Kaspersky Technical Training KL 002.11.1 Kaspersky Endpoint Security and Management Student Guide Kaspersky Lab www.kaspersky.com Unit I. Deployment Introduction .................................................................................................................... 4 Basics of Kaspersky Endpoint Security for Business ................................................................................................... 4 Which products this course covers ......................................................................................................................... 4 What constitutes Kaspersky Security Center .......................................................................................................... 5 What constitutes Kaspersky Endpoint Security ...................................................................................................... 5 How Kaspersky Security Center manages computers ............................................................................................ 7 How the administrator manages protection via the Console ................................................................................. 9 How policies are applied to computers ................................................................................................................ 10 How policies work in groups................................................................................................................................ 10 How tasks are applied to computers .................................................................................................................... 11 How tasks work in groups .................................................................................................................................... 12 How Kaspersky Endpoint Security for Business is licensed ................................................................................. 13 What this course is about ............................................................................................................................................ 15 What we will tell you in this course and what not ................................................................................................ 15 Where to learn more about the products that fall out of this course scope .......................................................... 16 What this course includes .................................................................................................................................... 17 Chapter 1. How to deploy Kaspersky Endpoint Security for Business........................ 18 1.1 What to install and in what order .......................................................................................................................... 18 1.2 How to organize the process ................................................................................................................................. 19 Chapter 2. How to install Kaspersky Security Center ................................................. 20 2.1 Requirements for the Administration Server ........................................................................................................ 20 Support for server versions of Windows .............................................................................................................. 20 Support for Windows workstations ...................................................................................................................... 21 Virtualization support .......................................................................................................................................... 21 Support for database management servers .......................................................................................................... 22 Additional software requirements ........................................................................................................................ 22 Minimum hardware requirements ........................................................................................................................ 23 2.2 Installation of the Administration Server .............................................................................................................. 23 Where to get the Kaspersky Security Center distribution .................................................................................... 23 Kaspersky Security Center installation shell........................................................................................................ 24 What you need to know before the installation .................................................................................................... 24 Setup wizard ......................................................................................................................................................... 25 Additional consoles and plugins .......................................................................................................................... 36 Installation results ............................................................................................................................................... 37 2.3 Installation of Kaspersky Security Center Web Console ...................................................................................... 39 Setup Wizard ........................................................................................................................................................ 39 Web Console services........................................................................................................................................... 42 Interaction with Kaspersky Security Center......................................................................................................... 43 Connecting to several Administration Servers ..................................................................................................... 43 Requirements for browsers .................................................................................................................................. 44 I-2 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management 2.4 Quick Start Wizard................................................................................................................................................ 45 Tutorial................................................................................................................................................................. 45 Configuring proxy server for Internet access ....................................................................................................... 46 Downloading information about plugins.............................................................................................................. 46 License installation .............................................................................................................................................. 47 Installing plugins .................................................................................................................................................. 49 Kaspersky Security Network ................................................................................................................................. 50 Creating tasks and policies .................................................................................................................................. 51 Network polling .................................................................................................................................................... 52 Configuring email notification ............................................................................................................................. 53 What to do next..................................................................................................................................................... 53 Automatic license distribution .............................................................................................................................. 54 Chapter 3. How to install Kaspersky Endpoint Security on computers ...................... 55 3.1 Requirements for client computers ....................................................................................................................... 55 Kaspersky Endpoint Security 11 requirements for the operating system ............................................................. 55 The virtual platforms supported by Kaspersky Endpoint Security ....................................................................... 56 Minimum hardware requirements ........................................................................................................................ 57 Requirements for the Network Agent .................................................................................................................... 57 3.2 How to change KES components .......................................................................................................................... 58 Installation packages............................................................................................................................................ 58 Settings of a Kaspersky Endpoint Security package ............................................................................................. 59 Network Agent package parameters ..................................................................................................................... 64 3.3 How to create a new installation package ............................................................................................................. 66 Why create installation packages ......................................................................................................................... 66 Package creation wizard ...................................................................................................................................... 67 3.4 How to create an installation package for KSWS ................................................................................................. 70 Which other protection applications are available for Windows Servers ............................................................ 70 Advantages of Kaspersky Security 10.1 for Windows Server ............................................................................... 71 Specifics of Kaspersky Security 10.1 for Windows Server ................................................................................... 72 Download the distribution of Kaspersky Security for Windows Server from the official support website ........... 73 Unpack the KSWS distribution on the administrator’s workstation ..................................................................... 74 Create an installation package of Kaspersky Security for Windows Server ........................................................ 74 Package creation wizard ...................................................................................................................................... 75 Components of Kaspersky Security 10.1 for Windows Server .............................................................................. 77 Additional settings of the Kaspersky Security 10.1 for Windows Server package ................................................ 78 3.5 Installation methods .............................................................................................................................................. 79 What to do prior to the installation ...................................................................................................................... 79 Available installation methods ............................................................................................................................. 80 3.6 How to remotely install Network Agent and Kaspersky Endpoint Security ......................................................... 81 Information on the main page of the management console .................................................................................. 81 Remote installation wizard ................................................................................................................................... 83 Where to monitor the installation ......................................................................................................................... 90 Installation results ................................................................................................................................................ 91 3.7 How to simplify local installation ......................................................................................................................... 92 Why install locally ................................................................................................................................................ 92 Standalone installation packages ......................................................................................................................... 92 How to create a standalone package.................................................................................................................... 93 What to do with standalone packages .................................................................................................................. 94 I-3 Introduction 3.8 How to install the Network Agent via Active Directory ....................................................................................... 96 How to install applications via Active Directory ................................................................................................. 96 How to publish the Network Agent package in Active Directory using a task ..................................................... 97 What the task changes in Active Directory .......................................................................................................... 98 3.9 How to uninstall incompatible applications .......................................................................................................... 99 Which programs are incompatible and why uninstall them ................................................................................. 99 What if there are incompatible applications? .................................................................................................... 100 How to find out if there are any incompatible applications ............................................................................... 102 How to uninstall incompatible applications that have not been found .............................................................. 103 How to display computers with an incompatible application ............................................................................ 105 How to uninstall incompatible applications using a task................................................................................... 106 Chapter 4. How to organize computers into groups .................................................. 110 4.1 How to understand that the deployment has been completed ............................................................................. 110 Where to look for information about the deployment......................................................................................... 110 Global statuses ................................................................................................................................................... 111 Device selections ................................................................................................................................................ 112 Reports ............................................................................................................................................................... 112 4.2 How the Administration Server discovers computers ......................................................................................... 114 Polling types....................................................................................................................................................... 114 Where to configure polling................................................................................................................................. 114 Windows network polling ................................................................................................................................... 115 Active Directory polling ..................................................................................................................................... 117 IP range polling ................................................................................................................................................. 119 Where to monitor network polling ..................................................................................................................... 121 How to find out that the Server has discovered new computers ......................................................................... 122 4.3 How to create or import groups .......................................................................................................................... 123 Why create groups ............................................................................................................................................. 123 How to add a group ........................................................................................................................................... 124 Navigation within the group structure ............................................................................................................... 125 How to add a computer to a group .................................................................................................................... 125 How to import a group structure ....................................................................................................................... 126 4.4 How to add computers to groups automatically .................................................................................................. 128 Computer relocation rules ................................................................................................................................. 128 Configuring relocation rules .............................................................................................................................. 129 Conditions in relocation rules ............................................................................................................................ 130 How to synchronize groups with Active Directory ............................................................................................. 132 Tags .................................................................................................................................................................... 133 Rule application order ....................................................................................................................................... 134 I-4 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Introduction First of all, let us introduce the course and tell you which topics it covers and which it omits. You will also learn which solutions and products are studied in this course, what they consist of, how they interact and how they are licensed. Basics of Kaspersky Endpoint Security for Business Which products this course covers I-5 Introduction This course describes the Kaspersky Endpoint Security for Business solution that includes several Kaspersky Lab products. This course does not cover all products; it tells only about those that can help to protect a not-too-large Windows network. In our course, a not-too-large network means up to approximately 1,000 endpoints in a single location. Endpoints in this course are servers and workstations running Windows. To protect such a network, two Kaspersky Endpoint Security for Business products are necessary: — Kaspersky Endpoint Security for Windows—to protect computers against threats — Kaspersky Security Center—to centrally manage the protection Kaspersky Endpoint Security is an application that not only protects against malware and hackers, but also can control the users’ actions and encrypt files and drives. What constitutes Kaspersky Security Center Kaspersky Security Center consists of several programs: — Kaspersky Security Center Administration Server (“Administration Server”, “KSC Server” or simply “Server” wherever sounds unambiguous) stores all the settings, collects events, draws up reports, etc. It is the Server that manages protection on the administrator’s command. — The database server maintains the database where the KSC Server stores events and some of the settings. Other settings are stored on the drive among KSC Server installation files. — Kaspersky Security Center Network Agents (we will call them Network Agents, or simply Agents) connect Kaspersky Endpoint Security to the Administration Server: Receive settings for Kaspersky Endpoint Security from the Server, and send events to the server — Kaspersky Security Center Administration Console provides a management system interface for the administrator; the administrator configures parameters in the console, consults reports and events, and manages protection in general Two consoles are available: Traditional MMC and the new Web Console. What constitutes Kaspersky Endpoint Security Kaspersky Endpoint Security is a single application that includes numerous components. I-6 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Protection components Kaspersky Security Network Requests the reputation of programs and web pages from Kaspersky Lab servers, provides the latest information about threats, protects against zero-day attacks and false positives Behavior Detection Monitors what applications do, but analyzes what a program does in general rather than its individual actions. Stops applications that behave as malware. In particular, stops programs that try to encrypt files Exploit Prevention Monitors which files start vulnerable programs, and blocks attempts to start executable files unless initiated by the user Host Intrusion Prevention Also monitors software activities on the computer. Does not allow programs that have bad or unknown reputation to change system settings and user’s files. Prevents them from fiddling around with the operating system and other software Remediation Engine Logs changes to the operating system and rolls back any changes performed by suspicious programs that have been detected by Behavior Detection, Exploit Prevention, or File Threat Protection File Threat Protection Scans files whenever the user or a program creates, changes, copies, or starts one. Blocks operations with malicious files, and quarantines these files Web Threat Protection Scans web pages and files that the user or programs download from the Internet. Blocks dangerous and phishing websites, prohibits downloading malicious files Mail Threat Protection Intercepts email messages, scans their text and attachments, deletes malicious files from messages Firewall Controls the connections established by the programs running on the computer, and the packets they receive or send. Blocks packets according to the configured rules. Does not allow an unknown program or a program that has bad reputation to establish connections Network Threat Protection Scans network packets that the computer receives. Blocks a connection if detects indications of a network attack BadUSB Attack Prevention Does not permit connecting new input devices (keyboards, etc.) to the computer without the user’s consent. Protects against USB devices that pretend to be keyboards and send malicious commands to the computer AMSI Protection Provider Is responsible for integration with Antimalware Scan Interface (AMSI) in Windows 10 and Windows Server 2016. AMSI is a Windows component that acts as an intermediary between applications and an antivirus solution. It enables scanning files, links, and scripts, even those that run in the memory without being saved to a hard drive Control components Application Control Blocks program start according to the configured rules. Can freeze a computer’s state and block any new applications. Device Control Blocks access to devices according to the configured rules. The administrator can prohibit access to all or some of removable drives, Wi-Fi adapters, or modems Web Control Blocks access to web pages according to the configured rules. The administrator can prohibit access to social networks, job search and news websites, torrent trackers, etc. Adaptive Anomaly Control Contains a set of heuristics for monitoring dangerous behavior that is characteristic of malware. Permits blocking suspicious activities non-typical of each specific computer. By default, the component runs in the 2-week training mode: It monitors activities, informs the administrator about them, and it is the administrator who makes the decision whether an activity is characteristic of a computer or not. I-7 Introduction Encryption components Full Disk Encryption Encrypts all drives’ contents. Protects files on notebooks, which may be lost or stolen File Level Encryption Encrypts individual files and folders according to the rules. Protects files on notebooks, which may be lost or stolen BitLocker Management Manages disk encryption via Microsoft BitLocker. Protects files on notebooks, which may be lost or stolen Other components and tasks Virus Scan Scans files on the specified schedule. Performs this more thoroughly than File Threat Protection. Update Downloads descriptions of threats and file reputations to the computers, provides protection when Kaspersky Security Network is inaccessible Endpoint Sensor Informs the Central Node of Kaspersky Anti-Targeted Attack Platform about the programs’ activities on the computers, helps to detect Advanced Persistent Threats Integrity check Ensures that nobody can modify Kaspersky Endpoint Security files Checking connection with KSN Checks KSN accessibility from endpoints For more details about the components and their settings, refer to Units II and III. How Kaspersky Security Center manages computers Let’s see how all components of Kaspersky Endpoint Security for Business interact. In a protected network, two programs are installed on each computer: — Kaspersky Endpoint Security, for protection — Kaspersky Security Center Network Agent, for management I-8 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management The Network Agent connects to the Administration Server on the specified schedule, and also if necessary. By default, a so-called synchronization takes place every 15 minutes. What the Server receives from computers For the administrator to see what’s happening in the network, Network Agent sends the following data to the server: As soon as logged When Kaspersky Endpoint Security finds malware, cannot download updates, cannot start components, etc. As soon as logged Kaspersky Endpoint Security is not running Databases are out of date KSN is inaccessible There are dangerous unprocessed objects Lists Once per synchronization interval List of known executable files List of vulnerable programs List of quarantined malicious objects List of unprocessed threats List of hardware List of installed software Kaspersky Endpoint Security settings During a synchronization Events Statuses Typically, Agents send only changes in the lists to the server. Once every several hours (3 hours for some lists, 12 hours for others), the Server completely synchronizes the lists with the computers. Administration Server accepts connections from the Network Agents on TCP port 13000. Agents establish TLS/SSL connections; they encrypt and compress data using the Administration Server certificate. What computers download from the Server For Kaspersky Endpoint Security to protect a computer in a way the administrator wants, the Network Agent downloads settings for Kaspersky Endpoint Security in the form of policies and tasks from the Server. During a synchronization, Network Agent compares tasks and policies on the computer with those of the Administration Server, and if the administrator has changed something on the server, the Agent downloads new tasks and policies. Usually, computers receive tasks and policies earlier than at a planned synchronization. Network Agents accept packets on UDP port 15000. If the Server wants an Agent to urgently connect to the Server, it sends a special signal to this port. When the administrator modifies a task or policy, the Administration Server contacts Agents on all computers to which this task or policy pertains. During a synchronization, policies are downloaded only by those computers that have not received the signal from the Server. The administrator can also send a synchronization request manually, via a computer’s shortcut menu in the Administration Console. Additionally, Agents connect to the Server to download updates for Kaspersky Endpoint Security. For this purpose, they also connect to port 13000 over an SSL connection. I-9 Introduction How the administrator manages protection via the Console The events and statuses sent by the Network Agents help the administrator understand what is happening in the network. The Administration Server summarizes statuses of individual computers and displays them on the main page of the Administration Console—the Monitoring tab of the Administration Server node. To better understand what is going on, the administrator can consult reports, which the Administration Server draws up based on events. There are many search and filter tools in the console that help to arrange events and computers according to various parameters. To specify settings for computer protection, the administrator creates tasks and policies in the console: — Tasks—for operations that have a logical termination. For example, update completes when Kaspersky Endpoint Security receives all new threat descriptions, virus scanning completes when all files in the scan scope have been scanned. That is why updates and virus scanning are configured as tasks, which have schedules — Policies—for all the other parameters: how to scan files that the user downloads from the Internet or receives by email, how to scan files opened by programs, which network connections to allow and which to block. These settings are to be applied permanently to protect the computer, that is why they are specified in a policy If different computers need different settings, the administrator organizes computers into groups and creates individual policies or tasks within each group. For example, to perform virus scanning on servers at weekends, and on workstations in the background mode during a business day, the administrator can create two groups (for servers and workstations) and create virus scan tasks with different schedules for them. I-10 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management How policies are applied to computers A policy contains the same parameters as the local settings of Kaspersky Endpoint Security. When the administrator configures a policy, the local protection settings are changed. In a policy, each parameter or a group of parameters has the lock button. If the button appears pressed and the lock is closed, the parameters are applied to the computers where the policy is enforced. The user cannot modify the values of these parameters in the local interface of Kaspersky Endpoint Security. If the button appears released and the lock is open, the computer considers that this parameter has not been specified in the policy. The user can change these parameters in the local interface. The settings whose lock is closed are compulsory. How policies work in groups I-11 Introduction Policies are applied to computer groups. Even if the user has not created any groups, there is the root group on the Administration Server, which is named Managed devices. If the user wants to create custom groups, they are created as subgroups within the Managed devices group. Policies conform to the following rules: — There may be policies for different applications in a group, for example, the Network Agent policy and the Kaspersky Endpoint Security policy — There can be a few policies for the same application in a group, but only one of them can be active. The Active policy is the policy that the Administration Server sends to the computers. An Inactive policy does not influence anything, but the administrator can make it active at any moment and thus quickly reconfigure settings on the target computers. If the administrator makes a policy active, the policy that has been active so far becomes inactive automatically. — If a group has a Kaspersky Endpoint Security policy, and there is a subgroup where there is no Kaspersky Endpoint Security policy, the parent group’s policy is applied to the subgroup’s computers as well — If a group has a Kaspersky Endpoint Security policy, and there is a subgroup where another Kaspersky Endpoint Security policy is configured, the subgroup’s computers receive the policy configured within their subgroup. However, required (locked) parameters from the parental policy are enforced on the subgroup’s policy, and the administrator cannot modify them. In a child policy, the administrator can edit only the parameters that are not locked in the parent group’s policy — The administrator can choose not to apply a group policy to subgroups: in the subgroup’s policy, clear the check box that regulates inheriting parameters from the parental policy. After that, the administrator will be able to edit all parameters in the child policy How tasks are applied to computers The administrator manages update and virus scan settings via tasks rather than the policy. I-12 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management While there can be only one type of Kaspersky Endpoint Security policy1, there are many various task types in Kaspersky Endpoint Security: — — — — — — — — — Virus Scan Update Rollback Inventory Add key Integrity check Change application components Checking connection with KSN Manage Authentication Agent accounts Each task type has its own characteristic settings. For example, a virus scan task has its scope and file scan settings, an update task has an update source and instructions which updates to download. Every task has a schedule. Unlike policies, tasks have no locks. All task settings are enforced on the computers and the user cannot modify them. Tasks can be created not only by the administrator on the Administration Server, but also by the user in the local interface. However, if a policy is configured on the