to the administrator which events to receive notifications about. However, prime candidates are events about active threats and potentially successful attacks:

Event: Active threat detected. Advanced Disinfection should be started
What does it mean: The malicious file is not running on the computer, but Kaspersky Endpoint Security cannot terminate it. The user or the administrator must confirm starting the Advanced Disinfection procedure

Event: Malicious object detected (KSN)
What does it mean: A malicious object was detected using a request sent to KSN rather than signatures. This means that it is a new threat, and the administrator should carefully monitor what is happening in the network, and maybe even switch to a policy with stricter protection settings

Event: Previously opened phishing link detected
What does it mean: Information that the link is phishing appeared only after a user had opened it (data about previous actions is stored in the KSN cache and System Watcher’s logs). The phishing attack presumably succeeded

Event: Previously opened malicious link detected
What does it mean: Information that the link is malicious appeared only after a user had opened it. The user could have downloaded and started new malware

Event: Process terminated
What does it mean: Malware was running on a computer. Although Kaspersky Endpoint Security terminated it, it could have done harm

Event: Network attack detected
What does it mean: If the attacking computer is located within the network, it may mean that it is infected with unknown malware, or that protection does not work there

Event: Application Privilege Control rule triggered
What does it mean: If you configured Application Privilege Control to protect documents against ransomware, these events inform when unknown programs try to edit or delete the user’s documents
All these events pertain to Kaspersky Endpoint Security. Configure the respective notification settings in the Kaspersky Endpoint Security policy, in the Event notification section. The last event is an Info event. The others are Critical events.

Some events (including important ones) may occur too frequently to send a notification for each of them. For example, the Threats have been detected event during a virus outbreak may invoke tens or hundreds of notifications. To make each notification draw your attention, limit the number of notifications. For this purpose, in the Administration Server properties, open the Notification delivery settings section and click the link Configure numeric notification limit. Set the limit as the maximum number of notifications over a time span. As soon as the limit is reached, notifications are suppressed until the specified period is over. If new events are received afterwards, the limit is counted anew. The same limit is used for all notification types, but applies individually to each event type. For example, if notifications for the Threats have been detected event hit the limit, notifications for other event types will not be affected.
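The macro substitution and the numeric notification limit described above, as an added example that is not Kaspersky's code: a Python model that renders the subject and body of a notification from %...% macros and applies a per-event-type limit over a period (the events, the limit of 3 per hour, and the product version string are constructed assumptions).

```python
"""Added example (not Kaspersky's code): a model of e-mail notification
templates with the console's %...% macros and of the numeric notification
limit (a maximum per event type over a period, counted anew once the period
is over). Event records, limit and period are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Default subject: severity level and event type, e.g. "Critical event: Threats have been detected".
SUBJECT_TEMPLATE = "%SEVERITY%: %EVENT%"
BODY_TEMPLATE = ("%EVENT% on %COMPUTER% (%DOMAIN%, %HOST_IP%) at %RISE_TIME%\n"
                 "Product: %KL_PRODUCT% %KL_VERSION%\n%DESCR%")
DEFAULT_PERIOD = timedelta(hours=1)  # constructed: limit window of one hour


@dataclass
class Event:
    severity: str       # Critical event / Functional failure / Warning / Info
    event_type: str     # e.g. "Threats have been detected"
    computer: str
    domain: str
    host_ip: str
    rise_time: datetime
    descr: str = ""
    product: str = "Kaspersky Endpoint Security"
    version: str = "10 (constructed)"

    def macros(self) -> dict:
        """Macro -> value, mirroring the %...% placeholders of the console."""
        return {
            "%SEVERITY%": self.severity,
            "%EVENT%": self.event_type,
            "%COMPUTER%": self.computer,
            "%DOMAIN%": self.domain,
            "%HOST_IP%": self.host_ip,
            "%RISE_TIME%": self.rise_time.strftime("%Y-%m-%d %H:%M:%S"),
            "%DESCR%": self.descr,
            "%KL_PRODUCT%": self.product,
            "%KL_VERSION%": self.version,
        }


def render(template: str, event: Event) -> str:
    """Replace every macro in the template with the event's attribute."""
    text = template
    for macro, value in event.macros().items():
        text = text.replace(macro, value)
    return text


class NotificationLimiter:
    """At most `limit` notifications per `period`, counted separately for each
    event type; once the limit is hit, the rest of the period is suppressed."""

    def __init__(self, limit: int, period: timedelta):
        self.limit = limit
        self.period = period
        self._windows = {}  # event type -> (window start, notifications sent)

    def allow(self, event: Event) -> bool:
        start, count = self._windows.get(event.event_type, (None, 0))
        # A window opens with the first event, or anew once the period is over.
        if start is None or event.rise_time - start >= self.period:
            start, count = event.rise_time, 0
        allowed = count < self.limit
        self._windows[event.event_type] = (start, count + 1 if allowed else count)
        return allowed


def deliver(events, limit: int, period: timedelta = DEFAULT_PERIOD):
    """Process events in time order; return (sent (subject, body) pairs, suppressed count)."""
    limiter = NotificationLimiter(limit, period)
    sent, suppressed = [], 0
    for ev in sorted(events, key=lambda e: e.rise_time):
        if limiter.allow(ev):
            sent.append((render(SUBJECT_TEMPLATE, ev), render(BODY_TEMPLATE, ev)))
        else:
            suppressed += 1
    return sent, suppressed


# Constructed sample: a burst of detections (virus outbreak) plus one network attack.
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    Event("Critical event", "Threats have been detected", f"PC-{i:02d}", "CORP",
          f"10.0.0.{i}", T0 + timedelta(minutes=i), descr="Malicious object detected")
    for i in range(1, 7)
] + [
    Event("Critical event", "Network attack detected", "SRV-01", "CORP",
          "10.0.0.50", T0 + timedelta(minutes=3), descr="Attack from an internal address"),
    Event("Critical event", "Threats have been detected", "PC-99", "CORP",
          "10.0.0.99", T0 + timedelta(hours=2), descr="Malicious object detected"),
]

if __name__ == "__main__":
    sent, suppressed = deliver(SAMPLE_EVENTS, limit=3)
    for subject, body in sent:
        print(subject, "|", body.splitlines()[0])
    print(f"{suppressed} notification(s) suppressed by the numeric limit")
```

With a limit of 3 per hour, only the first three Threats have been detected notifications of the burst are sent, the Network attack detected event is unaffected, and the detection two hours later starts a new count.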
Chapter 3. What to Do If Something Has Happened
3.1 What to do with malware
If no new events about threats have appeared on the computers over the last day, you need not do anything. But what to do if there are some events? First of all, find out what has happened to the detected threats. If Kaspersky Endpoint Security deleted, disinfected or blocked the threat, you need not do anything. Just reset the virus counter on the computer to be able to see when new threats appear. If malware is not treated or removed, act according to a plan. Prepare the plan beforehand.
A typical plan may include the following steps:
— Run the critical areas scan task to understand whether the computer is infected
— If a computer is infected or you suspect that it may be infected with unknown malware:
  — Isolate the computer from other computers in the network
  — Disable the policy using the password
  — Raise the heuristics level and enable Advanced Disinfection technology
  — Check the integrity of Kaspersky Endpoint Security by a local task
  — Perform a full scan on the computer

If this does not help, restore the computer from an image. If all computers at the company are installed from images, and the users’ data are stored in the network rather than on the computers, restoring from an image may be the first step of your plan to save time. If you find suspicious files during an investigation, send them to Kaspersky Lab for analysis via the companyaccount.kaspersky.com portal.
Where to learn about threats
You can find out that viruses have been found from events, reports, statistics and computers’ statuses. After statistics, statuses are what draw your attention first. Threat detection and processing results define the computer status in the Administration Console: OK, Warning or Critical. This allows the administrator to easily notice problematic computers when looking through the groups. The OK status corresponds to a green icon, the Warning icon is yellow, and Critical is red.

The Many viruses detected status tells that viruses were found on the computers. This status is related to the virus counter parameter. Every time malware is detected on the computer, the counter increases by 1. The counter value is transferred to the Administration Server during synchronization. The status is activated if the virus counter value exceeds the specified threshold.

By default, the Many viruses detected status is disabled. To enable the status to show the computers where malware was found, open the properties of the Managed devices node. Switch to the Device status section and select the check box next to the status Many viruses detected. To make computers receive the Warning status and be displayed yellow, select the respective check box in the list Set status to Warning if. To make computers receive the Critical status and be displayed red, select the respective check box in the list Set status to Critical if. To paint computers yellow when there are a few viruses on them, and red when the number of viruses exceeds, say, 5, configure different thresholds for the status Many viruses detected (via the status’s shortcut menu).
How to find computers with threats
If at least one of the managed computers receives either the There are unprocessed objects or the Many viruses detected status, the global Protection status also changes on the Monitoring tab of the Administration Server node. The cause of the status change is displayed in the same area. If there are computers with different statuses in the network, the Protection settings area will show all critical statuses. If there are computers with the Critical status, this area will describe all causes that are giving this status to the computers. The causes that are giving the Warning status to other computers at the same time will be hidden. For example, the critical status Protection is off can override the status There are unprocessed objects, which has the Warning level, on the Monitoring page.

A message like Many viruses detected on XX devices is a link. If you click it, the Console will open the selection of computers where many viruses have been detected. All statuses behave this way on the Monitoring page.

A selection is a dynamic set of computers selected by an attribute. There are standard selections on the Administration Server, which show computers with various statuses, for example, There are unprocessed objects and Many viruses detected. You can take group actions on the computers joined into a selection, for example, start update and search tasks, reset virus counters, move into a group, etc. So, selections are very useful when dealing with computers having a problem status.
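How the virus counter thresholds described above, the There are unprocessed objects and Protection is off statuses, and the Monitoring summary (Warning causes hidden while any computer is Critical) could be computed, as an added example that is not Kaspersky's code; the device names, counters and the thresholds 0 and 5 are constructed, and the rule and cause names simply mirror the console's status names.

```python
"""Added example (not Kaspersky's code): a model of the device statuses
(virus counter thresholds, unprocessed objects, protection off) and of how the
Monitoring page summarises them, showing only the causes at the worst level
present. Devices and threshold values are constructed."""
from dataclasses import dataclass
from typing import Optional

OK, WARNING, CRITICAL = "OK", "Warning", "Critical"
RANK = {OK: 0, WARNING: 1, CRITICAL: 2}


@dataclass
class Device:
    name: str
    virus_counter: int = 0        # +1 on every detection; only a manual reset lowers it
    unprocessed_objects: int = 0  # detected malware KES could not neutralise
    protection_on: bool = True


@dataclass
class StatusRules:
    """Conditions enabled in the Device status section of Managed devices.
    A threshold of None means the condition is disabled at that level."""
    many_viruses_warning: Optional[int] = 0   # counter > 0 -> Warning (constructed)
    many_viruses_critical: Optional[int] = 5  # counter > 5 -> Critical (constructed)
    unprocessed_is_warning: bool = True       # enabled by default
    protection_off_is_critical: bool = True   # enabled by default


def evaluate(dev: Device, rules: StatusRules):
    """Return (status, [(level, cause), ...]); the worst condition wins."""
    causes = []
    if rules.protection_off_is_critical and not dev.protection_on:
        causes.append((CRITICAL, "Protection is off"))
    if (rules.many_viruses_critical is not None
            and dev.virus_counter > rules.many_viruses_critical):
        causes.append((CRITICAL, "Many viruses detected"))
    elif (rules.many_viruses_warning is not None
            and dev.virus_counter > rules.many_viruses_warning):
        causes.append((WARNING, "Many viruses detected"))
    if rules.unprocessed_is_warning and dev.unprocessed_objects > 0:
        causes.append((WARNING, "There are unprocessed objects"))
    status = max((level for level, _ in causes), key=RANK.get, default=OK)
    return status, causes


def monitoring_summary(devices, rules: StatusRules):
    """Mimic the Protection status area: count devices per cause, but only for
    causes at the worst level present, so Warning causes are hidden when any
    device is Critical. Returns (worst level, {cause: device count})."""
    per_cause = {}
    worst = OK
    for dev in devices:
        status, causes = evaluate(dev, rules)
        if RANK[status] > RANK[worst]:
            worst = status
        for level, cause in causes:
            per_cause.setdefault((level, cause), set()).add(dev.name)
    return worst, {cause: len(names) for (level, cause), names in per_cause.items()
                   if level == worst}


def select_by_cause(devices, rules: StatusRules, cause: str):
    """The selection a Monitoring link opens: devices with the given cause at any level."""
    return sorted(dev.name for dev in devices
                  if any(c == cause for _, c in evaluate(dev, rules)[1]))


# Constructed sample fleet.
SAMPLE_DEVICES = [
    Device("PC-01", virus_counter=2),
    Device("PC-02", virus_counter=7, unprocessed_objects=1),
    Device("PC-03", protection_on=False),
    Device("PC-04"),
]

if __name__ == "__main__":
    rules = StatusRules()
    worst, causes = monitoring_summary(SAMPLE_DEVICES, rules)
    print(f"Protection status: {worst}")
    for cause, count in causes.items():
        print(f"  {cause} on {count} devices -> {select_by_cause(SAMPLE_DEVICES, rules, cause)}")
```

In the sample fleet, PC-02's unprocessed object (a Warning cause) does not appear in the summary because PC-02 and PC-03 are Critical, while the Many viruses detected selection still lists both PC-01 and PC-02.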
How to Understand What Has Happened to the Threats
The Viruses report shows statistics of processing the malware detected on the managed computers: how many objects were treated, how many blocked (by Web Anti-Virus), how many deleted and how many still remain unprocessed. It also shows the number of dangerous objects whose processing results are unknown. These statistics are available for each type of malware. The Viruses report can show which malware KES detected using KSN, and which threats were detected using traditional tools (antimalware databases and heuristics). To be able to see this information, add the By KSN verdict column to the Details table. If you find it difficult to sort out the report about all network computers, consult reports of individual computers. For this purpose:
— Select a computer where malware was detected
— Expand the description of the status Many viruses detected and click the link View virus activity level report

If you do not use the Many viruses detected status, you can open a computer’s report from its properties, in the Protection section. Use the link View report on viruses.

Besides the Viruses report, the Report on most heavily infected devices and the Report on users of infected devices may come in handy. If some computers have been infected considerably more than others, it might be worthwhile to find the reason and take appropriate measures.

Network attacks are not included in the Viruses report. To see the big picture of all attacks, consult the Network attack report. It shows which attack types were detected and, more importantly, the IP addresses of the attacking computers. Knowing the address, the administrator can investigate the incidents and better solve the problem. The Network attack report is not created by default. To view it, create a new template on the Reports tab of the Administration Server node.

In addition to reports, check computer events to understand how Kaspersky Endpoint Security copes with threats. Events show what was happening simultaneously with threat detection, whether there were other threats or errors in components’ operation. To understand where a threat ended, always check the last event about it. It is normal for Kaspersky Endpoint Security to first inform that it cannot disinfect a file, and a second later report that the file was deleted successfully.
How to find computers with non-disinfected viruses
You do not have to study reports and events to understand whether any computers are infected. Usually, if Kaspersky Endpoint Security cannot neutralize a malicious file, it informs the server about this using the status There are unprocessed objects. This status is enabled by default, gives computers the Warning status, and is displayed on the Monitoring page. It is assigned to computers where malware programs were detected and were not cured.

The Unprocessed files category can comprise widely different objects. It can be a virus in memory, which actively counters the attempts to delete it. Or it can be an infected object on a network drive where Kaspersky Endpoint Security has no Write permission to disinfect or delete the file. When a user accesses a malicious file in a shared folder on a file server, the antivirus installed on the server may block access and delete the file. Meanwhile, the antivirus installed on the user’s computer detects the threat at the same time, but cannot delete the file from the folder and informs that there is an unprocessed threat, although in reality it has been processed on the server. It is a reason for paying attention anyway, since malicious files must not appear in shared folders, and you need to find out how the file got there.

To reset the computer status, neutralize the detected objects. If an object cannot be neutralized, as in the described situation with malware in a shared folder, delete the record about the unprocessed object from the list of unprocessed objects:
1. In the Administration Console, open the node Advanced, Repositories, Unprocessed files
2. Find the file that has actually been removed from the shared folder, and carry out the Delete command on it
How to scan critical areas
If many viruses or a previously opened malicious link have been detected on a computer, or a malicious process has been terminated, it may mean that the computer is still infected. To scan a computer for known threats, run a critical areas scan there. There are a few ways to achieve this. The one which is always available is as follows:
1. Open the computer properties
2. Switch to the Tasks section
3. Find the task Critical Areas Scan and run it
Critical Areas Scan is a local task, which is available in each installation of Kaspersky Endpoint Security. Local means that it is displayed only in the computer properties, but is not shown in groups or in the Tasks node. This makes it less useful. To start it on several computers, you have to open their properties one by one.
You can also use the group task Quick Virus Scan, which the Quick Start wizard creates. However, it will scan all computers, and why slow down the computers where there are no threats? To quickly scan critical areas on those computers where threats have been detected, make a virus scan task for specific computers. For this purpose, copy the group task Quick Virus Scan to the Tasks node and rename it. To scan a computer, select on its shortcut menu All tasks, Run a task, and in the window that opens, select the virus scan task for specific computers. Only tasks for specific computers can be started from the shortcut menu; group tasks are not available there. To run a task on several computers, select them with the mouse and use the same command from the shortcut menu: All tasks, Run a task. To start a task on all computers within a selection, open the target selection, click the button Perform action and select the command Perform task.
How to isolate a computer and eliminate an active infection
Usually, even if malware is running, Kaspersky Endpoint Security can terminate it. The Application Privilege Control and System Watcher components are responsible for this; File Anti-Virus does not scan programs in memory. If a computer is infected and Kaspersky Endpoint Security cannot stop the malware, use the Advanced Disinfection technology. This technology is disabled by default, because it blocks the start of all programs and restarts the computer, which would hamper the users. The user can agree to perform the Advanced Disinfection procedure and take the risk of losing data, or refuse to start the procedure and leave the computer infected. Anyway, it should be the administrator who makes the decision rather than the user.

If you suspect that a computer is infected, you had better reinstall it from an image. If that is unacceptable or impossible, try to disinfect the computer:
— Disconnect the computer from the corporate network
— Disable the policy using the command Disable policy in the shortcut menu of the KES icon. To use this command, enable password protection in the Kaspersky Endpoint Security policy
— Open the Kaspersky Endpoint Security window and switch to the Settings tab
— Select the Anti-Virus protection node and select the check box Enable Advanced Disinfection technology
— On the Protection and Control tab, run the Full Scan task
— If Kaspersky Endpoint Security finds a threat and prompts you to perform a special disinfection procedure, agree. With Advanced Disinfection technology enabled, Kaspersky Endpoint Security does not permit new programs to start, scans memory, uses more aggressive methods when terminating processes, and tries to delete malicious files at restart
— Restart the computer, connect it to the Internet and update the signatures
— Scan the whole computer once again
How to reset virus counter
After all threats have been neutralized, reset the virus counters on the computer. The virus counter only ever increases on its own; the only way to clear this status is to reset the counter manually. To do it, on the shortcut menu of the computer, click All tasks, Reset Virus Counter. This command can also be applied to several computers: select them with the mouse and click Reset virus counter in the right pane of the Console window. If you are sure that there are no threats on any computers, use the command Reset virus counter in the shortcut menu of the Managed devices node.
3.2 What to do if Kaspersky Endpoint Security does not work
If protection does not work, it may be caused by various reasons. Prior to contacting technical support, rule out trivial issues. Make sure that:
— The Network Agent is installed on the computer. The user could have uninstalled Network Agent, in which case the Console would show the last data that the Agent had sent to the Server. Reinstall the Agent and protect it from the user: set an uninstallation password
— Kaspersky Endpoint Security is installed on the computer. The user may have uninstalled Kaspersky Endpoint Security. Reinstall the protection and protect it from the user: set a password
— A policy is applied to the computer. A computer may belong to a group without a policy, or a Kaspersky Endpoint Security version for which there is no policy on the server may be installed on the computer. Create policies in all groups and for all used versions of Kaspersky Endpoint Security
— Policy settings are locked. If the locks are open, the user can modify parameter values and potentially disable components or even the start of Kaspersky Endpoint Security. Close the locks for all important parameters in the policy
— Password protection is enabled. If password protection is not enabled, the user can exit Kaspersky Endpoint Security even without administrative permissions
After you’ve checked for trivial causes, look at the errors. If Kaspersky Endpoint Security will not run because of failures, collect diagnostic logs and contact the technical support of Kaspersky Lab.
Where to find out that Kaspersky Endpoint Security does not work
The following computer statuses may mean that protection does not work:
— No security application installed. Enabled by default for the Warning and Critical statuses
— Real-time protection level is different from the level set by the administrator. Disabled by default. You can set one of the following values: Stopped, Paused, Running
— Protection is off. Enabled by default for the Critical status
— The security application is not running. Enabled by default for the Critical status
The status Real-time protection level is different from the level set by the administrator, although disabled by default, is more useful than the status Protection is off. The status Protection is off does not show why it is off: because of a failure or because the user has disabled it. The status Real-time protection level is different from the level set by the administrator shows this difference. We suggest that you enable the condition Real-time protection level is different from the level set by the administrator for the Critical status and select the Running value for it.

There are standard computer selections for the statuses Protection is off and No security application installed. The administrator can create custom selections for other statuses.

The status Security application is not running is always accompanied by the status Protection is off, but not the other way around. If Kaspersky Endpoint Security works, but all protection components are disabled, the computer’s status will be Protection is off without the status Security application is not running. Protection is considered to be running in Kaspersky Endpoint Security if at least one of the protection components works, even if it is just IM Anti-Virus.

To understand that components have not started on the computer because of a failure, consult the Errors report or an event selection. To check all errors:
— Open the Events tab of the Administration Server node
— Click the selection name to the right of the Selection events text and select Functional failures
IV-25 Unit IV. Maintenance
To understand which components are running on a computer, open the Tasks section in the computer properties. Components are listed among other tasks and the list shows which ones are running and which are not.
How to understand whether a computer is under a policy
Protection or some components may not be running if a policy is not applied to the computer. Then the user can open Kaspersky Endpoint Security settings and disable its components. By default, the Quick Start wizard creates the Kaspersky Endpoint Security policy in the Managed devices group, meaning, for all computers. However, the administrator may regroup computers later, create new policies in groups, and delete the original policy or make it inactive. As a result, there may be a group where the administrator has not created or has not activated a policy by mistake.

Different versions of Kaspersky Endpoint Security require different policy versions. Usually, a single policy applies to all installations of Kaspersky Endpoint Security that have the same Service Pack version. Different Service Packs require different policies. It may turn out that some computers do not have a policy after an upgrade.

To check whether a computer has a policy, start with the computer selection Protection is off:
1. Open computer properties and switch to the Applications section
2. Memorize the complete name of Kaspersky Endpoint Security, including the Service Pack version
3. Close computer properties and go to its group: use the command Go to device on its shortcut menu
4. In the group, select the Policies tab
5. Set the Inherited policies option to Show, to be able to see policies of the parent groups
6. Make sure that there is a policy for the necessary version of Kaspersky Endpoint Security on the list
7. If not, create it. Think about which group to place it into.
8. If the policy exists already, select it and click the Details link in the right pane. Make sure that the policy is applied to the computer
9. Open the policy and make sure that locks are closed, especially on the parameters that enable the protection components
How to start protection remotely
How to start protection on a single computer
The Kaspersky Anti-Virus is not running status is one of the most critical protection statuses. To solve this problem, carry out the command for the Network Agent to start Kaspersky Endpoint Security on the Applications tab of the computer properties. If individual components are not running, you can start them on the Tasks tab.
How to start protection on a few computers
Another method of starting Kaspersky Endpoint Security is the Start or stop application task. This task is an advanced task of Kaspersky Security Center that can be created both for groups and for specific computers. A group task is convenient if the Virus outbreak event is registered: it can start protection on all network computers, in case the protection is stopped somewhere.
A task for specific computers can better serve the purpose of rectifying the Protection is off status. A task for specific computers can be started from a computer’s shortcut menu or using the button Perform action in a computer selection. To create a task that starts Kaspersky Endpoint Security:
1. Run the task creation wizard in the Tasks container
2. Under Kaspersky Security Center Administration Server 10 | Advanced, select the Start or stop application task type
3. Select the Kaspersky Endpoint Security versions that need to be started
4. Select the Start application command
5. Select a scope for the task: specify the computer selection Protection is off
3.3 What to Do If Databases Are Outdated
If protection does not work, it is very bad. However, if it works with old signatures, it is not any better. Pay attention to computers that have old signatures, update them and find out why the signatures have not been updated. First, solve trivial issues. Check the following:
— The computers have an update task. This task is created by default. However, when groups and tasks become numerous, it may turn out that some computers do not have an update task for the necessary version of Kaspersky Endpoint Security
— Task schedule. If the administrator created update tasks manually, he or she may have failed to set a schedule for them by mistake
— Task source. Within the network, the Kaspersky Security Center source must be specified
— The Administration Server has a “Download updates to the repository” task. It is created by default, but may have been deleted by mistake
— Schedule and source of the “Download updates to the repository” task
— The Administration Server can access the selected source
After that, check for update task errors. If errors result from Kaspersky Endpoint Security failures, collect logs and contact the technical support. Specifically consider whether you need Update Agents. They are not of much help in a small network, but complicate diagnostics. The Administration Server automatically assigns Update Agents by default. You can disable this.
Where to find out that databases are out of date
The Monitoring page provides the most important information about the databases in use. If everything is fine, the Update area displays the time when the latest updates were downloaded to the server repository. If there is a problem, the indicator will turn yellow or red and a problem description will appear, which also acts as a link to remediation (run a task) or troubleshooting (check a computer selection) tools. The Databases in the repository not updated for a long time link opens the properties of the Download updates to the repository task. The Databases are out of date: N devices link opens the selection of hosts that have a Databases are outdated status. The permanent link Go to Kaspersky Lab software updates and patches folder in the Update area of the Monitoring page opens the node Advanced / Repositories / Kaspersky Lab software updates and patches, which contains links to the settings of the default update tasks and the database version report.

More detailed information about the databases in use and computers with problems is available on the statistics screen and also within the appropriate reports. The Database usage report shows the number of computers where databases are 1 day old, 3 days old, 7 days old, and more. These data are also available on the Statistics tab of the Administration Server node. The charts concerning updates are displayed on the Update page. Unlike reports, statistic charts are updated in real time.

If the databases became obsolete on the computer not because it was off, but because of update task errors, the administrator would need to view update task events to find out the reason. The events sent to the Administration Server are often insufficient for thorough analysis of the situation. The local update report of Kaspersky Endpoint Security usually contains more events.
Computer statuses inform about old signature databases. Computers with old databases receive a Warning or Critical status depending on how old their databases are. The status criteria are configured in the group properties. By default, the Warning status is given to the computers whose databases are 7 or more days old, and Critical is assigned after 14 days. You can identify that the computer status changed from OK due to outdated databases by the status description in the Protection section of computer properties, or in the panel displaying computer characteristics in the lower-right part of the Administration Console. To view detailed information about the signatures and, specifically, the last update date, open the properties of the Kaspersky Endpoint Security program in the Applications section of computer properties.
How to find out whether a computer has an update task
Updates from the Administration Server repository are distributed to the client computers by group update tasks. To ensure coverage of all managed computers, an update task must be a group task created within the Managed computers node. The Quick Start wizard creates this type of task: Install update. If computers are combined into groups and the optimal updating procedure is different for various groups, you can create a customized update task for each group.

If both parent and child groups have tasks of the same type, the computers of the child group will run both tasks. This will most likely result in errors, since if an update task is already running, another one cannot start. To avoid that, either delete the task in the parent group, or disable its scheduled start, or exclude the subgroups that have their own tasks from the parent group task scope.

Note: If earlier or other Kaspersky Endpoint Security versions (for example, Kaspersky Endpoint Security for Mac or Kaspersky Security for Windows Servers) are used in your network, they need separate update tasks.
If there are many groups in the console, and different versions of Kaspersky Endpoint Security are installed on the computers, it is hard to immediately understand whether all computers have update tasks. If signatures are outdated on a computer, to understand whether it has an update task:
1. Open computer properties and switch to the Applications section
2. Memorize the complete name of Kaspersky Endpoint Security, including the Service Pack version
3. Open the computer’s group (click the command Go to device on the computer’s shortcut menu)
4. Open the Tasks tab and set the Inherited tasks option to Show
5. Look for a task that has the Update type and whose Kaspersky Endpoint Security version coincides with the one displayed in the computer properties
If there is no such task, create it in this group or in a parent group. Try to create as few tasks as possible. One update task per version of Kaspersky Endpoint Security, created in the root group Managed devices, is often sufficient.
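The two checks just described, whether a computer is under a policy and whether it has an update task, are both walks up the group tree, and in a large console they are easier to do in bulk from an export of groups, policies and tasks. The following Python script is an added example written for this course page; it is not Kaspersky Lab code and does not use the Kaspersky Security Center API. The Group, Policy, UpdateTask and Computer classes and the sample inventory are constructed stand-ins for values read from the Administration Console. It implements the inheritance rules the text describes (the nearest active policy up the tree applies; a group update task also runs on subgroups unless they are excluded, and a subgroup's own task does not cancel the parent's) and reports computers with no policy, no update task, or more than one update task of the same type.

```python
"""Audit policy and update-task coverage over a group tree.

Added example for this course page, not Kaspersky Lab code: the classes below
are constructed stand-ins for data read from the Administration Console, not
the Kaspersky Security Center API.

Rules modelled from the text:
  * a policy counts for a computer if it is active and matches the computer's
    Kaspersky Endpoint Security version, looking in the computer's own group
    first and then in the parent groups (inherited policies);
  * a group update task runs on the group and all its subgroups unless the
    subgroup is excluded from the task; a subgroup's own task does not cancel
    the parent's task, so a computer may run two update tasks, which causes
    errors.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    version: str              # product version the policy is for
    active: bool = True


@dataclass
class UpdateTask:
    name: str
    version: str              # product version the task updates
    excluded_subgroups: set = field(default_factory=set)


@dataclass
class Group:
    name: str
    parent: str = ""          # "" marks the root group
    policies: list = field(default_factory=list)
    update_tasks: list = field(default_factory=list)


@dataclass
class Computer:
    name: str
    group: str
    version: str              # full product name incl. Service Pack, as shown in Applications


def ancestors(groups, group_name):
    """Yield the group itself, then its parent, and so on up to the root."""
    g = groups[group_name]
    while g is not None:
        yield g
        g = groups[g.parent] if g.parent else None


def effective_policy(groups, computer):
    """Nearest active policy for the computer's version as (group, policy), or None."""
    for g in ancestors(groups, computer.group):
        for p in g.policies:
            if p.active and p.version == computer.version:
                return g.name, p
    return None


def effective_update_tasks(groups, computer):
    """Every update task that will run on the computer, as (group, task name) pairs.

    A task of an ancestor group is skipped only if one of the groups between it
    and the computer (the computer's own group included) is in its exclusions."""
    path = [g.name for g in ancestors(groups, computer.group)]   # leaf ... root
    found = []
    for depth, g in enumerate(ancestors(groups, computer.group)):
        below = set(path[:depth])                                # groups under g on the path
        for t in g.update_tasks:
            if t.version == computer.version and not (t.excluded_subgroups & below):
                found.append((g.name, t.name))
    return found


def audit(groups, computers):
    """Return {computer name: [problem, ...]}; an empty list means the computer is covered."""
    report = {}
    for c in computers:
        problems = []
        if effective_policy(groups, c) is None:
            problems.append("no active policy for " + c.version)
        tasks = effective_update_tasks(groups, c)
        if not tasks:
            problems.append("no update task for " + c.version)
        elif len(tasks) > 1:
            names = ", ".join(task for _, task in tasks)
            problems.append("%d update tasks will run: %s" % (len(tasks), names))
        report[c.name] = problems
    return report


# Constructed sample inventory (not real hosts).  The root task excludes the
# Branch subgroup, which has its own task, but not Laptops, which also has its
# own task; Servers runs a version nobody created a policy or task for.
KES_SP2 = "Kaspersky Endpoint Security 10 SP2"
KES_SP1 = "Kaspersky Endpoint Security 10 SP1"
SAMPLE_GROUPS = {
    "Managed devices": Group("Managed devices",
                             policies=[Policy(KES_SP2)],
                             update_tasks=[UpdateTask("Install update", KES_SP2, {"Branch"})]),
    "Laptops": Group("Laptops", "Managed devices",
                     update_tasks=[UpdateTask("Laptop update", KES_SP2)]),
    "Branch": Group("Branch", "Managed devices",
                    update_tasks=[UpdateTask("Branch update", KES_SP2)]),
    "Servers": Group("Servers", "Managed devices"),
}
SAMPLE_COMPUTERS = [
    Computer("ws01", "Managed devices", KES_SP2),
    Computer("nb07", "Laptops", KES_SP2),
    Computer("br03", "Branch", KES_SP2),
    Computer("srv02", "Servers", KES_SP1),
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_GROUPS, SAMPLE_COMPUTERS).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

In the sample, nb07 is the case the text warns about (its own group's task plus the inherited root task), br03 shows the exclusion fix, and srv02 shows a version with neither policy nor task. Version strings are matched exactly, which is the same rule the console applies: a task or policy for one Service Pack does not cover another.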
Schedule
Each product update task has a specific schedule and settings, including:
— The list of update sources
— The list of updates
— The settings used to copy updates to a specified folder
— The list of subgroups on whose computers the task will not run
The standard schedule for the Kaspersky Endpoint Security update tasks is When new updates are downloaded to the repository. Unlike a periodical schedule, where Kaspersky Endpoint Security defines the start time and starts the task regardless of whether the Administration Server can be reached or not, the When new updates are downloaded to the repository schedule means that the task is always started by the Administration Server command. The Administration Server sends a ‘wake up’ call to UDP port 15000 of all affected client computers to tell them that there are new settings for them. The port is listened to by the Network Agents, and upon receiving the call the Agents connect to the Administration Server and download whatever new settings are available. Upon connection to the Server, the Agent receives the command to start the task and transfers it to Kaspersky Endpoint Security, which carries it out. If the ‘wake up’ call doesn’t reach some computers, they will receive the command during a planned synchronization performed every 15 minutes (the period is defined in the Network Agent policy). The schedule When new updates are downloaded to the repository guarantees that the client computers will receive updates as soon as possible and without calling the server every now and then.

Alternatively, a simple periodical schedule can be used (for example, once an hour). To prevent serious peak loads on the update source and the network at the moment of task start, randomization of the task launch within a certain interval is used. E.g., if the 5-minute interval is selected, the computer will begin the next scheduled update after a random delay ranging from 0 to 5 minutes. By default, the Administration Server automatically defines the randomization interval depending on the number of computers the task pertains to. The administrator can also specify it manually.

If signatures are outdated on the computers, check the update task schedule. If the schedule is set to Manually, weekly or monthly, change it to When new updates are downloaded to the repository or Once every N hours
Source
To specify the list of sources, open the Properties section of the task properties and click the Settings button. Updates can be retrieved from the following sources:
— Kaspersky Security Center—the recommended source for all managed computers. Moreover, the most natural source for the When new updates are downloaded to the repository schedule
— Kaspersky Lab update servers—the recommended source for the computers outside the corporate perimeter or a backup source if the specified Administration Server is not accessible. However, administrators often prefer the computers to wait for the Administration Server connection rather than create extra Internet traffic
— Local or network update folder—another option for backup update sources. An HTTP or FTP address may be specified instead of a network folder. For example, if there are several Administration Servers in the network (which is described in course KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills), HTTP addresses of update folders located on other servers can be used as backup sources
Updates are retrieved from the Administration Server by the Network Agents. With the update servers of Kaspersky Lab or other FTP or HTTP locations, updates are downloaded by Kaspersky Endpoint Security without the Agent.

If signatures are outdated on the computers, check the update task source. Select the Kaspersky Security Center source. If you want to use a folder or FTP server, make sure that updates are accessible at this address, and the computers can access the files.

In the update task properties you can configure copying updates into a separate folder. This mode can be used for creating an update source in small networks or subnets without their own Administration Server. In larger networks, Update Agents are used to create intermediate update sources. The Administration Server assigns Update Agents automatically (for more details, refer to course KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills).
How to find out whether the Server has an update task
The task that updates the Administration Server repository is named Download updates to the repository. The Quick Start wizard automatically creates this task. It can be found in the Administration Console in the Tasks node. If databases are outdated on the computers, check whether the Administration Server has an update task. Open the Tasks node and look for the Download updates to the repository task.

You can have only one task of this type. If it is present already, the task creation wizard doesn’t allow creating another one. However, it is possible to delete the automatically created Download updates to the repository task and create a new one for troubleshooting. The settings of that task include the schedule, the update sources, connection parameters, the list of updates to be downloaded and a few additional options. Since there can only be one such task, it is recommended to schedule it to run regularly at small intervals ranging from 15-20 minutes to several hours. The default value is 1 hour. The following update sources are possible:
— Kaspersky Lab update servers—a list of FTP and HTTP servers officially maintained by Kaspersky Lab. These servers are located in various countries worldwide to help ensure a high reliability of the updating procedure. If the task cannot connect to a server, it will try contacting the next one in the list. The list of servers is downloaded together with the other updates
— Master Administration Server—this option is used if there are several Administration Servers and they are connected in a hierarchy (described in detail in course KL 302.10 Kaspersky Endpoint Security and Management. Advanced Skills)
— Local or network folder—an update source created by administrators. You may specify not only a network folder, but also an FTP or HTTP address
The task can have several different sources organized in a list. If the first source turns out to be inaccessible (the Kaspersky Lab update servers source is considered to be inaccessible if none of the known servers are available), the task will attempt to download updates from the next.
Where to specify proxy server parameters
Where to specify proxy server parameters for the Administration Server
You may need to specify the proxy server parameters for the Administration Server update source. All sources would share the same proxy server. If some sources are accessed without it, enable the Do not use proxy server option in their properties. The proxy server is not specified by default. The Quick Start wizard prompts for the proxy server parameters. To specify a proxy server later:
1. In the Administration Server properties, open Advanced / Configuring Internet access
2. Specify the proxy server address, port and authentication parameters: the user name and password
These settings will be used for downloading updates and for KSN requests.
Where to specify proxy server parameters for the computers
If an FTP or HTTP server address is selected in a computers’ update task and it is accessible via a proxy server, specify the proxy server parameters in the Kaspersky Endpoint Security policy. Open Advanced Settings / Application Settings, and in the Proxy Server Settings area, click the Settings button. By default, an automatically detected proxy server is used. This means that Kaspersky Endpoint Security will take the proxy server settings specified in the Internet options in Windows Control Panel. The administrator can explicitly specify the address, port and account for authentication.
How not to assign Update Agents automatically
Update Agents are additional update sources in a network. Any computer where the Network Agent is installed can act as an Update Agent. The Administration Server automatically selects the computers to which it assigns the Update Agent role. The administrator can disable automatic allocation and assign Update Agents manually.
Automatically selected Update Agents multicast update files and you cannot disable multicasting. Network administrators often do not like uncontrollable traffic in the network. Also, in a small network of a few hundred machines, the Administration Server can cope with updates alone, without Update Agents. To disable automatic assignment of Update Agents:
1. Open the Update Agents section in the Administration Server properties
2. Clear the check box Assign update agents automatically
When the check box is cleared, the administrator can manually select the computers to be assigned Update Agents. For more details about Update Agents, please refer to course KL 302.10. Advanced Skills.
How to check whether KSN is used
Kaspersky Security Network learns about new malicious files quicker than update tasks. If computers have no access to KSN, they are more likely to get infected.
How to find out that computers have no access to KSN
If Kaspersky Endpoint Security has no access to KSN, it informs the Administration Server about this via the status KSN servers unavailable. This status does not get on the Monitoring page. To quickly find all computers that have no access to KSN, create a custom computer selection. By default, Kaspersky Endpoint Security accesses KSN via the Administration Server service named Kaspersky Security Network proxy server. The service accepts connections on TCP port 13111. If computers cannot access KSN, make sure that:
— The Kaspersky Security Network proxy server service is running on the Administration Server
— Port 13111 is not closed by a firewall
— The service can access KSN servers in the Internet:
  — Open the Administration Server properties
  — Go to KSN proxy server, KSN proxy server statistics
  — Click the button Check KSN connection
How to find out that KSN is turned off on the computers
It may turn out that KSN servers are accessible, but the use of KSN is disabled in the policy. To find out about this and also which computers are experiencing the issue, run the task Checking connection with KSN:
1. Open the Tasks node and click the button Create a task
2. Select the task type Checking connection with KSN under Kaspersky Endpoint Security 10 SP2
3. Select the Managed devices group to make it run on all computers
On the computers where KSN is turned off in the policy, the task will return the error “Participation in KSN is disabled”. The task will also show the computers where KSN is used but inaccessible.
3.4 How to Check the Client-Server Connection
How to distinguish powered off computers
In a large network, computers are almost never turned on simultaneously. Some are off at any moment in time. They differ by the icon in the console: powered off computers have an icon with the network connection crossed out in red at the bottom (workstations) or on the right (servers). Also, check the columns Agent running and Connecting to Server. If the Agent is not running, and the last connection was established long ago, do not pay attention to the computer protection status; it can be inaccurate.
What to do if a computer has not connected for a long time
If a computer remains powered off for a long time, Administration Server assigns one of the following two statuses to it:
— Not connected for a long time. By default, computers receive this status in 14 days. You can change this in the status settings, in the properties of the Managed devices node. This status means that the Network Agent has not connected to the Server all this time, and the Server was not able to connect to the computer during the full network poll either
— Device connection lost. This status means that the Network Agent has not connected to the Server, but the Server connected to the computer during the full network poll
If the computer has the status Not connected for a long time, find out what is the matter with it. If the computer does not exist anymore, delete it from the group and then once again from the Unassigned devices node. If its owner is on vacation, do nothing.
If employees may not connect to the network for a long time (months), increase the period after which the Administration Server automatically deletes computers from groups (60 days by default). Open the properties of the Managed devices node, select Devices and change the value of the parameter Delete the device from the group if it has been inactive for longer than (days). Or disable this parameter altogether, if employees may work out of office for an indefinitely long time. To enable computers to connect to the Administration Server, receive settings and report threats when outside the office, configure access to the Administration Server ports from the Internet. How to do it is described in course KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills
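The protection statuses described earlier in this chapter (Protection is off versus Security application is not running, and the real-time protection level condition), the database-age thresholds of 7 and 14 days, the two connection statuses above and the 60-day auto-delete period are all simple rules over a few fields of a computer record. The script below is an added example written for this course page; it is not Kaspersky Lab code and does not reproduce how Kaspersky Security Center evaluates statuses internally. ComputerRecord and the sample records are constructed stand-ins for what the console shows, and the Warning severity it gives to the two connection statuses is an assumption, since the text states only the periods. It is useful for checking, on an inventory export, which computers a selection should list and whose protection status should not be trusted because the record is stale.

```python
"""Derive computer statuses from inventory records, following the rules this
course gives for protection, database age and connection statuses.

Added example for this course page, not Kaspersky Lab code: the record fields
are constructed stand-ins for what the Administration Console shows, and the
severity given to the two connection statuses is an assumption (the text
states only the periods, not the severity).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Defaults from the course text (all adjustable in the group / Managed devices properties).
WARNING_DB_AGE_DAYS = 7
CRITICAL_DB_AGE_DAYS = 14
NOT_CONNECTED_DAYS = 14
AUTO_DELETE_DAYS = 60
EXPECTED_RT_LEVEL = "Running"     # value the text suggests for the real-time level condition

RT_DIFFERS = "Real-time protection level is different from the level set by the administrator"


@dataclass
class ComputerRecord:
    name: str
    app_installed: bool
    app_running: bool
    components_running: dict           # protection component -> running?
    real_time_level: str               # Stopped / Paused / Running
    db_date: Optional[datetime]        # last database update, None if unknown
    last_agent_connect: datetime
    seen_by_network_poll: bool         # Server reached the host during the full network poll


@dataclass
class Evaluation:
    statuses: list = field(default_factory=list)   # (status name, severity)
    delete_from_group: bool = False


def evaluate(rec, now):
    ev = Evaluation()
    # 1. Connection first: if the Agent has been silent for 14 days the rest of
    #    the record is stale and its protection status should not be trusted.
    idle = now - rec.last_agent_connect
    if idle >= timedelta(days=NOT_CONNECTED_DAYS):
        name = "Device connection lost" if rec.seen_by_network_poll else "Not connected for a long time"
        ev.statuses.append((name, "Warning"))            # severity assumed, see docstring
        ev.delete_from_group = idle >= timedelta(days=AUTO_DELETE_DAYS)
        return ev
    # 2. Protection statuses.
    if not rec.app_installed:
        ev.statuses.append(("No security application installed", "Critical"))
        return ev
    if not rec.app_running:
        ev.statuses.append(("Security application is not running", "Critical"))
    # Protection counts as running if at least one component works (even just
    # IM Anti-Virus), so "Protection is off" can appear without "Security
    # application is not running", but "not running" always implies "off".
    if not rec.app_running or not any(rec.components_running.values()):
        ev.statuses.append(("Protection is off", "Critical"))
    if rec.real_time_level != EXPECTED_RT_LEVEL:
        ev.statuses.append((RT_DIFFERS, "Critical"))
    # 3. Database age.
    if rec.db_date is not None:
        age = (now - rec.db_date).days
        if age >= CRITICAL_DB_AGE_DAYS:
            ev.statuses.append(("Databases are outdated", "Critical"))
        elif age >= WARNING_DB_AGE_DAYS:
            ev.statuses.append(("Databases are outdated", "Warning"))
    return ev


def summarize(records, now):
    """{computer name: [status names]} for a quick selection-like view."""
    return {n: [s for s, _ in evaluate(r, now).statuses] for n, r in records.items()}


# Constructed sample records with a fixed reference time (not real hosts).
NOW = datetime(2017, 6, 1, 9, 0)
ALL_ON = {"File Anti-Virus": True, "Mail Anti-Virus": True, "IM Anti-Virus": True}
ALL_OFF = {k: False for k in ALL_ON}
SAMPLE_RECORDS = {
    "ws01": ComputerRecord("ws01", True, True, ALL_ON, "Running", NOW - timedelta(days=1), NOW - timedelta(minutes=5), True),
    "ws02": ComputerRecord("ws02", True, True, {**ALL_OFF, "IM Anti-Virus": True}, "Running", NOW - timedelta(days=8), NOW - timedelta(hours=1), True),
    "ws03": ComputerRecord("ws03", True, False, ALL_OFF, "Stopped", NOW - timedelta(days=20), NOW - timedelta(days=1), True),
    "ws04": ComputerRecord("ws04", True, True, ALL_OFF, "Paused", NOW - timedelta(days=2), NOW - timedelta(hours=3), True),
    "nb05": ComputerRecord("nb05", True, True, ALL_ON, "Running", NOW - timedelta(days=70), NOW - timedelta(days=70), False),
    "nb06": ComputerRecord("nb06", True, True, ALL_ON, "Running", NOW - timedelta(days=20), NOW - timedelta(days=20), True),
}

if __name__ == "__main__":
    for name, statuses in summarize(SAMPLE_RECORDS, NOW).items():
        print(name, statuses or ["OK"])
```

ws02 shows why the text calls the real-time level condition more useful than Protection is off: with only IM Anti-Virus running the computer is not "off" at all, and only its 8-day-old databases give it a Warning. ws04 is the case of a running application with every component disabled (Protection is off without Security application is not running), and nb05 versus nb06 shows how the full network poll result decides between the two connection statuses.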
How to make a computer connect to the Server
If the computer’s status is “Device connection lost”, make sure that:
— Network Agent is installed
— Network Agent is running
If the user has uninstalled the Network Agent, configure password protection in the Network Agent policy. If the Agent is installed and running, check its settings. Use the utility klnagchk.exe from the Network Agent’s folder %ProgramFiles(x86)%\Kaspersky Lab\NetworkAgent:
— Run the command line interface (cmd.exe) as an administrator
— Go to the Network Agent’s folder
— Start the klnagchk.exe utility
When run without parameters, the utility outputs the Network Agent settings, tries to connect to the Administration Server with these settings, publishes the result, and finally outputs the connection statistics. During the test connection, the Agent neither checks whether new settings are available on the server nor sends its data to the server. To make the Agent synchronize with the Server, carry out the command klnagchk.exe -sendhb. This command must be executed locally on the client computer.
The Administration Console also has commands for checking connection to a computer:
— Check device accessibility. Verifies the computer status Visible in the network against the Administration Server database. Does not try to connect to the computer, and therefore adds nothing to what the computer icon shows
— All tasks, Force synchronization. Sends a signal to UDP port 15000 of the computer. If the Agent answers in a few seconds, closes the synchronization window. Otherwise, informs that the Agent does not answer and queues synchronization
How to reconnect a computer to the Server
If the Network Agent has incorrect Server connection parameters, modify them using the utility klmover.exe that is located in the same folder of Network Agent:
— Run the command line interface (cmd.exe) as an administrator
— Go to the Network Agent’s folder
— Run the utility klmover.exe with the parameter -address and the Server address: klmover.exe -address 10.28.0.20
If the Server’s port is non-standard, add the parameter -ps and the port number. To fix incorrect connection parameters remotely, reinstall the Network Agent. Before that, check the settings of the Network Agent package. If an Agent has incorrect parameters, they may also be incorrect in the package.
3.5 How to Contact Technical Support
When and how to contact technical support
If Kaspersky Endpoint Security does not work or works differently from what the administrator has configured, and simple measures cannot help, contact the tech support. To receive an answer quicker, collect all logs and attach them to your request:
— Kaspersky Endpoint Security logs
— Trace logs of Kaspersky Endpoint Security around the moment when the issue arises
— Windows logs
— GetSystemInfo log—information about the computer
To contact the technical support:
1. Create a request at https://companyaccount.kaspersky.com
2. Select the product and functional area
3. Describe the steps that result in the issue
4. Attach the logs
You can collect logs either on the computer or via the Kaspersky Security Center Console.
How to remotely collect Windows and GetSystemInfo logs
To collect logs remotely, connect to the computer using the remote diagnostics utility:
1. Select the computer in the Administration Console
2. On the shortcut menu, click Custom tools, Remote diagnostics. The utility can also be started from the Kaspersky Security Center folder in the Start menu. Then you will need to specify the computer name and the Administration Server address in the window. The console fills in these boxes automatically
3. Click the Sign In button
4. To receive information about the computer, click the link Load system information in the upper-left corner of the window
5. To receive Windows logs, select the log and click the link Download event log… in the upper-left corner of the window. Download Kaspersky Event Log and any other logs that contain events concerning the issue
The diagnostics utility saves the files in a folder on the desktop. Open it using the link Download folder in the lower-left corner of the window.
How to remotely collect trace logs
To collect trace logs using the diagnostics utility:
1. Select Kaspersky Endpoint Security in the tree
2. Click the link Enable tracing on the left, do not change the trace level, and click OK
3. Reproduce the steps that demonstrate the issue
4. Click the link Disable tracing in the diagnostics utility
5. Expand the folder Trace files under Kaspersky Endpoint Security
6. Select files one by one and download them using the link Download file on the left
If the problem does not pertain to Kaspersky Endpoint Security, or not only to it, collect trace logs of the Network Agent, Administration Server and Updater components in a similar manner. When you close the diagnostics utility, it will ask whether to delete the download folder. Do not delete the folder until you send the logs to the technical support.
How to collect logs locally
Sometimes, an issue can be reproduced more easily locally on the computer. In this case, collect the logs locally, too. To collect information about the system, download the GetSystemInfo utility from the getsysteminfo.com web site. Run it and save the log in a folder. The utility also collects information about the system and Windows logs, and you will not have to add them manually. To collect the trace logs:
1. In the Kaspersky Endpoint Security window, click the second of the three icons in the lower-left corner
2. In the Support window, click the link System tracing
3. Select the check box Enable tracing, select level Normal (500) and click OK
4. Reproduce the problem
5. Clear the check box Enable tracing
6. Collect the trace logs from the folder %ProgramData%\Kaspersky Lab\. The file name includes the creation date and time; select the latest logs
How to locally enable trace logs for Kaspersky Security Center components is explained in the article http://support.kaspersky.com/9323
How to send a request to technical support
When you have all logs at hand, contact the technical support:
1. Log on to the web site companyaccount.kaspersky.com. If you have no account, sign up: specify your email and license for Kaspersky Lab products (the activation code or key file)
2. Click the button New request and select Make a request for Tech Support
3. Select the protection scope, product, version, operating system, request type and subtype
4. Type the request subject: define the problem briefly
5. Describe the issue: the steps that result in it, which result you expect, and which you get instead
6. Attach the archive with all logs
Chapter 4. What to Do from Time to Time
4.1 How to Install Program Updates
Program update types
Apart from signature updates, which are issued continually, there are program updates, which are released much less often:

New versions
Are released once every few years and introduce new capabilities, components, settings, etc. They are installed by the Kaspersky Endpoint Security installation task and by the installation wizard of Kaspersky Security Center

Service Packs
Are released approximately yearly, sometimes less often. They upgrade components and drivers and may add new settings and capabilities, but the changes are not as significant as in a new version. They are installed by the Kaspersky Endpoint Security installation task and by the installation wizard of Kaspersky Security Center

Maintenance Releases
For Kaspersky Endpoint Security, MRs are released once every quarter or two, fix errors, may slightly change settings and are installed by the update task. For Kaspersky Security Center, a Maintenance Release is almost the same as a Service Pack: they are released about a year after a new version or Service Pack and are installed by the installation wizard of Kaspersky Security Center

Patches
Are not released for Kaspersky Endpoint Security. For Kaspersky Security Center, patches are released quarterly, fix errors, slightly alter operation and are installed automatically on Network Agents

Private fixes
Are released by request and correct specific issues for individual customers, usually those with a Maintenance Service Agreement
Where to find out that an update has been issued
You can learn that a minor update (a Maintenance Release for Kaspersky Endpoint Security or a patch for Kaspersky Security Center) has been released on the Monitoring page. Monitor the messages in the Update area. Minor updates are installed automatically, but only after the administrator approves them. When updates are released, the status “New updates for Kaspersky Lab software modules registered” appears. Usually, to install an update, you need to accept the license agreement; the status “Kaspersky Lab software updates not approved” informs you about this.

Both statuses lead to the node Advanced, Application management, Software updates. This node shows all available updates, not only for Kaspersky Lab programs, but also for operating systems and third-party software. To be able to install updates by other manufacturers, you need a Systems Management license, for example, KESB Advanced. This is described in course KL 009.10 Systems Management.

To view only updates by Kaspersky Lab:
1. Click Filter…
2. In the Source field, select AO Kaspersky Lab and wait for a while
How to install only approved updates
How to install only approved updates of KES
Kaspersky Endpoint Security can do without application updates. If there are no critical issues that impede work, you can use Kaspersky Endpoint Security until a new version or Service Pack is released. Still, module updates can be useful: they can improve computer performance, increase protection efficiency and add new functionality to the product. Often the benefits outweigh the risks, and the risks can be mitigated by testing the updates and installing only approved ones. As far as module updates are concerned, the administrator has the following options in the update task of Kaspersky Endpoint Security:
— Download updates of application modules—enabled by default. Can be disabled in the groups where computers are extremely sensitive to changes, e.g., groups with important servers
— Install critical and approved updates—installs the updates marked as approved by the administrator and the updates marked as critical by Kaspersky Lab without the administrator’s approval. Installing unapproved updates may be risky because unforeseen issues might arise
— Install only approved updates (the default choice)

To approve an update:
1. Select the update in the node Advanced \ Application management \ Software updates
2. Click the Approve button above the list of updates
3. If the update has a license agreement, the respective window opens. Accept the agreement

If you approve a wrong update by mistake, open its properties and change the value of the Update approval field to Undefined or Declined. Prior to approving an update, install it on test computers and make sure that it does not cause any issues. After a program update is installed, a restart may be required.
How to install only approved updates of Network Agent
Approved updates of Network Agent are installed automatically without tasks. After the administrator approves an update, Agents start downloading it during planned synchronizations and install it locally. By default, the Administration Server installs all Network Agent updates rather than only approved ones. To install only approved updates:
1. Open the policy of Network Agent in the Policies node
2. Switch to the section Manage patches and updates
3. Clear the check box Install applicable updates with Undefined approval

To test Network Agent updates, create a group for test computers and enable installing unapproved updates in the policy of this group.

The administrator can always choose not to install a particular update, even if automatic update is configured in the policy. For this purpose, open the update properties and, for the parameter Update approval, select Declined.

To prevent distributing Network Agent updates of older versions (up to version 10 SP1 inclusive), disable the respective parameter in the task Download updates to the repository:
1. In the Tasks node, open the properties of the task Download updates to the repository
2. Switch to the Settings section and, in the Other settings area, click the link Configure…
3. Clear the check box Update Network Agent modules (for Network Agent versions earlier than 10 Service Pack 2)

Since only one task of this type exists, module updates of Network Agents up to version 10 SP1 inclusive are either installed or not installed in the whole network. You cannot enable installation of these updates in some groups and disable it in others.
How to find out that a new version has been released
Where to look for new versions
The Update area of the Monitoring page also informs about new product versions and Service Packs. Monitor the messages:
— Updates are available for Kaspersky Security Center 10 components
— Updates are available for Kaspersky Lab applications
— Latest versions of Kaspersky Lab applications

All of them lead to the Current application versions window. To open this window in another way, click the link View current version of Kaspersky Lab applications. Alternatively, open the node Advanced, Remote installation, Installation packages in the console, click the button Additional actions and select View current version of Kaspersky Lab applications.

The window shows the list of available product versions by Kaspersky Lab that are manageable via Kaspersky Security Center. You can download them from Kaspersky Lab servers through this window. Program versions include:
— Distributions that can be downloaded to the Administration Server using the button Download and create installation package
— Distributions that cannot be transformed into a package, but can just be downloaded
— Management plug-ins, which can be downloaded and installed in the console

How to find the necessary product, version and language
The list includes numerous programs, a few versions of each program and several localizations of each version, and it’s easy to get lost.
To find what you need, for example, the latest version of Kaspersky Endpoint Security in English, configure a filter:
1. Components:
   Controls: distributions and patches of Kaspersky Security Center and Network Agent components for various platforms
   Workstations: Kaspersky Endpoint Security for various platforms (Windows, Mac)
   File Servers and Storages: distributions and plug-ins of Kaspersky Antivirus for Windows File Servers, Kaspersky Anti-Virus for Windows Servers and Kaspersky Security for Windows Server
   Virtualization: distributions and plug-ins of Kaspersky Security for Virtualization Light Agent
   Mobile: distributions and plug-ins of Kaspersky Security for Mobile (Android)
   Embedded Systems (ATM and POS): Kaspersky Embedded Systems Security distributions and plug-ins
2. Update type: full distribution package, plug-in or patch
3. Which software updates to show—select any of the following combinations:
   — Only the latest software versions
   — Only updates for software versions in use—meaning, those that are installed on the network computers
   — Only updates for software with plug-ins installed in Administration Console (the one where the window is currently open; the results may differ in different consoles)
4. Language:
   — All languages
   — Administration Console language or basic set (English, German, French)
   — Administration Console language and another language selected on the list

To receive updates only for the Console language, select the third option and then select the console language once again on the drop-down list.
4.2 How to Renew a License
When to renew a license
Initially, a license is purchased together with the product to entitle its use. Later, another license can be purchased to overcome one of the following license limitations:
— Prolong—the most typical situation, when the company is satisfied with the product and needs to renew the license to keep using it
— Increase the number of computers—if the company grows and the number of computers is about to exceed the license limit
— Extend functionality—if the company needs additional product functions, for example, Encryption or automatic installation of Windows updates

Also, a license may be blacklisted if it is exposed to the Internet. Kaspersky Lab blocks such licenses, and they stop working. Products receive black lists of licenses together with signature updates.

Without a license, Kaspersky Endpoint Security works with limitations:

Before the first license is installed
File Anti-Virus and Firewall work, and an update task runs once

If a commercial license has expired
All components keep working, but update tasks do not start and KSN servers are inaccessible. The protection level gradually decreases

If a trial license has expired or a commercial license has been blacklisted
All components stop working until the administrator activates the product with a valid commercial license
How to find out that the license expires
If the license is about to expire or has expired on a computer, the administrator should pay attention. The license expiration date is displayed in the license properties in the node Advanced, Application management, Kaspersky Lab licenses. To quickly open this node, use the link Manage keys in the Deployment area of the Monitoring page.

The computer statuses configured in the administration group properties may also attract the administrator’s attention. Two status conditions relate to licenses:
— License term expired—sets the computer status to Critical. By default, the condition is triggered in 0 days, meaning, right after the license expires. It can be configured to trigger several days after the license expiration so that the license can update automatically without wasting the administrator’s time
— License term expires soon—sets the computer status to Warning. By default, it is displayed 7 days before the expiration, but this parameter is adjustable

When the license that activates the Administration Server is about to expire, a pop-up message is displayed to the administrator every time the Administration Console starts. Upcoming expiration is also indicated in the Deployment area of the Monitoring tab of the Administration Server node.
How to find out that the number of activations is exceeded
Most of the information about the keys that the administrator would ever need is available on the page Advanced | Application management | Kaspersky Lab licenses, including the node restriction and the use percentage. The Administration Server shows how many of the managed computers are using the license. It does not receive data from Kaspersky Lab activation servers, which may have different statistics if the license is also used on computers without the Network Agent.

Administration Server events inform about exceeding the node limitation:
— License restriction has been exceeded—there are two events with this name, critical and warning. The critical event is generated when the number of installations reaches 110% of the license limit. The warning informs of reaching the limit (100%)
— Over 90% of this key is used up—an information message

The Administration Server does not take any measures if the license limit reaches either 100% or 110%. If keys are used for activation, the administrator can distribute them with a key installation task to any number of computers. However, if the Automatically deploy key to managed computers check box is selected in the key properties, the Administration Server not only distributes the key to computers, but also removes it from excess computers if the license limit is surpassed.

If activation codes are used, the activation servers issue a ticket for using the product to each instance of Kaspersky Endpoint Security that needs to be activated. If the number of simultaneously issued tickets greatly exceeds the license limit (1.5 to 2 times), the activation server stops issuing tickets.
How to switch over to a new license
How to renew a license on the computers
When a license is soon to expire, the company can purchase a new license. The problem is how to switch from one license to another without a time gap and without reducing the effective license period of either license. You would rather not replace the old license when there are still several days left of the licensing period. However, you want to activate the new license before the old one expires. To avoid losing any of the validity period of either the old or the new license, use one of the following approaches:
1. Distribute the new key to the computers using a key installation task beforehand. In the task settings, specify that it is an additional (backup) key. Additional keys and codes can be added in almost all products by Kaspersky Lab. Once the active key expires, the product is automatically activated with the additional key or code.
2. Add the new license to the Administration Server and, in its properties, enable the check box Automatically deployed key. When the previous key expires on the computers, they receive the new automatically distributed key from the Administration Server.

Automatically deployed keys are sent to all computers. If a computer does not have an active license, the automatically distributed key is activated on it. If an active license is already available, the automatically distributed key is deployed as an additional one. If a computer has both an active and an additional license, the automatically distributed key is not installed.

The key or code to be distributed can be added in the Quick Start wizard. To add keys later, in the Advanced \ Application management \ Kaspersky Lab licenses node, click the Add key button. The key adding wizard asks the administrator whether to add a code or a key. Registered keys and codes can be imported from the storage as key files or text files with the code. These can be used for local activation, if necessary, or for backup purposes.
How to Renew an Administration Server License
Only the extended functions of Kaspersky Security Center Administration Server 10 that are available in the KESB Select and KESB Advanced licenses require activation. The Administration Server functions supported by the KESB Core license do not need activation; it is sufficient to activate the managed products. The operations described in this course do not require activating the Administration Server.

To replace the active key or add another one to the Administration Server, open the Keys section in the Server properties. You can specify the active and the additional license in this section. You can also replace or delete licenses as necessary. You can select a license for the Administration Server from among those added to the Kaspersky Lab licenses node.

To add a key to the Administration Server, select a key specifically designed for Kaspersky Security Center. Check what is written at the very end of the Application name field in the keys table. There is usually a descriptor there, Security Center or Kaspersky Endpoint Security, that indicates the key purpose.

If you are adding a code, you need not check the name: the same code activates all products covered by the license, Kaspersky Endpoint Security and Kaspersky Security Center.
How to replace the active license
Sometimes it is necessary to install a specific key on a specific computer or a group of computers. Automatic distribution would not serve this purpose. Instead, you can create an Add key task. This task can be created using the typical task creation wizard in a group or in the Tasks node. You can also click the Distribute key on the client computer button in the Advanced | Application management | Kaspersky Lab licenses node—in this case, the wizard displays fewer steps.

If two products require different Console plug-ins to be managed, they require different Add key tasks as well. For example, Kaspersky Endpoint Security 10 Service Pack 2 and Kaspersky Endpoint Security 10 Service Pack 1 have independent plug-ins. Therefore, a task to add a key to Kaspersky Endpoint Security 10 SP2 would not run on Kaspersky Endpoint Security 10 SP1 and vice versa.

In the task creation wizard or later in the task properties, you can select a license either from the list of registered keys and codes (in the Advanced | Application management | Kaspersky Lab licenses node) or from a file. There is an option in the task that allows installing the selected key or code as an additional key. This option is enabled by default, because the main license is supposed to be installed through the automatic installation feature (an option in the key or code properties).
4.3 How to Configure Backup
Why back up?
Creating backup copies is a good practice that can save you a lot of trouble. The administrator will be able to restore the entire management system from a backup copy within about an hour. To ensure a quick recovery, it is important to store backups in a reliable location.

A backup copy of the Kaspersky Security Center data includes all visible and invisible configuration settings. This includes the event database (which contains more than just the events), the administration group structure, tasks and policies, report templates, installation packages3, selections of computers and events, the Administration Server certificate, and more. Updates are not included, because they quickly become outdated, and there is no reason to keep an old copy.

Since the Encryption functionality appeared in Kaspersky Endpoint Security, backups have become even more important. The Administration Server configuration now includes the encryption key store that contains master keys for all computers where encryption is used. These keys are necessary for recovering access to encrypted data in case of failures. If the master keys stored on the Administration Server are lost, encrypted data may also be lost irretrievably. Encryption and the risks involved are described in course KL 008.10 Encryption.

However, even if we leave encryption out of consideration, losing Administration Server data can result in many hours, days or even weeks spent on system recovery. In a large network, even creating a structure of groups can be difficult and may consume much time and effort. If the server is reinstalled, its certificate changes, and this means that Network Agents, even if they use the correct address, will not be able to establish a connection to the new Administration Server. Generally, to recover connection to the computers, all Network Agents will have to be reinstalled.

A backup copy relieves the administrators from these issues, because a copy includes the server certificate, all the settings, and the encryption key store.

Backup copies can be used as an alternative method of upgrading the Kaspersky Security Center version. A standard upgrade procedure implies installing a new version over the old one. In this case, the installer detects a previous version and upgrades its components, saving old settings if possible. Using the backup mechanism, you can create a backup copy of your old system, uninstall it, then install the new version of the Administration Server, and restore its configuration from the backup. You can use this method when it is necessary to upgrade not only the software components of the Administration Server, but also its hardware configuration.

In a similar manner, you can use backups to move the Administration Server to a different computer. First create a backup copy, and then install the Administration Server on another system. Restore the Administration Server settings from the backup copy. In this case, it is important to ensure that the same type of SQL server (Microsoft SQL or MySQL) is used by both the new and the old instance of the Administration Server. If you move the Administration Server to another system and want to change the Server’s name, you must make this change before the migration. Refer to course KL 302.10 Kaspersky Endpoint Security and Management. Advanced Skills.

The most important thing about backup copying is to regularly make sure that you can restore the system from a backup copy. Spend half an hour once a month, or at least once a quarter, to restore Administration Server data on a test computer. This way, you will make sure that the backup copies are not corrupted and sharpen your skills. In case of a real failure, you will be able to restore systems quickly and easily.

3 Including standalone packages, but excluding operating system image packages (these packages are described in detail in course KL 009.10 Systems Management).
How to configure backup
To create backup copies, Kaspersky Security Center has a special task called Backup of Administration Server data. Only one instance of this task can exist on the Administration Server, and the default one is created by the Quick Start wizard. If necessary, you can delete and recreate it as a troubleshooting measure.

The actual job of creating backup copies is performed by klbackup.exe, a utility for backup and recovery of the Administration Server. The task launches the utility with the specified options, which then creates a backup copy. To create a backup copy, the klbackup.exe utility stops the Administration Server service (and the Network Agent service) and copies the Server settings and data. After the backup copy is created, the utility starts the Administration Server and Network Agent services. When the Administration Server service is stopped, all instances of the Administration Console receive a message that the connection with the Administration Server is lost. Then, the utility commands the SQL server to create a backup copy of the event database.

Only one parameter is required for the backup task: the location of backup copies. This folder will contain subfolders for each backup copy. The names of the subfolders consist of the date and time of creation. The default location of backup copies is the SC_Backup folder in the Administration Server data directory (%ProgramData%\KasperskySC\SC_Backup). However, it is risky to store backup copies on the same disk with the Administration Server, because in the event of a hardware failure, both the current system and its backup copy might be corrupted. So, it is strongly recommended that you store backup copies separately. The administrator can either specify a network location or use an additional process to move backup copies to a safer place for storage.

It is important to realize that backup copies of the Administration Server data are created under the Administration Server account, whereas backups of the database are created under the database server account. If you specify a network path as the target location for backup copies, both the Administration Server and the SQL server must have access to this folder. Also, the specified drive must have enough free space. Since a backup copy can be up to several gigabytes in size (depending on the network and the amount of stored data), it makes sense to limit the number of stored backup copies. By default, the maximum number of backup copies is three.

The Administration Server certificate is stored in an encrypted form for security reasons. This security measure prevents intruders from using the certificate to gain control over the client systems. To enable certificate encryption, you need to provide a password. By default, the password is empty.

The backup task is scheduled by default to start daily at 2 a.m.; therefore, only three backup copies, of the last three days, are stored.
How to restore from a backup
There is no task in Kaspersky Security Center that would restore data from a backup copy. This is by design, because an accidental launch of such a task would result in the loss of newly added settings and data. To restore the Administration Server data, the klbackup.exe utility is used again; it can be run from the Start menu. When started without command line options, this utility works as a wizard, which prompts you to choose the restore option, enter the path to the backup copy and the password to decrypt the Administration Server certificate. You need to specify the full path to the subfolder that contains the backup copy. For example, if you specified the c:\backups path for the backup task, to restore the system, you need to enter something similar to c:\backups\klbackup2011-12-27#02-00-02.

The backup utility can not only restore the data from backup copies, but can also create them. To do so, at the Choose Action step, select Backup of Administration Server data.
Also, you can enable the mode for only backing up or restoring the Administration Server certificate. This mode can be used, for example, when you only need to restore connection between the Network Agents and the Server, but want to create the structure and settings from scratch. This limited backup is not available in the backup task. The klbackup.exe utility can be launched from the command line with the following parameters:
— -path—backup copy destination folder, or the source folder during a recovery
— -restore—instructs the utility to restore data; without it, the utility creates a backup copy
— -use_ts—creates a subfolder with a name consisting of the date and time of creation; without it, the utility creates the backup copy right in the folder specified by the -path option
— -password—specifies the password for encrypting the Administration Server certificate
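As an added example (not part of the course and not a Kaspersky Lab tool), the following PowerShell script wraps klbackup.exe with the parameters listed above and then copies the newest timestamped subfolder to a second host, which is the "additional process to move backup copies to a safer place" that the text recommends. The install path of klbackup.exe, the local backup root, the destination share and the KSC_BACKUP_PASSWORD environment variable are assumptions, not values from the course.

```powershell
# Added example: run klbackup.exe with -path / -use_ts / -password (the switches
# described in the text), then copy the new backup off the Server's own disk.
# Assumed (not from the page): klbackup.exe location, $BackupRoot, $OffHostRoot,
# and that the certificate password comes from an environment variable so it is
# not typed on the command line.
param(
    [string]$KlBackup    = 'C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center\klbackup.exe',  # assumed
    [string]$BackupRoot  = 'D:\KSC_Backups',      # local folder handed to -path
    [string]$OffHostRoot = '\\backupsrv\ksc$',    # assumed share on another host
    [int]   $KeepCopies  = 3                      # same retention as the task's default
)

$ErrorActionPreference = 'Stop'

# An empty password leaves the Administration Server certificate unprotected in the copy.
$password = $env:KSC_BACKUP_PASSWORD
if ([string]::IsNullOrEmpty($password)) {
    throw 'KSC_BACKUP_PASSWORD is not set; refusing to write an unencrypted certificate backup.'
}
if (-not (Test-Path $BackupRoot)) { New-Item -ItemType Directory -Path $BackupRoot | Out-Null }

# Remember which timestamped subfolders already exist so the new one can be identified.
$before = Get-ChildItem -Path $BackupRoot -Directory -Filter 'klbackup*' |
          Select-Object -ExpandProperty Name

# -use_ts makes klbackup create a subfolder named after the date and time of creation
# (the klbackup2011-12-27#02-00-02 form shown in the text). The utility stops the
# Administration Server service while it runs, so consoles will report a lost connection.
& $KlBackup -path $BackupRoot -use_ts -password $password
if ($LASTEXITCODE -ne 0) { throw "klbackup.exe exited with code $LASTEXITCODE" }

$new = Get-ChildItem -Path $BackupRoot -Directory -Filter 'klbackup*' |
       Where-Object { $before -notcontains $_.Name } |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $new) { throw 'klbackup.exe returned success but no new backup subfolder was found.' }

# Copy the new backup to a different host: a disk failure on the Server must not
# destroy the only copy. /E copies subfolders; /R and /W bound the retries.
$dest = Join-Path $OffHostRoot $new.Name
robocopy $new.FullName $dest /E /R:2 /W:5 | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with code $LASTEXITCODE" }  # codes below 8 mean success

# Keep the same number of copies off-host as the task keeps locally. Folder names
# are zero-padded dates, so sorting by name descending puts the newest first.
Get-ChildItem -Path $OffHostRoot -Directory -Filter 'klbackup*' |
    Sort-Object Name -Descending | Select-Object -Skip $KeepCopies |
    Remove-Item -Recurse -Force

Write-Host "Backup $($new.Name) created and copied to $dest"
```

Run it under an account that has write access to both locations, since, as the text notes, the Server data and the database backup are written under different accounts when the built-in task runs.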
How and why to maintain the database
With time, the Administration Server database may slow down. In particular, reports may be generated slowly, and lists of events or computers may be displayed only after a noticeable pause. To speed up the console’s work with the events stored in the database, the database should be optimized. Before Kaspersky Security Center 10 SP2, this could only be done using the database server tools. Kaspersky Security Center 10 SP2 features a special task named Database maintenance, which can optimize a Microsoft SQL database of the Administration Server. The task does not support MySQL databases; if you use MySQL, optimize the database using the database server tools. To speed up the Administration Server database, the Database maintenance task performs the following:
— Looks for errors in the database and fixes them
— Rebuilds indexes
— Updates the database statistics
— Optionally shrinks the database
The task has few parameters. In addition to the schedule, there is only the Shrink database option, which decreases the database size. It is recommended to optimize the database once a week. If the Administration Server works slowly because its resources are scarce, the Database maintenance task will not help.

There can be only one Database maintenance task. It is created by the Quick Start wizard. By default, the task starts every Saturday at 1 a.m.
4.4 Maintenance: Summary
To keep protection working on the computers, monitor important events:
— Configure notifications about possibly infected computers
— Configure reports to be emailed
— Organize daily inspections of the protection status: prepare an all-in-one statistics page

Investigate grave incidents, such as an infection, immediately. Solve less important issues once a week. Do not allow them to pile up; otherwise, it will soon be difficult to notice something important among them. If you cannot solve an issue, contact technical support. To receive a precise answer sooner, collect logs and attach them to your request.

Install updates and new versions. They correct errors and improve performance and protection.

Back up the Administration Server data. Regularly make sure that you can restore data from a backup.

Do not forget to renew the license. Configure statuses and notifications to be informed of its expiration beforehand.
v1.0