Administration Server and enforced on a computer, it will use only the Administration Server’s tasks. Local tasks will be neither run nor even displayed in the interface, and the user will not be able to create new local tasks. How tasks work in groups The administrator creates tasks in groups for regular activities, such as virus scanning or downloading updates. Similar to group policies, group tasks have their rules: — If there is a subgroup in a group, a group task is applied to the subgroup’s computers 1 One for one or a few product versions. For example, Kaspersky Endpoint Security 10 SP2 has its own policy type, and Kaspersky Endpoint Security 11 has another. Two policies of a single Kaspersky Endpoint Security version contain the same parameters, only the values of these parameters differ. I-13 Introduction — There can be several tasks of each type in a group, for example, a few virus scan tasks. They may differ in the scope and schedule, for example, one of the tasks may scan the whole computer once a week, and another one, only critical areas but daily. — If you want to scan for viruses the same scope with different schedules on different computers, organize computers into respective groups and create individual tasks within each group. For example, you can run full scan on servers during the weekends, and on workstations, during business hours in background mode. — If there is a task in a group, and there is a subgroup with a task of the same type, the subgroup’s computers will be running both tasks. Usually, this means that the administrator has not thought over thoroughly enough which tasks are really needed. You must be especially careful with update tasks. To update Kaspersky Endpoint Security on a computer, there must be one update task. If an update task is configured within a group and another one in its subgroup, both will be applied to the computers that comprise the subgroup. If an update task is running already, another one will return an error if started in the meanwhile. Consequently, the administrator will keep receiving update errors due to a configuration error while updates will work correctly. — Subgroups can be excluded from a task scope. Then the subgroup’s computers will receive only the subgroup’s task, and the parental task will not be used Unlike a policy, a task can be created not only for a group. It can be created for any list of computers, from a single computer to an arbitrary set of computers belonging to different groups. How Kaspersky Endpoint Security for Business is licensed Which licenses are available for Kaspersky Endpoint Security for Business We’ve studied how the components of Kaspersky Endpoint Security for Business interact, and how the administrator manages them. Now let us find out which licenses are available for Kaspersky Endpoint Security for Business, and what makes them different. I-14 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management There are several levels of licenses in Kaspersky Endpoint Security for Business: — Cloud A cloud solution that permits managing security of workstations, servers, and mobile devices via a web browser. The Administration Server is hosted in Microsoft Azure and it is Kaspersky Lab that takes care of the infrastructure; the administrator only deploys and manages protection. Technical training KL 040 Kaspersky Endpoint Security Cloud tells about this solution in detail. — Select — Advanced The last two types of licenses are designed for the on-premises products that we will cover in this course. Different licenses permit using different Kaspersky Lab products and different functions within these products. What licenses activate in Kaspersky Endpoint Security for Business You do not need to activate Kaspersky Security Center to use it. Everything which is necessary for managing workstation protection is available without a license. KESB Select permits protecting workstations, servers and mobile devices. In Kaspersky Endpoint Security, a KESB Select license activates the protection and control components. In Kaspersky Security Center, a KESB Select license activates the mobile device management functionality. You do not need to activate Kaspersky Security Center to be able to manage only the protection and control on workstations and servers. Kaspersky Endpoint Security for Business Advanced permits protecting the same types of endpoints: Workstations, servers and mobile devices, but activates more functions encryption. In Kaspersky Endpoint Security for Windows, a KESB Advanced license permits using encryption. In Kaspersky Security Center, a KESB Advanced license allows the customer to use Systems Management; specifically, automatically download and install software fixes and updates, create and deploy images of operating systems with pre-installed applications, etc. Targeted licenses If a customer does not need all KESB Advanced functions, licenses for individual functions are also available: — Encryption — Mobile Device Management — Systems Management Except for the functionality, these licenses have a limitation on the number of endpoints to be protected. For example, a customer purchases a license for 100 nodes, and if later wants to protect more devices, purchases a new license for, say, 150 or 200 nodes. All the abovementioned licenses are usually valid for a year. After that, the customer renews the license for another year, and so on. Subscription licenses Additionally, Kaspersky Lab supports subscription licenses. These licenses are purchased from special partners, and the customer pays monthly. The customer can suspend a subscription and resume it later. I-15 Introduction With a subscription license, the customer can select which functionality level to use and change the number of nodes every month if necessary: expand or cut down depending on the current needs. What this course is about What we will tell you in this course and what not Kaspersky Endpoint Security for Business includes many products and capabilities. This course does not try to cover all of them. It only talks about how to protect a not-too-large network of computers running Windows operating systems. That is why this course does not describe all the products that belong to Kaspersky Endpoint Security for Business; instead, it focuses on: — Kaspersky Endpoint Security for Windows — Kaspersky Security Center — And a little bit about Kaspersky Security for Windows Server The following products are out of the course scope: — — — — — — — Kaspersky Endpoint Security for Linux Kaspersky Endpoint Security for Mac Kaspersky Embedded Systems Security Kaspersky Endpoint Security for Android Safe Browser for iOS Kaspersky Security for Virtualization Kaspersky Anti-Targeted Attack Platform / Kaspersky Endpoint Detection and Response Also, the course does not talk about all the capabilities of Kaspersky Endpoint Security for Windows and Kaspersky Security Center, but concentrates on how to: — — — — Install protection on the computers Manage computer protection Manage the Control components Use a single Kaspersky Security Center Administration Server I-16 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management The following topics fall outside the framework of this course: — — — — Encryption management Third-party vulnerability and patch management Creation and deployment of disks with computer images Protection of large, complex, and distributed networks using Distribution Points, Connection Gateways, or several Kaspersky Security Center Administration Servers Where to learn more about the products that fall out of this course scope The following courses, which are devoted to other products and technologies, are available: How to protect Linux workstations KL 013 1 day How to protect Linux servers KL 007 1 day How to protect Mac workstations KL 011 1 day How to protect Windows servers using Kaspersky Security for Windows Servers KL 005 1.5 days How to protect devices running embedded versions of Windows KL 037 1 day How to manage mobile devices KL 010 1 day How to manage encryption KL 008 1 day How to fix vulnerabilities and install updates on third-party software KL 009 1 day How to manage protection in large, complex and distributed networks KL 302 2 days How to protect virtual machines using Kaspersky Security for Virtualization. Agentless KL 014 1 day How to protect virtual machines using Kaspersky Security for Virtualization. Light Agent KL 031 1 day Troubleshooting KL 016 1 day How to implement a Default Deny policy KL 032 1 day KATA/KEDR KL 025 2 days I-17 Introduction What this course includes This course consists of presentations and labs, which alternate. The instructor first explains every topic with slides, and then the students put theory into practice in lab experience. The Student Guide includes all slides and elaborates on all the topics and product settings. What to do during the labs is described in detail in the Lab Guide. The students complete hands-on exercises using virtual machines. The virtual environment depends on the class: It can be VMware Workstation, VMware vSphere, Microsoft Hyper-V, etc. The Lab Guide is designed for VMware Workstation. Students use five virtual machines, which perform the following roles in the labs: DC Provides AD domain services, DNS, file access Security-Center It is the Kaspersky Security Center Administration Server, where the administrator manages protection from Alex-Desktop Represents a typical desktop computer in a corporate network Tom-Laptop Represents a notebook that may be taken outside the corporate network for some time Kali Linux Provides software for attacking organization’s computers I-18 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Chapter 1. How to deploy Kaspersky Endpoint Security for Business 1.1 What to install and in what order In a deployment, all network computers must be protected, and the administrator must be able to manage protection centrally. To achieve this, you need to install Kaspersky Security Center 11 (KSC 11) and Kaspersky Endpoint Security 11.1 for Windows (KES 11.1) on the computers. First, install the Kaspersky Security Center Administration Server. The Administration Server centrally manages protection, and helps to install other components. The MMC Kaspersky Administration Console is installed automatically along with the Administration Server. To manage the server remotely, use remote desktop, or install Kaspersky Security Center Administration Console on the administrator’s computer. Web Console can also be installed automatically together with the Administration Server; when the installation completes, the administrator is prompted which Administration Console to start. In order to protect the network, install Kaspersky Endpoint Security on every computer. Kaspersky Endpoint Security alone cannot interact with Kaspersky Security Center; install the Network Agent on every computer to make centralized management possible. If you need to enforce different settings on different computers, organize the computers into groups. Do not create more groups than necessary. To be able to easily find computers, import the structure from Active Directory. To sum up, deploy protection as follows: 1. 2. 3. Install the Kaspersky Security Center Administration Server Install Kaspersky Security Center Network Agent and Kaspersky Endpoint Security Organize computers into groups I-19 Introduction 1.2 How to organize the process You do not need much time to install all components of Kaspersky Endpoint Security for Business. What consumes time is troubleshooting. To save time, do your homework. Try what you want to implement in a test environment. If you encounter issues, think how to solve them, or find a workaround to use in case the issue arises on the network computers. However, you are unlikely to stumble upon every possible issue in a test environment. Therefore, in your real network, start with a small number of computers: 10–20. Try to select different computers to come upon as many potential issues as possible. If you encounter new issues, return to the test environment, reproduce them and come up with a solution or a workaround. Stage the deployment: for example, 100 computers at a time. This way, you will discover new issues gradually, and the number of problem computers will always be small. To sum up, deploy as follows: 1. 2. 3. Install software in a test environment Install software on 10-20 typical computers Install software on all computers, by stages, 100 computers at a time At each step, plan some extra time for troubleshooting. Do not proceed to the following step until you decide how to solve or get around all issues. Whenever possible, solve issues in a test environment rather than on the network computers. Today, an IT test environment is usually made of virtual machines. If virtual machines appear to be a luxury, use the administrators’ computers for testing. I-20 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Chapter 2. How to install Kaspersky Security Center 2.1 Requirements for the Administration Server To install the Kaspersky Security Center Administration Server, prepare a computer that meets the system requirements. If there are fewer than 1000 endpoints in the network, the Administration Server and the database server will easily share a single computer. If nodes are more numerous, use a more powerful computer or use a dedicated computer for the database server. The Administration Server computer can be either physical or virtual. If you are using a virtual Server, make sure that the virtual environment meets the system requirements. Support for server versions of Windows The complete list of supported server operating systems is as follows: — — — — — — — Microsoft Small Business Server 2008 Standard / Premium 64-bit Microsoft Small Business Server 2011 Essentials / Standard / Premium Add-on 64-bit Windows Storage Server 2008 R2 / 2012 / 2012 R2 / 2016 64-bit Microsoft Windows Server 2008 SP2 (all editions) Microsoft Windows Server 2008 Foundation SP2 32-bit / 64-bit Microsoft Windows Server 2008 R2 Standard SP1 64-bit Microsoft Windows Server 2012 Server Core / Foundation / Essentials / Standard / Datacenter 32-bit / 64bit — Microsoft Windows Server 2012 R2 Server Core / Foundation / Essentials / Standard / Datacenter — Microsoft Windows Server 2016 Server Core / Standard / Datacenter — Microsoft Windows Server 2019 Standard / Datacenter I-21 Introduction Support for Windows workstations It is better to use server hosts for the Administration Server. However, in small networks (up to a couple of hundred computers), a powerful workstation will do. Also, you can use a workstation in a test environment. The Administration Server can be installed on the following non-server versions of Windows: — — — — — — — — — Microsoft Windows 10 Pro / Enterprise / Education / Mobile RS5 32-bit / 64-bit Microsoft Windows 10 Pro / Enterprise / Education / Mobile RS4 32-bit / 64-bit Microsoft Windows 10 Pro / Enterprise / Education / Mobile RS3 32-bit / 64-bit Microsoft Windows 10 Pro for Workstations RS3 / RS4 / RS5 Microsoft Windows 10 Enterprise 2015 LTSC 32-bit / 64-bit Microsoft Windows 10 Enterprise 2016 LTSC 32-bit / 64-bit Microsoft Windows 8.1 Pro / Enterprise 32-bit / 64-bit Microsoft Windows 8 Pro / Enterprise 32-bit / 64-bit Microsoft Windows 7 Professional / Enterprise / Ultimate SP1 32-bit / 64-bit Virtualization support To install the Administration Server on a virtual machine, use one of the following virtualization platforms: — VMware vSphere — 6 / 6.5 — VMware Workstation 14 Pro — Microsoft Hyper-V Server — 2008 / 2008 R2 / 2008 R2 SP1 / 2012 / 2012 R2 / 2016 — Citrix XenServer — 7 / 7.1 LTSR — Parallels Desktop 11 — Oracle VM VirtualBox 5.x (Windows guest operating systems are supported) A virtual machine must meet the operating system, software and hardware requirements. I-22 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Support for database management servers Administration Server uses a database for which an SQL server is necessary. The following versions of SQL servers are supported: — Microsoft SQL Server — Microsoft SQL Server 2008 Express 32-bit — Microsoft SQL 2008 R2 Express 64-bit — Microsoft SQL 2012 Express 64-bit — Microsoft SQL 2014 Express 64-bit — Microsoft SQL Server 2008 (all editions) 32-bit / 64-bit — Microsoft SQL Server 2008 R2 (all editions) 64-bit — Microsoft SQL Server 2008 R2 Service Pack 2 64-bit — Microsoft SQL Server 2012 (all editions) 64-bit — Microsoft SQL Server 2014 (all editions) 64-bit — Microsoft SQL Server 2016 (all editions) 64-bit — MySQL — MySQL Standard Edition 32-bit / 64-bit — 5.6 / 5.7 — MySQL Enterprise Edition 32-bit / 64-bit — 5.6 / 5.7 — Microsoft Azure SQL Database — Amazon RDS — Microsoft SQL Microsoft SQL Server Express is not included with Kaspersky Security Center distribution anymore. Starting with Kaspersky Security Center version 10 SPЗ, administrators are to download and install Microsoft SQL Server Express manually. Remember that Express editions have their limitations and must not be used for managing a large number of computers (more than 5000). Detailed information about this is provided in course KL 302. SQL server can be installed either on the same computer as the Administration Server or on any other network computer. The Administration Server must have Read and Write access to the SQL database. If the Administration Server and SQL server are installed on the same computer, access issues do not arise. Additional software requirements In addition to the operating system, the following software must be installed on the computer: I-23 Introduction — Microsoft .NET Framework 4 (install as a Windows component) — Windows Data Access Components 6.0 — Windows Installer 4.5 (is included with the distribution) Allocate a new computer for the Administration Server. If it is impossible, make sure that Kaspersky Security Center Network Agent is not installed on the computer. The installer automatically detects previous versions of Network Agent and prompts the administrator to uninstall it. Minimum hardware requirements Minimum hardware requirements are as follows: — 1 GHz or higher processor (1.4 GHz for 64-bit systems) — 4 GB of RAM — 10 GB of free hard drive space (if you plan to use the Systems Management functionality, at least 100 GB of free hard drive space will be necessary) A more powerful server is required for any significant number of clients. Recommendations are available in the Implementation Guide. Practical experience of using the Administration Server in large networks is summarized in course KL 302 “Kaspersky Endpoint Security and Management. Advanced Skills”. 2.2 Installation of the Administration Server Where to get the Kaspersky Security Center distribution To install Kaspersky Security Center, run the installer. Prior to installing Kaspersky Security Center, you should install and configure a database server. You can download the installer for Kaspersky Security Center 11 from the Kaspersky Lab website (https://www.kaspersky.com/small-to-medium-business-security/downloads/security-center) or from the product page on the technical support website (http://support.kaspersky.com/ksc11#downloads). I-24 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management There are two installers: — ksc_11_<version>_full_en.exe—the full distribution of Kaspersky Security Center 11 that includes a complete set of its own components, installation packages of Network Agent and Kaspersky Endpoint Security 11.1 for Windows, Microsoft .NET Framework, and other software, as well as the management plugins for all supported products. The size of this distribution is about 1 GB — ksc_11_<version>_lite_ru.exe—the lite version of the distribution that lacks the installation packages of Kaspersky Endpoint Security 11.1 for Windows, Microsoft .NET Framework, and some other software; as far as management plugins are concerned, only those of Kaspersky Security Center 11 components are included. The size of this distribution is about 140 MB. This distribution comes in handy when upgrading Kaspersky Security Center components Kaspersky Security Center installation shell When the full distribution version is run, the installation shell starts. The installation shell permits selecting the components to install, for example, the Administration Server or the Administration Console. You can also extract installation files of the selected components into the specified folder. The following products are available within the installation shell: — — — — — — — Kaspersky Security Center Administration Server Kaspersky Security Center Administration Console Kaspersky Security Center Network Agent Kaspersky Endpoint Security for Windows (extract only) iOS MDM Server (a component of Kaspersky Security Center for managing mobile devices) Kaspersky Endpoint Security for Android (extract only) Microsoft Exchange Mobile Devices Server (a component of Kaspersky Security Center for managing mobile devices) — Application management plugins This course covers only Server, Console, Network Agent, and Kaspersky Endpoint Security. What you need to know before the installation During the installation, the administrator selects: — — — — — — Kaspersky Security Center components (including the new Web Console) Installation folder SQL server type and connection parameters Path to the Administration Server shared folder Ports and connection address of the Administration Server Management plugins for the products Almost all of these values can be changed after the installation. Only the SQL server type cannot be modified. If you select Microsoft SQL, you will not be able to switch to MySQL without losing data. You can switch to another SQL server of the same type without losing data, but it is not easy. You will need to back up the Administration Server data, reinstall the Administration Server, select another SQL server, and after that, restore the data from the backup copy. I-25 Introduction Setup wizard Installation types Installation of the Administration Server can be either custom or standard2. During the standard installation, the administrator is prompted to: — — — — Accept the license agreement for Kaspersky Security Center Specify the network size Select a database server type Configure the database server connection parameters Kaspersky Security Center distribution does not include a Microsoft SQL server anymore. You should deploy and configure a Microsoft SQL or MySQL database server in the network prior to installing Administration Server 2 On Windows Server Core, only custom installation is available. I-26 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management If you select Custom installation and leave all the default settings, the result will be exactly the same as after the Standard installation. Components and installation paths You can install the following components together with the Administration Server: — SNMP agent — Packages for mobile device support The SNMP agent is necessary if you want the Administration Server to send notifications over SNMP. This component requires the SNMP service (a Windows component) to be installed on the computer. If the SNMP service is absent, the SNMP agent will not be shown in the list of Administration Server components during the installation. The option Install packages for mobile device support adds the components necessary for managing Kaspersky Endpoint Security for Mobile via Kaspersky Security Center. Detailed information is available in course KL 010. Under the list of components, you can change the location of Administration Server program files. If you want to move files because drive C: lacks space, consider moving only the shared folder of the Administration Server. It can be relocated independently of the program files, and it takes up much more space than the other program files. The path to the shared folder will be configured later in the installation wizard. Remember that backup copies of the Administration Server are stored to the %ProgramData%\KasperskySC folder by default. These copies consume much space, up to several gigabytes, depending on the number of endpoints. Web Сonsole Web Console is an application that you can install either together with Kaspersky Security Center or on another computer. Web Console is included with the distribution of Kaspersky Security Center 11 and the installation wizard prompts you to specify whether you want to install Web Console together with the Kaspersky Security Center. If you do not change anything, the Web Console will be installed with the default parameters; in particular, port 8080 will be used for connections. I-27 Introduction Network size Four options are represented for the network size: — — — — Fewer than 100 networked devices From 100 to 1,000 networked devices From 1,000 to 5,000 networked devices More than 5,000 networked devices The following Administration Server parameters depend on the selected option: Fewer than 100 From 100 to 1,000 From 1,000 to 5,000 More than 5,000 Automatically randomize task start – + + + Display slave Administration Servers – – + + Display security settings – – + + Number of computers in the network I-28 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Automatic randomization of the task start applies to the schedules of virus scan, update, vulnerability search, and other group tasks. If a task starts simultaneously on many computers, the load on the network and Administration Server drastically increases. To even out the peak, tasks can start on the computers with a random delay. The administrator can enable randomization and then specify the randomization range manually or select automatic randomization. On each computer, the delay is selected randomly within the specified or automatically chosen range. How automatic randomization works If automatic randomization is used, the randomization range depends on the number of computers where the task starts: The number of computers Randomization range 0–200 0 minutes 200-500 5 minutes 500-1,000 10 minutes 1,000-2,000 15 minutes 2,000-5,000 20 minutes 5,000-10,000 In 30 minutes 10,000-20,000 1 hour 20,000-50,000 2 hours 50,000+ 3 hours Slave Administration Servers and security parameters are described in course KL 302 “Kaspersky Endpoint Security and Management. Advanced Skills”. These functions are rarely used in small and middle-size networks. The default settings are the same when the administrator selects either “From 1,000 to 5,000” or “More than 5,000 networked devices.” If you select the “More than 5,000 computers on network” option, the installation wizard will recommend that you do not use the free version of Microsoft SQL server. Detailed information about large networks is provided in technical training KL 302 “Kaspersky Endpoint Security and Management. Advanced Skills”. The network size selection only influences a couple of interface settings, which can easily be modified after the installation. The threshold value that actually makes the difference is 1,000 computers. Administration Server operation parameters do not depend on the selected network size. Selecting the SQL server type The Administration Server stores events, information about computers and a part of the settings in the SQL database. The Administration Server can store the database in either of the following types of SQL servers: — Microsoft SQL Server — MySQL The choice depends on the company’s and the administrator’s preferences. Microsoft SQL Server is an industry standard and is recommended for large networks (5,000 endpoints or more). I-29 Introduction MySQL server has open source code and can run on a Linux operating system. That is why MySQL is sometimes preferred by state institutions. Starting with version 10 SP3, Kaspersky Security Center distribution does not include Microsoft SQL Server Express. The administrator is to install and configure an SQL server unassisted. We recommend that you do it before you start the Kaspersky Security Center installer. How to specify a Microsoft SQL server If you decide to use a Microsoft SQL server, specify the full name of the instance and the name of the database designed for the Administration Server. To find the necessary instance in the network, click the button Browse. If it does not show, make sure that SQL Server Browser service is running on the SQL server. It is disabled by default. I-30 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management If you have not installed a Microsoft SQL server in advance, you can do it without interrupting the KSC installation wizard. The SQL server settings page provides two links to Microsoft webpages: — Microsoft SQL Server 2014 SP2 Express download link (a free version recommended for small networks up to 5000 endpoints) — A link to descriptions of Microsoft SQL Server editions, where you will be able to select what you need How to connect to your Microsoft SQL server The database for the Administration Server is created by the installer. Later, the Administration Server will connect to the database to record and extract events. The installer needs the permission to create a database. The Administration Server will need the write and read permissions for the database. If the Microsoft Windows Authentication Mode is selected, the installer connects to the SQL server under the current Windows user account. Meanwhile, the Administration Server will connect to the database under the account of its service: KL-AK-<*> by default, or the one selected by the administrator at a previous step. The current user must have the right to create a database on the SQL server. If the Kaspersky Security Center administrator does not have permissions to create a database on the SQL server, the SQL server administrator should create an empty database, and the Kaspersky Security Center administrator is to specify the names of the instance and database in the installation wizard. The KL-AK-<*> account (or another one specified by the administrator) must have the read and write permissions for the database. You cannot check this before the installation, but you can grant the selected account these permissions afterwards, or even specify another account for the Administration Server service. If you select the SQL Server Authentication Mode, specify an SQL server account rather than a Windows account. Both the installer and the Administration Server will use this account to create the database and record events there. By default, the SQL Server Authentication Mode is disabled in all supported versions of SQL server. It is considered to be obsolete and unsafe. Microsoft and Kaspersky Lab recommend to use Microsoft Windows Authentication Mode. If the SQL server instance is located on another computer, make sure that SQL server allows remote connections, and that ports are not blocked by the firewall. I-31 Introduction How to specify a mySQL server If you selected MySQL server, specify the database server address, port (typically, 3306), and database name. The database page does not offer a download link for MySQL. You can find MySQL products on the website www.mysql.org How to connect to the mySQL server Specify the username and password to connect to MySQL server. These name and password will be used by both the installer to create the database, and by the Administration Server to write into it. In the latest versions of MySQL server, to enable an account to connect to the server, you need to allow a specific address or computer name to use it on the SQL server side. See the MySQL documentation for details. When you click Next, the wizard attempts to connect to the specified server under this account. If the connection fails, the wizard returns an error that describes the issue it encountered. I-32 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Administration Server service account By default, the installer creates a new account named KL-AK-<alphanumeric combination> for starting the Administration Server service. It is a local account, which is not included in the computer administrators’ group, but has the same permissions as administrators. Also, it is added to the KLAdmins group. Members of this group have full access to all the functions and settings of the Administration Server. For security reasons, this account cannot log on to the system locally. If the administrator decides to use another account, he or she must grant it all the necessary permissions. The Administration Server service account must have administrator permissions on the computer selected for the installation. If the database is planned to be located on a remote SQL server, the account must have Read and Write access to the Administration Server database on the SQL server. If the Administration Server account has domain administrator permissions, some operations are simplified, for example, remote installation. Account for accessory services The KL-AK-* account starts only the Administration Server service: Kaspersky Security Center Administration Server. The Administration Server also has other services: — — — — — Kaspersky Activation Proxy Kaspersky Lab Web Server Kaspersky Security Network Proxy Kaspersky Security Center Network Agent Kaspersky Security Center automation object The first three services are started under another service account created by the installer: KlScSvc. This account has the same rights as KL-AK-*: The permissions are equivalent to administrative less the right to log on locally. The Network Agent and the automation object operate under the Local System account. On some operating systems, the automation object operates under the Network Service account. The installation wizard permits selecting another account instead of KlScSvc. For example, if the company already has a service account for this purpose. I-33 Introduction The shared folder of the Administration Server The shared folder stores signature updates and the installation files for applications, specifically, Network Agent and Kaspersky Security Center. By default, the installer creates the shared folder of the Administration Server in the folder with program files. The local name of this folder is Share, and the network name is KLSHARE. Right after the installation and initial setup, the shared folder takes up about 300 MB. It may grow up to several gigabytes depending on how Kaspersky Security Center is used. That is why it might be worthwhile to place the shared folder of the Administration Server on a drive other than the system one. The location of the shared folder can be changed later via the Administration Console. Connection ports of the Administration Server Administration Server accepts connections from Network Agents on two TCP ports: — 13000 for SSL connections — 14000 for non-SSL connections I-34 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management By default, all connections are encrypted in Kaspersky Security Center, so only SSL port 13000 is used. Port 14000 might be used only if the administrator disables connection encrypting for troubleshooting. If you want to use other ports, make this decision beforehand and specify them in the installation wizard. To modify the ports after the Administration Server has been installed, you will have to edit them in several places in the Console. And to modify the ports after Network Agents have been installed on the network computers, you will have to use a special task or reinstall the Agents. In older versions of Kaspersky Security Center, Administration Consoles connect to port 13000. In the recent versions, KSC Consoles connect on TCP port 13291. You cannot select this port in the installation wizard, but you can easily modify it later via the Administration Console. Web server and activation proxy server services use 4 more ports, which can also be reconfigured in the console. To be able to establish SSL connections, the Administration Server generates a new certificate valid for 10 years during the installation. To save and restore the certificate after failures or after reinstalling the Administration Server, use the backup procedure (see Unit IV “Maintenance” for details). Administration Server address for Network Agents The client computers where the Network Agent is installed will connect to the Administration Server using the address and port specified during the installation. You can specify the Server address in the form of an IP address (IPv4 only), DNS or NetBIOS name. The choice depends on the network configuration. Even though an IPv6 address can’t be specified, Network Agents can connect to the Administration Server via IPv6 if the Administration Server address is specified as a NetBIOS or DNS name. If the Administration Server has a static IP address that will not be changed in the foreseeable future, it is the best choice. In this case, the ability to connect depends only on the routers, rather than on the name resolution system. If the IP address is assigned dynamically (or is static but is changed often), you should not use it as the connection address, because you will have to modify the client connection settings often. To avoid the trouble, it is better to specify the server name: Either DNS or NetBIOS. If the DNS service reliably functions in the network, use the DNS name since DNS name resolution is not usually blocked by local firewalls. NetBIOS name resolution is based on broadcast queries and answers, which may be blocked by local firewalls. Therefore, the NetBIOS name should only be used for connections if the other methods cannot be used. I-35 Introduction After the installation, the Server connection address and ports can be changed in the properties of Network Agent installation package. Management plugins for the programs The distribution kit of Kaspersky Security Center includes the management plugins for all current versions of Kaspersky Lab products. The custom installation enables the administrator to select the plugins of the products that are used or will be used in the network. The plugins can also be installed later from the Kaspersky Security Center installation shell. Plugin installers are also included with the distributions of the corresponding products. Every plugin is installed by its own short installation wizard. Some plugins are installed automatically, while others prompt the administrator to accept the license agreement. If you upgrade a product to a new version with a new plugin, uninstall the old plugin. The following knowledgebase article explains how to remove unnecessary plugins: https://support.kaspersky.com/9303 During the standard installation, management plugins for Kaspersky Security Center 11 components and Kaspersky Endpoint Security 11.1 for Windows are installed, as well as mobile device management plugins. Plugins are installed at the very end of the Administration Server installation. After the Kaspersky Endpoint Security 11.1 I-36 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management plugin is installed, the installation is finished. On the last page, the administrator can select whether to start the Administration Console. Completing the installation On the last page, the wizard offers to start the local ММС Administration Console or the Web Console immediately and proceed with the setup in the Administration Server Quick Start Wizard. By default, Web Console will start if it has been installed. Usually, Administration Server needs a few minutes to start working and accept connections. Additional consoles and plugins If you need plugins for other Kaspersky Lab products, you can install them from the installation shell. To be able to manage the Administration Server remotely in a way other than via RDP or the Web Console, install a remote MМС Administration Console. The console has a very simple installation wizard without settings. Plugins I-37 Introduction for the console can also be installed from the same installation shell. Plugins are to be installed on each console rather than on the Administration Server. If the console lacks a plugin, the administrator will not able to open tasks and policies of the corresponding program and the console will display an error message. To fix this, simply install the necessary plugin. Full-fledged management of the Administration Server and other Kaspersky Lab products is possible only via the MMC console. The first release of the new Web Console does not permit managing encryption, for example, and does not support any protection products but Kaspersky Endpoint Security for Windows. Also, the new Web Console does not support Mobile Device Management or Vulnerability Assessment and Patch Management so far. Installation results If you select the Custom option when starting the wizard, but agree to the default settings on all wizard pages, the result will be the same as with the Standard option: Components Administration Server Network Agent MMC Administration Console Web Сonsole Installation paths %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Security Center—program files %ProgramFiles%\Kaspersky Lab\Kaspersky Security Center Web Console 11—program files %ProgramData%\KasperskyLab\adminkit—settings %ProgramData%\KasperskySC\SC_Backup—the folder for backup copies Services Kaspersky Security Center Administration Server Kaspersky Security Center Network Agent Kaspersky Security Center automation object Kaspersky Security Network proxy server Kaspersky Lab Web Server Kaspersky Activation Proxy Kaspersky Security Center 11 Management Service Kaspersky Security Center 11 Web Console Kaspersky Security Center 11 Web Console Message Queue Shared folder KLSHARE Its local path is %ProgramData%\KasperskyLab\adminkit\1093\.working\Share I-38 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management User groups KLAdmins KLOperators (see course KL 302 for details) Accounts KL-AK-<*>—starts the service of the Kaspersky Security Center Administration Server KlScSvc—starts the services of the Kaspersky Activation Proxy, Kaspersky Security Network Proxy Server, and Kaspersky Lab Web Server The KL-AK-<*> and KlScSvc accounts have the same permissions as the local administrator, but are not included in the computer built-in administrators group KlPxeUser—a user account for the PXE server (see course KL 009 for details) Connection ports 8060—http port of Kaspersky Lab Web Server 8061—https port of Kaspersky Lab Web Server 13000—for SSL connections of Network Agents 14000—for non-SSL connections of Network Agents and Administration Consoles 13291—for SSL connections of Administration Consoles 13111—port of Kaspersky Security Network proxy server service 17000—port of Kaspersky Activation Proxy 13299—for SSL connections of Kaspersky Security Center Web Console SQL server Database name: KAV Connection address DNS name of the server Plugins Kaspersky Security Center 11 (11.0) Administration Server Kaspersky Security Center 11 (11.0) Network Agent Kaspersky Endpoint Security 11.1 for Windows Kaspersky Mobile Device Management 11 Installation packages Kaspersky Endpoint Security 11.1 for Windows Kaspersky Security Center 11 (11.0) Network Agent Microsoft Exchange Mobile device server iOS MDM Server I-39 Introduction Most of these settings can be modified either during the custom installation, or in the product settings after the installation is finished, or both ways. However, some of the settings cannot be edited at all after the product is installed; some others are very difficult to change. You should consider the following very carefully before the installation: 1. The path to data files cannot be modified at all, which complies with Microsoft requirements 2. To modify the path to the program files, as well as the SQL server address, you will have to reinstall Kaspersky Security Center 3. The type of SQL server (Microsoft or MySQL) cannot be modified at all, at least not in any supported way. 2.3 Installation of Kaspersky Security Center Web Console Setup Wizard Selecting the installation language Web Console is not required to be installed together with Kaspersky Security Center, you can install it on any other computer like an ordinary application. The Web Console’s distribution is located in the unpacked Administration Server folder: Server\Packages\Web Console. Run the installer and select the language for the installation wizard. I-40 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management License agreement and the list of Web Console localizations Installation path and connection address We recommend that you use the default installation path. If necessary, change the port for connecting to the Web Console. UDP port 8080 is used by default. Account and certificate Web Console installs several services in the system; at this step, you are prompted to select the accounts under which the services will be started. We recommend that you use the default accounts. In this case, the Web Console’s services will start under Local System and Network Service. Now, decide which certificate to use: The installation wizard can generate a self-signed certificate automatically; alternatively, you can specify another one. I-41 Introduction Connecting to Kaspersky Security Center The most important step is adding a trusted Administration Server. At this step, the administrator specifies Kaspersky Security Centers with which the Web Console will be able to interact. If Web Console is installed on a computer where Kaspersky Security Center is installed already, this server will be added to the list of Trusted Administration Servers automatically. Otherwise, you will need to manually add the server: Its address, port, and, last but not least, the path to the Administration Server certificate. This certificate will then be copied to the Web Console installation folder. Web Console uses port 13299 to connect to Kaspersky Security Center by default, but if necessary, you can change it in the Administration Server properties. Installation and finishing the wizard Click the Install button to start the installation and wait for completion (5-7 minutes). I-42 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Now, you can either finish the wizard, or start the Web Console using the respective link. To connect to the console from the administrator’s workstation or any other remote machine, open a browser and go to https://<IP address>:8080 (or the port that you specified during the installation). Web Console services Web Console’s architecture includes numerous components and processes which are hidden from the user; it does not make any sense to tell about them in detail either. The main component is Server Web Console that is based on Node.js; it runs as a separate node.exe process. There are also other components that run in other node.exe processes, for example, each plugin has a dedicated process. Separate processes are also used for the message queue processing (nsqd.exe) and logging (nsq_to_file.exe) subsystems. The standard Node.js process manager monitors and manages processes. Because of the operating system limitations, the process manager starts processes under the same account under which it is running. For this reason, two instances of the process manager run: One under the Local System, and the other under the Network Service account. Limited permissions are sufficient for most processes; but some scenarios require elevated privileges. I-43 Introduction Now let us see which services Web Сonsole installs in the system: — Kaspersky Security Center Web Console Management Service—SrvLauncher.exe—this service is used solely to start the process manager under the Local System account — Kaspersky Security Center Web Console—SrvLauncher.exe—this service is used solely to start the process manager under the Network Service account — Kaspersky Security Center Web Console Message Queue—nsqd.exe—NSQ-based distributed messaging platform Interaction with Kaspersky Security Center The Web Console is a Node.js web server. The server part of the Web Console connects to Kaspersky Security Center over a new protocol KSC Open API based on HTTPs. The client part of the Web Console is a Single Page Application (SPA). In its most basic form, SPA is a web application that literally has only one page, which loads content dynamically. Meaning, when you click an interface element in the Web Console, a Javascript runs that loads the respective modules and visualizes the requested content. For the user, it looks like a new page has opened. Connecting to several Administration Servers What if we have several Administration Servers at the company and want to connect to all of them via a browser? The simplest option is to install a dedicated Web Console on each Kaspersky Security Center and work with different Administration Servers from different browser tabs. However, you can also use a single Web Console as an entry point for managing several Administration Servers. To implement this scenario, add several Trusted Administration Servers to the Web Console. Two methods can help to achieve this: — Either click Change | Update in Programs and Features (this is the recommended way) — Or manually edit the сonfig.json configuration file in the Web Console installation folder (a less recommended method) I-44 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management If the Web Console has several Trusted Administration Servers, the login page will display an additional field, ‘Server name’. The administrator will need to select which Administration Server to connect to. Requirements for browsers You can work with the Web Console via the following browsers: — Google Chrome version 62 or higher — Mozilla Firefox version 60 or higher — Safari version 12 Note that Internet Explorer is not supported. I-45 Introduction 2.4 Quick Start Wizard Tutorial When you connect to the Web Console for the first time, Tutorial opens. It is a small demo that tells what is where in the Web Console interface. If you have previously used the MMC console, the Web Console will be very unfamiliar to work with at first, and we strongly recommend that you read the Tutorial to acquire basic information. If you’ve closed Tutorial accidentally or want to re-read it, there is the Show Tutorial link at the bottom of the main window. At the first connection, after you pass or close the Tutorial, the Quick Start Wizard will open. I-46 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management The Quick Start Wizard prepares the Server: — Downloads the necessary plugins — Creates policies and tasks — Downloads updates to the Administration Server repository The wizard prompts the administrator to: — — — — Configure the proxy server for Internet access Add a license Enable Kaspersky Security Network Configure email notification and reporting Configuring proxy server for Internet access The next step prompts to configure proxy server connection parameters for Internet access. The Administration Server connects to the Internet to download updates and communicate with KSN servers of Kaspersky Lab. Both features use common proxy server parameters. The settings are rather typical: Address, port, optional user name and password for authorization, and an option to bypass proxy server for local addresses. Downloading information about plugins The wizard connects to Kaspersky Lab servers and checks information about plugins available for the Web Сonsole. I-47 Introduction License installation The next step is product activation. Most Kaspersky Lab products require activation and some, particularly Kaspersky Security Center and Kaspersky Endpoint Security, can be activated to different levels of functionality. That is, depending on the license, some functions may be unavailable. Activation keys and codes To activate a product, you need a key or a code. Both can represent the customer’s license with all relevant restrictions. A key is a file and the product can verify its validity and restrictions locally. A code is just a string and the product needs to connect to Kaspersky Lab Activation service online to verify its validity and restrictions. Old versions of Kaspersky Lab products can be activated only with a key. All recent versions can be activated with either a key or a code. I-48 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Codes are more useful, because a single code can activate all products that you have purchased. With key activation, a license often includes several different key files. A key designed for Kaspersky Security Center cannot activate Kaspersky Endpoint Security, and vice versa. Meanwhile, a single code can activate both. Keys are indispensable when you need to activate a product on a computer without access to the Internet. If you have only a code rather than keys, add it to the license storage on the Administration Server (Operations | Licensing | Kaspersky Lab Licenses in the Web Console). The Server will automatically download the corresponding keys, which you will be able to export into files. If computers have no Internet access but are connected to the Administration Server, which does have access, the products on the computers can be activated with a code. The products will verify the code via the Administration Server service, Kaspersky Activation Proxy. Activation with a code In the Quick Start Wizard, you can submit either a key or a code. If what you have is a code than it’s all simple, just choose the relevant option, enter the code and wait for the verification. The Administration Server must be able to connect to the Internet at this stage. For more details about how to activate Kaspersky Endpoint Security on the client computers, refer to Chapter 3 of this Unit. Activation with a key If you have a key, than most probably you have more than one of them, and you need to decide which one to feed to the wizard. It is common practice to specify the key that activates Kaspersky Endpoint Security. You can find out which one it is by looking into the CompatibilityList.txt file that usually comes along with a key or a code. Other keys can be added later either in the properties of the Administration Server or on the Operations | Licensing | Kaspersky Lab Licenses tab in the Web Console. You can select to install a code (or key) to the client computers automatically. For this purpose, open its properties and select to Deploy key automatically. If the Administration Server detects a managed computer where Kaspersky Endpoint Security is not activated, it will automatically send the key selected for automatic installation there. I-49 Introduction Installing plugins The list of plugins By default, the Web Console is installed with two plugins: — For the Administration Server — For the Network Agent Plugin for Kaspersky Endpoint Security 11.1 is to be added manually. If you click Add, the list of plugins available for the Web Console will open; this list is downloaded from Kaspersky Lab servers. Also, the Quick Start Wizard can check whether new versions are available for the existing plugins. In the list of new plugins, the wizard shows the program version managed via the plugin, the version of the installed plugin, and the version of the latest available plugin. The Web Console, unlike the MMC console, permits uninstalling a plugin by clicking a single button. I-50 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management If you use both the MMC console and Web Console, take care that versions of plugins for Kaspersky Endpoint Security 11.1 coincide; otherwise, it may happen that an earlier plugin is not able to work with a policy created using a later plugin. The same is true for tasks. Adding plugins from a file Sometimes, a plugin is designed for testing or to solve some specific issue of a particular company; in this case, it is sent in an archive to the user instead of being published on Kaspersky Lab servers. To install such a plugin, carry out the command Add from file and specify the path to the archive and the file with the checksum. Kaspersky Security Network The wizard prompts the administrator to accept the Kaspersky Security Network (KSN) statement. KSN is the name of the cloud-assisted protection technologies of Kaspersky Lab. KSN provides extra protection for the computers by receiving the latest information about new threats before this information is added into the traditional anti-malware signatures. In return, Kaspersky Lab will receive anonymous I-51 Introduction information about the files and URL addresses processed on the client computers. The KSN service is described in more detail in the Introduction and in Unit II “Protection Management”. If the administrator selects to participate in KSN, the options that enable the use of KSN and KSN proxy are activated in the policy. If the administrator selects not to participate in KSN, the use of KSN will be disabled in the Kaspersky Endpoint Security 11.1 policy; the use of KSN proxy will be enabled nevertheless. The use of KSN proxy in the policy is related to the KSN proxy functionality of the Administration Server. The KSN proxy function is implemented as a service named Kaspersky Security Network proxy server in the Administration Server. It is enabled by default. Creating tasks and policies At this stage, the Quick Start wizard creates the policies and tasks necessary for endpoint protection. The following policies and tasks are always created: Administration Server tasks I-52 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Task Scope Schedule Parameters Download updates to the repository Administration Server Hourly Source: Kaspersky Lab update servers Database maintenance Administration Server Saturday at 1:00 a.m. Optimizes the database without shrinking it Backup of Administration Server data Administration Server Every other day at 2:00 a.m. Stores the 3 latest copies, the password is not specified Policies Policy Scope Kaspersky Endpoint Security 11.1 for Windows The “Managed devices” group Kaspersky Security Center 11 Network Agent The “Managed devices” group Tasks Task Scope Schedule Parameters Update Managed devices When new updates are downloaded to the repository Source: Administration Server Installs only approved module updates Note that the group Quick Virus Scan task is not created by default anymore. Instead, Background Scanning is enabled, which scans system areas while a computer is locked. This option is available in the policy, in Application Settings | Local Tasks. If you want to manage on-demand scanning to the full extent, you will have to create a group scan task with the necessary settings manually. Network polling I-53 Introduction The next step is to poll the network using Windows tools. This type of scanning works via network neighborhood in Windows Explorer, which is disabled in the operating system by default. Configuring email notification The next step is to set up email notification and delivery of reports. To have notifications about important events sent to the administrator’s mailbox, specify the email address and SMTP server parameters (address, port and, if necessary, authorization data). These parameters will be used when sending notifications and reports. By default, event notifications are not sent. To receive the information about events by email, turn on notifications in the event properties. The parameters of Kaspersky Security Center events are configured in the Administration Server properties; and parameters of Kaspersky Endpoint Security events, in the Kaspersky Endpoint Security policy. The wizard does not check the correctness of the specified settings, but allows the administrator to do it with the Send test message button. A test message will be sent to the specified recipient. If the wizard fails to connect to the SMTP server or fails to authenticate, the corresponding error will be displayed. Then it is up to the administrator to check the inbox and make sure that the message is actually there. What to do next The last page of the Quick Start wizard displays the check box that allows you to start the remote installation wizard for deploying Kaspersky Endpoint Security on the network computers. This check box is selected by default, but it is preferable to adopt a deployment plan and stick to it rather than rush into action: 1. Let the Server discover network computers 2. Check the settings of installation packages to install exactly what is necessary 3. Try various installation methods in a test environment If necessary, the administrator can start the Quick Start wizard again. In this case, the wizard will create only the tasks and policies that are missing. I-54 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Automatic license distribution If you’ve added an activation code to the Quick Start Wizard, we recommend that you enable automatic distribution as soon as the wizard completes, while you still remember about it. I-55 Introduction Chapter 3. How to install Kaspersky Endpoint Security on computers 3.1 Requirements for client computers Kaspersky Endpoint Security 11 requirements for the operating system Kaspersky Endpoint Security can be installed on the following Microsoft Windows operating systems: Client — — — — — — — — — 3 Windows 10 Pro x86 / x64 (all editions)3 Windows 10 Education x86 / x64 (all editions)3 Windows 10 Enterprise x86 / x64 (all editions)3 Windows 8.1 Enterprise x86 / x64 Windows 8 Pro x86 / x64 Windows 8 Enterprise x86 / x64 Windows 7 Professional SP1 x86 / x64 Windows 7 Enterprise SP1 x86 / x64 Windows 7 Ultimate SP1 x86 / x64 The limitations concerning the latest versions of Windows 10 are described in Kaspersky knowledgebase at https://support.kaspersky.com/13036 I-56 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Server — — — — — — — Microsoft Windows Server 2019 Microsoft Windows Server 2016 Microsoft Windows Server 2012 R2 Foundation / Essential / Standard Microsoft Windows Server 2012 Foundation / Essential / Standard x64 Microsoft Small Business Server 2011 Essential / Standard x64 Microsoft Windows Server 2008 R2 SP1 Standard / Enterprise x64 SP1 Microsoft Windows Server 2008 SP2 Standard / Enterprise x86 / x64 An important thing to remember is that Datacenter editions of Windows Server are not supported. Kaspersky Security for Windows Server is designed for their protection. The list of operating systems includes most Windows versions from Windows 7 / Windows Server 2008 R2 to Windows 10 RS5 / Windows Server 2019. The virtual platforms supported by Kaspersky Endpoint Security Kaspersky Endpoint Security 11.1 for Windows can be installed on the following virtualization platforms: — — — — — — VMware Workstation 14 VMware ESXi 6.5 Microsoft Hyper-V 2016 Citrix XenServer 7.2 Citrix XenDesktop 7.14 Citrix Provisioning Services 7.14 On Citrix PVS, Kaspersky Endpoint Security must be installed with the /pCITRIXCOMPATIBILITY=1 command line switch. In Kaspersky Endpoint Security 11.1 for Windows, this parameter can also be enabled in the installation package properties rather than only via the command line. To install Kaspersky Endpoint Security, administrative permissions are necessary. I-57 Introduction Minimum hardware requirements General hardware requirements for Kaspersky Endpoint Security 11.1 are as follows: — A 1 GHz processor (that supports SSE2 instructions) — 1 GB of RAM4 — 2 GB of free drive space Requirements for the Network Agent The Kaspersky Security Center Network Agent can be installed on all systems supported by Kaspersky Endpoint Security 11.1 for Windows. Hardware requirements for Network Agent installation are as follows: — Processor: — 1 GHz or higher for 32-bit systems — 1.4 GHz or higher for 64-bit systems — Memory: 512 MB — Hard drive space: 1 GB RAM requirements are actually recommendations. The Network Agent can be installed on a computer with less memory. 4 The minimum RAM with which the application can be installed is 768 MB I-58 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management 3.2 How to change KES components Installation packages In Kaspersky Security Center, installation packages are ready to be installed. A package includes installation files along with the installation parameters and some product setup parameters. Installation package parameters in a sense replace the local installation wizard and local setup wizard. Every product has its own settings. As you know, installation packages are used in the remote installation wizards and tasks, and for creating standalone installation packages. Kaspersky Security Center includes all packages necessary for deploying the protection system: — — — — Network Agent Kaspersky Endpoint Security for Windows iOS MDM Server Microsoft Exchange Mobile Devices Server The list of available packages is displayed on the Operations | Repositories | Installation Packages page. The following information is available for each package: Name, language, and version of the product, as well as the unique name of the package. In the package properties, you can also find its size, which is the total size of all its files. Packages can be created, modified and removed. If a package is used in an installation task, it cannot be removed until the associated task is deleted. First, delete all tasks that use the package, and then delete the package. You can create various installation packages in Kaspersky Security Center. You can use them to install operating systems, third-party programs, updates and critical fixes for third-party applications, and also to run various scripts and utilities on the computers. This is described in more detail in KL 009 “Systems Management” course. Within the framework of this chapter, we describe only the installation packages created for Kaspersky Lab programs. I-59 Introduction Settings of a Kaspersky Endpoint Security package General properties Each package has general properties and settings that depend on the program for which the package was created. To be able to review the package settings, the application plugin must be installed in the console. You can download the plugin right from the Web Console interface: At the top of the page, click Console settings | Plug-ins. The General section of the package properties shows the program version and file size, and also the path to the package file in the shared folder of the Administration Server. If necessary, an IT employee can download the installation files over the network and install the application locally. How to update databases in a package There is the button Update databases in the general properties of a Kaspersky Endpoint Security package. It updates the signature database within the package. I-60 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management For Kaspersky Endpoint Security to be able to work right after the installation, its installation package includes antivirus databases. They become obsolete over time. This is not actually a problem, because right after Kaspersky Endpoint Security is installed, the update task starts and downloads the new databases. Sometimes, it is necessary that the product is installed with up-to-date databases. For example, an IT employee may take a standalone package to a small branch office with poor Internet access. In this case, the size of the package that the engineer carries on the removable drive is not that important. Decreasing the traffic of the update task is more important, since it may constitute tens of megabytes if the package contains outdated databases. In this case, databases can be updated in the package prior to the installation. The date of the last update, unfortunately, is not visible in the Web Console, but it is shown in the MMC console, in the general package properties, in the Databases updated field. The Update databases button copies a complete set of databases from the Server storage to the Kaspersky Endpoint Security package. Initially, the databases are supplied within the bases.cab archive in the installation package. After an update using the Update databases button, the archive is replaced with a folder named bases. The folder’s volume is comparable to the size of the archive, since the database files are encrypted and cannot be compressed. Kaspersky Security Center updates databases in the packages automatically when updates are downloaded to the repository. However, this is performed only once for each package. If databases have ever been updated automatically in a package, they will not be updated automatically any more. In fact, the Kaspersky Endpoint Security package that is added to the storage during the server installation is updated automatically shortly after the installation, and any other newly created Kaspersky Endpoint Security package will be updated soon after it is created. How to select components in a package Other parameters of Kaspersky Endpoint Security package duplicate the interactive installation parameters. The main parameters are the list of components and the program files folder. The list of components available for installation is as follows: — Advanced Threat Protection — — — — Behavior Detection Exploit Prevention Remediation Engine Host Intrusion Prevention * I-61 Introduction — Essential Threat Protection — — — — — — — File Threat Protection Web Threat Protection * Mail Threat Protection * Network Threat Protection Firewall BadUSB Attack Prevention AMSI Protection Provider — Security Controls — — — — Web Control * Application Control Device Control * Adaptive Anomaly Control * — Data Encryption — File Level Encryption * — Full Disk Encryption * — Bitlocker Management — Endpoint Sensor — Endpoint Sensor By default, mainly the components included in the Select license are installed. Remember that some of the components only work on workstations, while a package can be installed on any supported operating system. On server systems, only the following components can be installed: — — — — — — — — — — — Behavior Detection Exploit Prevention Remediation Engine File Threat Protection Network Threat Protection Firewall BadUSB Attack Prevention AMSI Protection Provider Application Control Bitlocker Management Endpoint Sensor Although Host Intrusion Prevention settings will also show up in Kaspersky Endpoint Security on servers, the component will not be actually installed. Kaspersky Endpoint Security won’t control application privileges on servers, e.g., it won’t block Untrusted applications on servers. The reason why Host Intrusion Prevention settings are visible on servers is that a part of these settings are also used by the Firewall component. Host Intrusion Prevention and Firewall are described in more detail in Unit II of this course. In addition to the components, local tasks are installed. They cannot be deselected in the package properties and are installed on all operating systems: — — — — Update Rollback Integrity check Virus scan — Full scan — Critical areas scan — Custom scan — The scan task that users can run from an object’s shortcut menu I-62 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Compatibility settings By default, the Kaspersky Endpoint Security components are installed to: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Endpoint Security for Windows If necessary, the administrator can modify this path. Those administrators who often use the command line interface can select to automatically add the installation folder to the %PATH% environment variable. Then they will be able to carry out product management commands via avp.com without specifying the complete path. The package has two additional parameters that provide compatibility settings. One of them, Do not protect the installation process, disables self-defense during the installation. Self-defense prevents applications (primarily malicious) from modifying Kaspersky Endpoint Security installation files. It also blocks access to the folder where Kaspersky Endpoint Security files are installed, and to the registry keys of Kaspersky Lab software. Sometimes, self-defense conflicts with third-party applications, for example, with backup agents. That is why it can be disabled. Another parameter provides compatibility with Citrix Provisioning Services. If you want to install Kaspersky Endpoint Security on a virtual machine image in Citrix PVS environment, enable this option. How to add a configuration file to a package One more parameter is the Configuration file. This file defines the configuration settings that Kaspersky Endpoint Security will use after the installation. The configuration file substitutes the setup wizard of Kaspersky Endpoint Security. If a configuration file is not specified, the product will use the default settings. However, as soon as the Network Agent connects to the Server, the Kaspersky Endpoint Security policy will be enforced, which will override the protection settings. So, the configuration file is necessary if the policy does not regulate some of the product settings, or for unmanaged devices. To create a configuration file, install Kaspersky Endpoint Security on a computer, but do not connect it to the Administration Server; otherwise, the group policy will not allow you to modify the local settings. Configure Kaspersky Endpoint Security via the local interface as necessary, and save these settings into a file. The Save button is located in the Settings window, in the General Settings | Manage Settings section. I-63 Introduction How to add a key to a package Kaspersky Endpoint Security does not work without an activation. If an interactive installation takes place, the code or key can be specified in the setup wizard. Remote installation implies several ways for activating the installed product. One of them is to specify the key file in the installation package properties. In the package properties, you can add only a key, a code cannot be added. Also, a key or code can be distributed to the selected computers by a special task. The third option is to select the check box Automatically deployed key in the properties of key or code on the Operations | Licensing | Kaspersky Lab Licenses page of the Web Console. As a last resort, a code or key can be added via the local interface of Kaspersky Endpoint Security. I-64 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management How to disable uninstallation of incompatible applications By default, the Kaspersky Endpoint Security installer looks for and uninstalls incompatible applications: third-party antiviruses and firewalls. The list of programs that Kaspersky Endpoint Security can uninstall is rather large, but it is not exhaustive. Usually, it does not include the most recent versions of protection solutions by other manufacturers, or uncommon software. How to uninstall applications that Kaspersky Endpoint Security failed to detect is described at the end of this chapter. If Kaspersky Endpoint Security uninstalls an incompatible application incorrectly, disable automatic uninstallation and remove the program manually. Network Agent package parameters I-65 Introduction Installation path The General section of the Network Agent package is the same as that of Kaspersky Endpoint Security, but without the button Update databases. The Network Agent has no databases. The Settings section allows changing the installation folder and also setting the uninstallation password. If the Network Agent installation folder is not specified explicitly, the standard path is used: %ProgramFiles%\Kaspersky Lab\NetworkAgent Password protection Agent uninstallation can be protected with a password that can be specified in the package properties. Even users with administrator permissions will not be able to uninstall the Agent using regular tools unless they know the password. However, users with administrator permissions can make the Agent inoperative if they really want to. If you have not enabled password protection in the Network Agent installation package, enable it in the Agent policy, where it is also available. Administration Server connection parameters The Connection section of the Network Agent installation package properties contains the Administration Server connection parameters. The Network Agent installation wizard prompts for these settings during the local interactive installation. The main connection parameters are the Administration Server address and ports. Initially, they take the values specified during the Administration Server installation. If the client computers and Administration Server belong to different subnets connected via a proxy server, the proxy server parameters can also be specified in the installation package properties. These standard parameters include the proxy server address and port, and also the user name and password for authentication. Remember that these parameters will be used by Network Agents when connecting to the Server, not the other way round. When it is the Server that initiates a connection to a client computer, for example, to enforce a policy, it uses a UDP port. To prevent Windows Firewall from blocking requests on this port, the Network Agent can automatically create the necessary exclusions. To modify this behavior, clear the Open Network Agent ports in Microsoft Windows Firewall check box. By default, the Network Agent accepts connections on UDP port 15000. This value can be changed both in the package properties and later in the Network Agent policy. I-66 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Just like the Kaspersky Administration Console, Network Agents may establish encrypted (SSL) or non-encrypted connections to the Server. SSL is enabled by default. Network Agents automatically download and use the Administration Server certificate. In networks with strict security requirements, the certificate can be specified manually to prevent substitution. The advanced parameters of the Network Agent installation package are useful in networks with a complicated infrastructure. These are described in the courses KL 009 “Systems Management” and KL 302 “Kaspersky Endpoint Security and Management. Advanced Skills”. 3.3 How to create a new installation package Why create installation packages I-67 Introduction Installation packages included in Kaspersky Security Center are usually enough for protecting most networks. Additional packages can be necessary in the following cases: — A new version of Kaspersky Endpoint Security has been released. For an upgrade, just like for the initial installation, an installation package is necessary. The administrator can either create the package manually or download the new version of Kaspersky Security Center that includes a new package version and reinstall Administration Server over the old one (all settings will be saved). — You need to remotely install a Kaspersky Lab product that is not included in the distribution of Kaspersky Security Center, for example, Kaspersky Security for Windows Server. Such a package needs to be created manually. — Different parameters are needed in several network parts. For example, according to the deployment plan, some computers do not need Web Threat Protection and Mail Threat Protection components. To be able to deploy the system simultaneously on both categories of computers, create an additional installation package with those non-standard settings. Package creation wizard Selecting the package The administrator does not need to search for installation files or download them manually. Kaspersky Security Center monitors current versions of the Kaspersky Security Center, Kaspersky Endpoint Security, Kaspersky Security for Windows Server, etc. and allows the administrator to create installation packages right from the distributions available on Kaspersky Lab servers. To create an installation package, on the Operations | Repositories | Installation Packages page, click the Add button. This will open the list of available distributions for various versions and localizations. To search for the necessary application among others, the best choice is to use the filter, where you can specify at least name and language. The administrator just selects the necessary distribution and clicks the Download distribution package button; and the Administration Server automatically completes the job: Downloads the files and creates an installation package from them. I-68 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Kaspersky Security Center manages numerous programs by Kaspersky Lab. The list of updates contains not only new program versions, but also updates for them, new versions of plugins, and various localizations of the same applications. As a result, the list is rather long. To find what you need, use a filter. In the filter, you can select: — Components: — Controls—Kaspersky Security Center components — Workstations—applications for workstation protection, including Kaspersky Endpoint Security for Windows — File Servers and Storage—programs for protecting servers and storages, for example, Kaspersky Security for Windows Server — Virtualization—various versions of Kaspersky Security for Virtualization — Mobile—applications by Kaspersky Lab for Android and iOS smartphones and tablets — Embedded Systems—Kaspersky Embedded Systems Security (protection for ATMs and POS systems) — Update type: — Application distribution packages — Management plugins — Patches — Updates to display: — Only the latest versions — Only updates for software versions in use — Only updates for software with plugins installed in the Administration Console — Language: — All languages — Administration Console language or basic set (English, German, French) — Administration Console language and the language selected on the list After you apply the filter, the window will show only the updates that meet the specified conditions. You can also sort the contents by name, type, language and other parameters. Select the necessary package and click Download and create installation package. I-69 Introduction License agreement The progress bar will stop at approximately 85% and will be waiting for you to accept the license agreement. I-70 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management The Accept button appears dimmed by default; to have it highlighted, scroll the license agreement to the end 3.4 How to create an installation package for KSWS Which other protection applications are available for Windows Servers Not everybody knows that Kaspersky Lab offers several applications for protecting Windows servers. Kaspersky Endpoint Security is all right, but there is also another product named Kaspersky Security for Windows Server that was developed taking into account special requirements for server protection. I-71 Introduction For crucial servers, stability is often a number-one priority. Administrators sometimes prefer to risk server security rather than stability. After all, critical servers are usually located in a well-protected internal network, where malware and criminals are not likely to get. On the other hand, various attacks are aimed exactly at these servers. It is clear that any additional software, especially cyberprotection solutions, can affect server stability and performance. When we are talking about protection of critical servers, an antivirus must provide strong protection on the one hand, and have minimal impact on the server on the other. Main capabilities of Kaspersky Security for Windows Server: — — — — — — — It protects the server file system Controls the programs started on the server Controls connection of devices to the server Protects remote desktop sessions Protects storages against malware and file-encrypting ransomware Analyzes operating system logs and monitors file operations Sends events to SIEM Advantages of Kaspersky Security 10.1 for Windows Server Why is Kaspersky Security for Windows Server the best choice for server protection, especially in a large company? Because large companies require the following: — Stability We’ve mentioned already that servers must operate stably and uninterruptedly. Kaspersky Security for Windows Server was thoroughly tested on various server configurations, which is confirmed by software manufacturers’ certificates, including Microsoft, Citrix, and VMware. Neither installation nor uninstallation nor module updates of Kaspersky Security for Windows Server require a restart. The same is true for upgrading the application from Kaspersky Security 10 for Windows Server to Kaspersky Security 10.1 for Windows Server. I-72 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management — Performance Another important factor is performance. During the installation, the administrator can select which components to install, and thus minimize the load on the server’s system resources. Since Kaspersky Security for Windows Server is designed for server operating systems, the developers optimized it accordingly. Kaspersky Security for Windows Server provides flexible configuration tools for real-time and on-demand protection. — Various corporate scenarios are supported Kaspersky Security for Windows Server, unlike ordinary antiviruses, provides additional capabilities for the scenarios often encountered in large organizations, to name a few: — Installation on Windows Server in the Core Mode — Seamless operation on servers with the Remote Desktop Services (Terminal Services) role — Operation on a failover cluster — Protection for storages — SMNP support Specifics of Kaspersky Security 10.1 for Windows Server Kaspersky Lab offers two solutions for protecting servers that run Microsoft Windows Server: — Kaspersky Endpoint Security — Kaspersky Security 10.1 for Windows Server Both products protect against malware, and the question is when it is desirable to use Kaspersky Security for Windows Server, and when Kaspersky Endpoint Security. Let’s think it over. You can install Kaspersky Endpoint Security on an ordinary server, but cannot use it on a cluster, or on a Core server, or on a terminal server. Kaspersky Endpoint Security has more components and drivers, which increases the probability of potential conflicts. Kaspersky Endpoint Security may require a restart. The following conclusions can be made. You can use Kaspersky Endpoint Security in small companies, where administrators are few, and servers do not perform any complicated tasks and can be restarted periodically. I-73 Introduction Kaspersky Security for Windows Server is a better choice for large companies, where every administrator has specific responsibilities, where there are many servers and each runs a particular role, and where fault tolerance is important. Here are some of the unique capabilities of Kaspersky Security for Windows Server compared to Kaspersky Endpoint Security: — Kaspersky Security 10.1 for Windows Server is installed without an interface by default; to manage it, you can use: Kaspersky Security 10.1 Console, Kaspersky Security Center, or the command line management utility kavshell.exe. This permits you to install Kaspersky Security for Windows Server on Windows Server Core — Kaspersky Security 10.1 for Windows Server has a component that looks out for encryption activities in server shared folder and NetApp storages — Kaspersky Security for Windows Server can block remote computers that try to copy malicious files to the server shared folders or encrypt files there — Kaspersky Security for Windows Server can correctly recognize terminal and remote desktop sessions and send a notification to the specific user if a threat is detected — On a failover cluster, Kaspersky Security for Windows Server can correctly understand the active node change, and apply the same scanning parameters to the shared cluster resources involved in the failover — Kaspersky Security for Windows Server can protect NAS (Network Attached Storages) that often run their own proprietary operating systems and connect to the server over specific protocols, which makes them incompatible with ordinary antivirus tools. Download the distribution of Kaspersky Security for Windows Server from the official support website You can download the distribution of Kaspersky Security for Windows Server from the official technical support website, https://support.kaspersky.com/ksws10#downloads Documentation is also available there, as well as the plugin for managing the product via Kaspersky Security Center. Kaspersky Security for Windows Server and the documentation are localized; language versions include English, Russian, German, French, and Japanese. I-74 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Unpack the KSWS distribution on the administrator’s workstation The distribution of Kaspersky Security for Windows Server is supplied in a self-extracting archive, which is to be unpacked to begin with. If the administrator manages Kaspersky Security Center from the workstation, the distribution should be unpacked there. By default, the archive is unpacked to the folder C:\ks4ws\<version>\english\. Create an installation package of Kaspersky Security for Windows Server Now we need to create an installation package of Kaspersky Security for Windows Server in Kaspersky Security Center. It is best to do it from the MMC console, because you cannot manage Kaspersky Security 10.1 for Windows Server from the KSC Web Console as of now. I-75 Introduction By default, Kaspersky Security Center has a few ready installation packages, but the package of Kaspersky Security for Windows Server is to be created manually. To create an installation package, go to the Advanced | Remote installation | Installation packages container and click the respective link. Package creation wizard Package type The New Package Wizard of Kaspersky Security Center prompts you to select one of the three types of installation packages. For Kaspersky Security 10.1 for Windows Server, select Create an installation package for Kaspersky Lab application. Package name Type a name for the installation package. You can specify any name. To avoid confusion if you use several similar installation packages, we recommend that you briefly describe configuration specifics in each package name. I-76 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Files for creating a package In the package creation wizard, specify the ks4ws.kud file, which is located in the Server folder. After that, the Wizard will generate the installation package. License agreement Accept the license agreement and the Privacy Policy that describes the handling of data. Automatic plugin installation If the wizard fails to find the plugin of Kaspersky Security 10.1 for Windows Server when loading the installation package to the repository, it will automatically initiate its installation. I-77 Introduction Completion All you have to do is to wait for the package to load to the repository and finish the wizard. Components of Kaspersky Security 10.1 for Windows Server In the installation package properties, the administrator can select which of the Kaspersky Security for Windows Server protection components are to be installed: You can always edit an installation package and add or delete components that you do not plan to install. Only two components cannot be deselected during the installation through Kaspersky Security Center: Integration with Kaspersky Security Center and On-Demand Scan. By default, the following components: Script Monitoring and Firewall Management are not installed. I-78 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management In the real world, it is hard to imagine a situation when one would carefully select the components to be installed. We recommend that you install the whole set of components, and then regulate whether to use them through the policy. Additional settings of the Kaspersky Security 10.1 for Windows Server package In the package properties, you can specify additional settings to be used during the installation: — Scan computer for viruses before installation—this option is disabled by default, because scanning will take additional time. If you enable it, only the server’s system memory will be scanned rather than all the drives and boot sectors. We recommend that you use this parameter if the server has been running without an antivirus, an antivirus by another manufacturer has been installed, or you suspect that the computer is infected. — Enable real-time protection after installation of application—whether to start real-time file protection. If you select this check box, real-time protection will be applied to all server drives, which is not always desirable. Instead, you can opt out of starting it immediately, adjust its scope and protection parameters and start later. By default, file protection starts immediately. I-79 Introduction Add Microsoft recommended files to exclusions list—in the Microsoft Knowledge Base, many articles are published with recommendations on how to configure antivirus software installed under various versions of Windows together with various Microsoft server products (Exchange, Forefront TMG, etc.). If this option is selected, the corresponding exclusions are automatically created in the Trusted Zone of Kaspersky Security for Windows Server. — Add Kaspersky Lab recommended files to exclusions list—Kaspersky Lab provides analogous recommendations. They concern co-existence of the File Anti-Virus and the antivirus products that protect Microsoft server applications (Exchange, Forefront TMG, etc.) For example, it is recommended to exclude temporary catalogs of Kaspersky Security for Microsoft Exchange Servers from the File Anti-Virus scan scope. These parameters replicate the installation parameters available in the local installation wizard. 3.5 Installation methods What to do prior to the installation Prior to installing Kaspersky Endpoint Security on the computers, prepare the following: What to do Why Let the Administration Server discover network computers You will not have to look for and enter names or addresses Prepare an independent list of computers The server may fail to discover all of the computers; it is best to have a reference list at hand, where you will be able to check the progress Find out computer addresses If the Administration Server has not discovered a computer, but you know its address, you will be able to start remote installation nevertheless Find out usernames and passwords of the administrators If there is a domain, the domain administrator password is sufficient For non-domain computers, you need to know the administrator’s password regardless of whether the installation is remote or local I-80 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Find out whether there are third-party antiviruses on the computers, and which ones Kaspersky Endpoint Security may fail to detect and uninstall antiviruses by other manufacturers, in which case you will have to remove them manually If there are many computers, phase the installation The more computers, the more issues you will encounter, the longer it will take you to solve them, and the longer the total downtime will be Try to test various installation methods in a test environment You will encounter at least some of the issues that can arise in the network, and you will be able to decide how to avoid or quickly solve them Select the installation method that is the least troublesome Start Available installation methods Kaspersky Endpoint Security can be installed in various ways, each with its own specifics and advantages. Remote installation using Kaspersky Security Center You do not need to go to each computer, you can run the installation on many computers simultaneously, which saves time Installation can be started at any time and you will start receiving results in mere minutes. However, you need to know the administrators’ passwords on the computers, and the computers’ shared folders must be accessible over the network. Often, firewalls or Windows security settings block access to shared folders Installation via Active Directory Again, you do not need to go to the computers and the installation can be run on many computers simultaneously. Moreover, you do not need to ensure access to the computers’ shared folders or know the computer administrators’ passwords. The computers will download and install the programs themselves. On the other hand, the computers must be joined to the domain and the administrator must have enough permissions within the domain to be able to publish the package. A computer does not begin the installation immediately; everything starts only the next time it connects to the domain, meaning, after a restart. Installation using third-party tools The administrators do not only install Kaspersky Endpoint Security, and they may have thirdparty software installation and management tools. Specifics depend on the tool, but usually the administrator can install applications remotely on many computers at a time. I-81 Introduction Local installation from a standalone package None of the remote installation methods guarantees 100% success. Computers may not be joined to the domain, their shared folders may be blocked by the firewall, and the administrator may have no third-party computer management tools. Sometimes, it is easier to go to the computer and install an application locally than troubleshoot a remote installation. Standalone packages that are generated in the Kaspersky Security Center save time during a local installation: The administrator does not need to pass through the installation wizard and configure parameters. All he or she is to do is to simply run the installer and wait For remote installation, use a method that fits your network best. On the computers where remote installation fails, install the products locally using standalone packages. 3.6 How to remotely install Network Agent and Kaspersky Endpoint Security Information on the main page of the management console MMC console There are many methods of starting a remote installation in Kaspersky Security Center. All of them are based on the same mechanism. The difference is in the location of their starting points in the Console and the number of available settings. The most popular one, especially among novices, is using the ordinary remote installation wizard. Its typical use is described below. The Administration Server detects computers where protection solutions are not installed. This information is displayed on the Monitoring tab of the Administration Server node, in the Deployment area: The indicator is yellow and a warning is shown. To fix this, the administrator can click the Enable protection link. I-82 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Web Сonsole Unfortunately, the main page of the Web Console represents minimal information when compared with the the MMC console: It is impossible to tell whether protection is installed everywhere and how many devices are unassigned. There are a few ways to start the remote installation wizard: — Discovery & Deployment | Deployment & Assignment | Protection Deployment Wizard — Go to Discovery & Deployment | Deployment & Assignment | Installation Packages, select the necessary package, and click Deploy — Go to the Devices | Tasks tab, click Add, and select the Install application remotely task type Alternatively, you can use automatic installation available within the administration groups. I-83 Introduction Remote installation wizard Select the installation package The product to be installed is selected from the list of available installation packages. The standard distribution of Kaspersky Security Center contains the installation packages of the current versions of Network Agent and Kaspersky Endpoint Security for Windows. If Kaspersky Endpoint Security is selected in the deployment wizard, it will be installed together with the Network Agent. The wizard not only installs the selected package, but also connects the computers to the Administration Server by installing the Network Agent on them. If the computers are already connected, the Network Agent will not be reinstalled. Installation packages of Kaspersky Endpoint Security for Windows and Network Agent can be installed on any supported operating system: Server or Workstation, 32-bit or 64-bit. Due to this universality, the installation package of Kaspersky Endpoint Security 11 is relatively large, just under 200 MB. There are no supported ways to reduce the size. The Network Agent package is much smaller: about 40 MB. I-84 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Adding a license Kaspersky Endpoint Security, unlike the Network Agent, needs to be activated to operate properly. In the installation wizard, you can explicitly select which code or key should be used to activate the product from the list of codes and keys added to the Kaspersky Lab licenses storage of the Administration Server. If necessary, you can add another code or key to the storage without quitting the wizard. Select a key. The wizard will not just use the selected key for this installation, but also save it in the properties of the Kaspersky Endpoint Security package. The plugin of Kaspersky Endpoint Security does not support activation codes in the installation package properties. To activate Kaspersky Endpoint Security with a code rather than key, do not select anything in the installation wizard. Instead, open the activation code properties and enable the option Automatically deployed key. I-85 Introduction Select the Agent installation package Even if you want to install only Kaspersky Endpoint Security, you must select the Network Agent package as well, you cannot leave it out. However, if the Network Agent is installed already, it will not be reinstalled Selecting the computers After the package, select the target computers.You can select managed computers, groups of computers, or individual computers in the wizard. If you start the wizard right after the Administration Server has been installed, there is only one computer in the groups, the Administration Server itself. All the other computers discovered by the Administration Server are on the Unassigned devices page. The Administration Server may fail to detect some computers: They will be absent from the console. Why does the wizard suggest selecting groups if there are no computers there? For example, if prior to deploying protection you’ve imported the computers’ structure from Active Directory. Then you already have groups filled I-86 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management with computers, and you can install Kaspersky Endpoint Security by groups. How to import groups and computers from Active Directory is explained in the Chapter 4 of this Unit. Let’s now get back to the scenario of when you have no groups. To select computers from the Unassigned devices list or specify addresses of undiscovered computers, switch to the option Select devices for installation. As you will see later, the remote installation wizard creates a remote installation task based on the gathered data. If a group is selected, the wizard will create a group task; if computers, a task for specific computers. If you choose Select devices for installation | Devices, the wizard will show all discovered computers: Those that have already been added to the Managed devices groups, and those that are in the Unassigned devices node so far. In the Unassigned devices node, computers are grouped by domains and workgroups. Select the target computers. If you select a group, domain or a top-level node, you will select all computers within that group, domain or node. To install Kaspersky Endpoint Security on the computers that Administration Server has not discovered, add them manually using their IP addresses or names. To add many addresses at once, you can specify a range of addresses. Importing a list of names or IP addresses from a text file is available only in the MMC console. The wizard will add all the addresses you’ve entered, and select them automatically. Installation method At the following step, the wizard prompts how to perform remote installation. There are two methods: Using Network Agent Network Agent must already be installed on the computer and must be connected to the current Server. The Server sends a command to the Agent, the Agent downloads packages to a temporary folder and performs the installation under the Local System account. The administrator’s name and password do not need to be specified, access to the computer’s shared folders is not required. Using operating system tools Network access to the computer’s shared folders is required. The Administration Server copies package files to the system shared folder \\<computer name>\admin$. Then the server uses Remote Procedure Call (RPC) protocol to remotely start a service process that will perform the installation and inform the server of the results. To copy files and start the installation, you need to specify the username and password of the computer administrator. I-87 Introduction The wizard always tries to install products using the Network Agent. If the Network Agent is not yet installed on the computer, installation using Windows tools is tried. If both Kaspersky Endpoint Security and Network Agent are to be installed on the computer, the wizard first installs the Network Agent using Windows tools, and then installs Kaspersky Endpoint Security 11 using the Network Agent. Computer restart The wizard offers to select restart parameters; however, in most cases neither the Network Agent nor Kaspersky Endpoint Security 11 installation requires restarting the computer. The Network Agent installation almost never requires it. During Kaspersky Endpoint Security installation, the necessity to restart arises if another protection program has been installed on the computer. The default choice, Prompt user for action, works well for workstations. When installing the product on servers, we recommend that you select not to restart the computer. At a server, a user is unlikely present and no one will react to the prompt. I-88 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management For the user not to postpone the restart for too long, the task displays a warning every 5 minutes by default and forces computer restart in 30 minutes. The administrator can modify these settings and the message text. Uninstalling incompatible applications The Kaspersky Endpoint Security 11 installer can detect and uninstall incompatible applications (various protection solutions, including anti-viruses, firewalls, etc.), which are not recommended to be used concurrently with Kaspersky Endpoint Security, because this may result in serious problems for users and computers. The administrator usually knows which potentially incompatible protection solutions are installed in the network and should uninstall them beforehand. The programs are recommended to be uninstalled either by their built-in uninstallers or by Windows tools. The corresponding capability of the Kaspersky Endpoint Security installer should be regarded only as a contingency measure. Detection of incompatible applications cannot be disabled5, since it is intended to prevent conflicts. You can modify uninstallation settings in the remote installation wizard; this is described in detail at the end of this chapter. Where to place computers after the installation As a result of installing the Network Agent and protection software, computers should become manageable: Use the settings of policies and tasks specified on the Administration Server. To actually achieve this, computers must belong to Managed devices rather than Unassigned devices. If a computer has the Network Agent installed, but is not included in an administration group, it will neither send its events to the Administration Server, nor will it be included in the reports, nor use the centralized settings specified by the administrator. It is manageable only locally. If the administrator selects computers rather than groups, the wizard will ask whether it is necessary to relocate the computers to an administration group, and if yes, into which one. The selection affects only unassigned computers. If both unassigned and managed computers are on the installation list, the managed ones will remain in their original groups. This step is displayed only if Network Agent is installed together with Kaspersky Endpoint Security. 5 Cannot be disabled using the interface settings. There is a command-line parameter that disables detecting incompatible applications; if necessary, it can be added to the package description file for remote installations. I-89 Introduction Administrator account Initially, the Network Agent is installed by Windows tools and needs an account for accessing the target computers. The deployment wizard allows you to specify several accounts, in case different administrator passwords are used on the target computers. The installer tries the accounts in succession. If the first account has insufficient privileges, the next one is tried, and so on. Before trying the specified accounts, the installer attempts to act under the Administration Server service account, which you don’t actually see on the list. However, if the administrator used the default settings when installing the server, the server service account cannot be used for remote installations. As a result of an installation with the default settings, the server service starts under the KL-AK account that is created automatically and receives the rights of a local administrator (not literally, but effectively the same). It has no rights on remote computers. So, in most cases you have to explicitly specify accounts for accessing the target computers. In a domain environment, a domain administrator account is the best choice for remote installations. In large companies, there is usually a special account for remote installations, or the IT personnel accounts have the necessary rights. I-90 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Finishing the wizard At the last step of the wizard, you can select to run the task immediately. It is often exactly what you are going to do. To start the task, select the check box Run task after Wizard finishes. Where to monitor the installation Installation task The installation wizard uses the settings specified by the administrator to create and immediately start the product installation task on the selected computers. After that, it automatically opens the task page in the Web Console. The task page displays the task progress on the selected computers. An installation can be ready for execution, running, waiting for reboot, completed successfully, or return an error. The number of computers in every status is displayed on the pie chart and in the table. I-91 Introduction Task log To check progress on each individual computer, use the Device history command. The task log shows the history of each task status change on the computer. The status can be the same, while its description may vary. For example, an installation task log usually contains several records of the Running status, where the first one informs of starting file copying to the remote computer; the second one, of starting the installer; and the third one, of the installation completion. A typical installation history of a computer shows that first the Network Agent is installed, and then Kaspersky Endpoint Security. To install the agent, its files are copied into the admin$ shared folder on the computer. After the Agent is installed, the Administration Server waits for it to connect and start the installation of Kaspersky Endpoint Security. Installation results I-92 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Although a single Kaspersky Endpoint Security package fits all Windows versions, installation results differ on the servers and workstations. — On workstations, all components selected in the installation package properties are installed. — On servers, only the following components (if selected in the package): — Behavior Detection — Exploit Prevention — Remediation Engine — File Threat Protection — Network Threat Protection — Firewall — BadUSB Attack Prevention — AMSI Protection Provider — Application Control — BitLocker Management — Endpoint Sensor 3.7 How to simplify local installation Why install locally If remote installation fails, it often makes sense to simply go to the computer and install the applications locally instead of troubleshooting. Especially if such computers are comparatively few. If you use an ordinary installer, you have to complete the installation wizard. Although it doesn’t take long, it is boring, and you may easily mistype the Administration Server address. It is best to prepare a standalone package with all the settings, and install from it. Standalone installation packages A standalone package in Kaspersky Security Center is a single setup.exe file that includes the installation files and installation parameters of the product (for example, Kaspersky Endpoint Security). A standalone package can include Network Agent installation files and the Administration Server connection parameters. I-93 Introduction This package is designed for local installation by the IT employees, administrators or users who have sufficient rights. It saves time and reduces the number of errors. An extremely simple installation procedure is an advantage of standalone packages. No parameters need to be specified during the installation, as they are already included in the package. This helps to save time and prevent errors, for example, when specifying the Server connection address. Also, since the standalone package is a single file, it is easier to handle than the standard distribution. This eliminates the risk of missing some files, and reduces the overall installation time. How to create a standalone package As of now, standalone packages can be created in the MMC console only. Standalone or ‘1–click’ packages are created from regular installation packages available in the Advanced | Remote installation | Installation packages node of the Administration Server. A special wizard is used that prompts for the installation parameters. When the Kaspersky Endpoint Security standalone installation package is created, the wizard will prompt to include the Network Agent, so that the target computer could immediately connect to the Administration Server. I-94 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Just like with a remote installation, computers can be moved into the managed category right after the installation. Leaving protected computers in the unassigned category does not make any sense. This step appears in the wizard if the Network Agent is installed together with the main package. If you need to modify the default settings of Kaspersky Endpoint Security or select specific components to be installed, do it within the properties of the regular installation package before starting the standalone package wizard. The parameters of the installation packages are described earlier in this chapter. After all the parameters are specified, the wizard generates the setup.exe installation file and places it to the PkgInst subdirectory of the shared folder on the Administration Server. The folder that contains the setup.exe file is named after the package. You can find the package later at the following network path: \\<Administration Server name>\KLSHARE\PkgInst\<standalone package name>\setup.exe. The Administration Server signs standalone packages with its certificate by default. This certificate is self-signed, and Windows will display a warning when the package is run. The administrator can select to sign packages with another certificate. Specify the necessary certificate in the properties of the Installation packages node, in the Signing stand-alone packages section. What to do with standalone packages The wizard suggests that the administrator takes one of the following actions: — Open folder—for example, to copy it to a flash drive — Sample HTML code for link publication on a website—a text window opens, which contains HTML code of the link to the package that can be added to a web page I-95 Introduction — Email link to standalone installation package—the Administration Server starts the default email client and automatically fills in the message subject and body providing a link to the package located in the shared folder; the only thing the administrator has to do is to specify the recipients’ addresses Later, you can click View the list of standalone packages button in the Installation packages node to open the list of created standalone packages. You can delete unnecessary packages or send another email message to users. The HTML link offered by the package wizard contains the path to the shared folder on the Administration Server. If non-domain users whose accounts have not been added to the Administration Server try to click it, they will not be able to access the resource. Replace the link to the network folder with the http link to the package, which can be copied from its properties. There is a built-in web server on the Administration Server where any user can download the package from. Each standalone package gets a unique http link based on the package id. The administrator can find the link in the package properties in the list of all standalone packages. If standalone package creation wizard is started for a package repeatedly, the administrator can either re-create the standalone package or create another one. I-96 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management 3.8 How to install the Network Agent via Active Directory How to install applications via Active Directory You can also install programs using Active Directory group policies without Kaspersky Security Center. The principle is as follows. The installation package in Microsoft Installer (.msi) file format is placed into a shared folder for which the domain computers have Read permissions. In Active Directory, the package is assigned to a group policy that is applied to the domain computers. When a client computer starts and logs into the domain, the policy is applied and the installation package is installed automatically, even before the user logs on to the system. This installation method can be comparatively easy when implemented manually. Kaspersky Security Center makes it even more convenient. I-97 Introduction How to publish the Network Agent package in Active Directory using a task To publish the Network Agent package to a domain group policy, in the task (or in the installation wizard), select Assign Network Agent installation in the Active Directory group policies. This method is applicable to the Network Agent only, because after the Agent is installed, other programs are supposed to be installed using the Agent. Installations using AD group policies are performed during a restart For the task to complete successfully, remember to run it under a domain administrator account. For this purpose, add the domain administrator account to the Account section of the task settings. I-98 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management What the task changes in Active Directory The group of target computers If the above-mentioned option is selected, the Administration Server creates a new group named Kaspersky_AK{GUID} in Active Directory and includes in it the accounts of the computers to which the task applies to. Group policy object Also, the Administration Server creates a new group policy object at the domain level that is named Kaspersky_AK{the same GUID} in Active Directory and assigns within it the installation of the Network Agent MSI package located in the shared folder on the server. The permission to apply the policy is granted only to the created group which contains the accounts of the target computers. So, the domain level policy will be applied to the selected domain computers rather than to all domain computers. I-99 Introduction Group policy object parameters After this, the installation is performed as per usual. The policy eventually applies to the computers. At the next restart, computers download the Network Agent MSI package from the shared folder on the Administration Server and install it. The installation parameters, which include server address and ports, are taken from the answer file located in the same folder as the MSI package. Thus computers automatically connect to the Administration Server. If the task is configured to install not only the Agent, but also another program, for example, Kaspersky Endpoint Security, the installation will resume after the Agent connects to the Server. The security group and group policy object created by the task persist in the Active Directory until the task is removed from the Kaspersky Security Center or the Assign Network Agent installation in the Active Directory group policies option is cleared in the task properties. 3.9 How to uninstall incompatible applications Which programs are incompatible and why uninstall them Kaspersky Endpoint Security is not compatible with other protection solutions. Before the installation, the conflicting programs must be uninstalled. If you do not do this, the computer may operate slowly and unstably. In the worst-case scenario, though rare, the computer may hang, restart spontaneously, and display a blue screen. Protection solutions co-exist poorly because of the drivers that they install to intercept file operations, network connections, and system calls. The Network Agent does not install any drivers, and therefore does not conflict with third-party protection tools. I-100 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management How to uninstall incompatible applications To uninstall protection solutions by other manufacturers, it is best to use regular tools: — The applications that have their own centralized management system should be removed via this system — If possible, uninstall third-party protection using Windows tools If the incompatible applications cannot be uninstalled using regular tools, the administrator may use the Kaspersky Security Center functionality for this purpose: — The Uninstall incompatible applications automatically option in the installation package of Kaspersky Endpoint Security, or — The Administration Server’s task Uninstall application remotely The former option is always enabled in the installation package and reliably uninstalls many widespread versions of third-party antiviruses and firewalls. However, if you have an uncommon antivirus or a recently released version, Kaspersky Endpoint Security installer may fail to detect it. Besides, some of the incompatible applications can be detected by the installer, but cannot be uninstalled. What if there are incompatible applications? Kaspersky Endpoint Security found and uninstalled incompatible applications If the installer has detected and uninstalled incompatible applications, it will require restarting the computer to complete the installation of Kaspersky Endpoint Security. It is the only difference compared to a typical installation. If there are no incompatible applications on the computer, the installer will install everything without a restart. The installation task has restart parameters for such cases. By default, the task will show the user a message that the computer needs to be restarted every 5 minutes, and will force a restart after 30 minutes. The administrator can adjust all these intervals in the remote installation task properties. I-101 Introduction Kaspersky Endpoint Security found incompatible applications, but failed to uninstall them If uninstallation of incompatible applications is disabled and a conflicting application is found during the Kaspersky Endpoint Security 11 installation, the installer returns an error. The error description explains that the product cannot be installed if incompatible applications are installed on the computer. The administrator needs to uninstall the conflicting programs and re-start the installation. If it is a task that installs Kaspersky Endpoint Security together with Network Agent, it will install the Network Agent and only after that inform about the error. This is handy, because you can use the Agent to uninstall incompatible applications by a special task. Kaspersky Endpoint Security failed to find the installed incompatible applications If there are incompatible applications on the computer, but the installer fails to detect them, it will complete the installation as if they did not exist. In this case, the administrator may not know for quite a while about the conflict. I-102 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Eventually, the users will complain that a computer works slowly or malfunctions. When investigating the issue, the administrator will discover that there are several protection applications on the computer. How to find out if there are any incompatible applications The administrator can learn that there are third-party protection applications on the computers from the Administration Console. Network Agents send lists of installed programs to the server, and you can find the aggregate list in the Web Console, on the Operations | Third-Party Applications | Applications Registry page. If the administrator suspects that there may be protection tools by other manufacturers in the network, it makes sense to search for them on the list by the manufacturer name. For example, Symantec, McAfee, etc. The list of computers where the program is installed is available in its properties. After that, the administrator will only need to uninstall it. There is an Administration Server’s task that serves this purpose: Uninstall application remotely. However, it will not be of any help immediately. The list of applications that the Agent can uninstall usually coincides with the list of programs that can be removed by the Kaspersky Endpoint Security installer. This list is updated only when a new version or service pack is released, and new versions and service packs for Kaspersky Endpoint Security and Kaspersky Security Center are almost always released simultaneously. I-103 Introduction How to uninstall incompatible applications that have not been found What to do For each program on the list, there is an INI file, which tells how to detect and uninstall it. To uninstall an application that is not included in the list, send the program distribution to KL technical support and request an INI file for it. Kaspersky Lab experts will need some time to study the application and develop an INI file for it. This service is available only for comparatively large customers. Copy the received INI file to the folder with other INI files on the Administration Server: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Security Center\Data\Cleaner. After that, restart the Administration Server service. Now the Network Agent’s Uninstall application remotely task will be able to remove this program. Run the task to uninstall all incompatible applications on all computers. Or, to save resources, make a selection of only those computers where the incompatible application is installed, and run the uninstallation task there for only this particular incompatible application. How to contact technical support To contact technical support, use the companyaccount.kaspersky.com portal. To sign up, specify your email address and license: Activation key or code. I-104 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management To request an INI file, create a new request and select the category Make a request for Tech Support. I-105 Introduction In the request, select — Scope—for workstations — Product name and version—Kaspersky Endpoint Security for Windows 11.x.x.xxxx — Request type and subtype—Installation and Incompatible Software Then describe the situation and do not forget to attach to the request the installer of the third-party program that you want to uninstall. How to display computers with an incompatible application How to create a selection To uninstall incompatible applications, you need to create an uninstallation task and run it on the computers where these programs are installed. To display computers where an incompatible application is installed, create a computer selection on the Discovery & Deployment | Device Selections page. There are also pre-configured selections that show problem computers: — — — — — — — — — — — — — — — Distribution points Databases are outdated Virus Scan has not been performed in a long time Not connected in a long time Active threats are detected Too many viruses detected Protection is disabled No security application is installed Unassigned devices with Network Agent New networked devices found Data encryption errors Device has become unmanaged Devices with Critical status Devices with Warning status Devices with Warning and Critical statuses due to vulnerabilities I-106 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management These selections are hard-coded: They can neither be modified, nor deleted. There is no selection of computers with incompatible software among them. To create a selection, click the Add button. In a selection, you can select to search: — Among all computers — Only among managed — Only among unassigned Unassigned devices do not transfer lists of installed programs to the server. That is why you should search for computers with incompatible applications either among managed, or among all computers. By default, a selection does not have any conditions, and it finds all the computers within the specified scope. Selection parameters To find computers with an incompatible application, change the conditions. By default, each selection has a macrocondition with numerous microconditions. All microconditions within the macrocondition are combined with logical AND. Macroconditions are combined with logical OR. To find computers with an incompatible application, one macrocondition is enough. Open its properties and switch to the Third-party software details section. Select the program name in the list Incompatible security application name. Save the condition and the selection. The computer selection results will contain only the computers where this program has been detected. To display computers with various incompatible applications in a single selection, add macroconditions and specify the other incompatible applications there. How to uninstall incompatible applications using a task Where to create tasks in the console Now, create an uninstallation task for this selection. Start the task creation wizard on the Devices | Tasks page, and when prompted for the target computers, choose the created selection. Every time the task runs it will check the contents of the selection and update the list of target computers. I-107 Introduction Task types The wizard shows all the tasks you can create. Each plugin installed in the console adds tasks of the respective application to the list. After the standard installation of the Administration Server, you will be able to create tasks for Kaspersky Security Center and Kaspersky Endpoint Security. The remote installation and uninstallation tasks are the tasks of Kaspersky Security Center. To uninstall incompatible applications, select Kaspersky Security Center | Uninstall application remotely in the task creation wizard. By default, the wizard offers the task name that coincides with the task type: Uninstall application remotely. If you are uninstalling a single program, specify its name in the task name. This way, in the future you will be able to quickly understand whether this task is still necessary, or you can delete it. Select the target computers: The available options include: — Specifying a computer group name — Picking computers from the Managed devices group and the Unassigned devices node — Specifying a computer selection name I-108 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management The last option is convenient for computers that can be defined by conditions relatively easily, e.g., computers where incompatible applications have been detected. Selecting the computers Choose the necessary selection; when started, the task will receive up-to-the-minute list of devices where the respective incompatible applications are installed. Selecting the program After that, specify the name of the incompatible application to be uninstalled. You can select several programs or even all the applications that are included in the list. Selecting more than one program increases the task run time though, because such a task executes, step by step, the uninstall scripts for all the selected programs. I-109 Introduction Account The task creation wizard also prompts for the account. In our scenario, the account is not necessary, because the Network Agent is already installed on the computers and will run the uninstallation task under the local system account. The account must be specified if the task is run either on computers without a Network Agent, or on computers where the Network Agent has no administrator permissions. Finishing the wizard At the last step of the wizard, you can select to run the task immediately. It is often exactly what you are going to do. To start the task, select the check box Run task after Wizard finishes. I-110 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Chapter 4. How to organize computers into groups 4.1 How to understand that the deployment has been completed Now you know everything to be able to install protection on all network computers: — — — — — — How to select components and installation parameters for Kaspersky Endpoint Security How to install Kaspersky Endpoint Security and Network Agent remotely How to install Kaspersky Endpoint Security and Network Agent using Active Directory How to create a standalone package for local installation How to create several different packages with different parameters How to install on discovered and undiscovered computers Handy monitoring tools supplement this list: — How to understand which programs are installed on which computers — How to understand that installation has been completed in the network For this purpose, you can use the installation task results, as well as reports, computer selections and event selections. Where to look for information about the deployment Task results and the information available on the Managed devices group do not always provide comprehensive information on the protection deployment in the network. Deployment by a single task on all computers, as well as managing all computers within one group, is characteristic of small networks only. I-111 Introduction For a complete picture, reports are the natural information source. Reports relevant to the deployment stage are: — Incompatible applications report — Kaspersky Lab software version report — Protection Deployment Report The following selections are also very useful at the deployment stage: — New networked devices found — Security application is not installed — Unassigned devices with Network Agent Global statuses In the MMC console, information about the protection deployment is available on the Monitoring tab of the Administration Server node. The Deployment area contains the number of managed computers where Kaspersky Endpoint Security is not installed. If it is non-zero, a link to the selection that includes all these computers is also displayed. I-112 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management If there are any computers with the Network Agent in the Unassigned devices node, this will be reflected in the Management scheme area with another link to the corresponding selection of computers. In the Web Console, unfortunately, the information represented on the main page is rather limited. You cannot quickly understand on which managed devices Kaspersky Endpoint Security is installed, and which lack it. There are only lists of managed devices distributed by statuses. However, the Critical status may include devices where Kaspersky Endpoint Security is not installed as well as devices where Kaspersky Endpoint Security is installed, but is not running for some reason. The only advantage is that you can immediately open the list of devices with non-OK statuses and study them in more detail. Device selections Computers with the Network Agent must be located within the Managed devices node. If they are located in the Unassigned devices node, they neither send events to the Administration Server nor receive tasks and policies from the Server. That is why the Administration Server displays such computers on the Monitoring page of the MMC console and in the corresponding selection. Reports Where to look for reports Reports are available on the Monitoring & Reporting | Reportspage. Kaspersky Lab software version report The software version report shows the number of Kaspersky Lab programs installed on managed computers. In particular, the number of installed Network Agents, Administration Servers and Kaspersky Endpoint Security instances. I-113 Introduction Various versions (builds) of the products are represented separately, which is convenient when upgrading the products. The report shows how many computers use the current versions of the programs, and how many run older versions. The graphic part of the report illustrates the statistics table, which lists all versions of managed products and the number of installations for each of them. The Details table gives information on every computer: Which products are installed, which versions, etc. Protection deployment report This report shows three categories: — Computers with the Network Agent and a security application — Computers with Network Agent, but without a security application — Computers without Network Agent Computers with a protection application, but without the Network Agent are included in the last category. If the Network Agent is not installed, the Administration Server does not know whether protection is installed on the computer. This category also includes the computers where the Network Agent is installed, but is not connected to the Administration Server. For example, computers where Agents use an incorrect server address. The chart and the Summary table show the number of computers in every category. The Details table, just like in the software version report, shows the version of the Network Agent and Kaspersky Endpoint Security on every computer. This report is especially useful if the administrator first moves all of the computers into the Managed devices group, and then starts the deployment tasks. In this case, the report explicitly displays how many of the managed computers are not connected to the server, and how many of those connected are not yet protected with Kaspersky Endpoint Security. If the administrator uses the remote installation wizard for the deployment and always selects the computers from unassigned devices area, this report is less useful as it does not cover unassigned devices. I-114 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management 4.2 How the Administration Server discovers computers Polling types In the deployment wizard or when creating a deployment task, the administrator can select computers from a list. The Administration Server makes up this list by polling the network. Polls are performed periodically in several different ways: — Windows network polling — Active Directory polling — IP subnet polling The network is polled by the service of the Network Agent installed on the Administration Server rather than by the Administration Server service. The Network Agents installed on ordinary network computers do not poll the network. Where to configure polling Polling results are shown on the Discovery & Deployment | Discovery tab separately for each discovery method: — IP subnets—IP subnets are represented as folders — Domains—computers detected during Windows network polling; workgroups and domains are represented as folders containing computers — Active Directory—domains and organizational units are represented as folders containing computers The discovered computers are also displayed on the Discovery & Deployment | Unassigned Devices page. A computer can be shown in more than one detection area. If a computer is detected in the HQ domain and its address is 192.168.0.1, it will be displayed in both the Domains node and in the IP subnets node in the corresponding folders. I-115 Introduction To modify the poll settings for every method, go to Discovery & Deployment | Discovery, select the necessary method and click Properties. You can also start any type of polling manually on the respective page. Windows network polling What a quick poll does The Administration Server collects the list of Windows network computers just like the operating system itself. When a user opens the computer’s network places, the list of neighborhood computers grouped by domains and workgroups is shown. The Administration Server can acquire the same list. This polling method is called quick Windows network polling. It hardly places any extra load on the network. The Computer Browser service is responsible for making up and representing the list of computers. In every network segment there is the main computer that stores the general list and provides it when requested. To receive the list, Administration Server only needs to send a request. In the latest versions of Windows, the Computer Browser service is disabled by default or is not installed at all. If the Administration Server cannot receive the list of computers from the Computer Browser service, it sends a request to Active Directory and tries to receive a list of computers from it. Certainly, only if the Administration Server is on an Active Directory domain. Quick poll is performed every 15 minutes. After a quick poll, the Server receives the list of NetBIOS names of computers, domains and workgroups. What a full poll does During a full poll, the Administration Server tries to receive as much information as possible about each computer from the quick poll results. For each name, the Server resolves the name into the IP address using NetBIOS, DNS and LLMNR protocols. For the received addresses, the server performs a reverse resolution into the name, and if this name does not coincide with the original one, receives the IP address for the new name. The Server checks whether the IP addresses are accessible using ICMP requests and finally tries to connect to the computers using SMB and RPC protocols to find out the operating system. I-116 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management All these numerous requests are necessary because names and addresses of the computers may change. The Administration Server uses direct and reverse resolution of names and IP addresses to distinguish new network computers from the old ones that just changed the name or IP address. As the number of requests is proportionate to the number of computers, the network activity is much higher than with a quick poll. That is why full poll is performed hourly by default. How the server displays polling results In polling results, the Server shows everything it was able to find out about a computer: Its name, address, operating system, etc. Windows network polling parameters For each poll type, the administrator can: — Enable or disable polling completely — Enable or disable polling for a part of the network (what “a part of the network” is depends on the polling type) — Select the polling schedule — Select when polling data becomes obsolete Polling schedule is defined as a start time and a timespan. A timespan can be as small as a few minutes or as large as several days or weeks. It is possible to run missed polls. If polling is performed often, this is not necessary; but will be useful if polling is performed once a week or a month. Computer information lifetime Additionally, for Windows network polling the administrator can specify the life span for the information on the discovered computers. By default, this period is 7 days. If in 7 days a computer can no longer be detected by Windows network polling, the information about this computer is deleted from the server database. This interval can be specified independently for every domain or workgroup. Also, you can specify a common life span and use it for the whole Windows network. Additionally, you can disable polling of a domain or a workgroup in its properties. I-117 Introduction Active Directory polling What Active Directory polling does The Administration Server requests from Active Directory the structure of containers (units) and the list of computers for each of them. Additionally, the Administration Server requests the list of users and security groups. Working with AD users falls outside the scope of this course. See courses KL 010 and KL 302 for details. In a large network, the total volume of all lists (computers, users, groups) may be very large, and that is why Active Directory polling is performed every 60 minutes by default. I-118 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Active Directory polling parameters Polling parameters for Active Directory are similar to those for Windows network polling. There is an option to turn off this polling method entirely and a schedule. There is no explicit lifetime parameter for the polling results. Each polling replaces the previous results: — Adds missing units and computers — Deletes the computers and units that have been removed from Active Directory In the Advanced polling parameters, the administrator can select the polling scope: — The Active Directory domain to which the Administration Server belongs (the default choice) — The domain forest to which the Administration Server belongs — The specified list of Active Directory domains To add a domain to the polling scope, specify the address of the domain controller, and the name and password of the account for accessing it. You can selectively disable polling for some organizational units in their properties. When the administrator changes the polling scope, after the next polling, the Server will show only the new scope contents. For example, if the administrator has disabled polling within a unit, after the next polling, the Administration Server will delete all the information about the contents of this unit from its database. Also, if the Server scanned several domains previously and the administrator deletes one of the domains from the list, after the next polling, the Server will delete all data about this domain from its database. I-119 Introduction IP range polling What IP subnet polling does IP range polling works similarly to full Windows network polling. However, the original list of computers is not received as a result of quick polling; it is the list of IP addresses from the IP ranges specified by the administrator. The server tries to resolve each address into a name, and the name into an address again; then checks whether the address answers ICMP ECHO REQUESTs, etc. To find out the device type, the Server also sends SNMP requests. The polling results include only those computers that answered the ICMP request. IP subnet polling parameters I-120 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Initially, the Administration Server gets IP ranges for polling from the network settings of the computer where it is installed. If, for example, the computer address is 192.168.0.1 and the subnet mask is 255.255.255.0, the Administration Server automatically includes the 192.168.0.0/24 subnet to the scan list and polls all addresses from 192.168.0.1 to 192.168.0.254. IP subnets polling parameters include the list of polled IP subnets, the enabling check box and the schedule. When this polling method is enabled, the default period is 420 minutes (7 hours). How to add a network to be polled In order to poll subnets to which Administration Server does not belong, you need to add them to the list manually. You can specify a subnet using either its address and mask, or the first and last IP address of the IP range. Also, the name of the subnet should be specified. The life span for the polling results is 24 hours by default. If an IP address is not verified by polling in 24 hours, it is removed from the results. Such a short life span tries to account for dynamic IP addresses (assigned over DHCP protocol), which can change frequently. When modifying the settings, make sure that the information life time exceeds the polling interval. How to modify ranges in an IP subnet One subnet can comprise several IP ranges. Additional ranges are configured in the subnet properties. Whereas named subnets are not allowed to overlap, Ranges may overlap within a subnet. You can enable and disable scanning independently for every subnet. I-121 Introduction Where to monitor network polling If you want to monitor polling, you can do it only in the MMC console. When the network is being polled, the Advanced | Network poll page displays the progress. Detailed information is available in the Administration Server statistics (Administration Server properties: Advanced | Administration Server operation statistics). There you can find the time of the last poll performed by each method, polling progress percentage and the name of the polled domain for Windows network polling. I-122 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management How to find out that the Server has discovered new computers The administrator can configure notifications about new computers found in the network. The corresponding event is available in the properties of the Administration Server, and you can enable email notification in the event properties. To receive information about new computers, open the Event configuration tab in the Administration Server properties. Find the event New device has been detected in the Info section. Open the event properties and enable the option Notify by email. For notifications, the Server uses the parameters that you specified in the Quick Start wizard when installing the Administration Server. If you are not sure that the correct parameters have been specified, check them in the server properties, in the Notification section of the General tab. I-123 Introduction 4.3 How to create or import groups Why create groups After the initial installation, there is only one group on the Administration Server—Managed devices. With a single group, the same protection policy and task schedule is applied to all computers, which is not always preferred. Even in small networks, it may be necessary to use different protection settings for servers and workstations. In large networks, where different groups of users need various types of software, the capability to create policies with different exclusions for different users is extremely useful. The computers must be placed into different groups to be able to apply different policies6. From a practical point of view it is convenient when computers in Kaspersky Security Center are organized into the same groups as in Active Directory, or into groups corresponding to IP subnets used in the organization. This way, the administrator can quickly understand where the computer is located to send an IT employee there. There are also other examples of group use. Often, especially in large networks, the administrators create groups to organize the deployment process. Computers without the Agent or a protection application are placed into the Deploy Agent group, where the Network Agent automatic installation task is created. The computers with installed Agent are moved into the Uninstall Incompatible Apps group, where the task for uninstalling incompatible applications is configured. The computers without incompatible applications are moved into the Deploy KES group, where the task of automatic installation of Kaspersky Endpoint Security is created. Finally, the completely protected computers are moved into the permanent management structure. 6 Starting with version 10 Service Pack 1, Kaspersky Security Center provides the capability to apply different configuration profiles to different computers within the same group. For more details, refer to course KL 302. I-124 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management How to add a group Unlike the MMC console, where groups are created as simply as folders in Windows Explorer, Web Console can be a bit challenging. First, groups are created within the Managed devices node. Then you can create new groups either in the same node or inside the created groups. To create a new group in Web Console, click Devices | Edit Groups. Then select the level where you want to create a group and click Add. Enter the name of the group in the displayed dialog window: It will then appear as a subfolder in the structure of managed devices. If a group is no longer necessary, you can delete it on the condition that there are no computers in either the group or subgroups. Groups can be moved within the hierarchy of managed devices. For example, if the structure of groups reflects physical computer locations and the HR department moves from Building 1 to Building 2, the HR subgroup can be easily relocated together with its computers from the group Building 1 to the group Building 2. For this purpose, select the group that you want to move, click Move, and specify the group into which you want to move it. I-125 Introduction Another method of creating a subgroup is to open the properties of the parent group. On the General tab, there is the Add button that creates a subgroup. Navigation within the group structure At first sight, it is not quite clear how to navigate within the group structure in the Web Console. However, there is an almost imperceptible navigation button: Devices | Groups, which displays the existing group structure, and when you select a group, the list of its policies opens. The Change Structure button redirects you to the Edit Groups tab. How to add a computer to a group In the Web Administration Console, you can move computers using one method only, which is applicable to managed and unassigned devices. Select one or several computers, click Move to Group, and specify the target group. I-126 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management How to import a group structure If the network is large enough and the planned structure of managed devices requires a large number of groups, creating a hierarchy using the methods described above can be very labor-intensive. Sometimes it is easier to import a group structure from the network polling results or from a text file. If administrators want to arrange the managed devices in the exact same order as their network, to combine them into the same workgroups or domains and subdivisions, they can use the structure import functionality. You can import the structure of your Windows network, Active Directory or a structure defined in a text file. In the first two cases you may import either the entire structure (groups including computers) or just groups. When importing the topology from a text file, only groups can be created. Computer import affects unassigned hosts only. If some computers from a workgroup or an Active Directory unit that is being imported are already present in a group of managed devices, the wizard will not relocate them. To start the wizard, select the Managed devices group and click Import. In the wizard, specify the structure to be imported and the destination group. You can also import only a structure from Windows network or Active Directory, and disable importing the computers. I-127 Introduction Windows network topology and a structure defined in a text file are always imported completely. When importing an Active Directory structure, you can select the domain or unit to be imported. The other domains and units will be ignored. The wizard is designed for initial creation of the structure of managed devices. It is not intended for regular synchronization of structures of Kaspersky Security Center, with, for example, Active Directory. If you need to synchronize, configure the computer relocation rules. A structure import via a text file must be prepared manually. Every group or subgroup must be specified on a separate line within the text file. Subgroups are specified using their full paths. Use the backslash path delimiters, for example: Office1\Subdivision1\Department1 Office1\Subdivision1\Department2 Office2 Office3\Subdivision1 If a subgroup path contains groups that do not exist yet, they are created. I-128 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Groups created during the import procedure are completely identical to the groups created manually. You can rename, move, delete them, etc. 4.4 How to add computers to groups automatically Computer relocation rules If groups in Kaspersky Security Center are to reproduce IP subnets or Active Directory units, the administrator can easily automate the computers’ distribution into the groups. Computer relocation rules serve this purpose. The list of relocation rules is available on the Discovery & Deployment | Deployment & Assignment | Moving Rules page Rules created by tasks In some cases, computer relocation rules are created automatically in the Kaspersky Security Center. For example, when the administrator selects to move unassigned devices into a group in the remote installation wizard or when creating a standalone package, the Administration Server creates a relocation rule for this operation. These rules can be viewed on the list and can be disabled, but cannot be deleted or edited. The server deletes them automatically when the corresponding task or standalone package is deleted. I-129 Introduction Configuring relocation rules A relocation rule consists of the following basic settings: — What to move—a set of conditions a computer must meet to be relocated — Where to move—the name of the group in the structure of managed devices where the hosts matching the rule conditions will be relocated — When to move—the conditions that will trigger automatic relocation When creating a rule, specify its name. Use one that explains the rule purpose, since only the names are shown on the rule list. Also, you will need to select the destination group—where to move the computers. When to apply the rules Afterwards, decide when to apply the rule to the computers. Three capabilities are available: — Run once for each device—as soon as the rule is created, it will be applied to all computers in the server database, and then it will be applied only to new computers when they are discovered I-130 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management — Run once for each device, then at every Network Agent reinstallation—is similar to the previous option, but if the Network Agent is reinstalled on a computer, the rule will be reapplied to such a host — Rule works permanently—the rule is permanent; if a computer matching its conditions is manually moved to another group, the Administration Server will immediately return it to the location specified in the rule. If the computer attributes are changed, a permanent rule will react accordingly, while a one-time rule will not The rules created by the Administration Server for installation tasks and standalone packages Run once for each device, then at every Network Agent reinstallation. Permanent rules are more convenient in a sense, but create a persistent computational load on the Administration Server. Conditions in relocation rules Move managed devices Other rule settings specify the conditions the computer must meet for the rule to be applied. The first condition is located in the General section and is named Move only devices that do not belong to an administration group. With this option selected, a rule—even a permanent one—will not hamper the administrator to manually move computers in the groups. It affects only unassigned devices. To apply such a rule to a computer within a group, just delete the computer from the group. When deleted from the managed devices structure, the computer becomes unassigned and the rule will apply to it. If the Move only devices that do not belong to an administration group check box is cleared, the rule applies to all computers in the server database and the corresponding computers are moved into the specified group no matter what happens. This does not prevent the administrator from deleting these computers from the Administration Server database, though. Other conditions are located in additional sections of the rule properties. Move computers by names and IP addresses I-131 Introduction Many of the relocation conditions are related to the network attributes of the computers: — — — — — — NetBIOS name Name of the domain or workgroup DNS name DNS domain IP address Server connection IP address (if a computer is behind a NAT gateway, the connection address is the gateway address) To apply a rule to several computers, you can specify IP addresses as ranges, and names can be specified as masks with “*” and “?” wildcards. If these options are insufficient, you can always create several rules with different conditions that will move computers to the same group. Move computers by operating systems Conditions for devices may include operating system version, architecture and currently installed Service Pack. Several operating systems can be specified within a rule. If the administrator wants to automatically move all servers into the Servers group, it will be necessary to create only one rule that will take care of all servers of all versions used in the network. For example, Windows Server 2008 R2 and Windows Server 2012 R2. Also, there is the Network Agent is running condition. This condition can separate the computers already connected to the Administration Server from those that need to be connected. Other conditions A relocation rule has a condition for virtual machines. Virtual machines running on different virtualization platforms can be moved into different groups. Protection of virtual machines is described in courses KL 014 Kaspersky Security for Virtualization. Agentless and KL 031 Kaspersky Security for Virtualization. Light Agent. If these conditions are not enough, computers can be tagged and you can configure conditions using the tags. For more details, refer to course KL 302. I-132 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management How to synchronize groups with Active Directory There are similar conditions for the computers within the Active Directory structure: — Active Directory unit name — Active Directory group name Relocation rules permit configuring synchronization with Active Directory. For this purpose, enable additional options under the condition Apply the rule to Active Directory organization unit: — Including child organization units—if the selected unit has child units, computers within them will be moved into the destination group — Move computers from child organizational units to corresponding subgroups—if the selected unit has child units, and the destination group has the corresponding subgroups, computers from the child units will be moved into the corresponding subgroups — Create missing subgroups—if the selected unit has child units, and the destination group has no corresponding subgroups, the Administration Server will create these subgroups and move the computers of the child unit there — Delete subgroups that are not present in the Active directory—the opposite of the previous option. When an organizational unit is deleted from the Active Directory, this option will remove the respective group from the Kaspersky Security Center. If all the four options are enabled, an updatable copy of Active Directory structure will be created in the destination group. If a unit is created or deleted in Active Directory, or computers are moved from one unit to another, Kaspersky Security Center will automatically repeat these changes in its group structure. In addition to units, Active Directory has groups, which may contain computer accounts. To move computers into groups according to the domain groups, select the condition The device is member of Active Directory group and specify the group name. I-133 Introduction Tags A tag is an additional attribute that the administrator can assign to devices and use it to configure relocation rules more flexibly. The administrator can assign tags manually to each device individually or several devices at once, or configure automatic tag allocation rules. A device can have several tags assigned. Relocation rules may be applied to devices without the specified tags or to the devices that have at least one of the specified tags. To assign tags, select one or several devices, open the properties window and switch to the Tags tab. There is also a link there: Set up automatic tagging rules. Automatic tag allocation rules can also be configured on the Devices | Tags | Auto-Tagging Rules tab. In some cases, it makes sense to assign tags automatically when deploying the protection application. You can also do it in the Network Agent package properties. To assign different tags to computers during the installation, create several installation packages for the Network Agent, specify the necessary tag within each package, and use different packages for different computers. Regardless of how a tag was added to the system or assigned to a device, you will be able to assign it to any other device as well afterwards. I-134 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Rule application order The created rules are organized into a list where their order makes a difference. Permanent rules have priority over the others. Among rules of the same type, the higher the rule is on the list, the higher its priority. In other words, if a computer meets the conditions of several rules, only the top one is applied. Rule order can be changed using the arrows. Also, a rule can be applied manually using the Force button at the bottom of the window. This permits re-applying a non-permanent rule. For the permanent rules, the button does nothing, since permanent rules are constantly forced anyway. The Rule execution wizard prompts for the group where the rule is to be applied, and moves the computers that meet the rule conditions from the selected group to the group specified in the rule. There is an option that permits skipping the computers to which this rule has already been applied and only force the rule on new computers. II–1 Unit II. Protection management Unit II. Protection Management Chapter 1. How Kaspersky Endpoint Security 11 protects computers ......................... 4 1.1 How criminals attack a computer............................................................................................................................ 4 How malware gets on a computer .......................................................................................................................... 4 How malware causes harm .................................................................................................................................... 7 1.2 How Kaspersky Endpoint Security counters attacks............................................................................................... 9 How Kaspersky Endpoint Security repels threats .................................................................................................. 9 How Kaspersky Security Network helps to repel threats ..................................................................................... 10 Where are Kaspersky Endpoint Security settings located .................................................................................... 12 Chapter 2. How to configure file protection ................................................................ 13 2.1 How Kaspersky Endpoint Security protects files.................................................................................................. 13 2.2 What and how to configure in File Threat Protection ........................................................................................... 14 Configure File Threat Protection......................................................................................................................... 15 2.3 What to do if File Threat Protection slows down the computer ............................................................................ 19 How to exclude an application’s folder ............................................................................................................... 20 How to exclude files that a process accesses ....................................................................................................... 21 How not to scan network drives ........................................................................................................................... 22 How to apply settings to computers ..................................................................................................................... 22 2.4 How and why configure scheduled file scanning ................................................................................................. 23 Why scan for malware after the File Threat Protection?..................................................................................... 23 What and how to scan for threats ........................................................................................................................ 24 How to select an optimal schedule ....................................................................................................................... 25 2.5 What to do with false positives ............................................................................................................................. 27 How to configure an exclusion for an incorrect verdict....................................................................................... 27 Exclusions by checksum ....................................................................................................................................... 28 Exclusion by certificate ........................................................................................................................................ 28 2.6 File protection: Summary ..................................................................................................................................... 29 Chapter 3. How to configure protection against network threats .............................. 31 3.1 How network protection works ............................................................................................................................. 31 What network components do .............................................................................................................................. 31 How Kaspersky Endpoint Security intercepts traffic ........................................................................................... 32 How Kaspersky Endpoint Security scans encrypted traffic .................................................................................. 33 II–2 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management 3.2 Mail Threat Protection .......................................................................................................................................... 35 What Mail Threat Protection does ....................................................................................................................... 35 Configuring Mail Threat Protection .................................................................................................................... 36 Attachment filter ................................................................................................................................................... 37 Exclusions for false positives ............................................................................................................................... 38 3.3 Web Threat Protection .......................................................................................................................................... 38 What Web Threat Protection does........................................................................................................................ 38 Configuring Web Threat Protection ..................................................................................................................... 39 How to make a website trusted ............................................................................................................................. 39 3.4 How not to intercept the whole traffic of a program ............................................................................................. 40 3.5 Protection for network connections: Summary ..................................................................................................... 41 Chapter 4. How to configure protection against sophisticated threats ...................... 42 4.1 How Kaspersky Endpoint Security protects against new threats .......................................................................... 42 4.2 Detection technologies used in Kaspersky Endpoint Security .............................................................................. 43 4.3 What Advanced Threat Protection does ................................................................................................................ 44 How Behavior Detection protects against new threats ........................................................................................ 44 How Exploit Prevention protects against new threats ......................................................................................... 45 How Remediation Engine protects against new threats ....................................................................................... 46 How Host Intrusion Prevention stops new threats ............................................................................................... 47 How to configure Host Intrusion Prevention to stop ransomware ....................................................................... 50 How AMSI Protection Provider stops new threats ............................................................................................... 51 4.4 How to exclude a program from monitoring ......................................................................................................... 52 What to do if KES hampers a program ................................................................................................................ 52 How to modify a program’s trust category .......................................................................................................... 52 How to make a program trusted for Behavior Detection and Intrusion Prevention ............................................ 55 4.5 Protection against new and sophisticated threats: Summary ................................................................................. 56 Chapter 5. How to control network connections ......................................................... 57 5.1 How Firewall protects against threats ................................................................................................................... 57 5.2 How Firewall works in KES ................................................................................................................................. 57 How Firewall analyzes packets and connections ................................................................................................. 58 How Firewall decides which networks are local.................................................................................................. 59 How Firewall restricts programs ......................................................................................................................... 61 5.3 What Firewall does under default settings ............................................................................................................ 62 Default network packet rules ................................................................................................................................ 62 What it means for applications on the computer .................................................................................................. 63 What if the Firewall impedes an application........................................................................................................ 64 5.4 Why Network Threat Protection is necessary ....................................................................................................... 65 What Network Threat Protection does ................................................................................................................. 65 What the Protection from MAC Spoofing does .................................................................................................... 66 How to unblock a blocked computer .................................................................................................................... 66 5.5 Network protection: Summary .............................................................................................................................. 68 Chapter 6. How to protect a computer outside the network ....................................... 69 6.1 Which local networks to trust ............................................................................................................................... 69 6.2 How to create a policy for computers outside the office ....................................................................................... 69 How to create a policy for computers outside the office ...................................................................................... 70 When computers switch to the out-of-office policy ............................................................................................... 71 How to set conditions for switching to the out-of-office policy ............................................................................ 72 6.3 Which settings computers should use outside the office ....................................................................................... 73 6.4 Out-of-office policies: Summary .......................................................................................................................... 74 II–3 Unit II. Protection management Chapter 7. What else is there in protection and why? ................................................ 75 7.1 What Self-Defense does and why it is necessary .................................................................................................. 75 What Self-Defense does ........................................................................................................................................ 75 How to manage KES over Remote Desktop ......................................................................................................... 76 What BadUSB Attack Prevention does................................................................................................................. 77 7.2 How to protect Kaspersky Endpoint Security from the user ................................................................................. 78 How the user can stop protection......................................................................................................................... 78 How to enable password protection ..................................................................................................................... 79 Configuring password protection for Network Agent .......................................................................................... 80 7.3 Which other protection settings are available ....................................................................................................... 81 Actions ................................................................................................................................................................. 81 Other settings ....................................................................................................................................................... 81 Computer protection: Summary ........................................................................................................................... 84 II–4 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Chapter 1. How Kaspersky Endpoint Security 11.1 protects computers 1.1 How criminals attack a computer How malware gets on a computer Malware gets on a computer via everything that connects the computer to the external world. Specifically, via network connections and removable drives. Let us examine typical scenarios of how malware penetrates a computer, and how to prevent this. Via a browser A vulnerable web browser The user has installed a vulnerable browser. A web page may use a vulnerability to make the browser download and run any software on the computer. The user opens a dubious website, and the website starts malware on the user’s computer. Malicious code can reside in the ad blocks that the website receives from other sites rather than on its own pages. To protect against such an attack: — — — — — Install updates for web browsers Do not allow the users to start whichever browsers Do not allow the users to open whichever web pages Do not allow the users to open known infected websites Do not allow web browsers to start child processes II–5 Unit II. Protection management An infected file The user looks for free software on the internet. For example, a handy free utility, or a pirate version of an expensive program, or a key generator for an expensive application. Finds, downloads, and starts it on the computer. The program turns out to be malicious. Maybe the user has downloaded a seemingly appropriate file from an “Internet garbage”. Or maybe criminals have altered freeware code or cracked the site and replaced the program. To protect against such an attack: — Do not allow the users to open whichever web pages — Do not allow the users to open websites that are known for distributing malware — Scan the files that the users download from the Internet by protection software Via email The user receives an email message that looks like a message from a bank, shop, delivery service, from a partner, acquaintance, etc. The message prompts to click a link or open an attachment. The link leads to a malicious or phishing website. The attachment contains malware or a document with embedded malware. To protect against such an attack: — — — — Filter email by antispam tools (software that protects against anonymous bulk unsolicited emailing) Scan files attached to email messages by protection software Do not allow the users to save executable files from email messages to the drive Protect against links in the messages the same way as against attacks via web browsers From other computers over the network From a shared folder The user copied a program from a shared folder on another computer and started it. The program turned out to be malicious. The user opened a document from a shared folder on another computer. The document contained malicious code. To protect against such an attack: — Install protection tools on all computers — Scan the files that the users copy, open or start A network attack There is a vulnerability in the operating system on the user's computer. If a special sequence of packets is sent to a specific port, one can make the vulnerable service run the code within these packets. An infected computer will also attack the vulnerable service on all other network computer and infect them. To protect against such an attack: — Install security updates for operating systems — Prohibit connections to the ports that the users do not need for their work — Use protection software to check inbound packets for network attacks II–6 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management From external media A user’s USB memory drive The user connected a USB flash drive to the computer to copy documents. The USB flash drive contains malware that uses a vulnerability in the operating system to automatically run on the computer. Or the user simply connected a USB flash drive to find out what it contains, found a document or an executable file with an intriguing name and decided to open it. The file turned out to be infected. To protect against such an attack: — Do not allow the users to connect unknown (or all) USB flash drives to the computers — Scan files on USB drives by protection software — Install security updates for operating systems BadUSB The user connected a USB device that looks like a USB flash drive to the computer. The device registered with the operating system as a USB flash drive and as a keyboard. After a while, the device started to execute commands on the computer by sending keystrokes. To protect against such an attack: — Use protection against BadUSB attacks How to protect against threats All threat prevention methods can be grouped as follows: Eliminate potential attack targets Install security updates for operating systems Install updates for web browsers and other programs Do not allow the users to start whichever browsers Do not allow the users to open whichever web pages Do not allow web browsers to start child processes Do not allow the users to save executable files from email messages to the drive Prohibit connections to the ports that the users do not need for their work Do not allow the users to connect unknown (or any) USB flash drives to the computers Use protection tools to detect attacks Install protection on all computers Scan the files that the users copy, open or start Scan files on USB drives by protection software Scan files attached to email messages by protection software Scan files that the users download from the Internet by protection software Do not allow the users to open known infected websites Do not allow the users to open websites that are known of distributing malware Use protection software to check inbound packets for network attacks Use protection against BadUSB attacks II–7 Unit II. Protection management How malware causes harm No protection tool can protect against 100% of threats. Criminals may always be half a step ahead since they: — Register new domains and websites — Write new malware — Use zero-day vulnerabilities for which updates have not been issued yet Even if protection works properly, there is always risk that a computer may be infected with a new malware. If protection is not installed on some computers, if databases are outdated on computers, if important protection components are disabled, the risk grows. Let us study the harm that malware can cause and how it can be decreased. Ransomware Ransomware encrypts documents and other files on the computer and in shared folders, and demands money in return for the encryption key. The key is stored on the criminals’ server. Malware either downloads the key from the server, encrypts files and deletes the key; or generates a random key, sends it to the server, encrypts files and deletes the key. Anyway, ransomware connects to its server over the network. To protect against such an attack: — Regularly back up all important files — Do not allow unknown programs to establish and accept network connections — Use protection tools that detect encryption heuristically Spyware Malware looks for non-encrypted or poorly encrypted passwords in software settings and in the files on the drive. Malware intercepts everything the user enters, takes screenshots and shoots through the web camera. The program sends all this to the criminals’ server. To protect against such an attack: — Do not allow unknown programs to establish and accept network connections — Use protection tools that detect spying heuristically II–8 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Network malware Malware writes itself to the USB flash drives connected to a computer and to shared folders over the network. Malware infects neighbor computers via vulnerable services. Malware sends spam and participates in DDOS attacks at a control center’s command. To protect against such an attack: — Do not allow unknown programs to establish and accept network connections — Use protection tools that heuristically detect dangerous activities Loaders Criminals often use very simple files, which do not impose any direct threat, to get around protection tools and infect a computer. But these files may download additional malicious files, which can encrypt documents, steal passwords, etc. To protect against such an attack: — Do not allow unknown programs to establish and accept network connections Low-grade malware Malware makes other programs hang or malfunction, a computer run really slow, spontaneously restart, or display a blue screen. To protect against such an attack: — Regularly scan files on the computer by protection software How to reduce losses The loss reduction methods may be grouped similarly to attack prevention methods: Eliminate potential attack targets Do not allow unknown programs to establish and accept network connections Use protection tools to detect attacks Use protection tools that heuristically detect dangerous activities Regularly scan files on the computer by protection software II–9 Unit II. Protection management 1.2 How Kaspersky Endpoint Security counters attacks How Kaspersky Endpoint Security repels threats Kaspersky Endpoint Security and Kaspersky Security Center components do everything to protect against attacks and prevent losses: Eliminate potential attack targets Install security updates for operating systems Kaspersky Security Center (see course KL 009) Install updates for web browsers and other programs Kaspersky Security Center (see course KL 009) Do not allow the users to start whichever browsers Application Control Do not allow the users to open whichever web pages Web Control Do not allow web browsers to start child processes Behavior Detection Exploit Prevention Do not allow the users to save executable files from email messages to the drive Mail Threat Protection Prohibit connections to the ports that the users do not need for their work Firewall Do not allow the users to connect unknown (or any) USB flash drives to the computers Device Control Do not allow unknown programs to establish and accept network connections Firewall II–10 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Use protection tools to detect attacks Install protection on all computers Kaspersky Security Center (see Unit I) Scan the files that the users copy, open or start File Threat Protection Host Intrusion Prevention Scan files on USB drives by protection software Virus scanning Scan files attached to email messages by protection software Mail Threat Protection Scan files that the users download from the Internet by protection software Web Threat Protection Do not allow the users to open known infected and phishing websites Web Threat Protection Do not allow the users to open websites that are known for distributing malware Web Threat Protection Use protection software to check inbound packets for network attacks Network Threat Protection Do not allow the users to automatically connect any USB devices as a keyboard BadUSB Attack Prevention Use protection tools that heuristically detect dangerous activities Behavior Detection Host Intrusion Prevention Regularly scan files on the computer by protection software Virus scanning This list includes all components of Kaspersky Endpoint Security. All of them either decrease the attack surface, or actively scan, detect and block threats. Kaspersky Endpoint Security neither backs up files on the computer, nor protects against spam. To protect against spam, use Kaspersky Lab products for mail systems: — Kaspersky Security for Microsoft Exchange Servers — Kaspersky Secure Mail Gateway How Kaspersky Security Network helps to repel threats II–11 Unit II. Protection management To ensure that Kaspersky Endpoint Security components reliably protect against threats, it is important to regularly update the signature databases. It is also important to allow Kaspersky Endpoint Security to use the Kaspersky Security Network. Kaspersky Security Network (KSN) is a cloud-assisted technology that helps increase the accuracy of verdicts for all protection components. Kaspersky Security Network servers collect information about files on the protected computers, analyze it using machine learning technologies, consider when a file was detected for the first time, whether it is widespread, in which regions, whether the users of personal versions of Kaspersky Security trust the file, whether the file is signed with a certificate and which one, etc. Suspicious files are additionally analyzed by Kaspersky Lab experts. After that, Kaspersky Security Network assigns a trust group to the file: — — — — Trusted Low Restricted High Restricted Untrusted For each trust group, Kaspersky Lab analysts have developed scenarios that describe what files are allowed to do and what is prohibited depending on the assigned trust group reputation). This way, Kaspersky Endpoint Security components learn which programs are to be allowed to connect to the network, which programs may install drivers, and which of the trusted programs are to be scanned especially thoroughly, because they may contain vulnerabilities. Kaspersky Security Network contains a huge database of checksums of known good files. Kaspersky Lab receives checksums of reference files from many known software manufacturers, such as Microsoft, Adobe, Google, etc. That is why Kaspersky Endpoint Security components know which files are not infected for sure and do not hamper the respective programs. Except for files, Kaspersky Security Network forms reputation for web pages and software activity patterns. If Kaspersky Lab detects a new threat, checksums of all malicious files and web pages get to the Kaspersky Security Network in a split second and are available to all products that use the Kaspersky Security Network. Products learn about new threats via Kaspersky Security Network a few hours earlier than the threat signatures that are downloaded with updates. The data that Kaspersky Endpoint Security sends to Kaspersky Security Network are depersonalized and anonymous. The complete list can be found in the Kaspersky Security Network agreement that the administrator must accept prior to enabling Kaspersky Security Network in the Kaspersky Endpoint Security policy. To be able to use Kaspersky Security Network without sending anything to Kaspersky Lab, there is the Kaspersky Private Security Network service. II–12 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Where are Kaspersky Endpoint Security settings located In this chapter, we will study which settings are available in the Kaspersky Endpoint Security components: — The default values — How the parameters influence the components’ behavior — When and how to modify settings to improve computer protection or user experience Most of Kaspersky Endpoint Security settings are located in the policy. Some settings, for example, scheduled virus scan or update settings, are set up in tasks. II–13 Unit II. Protection management Chapter 2. How to configure file protection 2.1 How Kaspersky Endpoint Security protects files File Threat Protection intercepts all file operations (such as reading, copying, executing) using the klif.sys driver and scans the files being accessed. By default, if the file is infected, the operation will be blocked, and the file will be either disinfected or deleted. Except for the vulnerabilities that allow malware to load code into the memory, all attacks save malicious files on the computer drive. And even those attacks that start with executing code in the memory, can load only small amount of code there and use it as the first step of the attack, which then downloads additional modules in files and saves them to the drive. Even if Mail Threat Protection and Web Threat Protection are disabled, the user will not be able to start an infected file received by email or downloaded from the internet, because a file cannot be started either from an attachment or from a web page without being saved to the hard drive; and when the file is saved on the disk, it will be detected and blocked by the File Threat Protection. This makes File Threat Protection an important component of Kaspersky Endpoint Security. File Threat Protection scans for malware using: — Malware signatures—a signature database is a “black list” of known malicious files. If a file does not match any of the database records, it is not malicious. A complete black list, where each known malicious or infected file is described thoroughly, requires too much space; that is why a signature database is optimized and narrowed down to a size that can be easily downloaded to a computer. Each record identifies a family of similar threats. — Heuristic analysis (emulation of execution)—helps detect polymorphous malicious files, which change their code during the execution, and which are therefore difficult to detect using signatures. File Threat Protection starts executable files in a special isolated environment and checks whether code changes in the memory to match a signature. II–14 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management — KSN checks—File Threat Protection sends the file checksum to KSN and receives an answer: Whether such a file is found in the KSN database, and what reputation it has. The KSN database is a huge list of all files (to be more exact, their checksums) known to Kaspersky Lab. This list includes files with an untrusted reputation. It is a black list, and File Threat Protection blocks such files. There are also files with a trusted reputation. It is a white list, which includes known harmless files of operating systems and widespread software. File Threat Protection does not block these files even if they match malware signatures. KSN verdict has higher priority, because KSN contains more information than a local signature database. To receive a verdict from KSN, a computer needs a connection to the internet, which may be unreliable. For this reason, Kaspersky Endpoint Security does not rely upon KSN entirely, and uses the signature database and emulation. KSN verdicts may change with time. A file that has just appeared on the internet has no reputation at first. Eventually, when KSN accumulates data about who, where and how uses this file, its reputation changes and may become trusted or untrusted. For better protection, Kaspersky Endpoint Security could check the KSN verdict at each file operation. But it would scale up the computer’s network traffic. Besides, sending a request and receiving an answer takes time, which depends on the quality of communication channel. To avoid creating extra traffic and detaining file operations, Kaspersky Endpoint Security saves KSN verdicts in the local cache. Each verdict has its lifetime. For new files, it is short, which makes Kaspersky Endpoint Security recheck the verdict often. For the files that have long been known, this time is large. To avoid slowing down the computer, File Threat Protection does not scan all files; it scans only those files that may infect a computer. For example, File Threat Protection does not scan archives, because files must be extracted prior to being started. It is either the user who extracts the file from the archive, or the operating system does this for the user. Anyway, File Threat Protection will scan the extracted files (and block them if necessary). Scan the files that are not scanned by File Threat Protection by virus scan tasks. Virus scanning checks files within the specified scope and uses the same methods as File Threat Protection. 2.2 What and how to configure in File Threat Protection II–15 Unit II. Protection management Configure File Threat Protection File Threat Protection, as well as Kaspersky Endpoint Security in general, solves two tasks: — Prevent malware from causing harm — Not to hamper the user or legitimate software The more files File Threat Protection scans, the better it solves the former task, and the worse the latter, and vice versa. The default settings balance protection and performance. By adjusting the settings, the administrator can tilt the balance one way or the other. You can adjust Kaspersky Endpoint Security settings in the policy. The settings of all components are located in the respective sections: File Threat Protection, in Essential Threat Protection on the Application Settings tab. Let us first talk about the parameters that should not be changed and explain why. File Threat Protection does not scan all file types Files that may harm a computer are mainly executable files, but not only. Microsoft Office documents may contain executable code (macros), which can be malicious. Even documents without code, some graphic files for example, may use vulnerabilities of the applications that open them and make these programs run a part of the file as code. By default, File Threat Protection scans files by format. This way, Kaspersky Endpoint Security reliably protects the computer, because it scans all dangerous files, but does not slow down the computer, since it does not scan all the files. Scanning files by extension only is dangerous. For example, a malicious Word document may have extension .123, which is not included in the scan list, but the user can open it nevertheless via its shortcut menu (Open with). Also, scanning by extension is not significantly faster than scanning by format. The user will not perceive any difference in performance. If the administrator wants to improve performance of slow computers, better start with exclusions for the programs with which users work. How to create exclusions is explained at the end of this section. The list of scanned extensions: com exe sys prg bin bat cmd dpl dll scr cpl ocx tsp drv vxd pif lnk reg ini cla vbs Program executable file whose size does not exceed 64 KB Executable file, self-extracting archive System file of Microsoft Windows Text of the dBase™, Clipper or Microsoft Visual FoxPro® application, a program from WAVmaker suite Binary file File that contains one or more commands Command file of Microsoft Windows NT (a counterpart of a bat file for DOS), OS/2 Packed Borland Delphi library Dynamic-link library Microsoft Windows screen saver file Control panel module in Microsoft Windows Microsoft OLE object (Object Linking and Embedding) Time-shared program Device driver Driver of a Microsoft Windows virtual device File with information about a program Link file in Microsoft Windows File for importing and exporting Microsoft Windows registry keys Configuration file that contains settings for Microsoft Windows, Windows NT and some other software Java class Visual Basic script II–16 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management vbe js, jse htm htt hta asp chm pht php wsh wsf the hlp eml nws msg plg mbx doс* doс docx docm dot* dot dotx dotm fpm rtf shs dwg msi otm pdf swf jpg, jpeg emf ico ov? xl* xla xlc xlt xlsx xltm xlsb xltx xlsm xlam pp* pps ppt pptx pptm potx potm ppsx ppsm ppam Video BIOS Extension JavaScript source text Hypertext document Microsoft Windows hypertext template file Hypertext program for Microsoft Internet Explorer Active Server Pages script Compiled HTML file HTML file with built-in PHP scripts Script built into an HTML file Microsoft Windows Script Host file Microsoft Windows script Screensaver file for Microsoft Windows 95 desktop Help file in Win Help format Microsoft Outlook Express message Microsoft Outlook Express news message file Microsoft Mail email message Email message Extension for a saved message of Microsoft Office Outlook Microsoft Office Word document, such as: Microsoft Office Word document XML-based Microsoft Office Word 2007 document Macro-enabled Microsoft Office Word 2007 document Microsoft Office Word 2007 document template Microsoft Office Word document template Microsoft Office Word 2007 document template Microsoft Office Word 2007 macro-enabled document template Database program, a startup file of Microsoft Visual FoxPro Document in the Rich Text Format Windows Shell Scrap Object Handler file AutoCAD drawing database Microsoft Windows Installer package VBA project for Microsoft Office Outlook Adobe Acrobat document Shockwave Flash object Graphic file for storing compressed images Enhanced Metafile. The next generation of Microsoft Windows operating system metafiles. EMF files are not supported in 16-bit Microsoft Windows Icon Microsoft Office Word executable files Microsoft Office Excel documents and files, such as: Microsoft Office Excel add-in Microsoft Office Excel chart Microsoft Office Excel template Microsoft Office Excel 2007 workbook Microsoft Office Excel 2007 macro-enabled workbook Microsoft Office Excel 2007 workbook in binary (non-XML) format Microsoft Office Excel 2007 template Microsoft Office Excel 2007 macro-enabled template Microsoft Office Excel 2007 macro-enabled add-in Microsoft Office PowerPoint documents, such as: Microsoft Office PowerPoint slide Microsoft Office PowerPoint presentation Microsoft Office PowerPoint 2007 presentation Microsoft Office PowerPoint 2007 macro-enabled presentation Microsoft Office PowerPoint 2007 presentation template Microsoft Office PowerPoint 2007 macro-enabled presentation template Microsoft Office PowerPoint 2007 slide show Microsoft Office PowerPoint 2007 macro-enabled slide show Microsoft Office PowerPoint 2007 macro-enabled add-in II–17 Unit II. Protection management md* mda mdb sldx sldm thmx Microsoft Office Access documents, such as: Microsoft Office Access workgroup Microsoft Office Access database Microsoft Office PowerPoint 2007 slide Microsoft Office PowerPoint 2007 macro-enabled slide Microsoft Office 2007 theme Heuristic analysis of Kaspersky Endpoint Security starts a program executable in an isolated environment and watches what it does. First of all, heuristic analysis helps detect polymorphous malware, which can change its code during the execution. When criminals email new malware, or upload a new version of a malicious module to an infected computer, they may generate a file with a unique checksum for each computer or addressee. Signatures and even Kaspersky Security Network will not help in this case. But heuristic analysis clearly shows that all these versions restore the same malicious code when running. File Threat Protection does not scan files that have already been scanned Most of the files a rarely changed on the computer, and if File Threat Protection scans only new and changed files, it almost does not load the computer. In the first few days, while all files are new for Kaspersky Endpoint Security, the user may feel that the computer works slower. But File Threat Protection stops influencing performance soon. Do not turn off the option Scan only new and changed files in File Threat Protection, it will slow down the computer. How does Kaspersky Endpoint Security learn which files have been changed and which have not? The NTFS file system (and its successor ReFS) logs when files are changed, and guarantees integrity of these records. Therefore, on NTFS drives, Kaspersky Endpoint Security simply checks the file modification date. FAT32 file system cannot log the modification date; neither can it protect the modification date against unsolicited changes. Malware may modify a file, and then assign any modification date to it. For this reason, Kaspersky Endpoint Security saves checksums of scanned files into a special database for FAT32 drives. When the file is accessed next time, Kaspersky Endpoint Security re-calculates the checksum and compares it with that saved. If the sums differ, the file has been changed, and File Threat Protection scans it. Scanning new files only once is dangerous. If malware gets on the computer before Kaspersky Endpoint Security receives its signatures, File Threat Protection will scan it, consider to be clean, and will not scan at the next start. To prevent this, even if the option Scan only new and changed files is enabled, File Threat Protection scans all new files repeatedly, at least twice, or even several times. For this purpose, Kaspersky Endpoint Security stores the release time of the signatures with which the file was scanned fist and last. If a file has been scanned only once, or if the current version of signatures was issued less than 24 hours after that with which the file was scanned for the first time, File Threat Protection re-scans the file. What if signatures for a new threat are not issued in 24 hours? This almost never happens. Besides, except for signatures, Kaspersky Endpoint Security uses data from Kaspersky Security Network, which contains most recent information about threats. To further reduce the risk, use a virus scan task to check all files on the computer, including those that have not been changed, and which File Threat Protection scanned already. II–18 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management File Threat Protection does not scan compound files (archives, etc.) Application Settings | Essential Threat Protection | File Threat Protection | Scan archives Enabled File Threat Protection scans files within RAR, ARJ, ZIP, CAB, LHA, JAR, and ICE archives. For this purpose, File Threat Protection unpacks an archive into a temporary folder or into the memory Disabled (by default) File Threat Protection neither unpacks archives nor scans files within them To scan archived files, File Threat Protection unpacks the archive, which consumes considerable computer resources. Archives are not dangerous as they are. A malicious file cannot be started from the archive. The user either unpacks the archive manually, or the operating system does this for the user. Anyway, a malicious file gets on a drive prior to run, and File Threat Protection scans it as any other file. Do not enable the Scan archives option in File Threat Protection. It will slow down the computer, but will not improve protection Application Settings | Essential Threat Protection | File Threat Protection | Scan distribution packages Enabled File Threat Protection scans files within self-extracting archives and installation packages, such as MSI. For this purpose, File Threat Protection unpacks an archive into a temporary folder or into the memory Disabled (by default) File Threat Protection does not scan self-extracting archives and installation packages Installation packages are executable files, and File Threat Protection scans their executable part anyway. However, a large part of data within an installation package consists of archived files of the program to be installed by the package. To scan them, File Threat Protection extracts them from the package, similar to archives. Installation packages do not need to be scanned by File Threat Protection. If the user copies a package, it cannot infect the computer. If the user starts a package, it will extract files itself and save them on the drive, where they will be scanned by File Threat Protection. Application Settings | Essential Threat Protection | File Threat Protection | Scan Office formats Enabled (by default) File Threat Protection scans executable parts not only within Microsoft Office documents, but also in the objects embedded into them Disabled File Threat Protection scans executable parts only within Microsoft Office documents, and skips embedded objects Microsoft Office files have a complicated structure. We can even say that there is a file system with additional files within a Microsoft Office document. When the user pastes an Excel chart into a Word document, Microsoft Office can add the whole Excel document to the Word document, with all its data, formulas and macros. Do not disable scanning for office documents. Not scanning objects embedded in office documents is dangerous. They may contain malicious macros, which Office programs can start without saving to the drive. Archive scan settings If the administrator selects to scan archives, whenever the user tries to copy or open an archive, the operation will not start until File Threat Protection unpacks the archive and scans all files within it. Meanwhile, the user cannot do anything with the archive. II–19 Unit II. Protection management If the administrator wants to scan archives, the user experience can be improved by changing additional archive scan settings. Do not unpack large compound files Maximum file size: File Threat Protection will scan only those archives that are less than the Maximum file size 8 MB by default. Unpack compound files in the background mode File Threat Protection will detain operations with small archives only. If the user opens a large archive, File Threat Protection will allow access, but at the same time will unpack the archive and scan the files. The user will not have to wait. Large archives are those that are larger than the Minimum file size value Minimum file size By default, is not specified. Meaning, if you select to unpack compound files in the background, File Threat Protection will scan all archives in the background mode File Threat Protection has detected and deleted the malware Malware detected by File Threat Protection should not be left unprocessed, and the settings that regulate File Threat Protection actions should be locked. The optimal choice is to disinfect and if disinfection is impossible, delete infected files. Most of the malicious files cannot be disinfected, because they contain nothing but the infected code. Before a file is disinfected or deleted, its copy is placed into the Backup repository. In case a file contains important information or is deleted because of a false positive, it can be recovered. If the Remediation Engine component is enabled in Advanced Threat Protection, Kaspersky Endpoint Security not only deletes malicious files, but also rolls back their actions1. 2.3 What to do if File Threat Protection slows down the computer 1 The rollback procedure is described in Chapter 4 of this Unit. II–20 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management First, find out whether File Threat Protection actually slows down the computer (or a program): — — — — Find the computer that works slowly Disable the policy on it (see the section How to Protect Kaspersky Endpoint Security from the User) Stop (disable) File Threat Protection Check whether the computer (program) works any faster Even if programs work faster on the computer without File Threat Protection, do not leave File Threat Protection disabled. Configure exclusions for applications. Try various exclusion types: — If all program files are located in a single folder, exclude the program’s folder from scanning — If the program works with files in various folders or in a temporary folder, make the executable file of the program trusted Never exclude the operating system’s temporary folder from scanning. Malware is often started from it. — If the program works with files in shared folders, try to disable scanning of network drives — For the programs that start on the specified schedule during off business hours, pause File Threat Protection while the program runs How to exclude an application’s folder Exclusions are configured in Kaspersky Endpoint Security policy: Open Application Settings | General Settings and click the Exclusions link. To set up exclusions for folders, click the Scan exclusions link. They will apply to all protection components. A scan exclusion consists of three attributes: — File or folder—the name of the file or folder to which the exclusion applies. The name of the object may include environment variables (%systemroot%, %userprofile% and others) and also “*” and “?” wildcard characters — Object name—the name of the threat to be ignored (usually corresponds to a malware name), which can also be specified using wildcard characters — Object hash—checksum (SHA-256) of the file to which the exclusion applies. II–21 Unit II. Protection management — Protection components—the list of protection components to which the rule applies Of the four attributes, any of the first three and the last one must be specified. You can create a scan exclusion for a file or folder without specifying the threat type; then the selected components will ignore any threats in the specified file or folder. Alternatively, you can create a scan exclusion for a threat type, for example, for the UltraVNC remote administration tool, so that the selected protection components would not respond to this threat regardless of where it is detected. All attributes can also be specified simultaneously. For example, the exclusion list contains a set of rules for widespread remote administration tools: UltraVNC, RAdmin, etc. In these rules, both the threat type and the object (typical location of the executable file) are specified. According to such an exclusion, Kaspersky Endpoint Security would allow running a remote administration tool from the Program Files folder, but if the user runs the tool from another folder, Kaspersky Endpoint Security would consider it a threat. How to exclude files that a process accesses If the computer runs resource-consuming programs, their operation can be slowed down by the File Threat Protection. This is especially true for the programs that perform numerous file operations, for example, backup copying or defragmentation. To avoid slowdowns, make these applications trusted. For this purpose, in the exclusion settings window, add the executable file to the Trusted applications list. Within the Application window, specify the path to the executable file, and select the Do not scan opened files action. The path may contain environment variables and “*”, “?” wildcards. II–22 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management How not to scan network drives Not scanning network drives at all is dangerous. Prior to disabling network drive scanning, make sure that protection tools are installed on all network computers. Do not disable network drive scanning “just in case”; do it only if it solves the users’ issues To exclude network drives from scanning, edit the protection scope in the security level settings. By default, Protection scope of the File Threat Protection includes: — All removable drives — All hard drives — All network drives In other words, all drives from which malware can be run. A protection area allows adding individual drives and folders instead of drive groups. However, disabling any standard scan scope considerably decreases the protection level. How to apply settings to computers Policy settings must be enforced, meaning, locked. Unlocked settings are not applied to the computers. Since all locks are closed in a policy by default, the administrator may not even notice them. While you edit settings without touching the locks, all settings remain required and are enforced on the computers. However, you should remember that if locks are open, the configured settings are not applied. If you have changed settings in a policy, and they have not changed on the computers, check the locks in the policy. II–23 Unit II. Protection management 2.4 How and why configure scheduled file scanning Why scan for malware after the File Threat Protection? How can virus scanning help if File Threat Protection scans all dangerous files anyway? Virus Scan: — Prevents users from spreading archived malware — Updates caches of KSN and information about files’ checksums, after which File Threat Protection can scan fewer files — Scans files that have not been changed. The File Threat Protection does not scan such files, which may be dangerous Virus scan tasks check objects using the same methods as File Threat Protection: signature and heuristic analysis and KSN. The difference is that File Threat Protection checks files on-the-fly when they are accessed while virus scan tasks inspect the files by schedule or on demand. File Threat Protection works with the user. The more actively work the user’s applications, the more files are scanned by the File Threat Protection and the more resources it consumes. Therefore, the File Threat Protection settings are optimized to ensure protection against immediate threats only. If the user copies an archive, there is no immediate infection risk, and the archive does not need to be scanned. Virus scan tasks can be started during off hours, when more resources are available and a more thorough scan can be performed. That is why the scan task will wait for the answer from KSN before returning the final verdict, regardless of the signature and heuristic analysis results. Also, the task may check the objects that are excluded from the scan scope of the File Threat Protection—archives, installation packages, files in non-infectable formats, etc. A virus scan task can be configured to check the processes in the memory and be scheduled to run after each successful database update. II–24 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management What and how to scan for threats Configure malware scan settings in virus scan tasks. The administrator is to manually create a virus scan task in the Managed devices group. Starting with Kaspersky Security Center version eleven, the Quick Start Wizard does not create a Quick Virus Scan task anymore. By default, computers are scanned for viruses by a special local Background scan task. Background scanning is less resource-intensive when compared with an ordinary virus scan task. It is performed while the computer is locked, does not display any notifications to the use; however, it does not reset the Not scanned for a long time status either. You cannot modify scan settings or scope of this task. If you want to use a custom virus scan task, we recommend that you disable background scanning. To disable the Background scan task, in the properties of Kaspersky Endpoint Security policy, open Application Settings | Local Tasks | Background scan and clear the check box Scan when the computer is idling. Scan scope Scan scope is a list of paths to folders and files that are to be scanned by the task. System variables are allowed (for example, %systemroot%), as well as * and ? wildcards in the file or folder names. For the folders, you can select whether to scan all the contents, including subfolders. If subfolders are not selected to be scanned, the object icon is marked with the little red "minus" sign. In addition to files and directories, the following scan objects can be specified: — My email—Outlook data files (.pst and .ost) — Kernel Memory—the kernel memory of the operating system — Running processes and Startup Objects—the memory area allocated for processes and executable files of applications that start at the operating system start. Additionally, if this object is selected in the task properties, rootkit scanning will also be performed (rootkits are hidden objects of the file system) — Disc boot sectors—boot sectors of hard and removable drives — System Backup—System Volume Information folders — All removable drives—the removable drives connected to the computer at the moment — All hard drives—computer hard drives — All network drives—all network drives connected to the computer Create a task that scans the whole computer weekly or every other week. If you cannot find proper time for such a task, scan at least critical areas: II–25 Unit II. Protection management — — — — — — — — — Kernel Memory Running processes and Startup Objects Disk boot sectors %systemroot%\ %systemroot%\system\ %systemroot%\system32\ %systemroot%\system32\drivers\ %systemroot%\syswow64\ %systemroot%\syswow64\drivers\ Account By default, scan tasks are started on the client computers under the Local System account. If the scan scope includes network drives or other objects with restricted access, the task will not be able to scan them. To solve this problem, specify an account that has the necessary rights within the task properties. How to select an optimal schedule Virus scan tasks can use any regular schedule: every N days, weekly, monthly. They can also be started once: either automatically at the specified time, or manually. In addition, special schedule types are available: — After application update—the task will start after new threat signatures are downloaded and applied. This is convenient for the scanning of memory and other locations where active threats may appear — Start in N minutes after application startup—the task will start in a few minutes after the launch of Kaspersky Endpoint Security. This is another opportunity for the scanning of the most vulnerable computer areas — On completing another task—a universal schedule that allows arranging tasks into a chain. From the practical viewpoint, the best approach would be to link virus scan to update completion, but there is already a special schedule option for that purpose There is also an option that allows running missed tasks. If a computer is turned off at the scheduled time, the task will start as soon as the computer is switched on. Use this option cautiously. If virus scanning starts in the morning when the user turns on the computer, scanning will hamper the user. II–26 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management The mode Use automatically randomized delay for task starts makes more sense for an update task than for a virus scan task. See Unit IV for details. The Additional task settings area contains a few other useful settings: — Activate the device before the task is started through Wake-On-LAN (min)—the option allows you to schedule scan start for the night time or weekends without needing to worry whether the computer is on. However, to use this feature, you need to enable its support in the BIOS settings of the target computers — Turn off device after task completion—the option may supplement the previous one. If scanning is scheduled for the night or weekend, the computer can be turned off afterwards — Stop task if it has been running longer than (min)—the option allows guaranteed task completion before the working day begins, so that it does not interfere with the user’s activity On servers, perform virus scanning on weekends, when they are less loaded. On workstations, try to find such a time when computers are on, but virus scanning will not hamper the users: — Quick virus scanning can be performed during the lunchtime — Full scanning should run at night. Explain the users which day of the week they should not shut down their computers What if none schedule is optimal If you cannot arrange that the users do not turn off their computers, use Wake-On-LAN to power on the computers at night and run the virus scan task. If this capability cannot be used either, use so-called idle scanning. To enable idle scanning, open the Application Settings tab in the task properties and under Advanced Settings, select Scan when the computer is idling. In this mode, virus scanning will be performed only when the computer is locked; while the user is working, the task will be Paused. Full computer scan in the idle mode may take a few days or even a couple of weeks, but it is better than not to scan a computer at all. II–27 Unit II. Protection management 2.5 What to do with false positives How to configure an exclusion for an incorrect verdict If Kaspersky Endpoint Security informs about a threat in a file that is known to be clean, it is a false positive. False positives hamper work considerably. Kaspersky Lab very thoroughly tests new signatures on a huge number of files of operating systems and popular software to prevent false positives. During a scanning, Kaspersky Endpoint Security checks files against Kaspersky Security Network and ignores threats in the files which KSN considers to be trusted. False positives happen extremely rarely, and usually concern files of infrequent software, for example, homeware. If File Threat Protection or a virus scan task finds a threat in a clean file, create an exclusion for it: II–28 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management 1. Open the trusted zone settings in the Kaspersky Endpoint Security policy: Application Settings | General Settings | Exclusions | Scan exclusions 2. Add the file that gets a false positive to the Scan exclusions list. Select the File or folder check box. Click the link select file or folder in the lower part of the window to specify the complete path to the file. Use environment variables, for example, %ProgramFiles% It is safer to create an exclusion for a specific threat that Kaspersky Endpoint Security detected erroneously rather than exclude the file entirely. For this purpose: 3. Select the check box Object name in the exclusion window. Click the link enter object name in the lower part of the window to specify the threat name. The threat name can be found in the event about detected threat by Kaspersky Endpoint Security in the Description field. Exclusions by checksum What to do if a file for which you need to configure an exclusion may be installed into different directories on different computers? If the same file version is used on all computers, use the file checksum: 1. Open the trusted zone settings in the Kaspersky Endpoint Security policy: Application Settings | General Settings | Exclusions | Scan exclusions 2. Add the file that gets a false positive to the Scan exclusions list. Select the Object hash check box Specify the file checksum in the Object hash field in the lower part of the window. You can calculate the file’s checksum and add it manually, or copy it from a detection event. Kaspersky Endpoint Security calculates checksums of the scanned files and displays them in the detection events. Exclusion by certificate What to do if you configured an exclusion, but a new program version has been issued with new names of the folder and executable file, which also gets a false positive? II–29 Unit II. Protection management If file names are similar, use a path mask. In a mask, the asterisk “*” stands for an arbitrary sequence of symbols, and the question mark “?” stands for a single arbitrary symbol. For example, the file*.exe mask matches all files whose names start with “file” and have the .exe extension. If file names are entirely different, but all files are signed by a certificate, place the certificates to the certificate store on the computers where the program is used and configure Kaspersky Endpoint Security to trust these certificates: 1. Open the trusted zone settings in the Kaspersky Endpoint Security policy: Application Settings | General Settings | Exclusions 2. Select the check box Use trusted system certificate store and select a store. The default choice is Enterprise Trust 3. Place the certificate(s) with which program files are signed to the selected store on the client computer. You can use, for example, Active Directory group policies for this. Each computer has the user’s certificate stores and the computer’s certificate stores. Kaspersky Endpoint Security trusts only the certificates that are located in the computer’s store For homeware, you can use even self-signed certificates. 2.6 File protection: Summary File Threat Protection scans files on the drive that the user, operating system, and programs access. To avoid slowing down the computer, File Threat Protection scans only those files that pose an immediate threat. However, it does not prevent the user from copying archived malicious files. Virus scan tasks scan all files and delete malicious files that are passively stored on the computer, for example, archived malicious files. If you cannot figure out a suitable schedule for running the scan task, use idle scanning. If File Threat Protection slows down the computer or programs: — Schedule virus scanning. It updates the cache of scanned files and permits File Threat Protection not to scan them repeatedly if they have not been changed II–30 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management — Configure exclusions for applications: For folders, executable files, or certificates — If files (for example, user profiles) load slowly over the network, and protection is installed on network servers, do not scan network drives — As a last resort, pause File Threat Protection while a resource-consuming program runs Do not disable File Threat Protection. Schedule virus scanning on computers II–31 Unit II. Protection management Chapter 3. How to configure protection against network threats 3.1 How network protection works What network components do A network is one of the main ways of malware spreading. That is why network protection and network traffic scanning are so important for computer security. In Kaspersky Endpoint Security, Mail Threat Protection and Web Threat Protection components are responsible for anti-malware scanning of network traffic: Mail Threat Protection Deletes malicious code from email messages and attachments Renames potentially dangerous attachments Web Threat Protection Blocks attempts to download malicious files Does not permit visiting malicious and phishing websites II–32 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management How Kaspersky Endpoint Security intercepts traffic Kaspersky Endpoint Security intercepts network traffic using an NDIS filter. The driver intercepts outbound connections from the computer programs and transfers packets to the network protection components. Kaspersky Endpoint Security detects the connection protocol and transfers packets to the corresponding component: HTTP, HTTPS, FTP Web Threat Protection, Web Control SMTP, POP3, POP3S IMAP, NNTP Mail Threat Protection Other packets are sent directly to the programs and applications for which they are destined. Kaspersky Endpoint Security can scan secure connections (SSL/TLS) Kaspersky Endpoint Security can intercept only connections to the specified ports rather than all of the outbound connections. To configure this, in the Kaspersky Endpoint Security policy, open Application Settings | General Settings | Network Settings and in the Monitored ports area, select Monitor selected ports only. Click the link 37 ports selected and specify the ports that are to be controlled. If you do not know which ports a program uses, select the check box Monitor all ports for specified applications, and add the path to program’s executable file to the list. Standard ports and programs are specified in the list of Monitored ports. If non-standard ports or programs are used, add them to the list. II–33 Unit II. Protection management How Kaspersky Endpoint Security scans encrypted traffic During the installation, Kaspersky Endpoint Security creates a self-signed certificate—Kaspersky Endpoint Security Personal Root Certificate—and saves it to the local Trusted Root Certification Authorities store. At each start, KES checks whether the certificate is still there, and if no, restores it. To scan encrypted traffic (SSL/TLS), Kaspersky Endpoint Security replaces the certificate. Kaspersky Endpoint Security intercepts an outbound connection from an application to a server, receives the server’s certificate, generates a similar session certificate signed with Kaspersky Endpoint Security Personal Root Certificate, and gives it to the client application. This permits intercepting the symmetric encryption key and decrypting the whole communication session. The web browser will not show any warnings because Kaspersky Endpoint Security Personal Root Certificate is located in the trusted certificate store. Encrypted traffic scanning is enabled by default and pertains to the following components: — Web Threat Protection — Mail Threat Protection — Web Control SSL/TLS protocols support three authentication modes: Mutual authentication, anonymous client–server authentication, and complete anonymity. For example, when the user connects over https to a web server, in most cases, the second authentication mode is used: Anonymous client–server authentication. In this case, the certificate is easy to replace. If the first authentication mode is used, mutual authentication. For example, if a banking application client or cloud storage client rejects the substituted certificate, the encrypted connection will not be scanned. With the default settings, if errors arise when scanning a secure connection, the domain will be automatically added to the list of Domains with scan errors and its whole traffic will be skipped without scanning. An individual list is drawn up for each computer; it is stored locally and is not sent to the Kaspersky Security Center. To consult its contents, in the local KES interface, open Settings | General settings | Network settings | Advanced Settings; then click the link Domains with scan errors list. II–34 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management If necessary, you can reset the local lists of Domains with scan errors. For this purpose, in the Kaspersky Endpoint Security policy, open Application Settings | General Settings | Network settings, under When secure connection scan errors occur, select to Break connection, save the changes, and wait for the policy to be applied to the computers. Then restore the initial value of the parameter When secure connection scan errors occur: Add domain to exclusions, and apply the policy again. As a result, the local lists of Domains with scan errors will be cleaned out. If something is wrong with the web server’s certificate, for example, it has expired, the web browser will not be able to inform the user about this, because KES certificate is used within the session, which is all right. It is KES that informs the user about connecting to a domain with untrusted certificate and prompts whether to connect to the domain. If necessary, the administrator can prohibit connecting to domains with untrusted certificates. For this purpose, set the option When visiting a domain with an untrusted certificate to Block. Most websites use secure connections, and we recommend that you do not disable scanning secure connections entirely. If secure connection scanning hampers a program, configure exclusions. II–35 Unit II. Protection management In the Kaspersky Endpoint Security policy, open Application Settings | General Settings | Network settings. There are two links for configuring exclusions in the Encrypted connections scan area: Trusted domains and Trusted applications. If secure connection scanning hampers opening a website, add the website address to the trust list: 1. 2. Click the link Trusted domains Add the website address to the list. To specify a mask, use “*” and “?” wildcards Certificate will not be substituted for the listed websites. If you have a program that conflicts with secure connection scanning, disable encrypted traffic scanning for it: 1. Click the link Trusted applications 2. Add the application executable file to the Applications tab: Specify the full path to the file. You can use environment variables, such as %SystemRoot%. 3. Select the check box Do not scan network traffic, then select Encrypted traffic only, and clear the other checkboxes 4. If servers with which a program works have permanent addresses (or a range of addresses) and ports, specify them in the lower part of the window: It is safer this way This exclusion applies to the Mail Threat Protection, Web Threat Protection, and Web Control components. 3.2 Mail Threat Protection What Mail Threat Protection does The Mail Threat Protection protects from email threats. Messages are intercepted at the protocol level (POP3, SMTP, IMAP and NNTP), and by embedding into Microsoft Office Outlook (MAPI). II–36 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Mail Threat Protection detects and deletes malware using malware signatures, heuristic analysis and Kaspersky Security Network. Additionally, Mail Threat Protection can block or rename email attachments that match the specified masks. Mail Threat Protection changes the subject of infected messages. The action taken is described in the message subject. Configuring Mail Threat Protection Protection scope Security settings, among other options, determine the Protection scope. Mail Threat Protection can scan either — Incoming and outgoing messages — Incoming messages only To ensure minimal computer protection, you can scan incoming messages only. The scan of outgoing messages can prevent inadvertent sending of an archived infected file and save the embarrassment. Additionally, you can select to scan outgoing messages if you want to block attachments of certain types, for example, music or videos. By default, incoming and outgoing messages are scanned. You can modify the protection scope only in the MMC Administration Console. Connectivity The Connectivity group of settings more precisely defines the protection scope: — POP3/SMTP/NNTP/IMAP traffic—enables scanning of mail and news messages transferred over the specified protocols II–37 Unit II. Protection management — Additional: Microsoft Office Outlook extension—scan objects2 when they are received, read and sent at the level of Microsoft Office Outlook client. Scanning at the protocol level operates independent of the mail clients used. However, messages transferred over unsupported protocols (for example, through Microsoft Exchange or Lotus Notes servers) will not be scanned. Conversely, scan at the mail client level works regardless of the way the message was received. However, the list of supported mail clients is rather limited. Scanning methods These settings concern attached compound files. If archives are attached, they can be unpacked and scanned. This behavior is controlled with the following settings: — Scan attached archives—this setting allows the administrator to fully disable archive scanning. As a rule, it is better to leave this check box selected and to scan archives “on the fly” using Mail Threat Protection. It is much easier not to allow any infected archive to penetrate into the mail database than to remove it from the database later using a virus scan task — Scan attached Office formats You can disable these parameters only in the MMC Administration Console. Do not turn off these parameters. Malicious files are often spread in attached archives and office documents — Do not scan archives larger than NN MB—limits the volume of archives or office files to be scanned. Malware is rarely spread in big files. Enable this limitation to avoid waiting too long when receiving large compound files — Do not scan archives for more than NN sec.—this option implements protection against “archive bombs” whose scanning requires a very long time and a lot of resources, which slows down the computer. Attachment filter These settings concern only attached files. You can: — Disable filtering—let through all kinds of non-malicious attachments — Rename specified attachment types3—is used by default and renames attachments of executable types (.exe, .bat, .cmd, etc.) This is a preventive measure against unknown malware. The user will not be able to start an attached file without consciously renaming it. If archive scanning is enabled, Mail Threat Protection will rename archived files with the specified extensions. This option can also be used to fight outbreaks of new malware. If names of the attachments used by the malware are known, they can be added to the list and then renamed so that the users are unable to open these attachments as regular files. Renaming can reliably prevent infection. At the same time, if a harmless attachment matches the specified mask, renaming would not cause any serious problems. The user can consult the administrator and receive instructions on how to rename the file back 2 Not only mail messages are scanned, but also the objects within Public folders and Calendar: any objects received over MAPI from the Microsoft Exchange storage. 3 Renaming is as follows: the last character of the extension is replaced with the underscore character, e.g., file.exe becomes file.ex_ II–38 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management — Delete specified attachment types is a safe way to prevent infections, which can also be used to prevent exchange of files of certain types, for example, music or video files If archive scanning is enabled, Mail Threat Protection will delete files of the specified types from attached archives By default, the list of filters contains the masks of frequently used file extensions. In addition to the extensions, userdefined masks can contain parts of names. “*” and “?” wildcard characters can be used. The added masks will go to the beginning of the list and will be enabled immediately. Exclusions for false positives Exclusions for Mail Threat Protection are configured the same way as for File Threat Protection: In the Application Settings | General Settings | Exclusions | Scan exclusions. For the File or folder, you can specify a name or mask to exclude all matching files from scanning. The same exclusion must be configured for File Threat Protection, or else the received attachments will not be saved or opened. 3.3 Web Threat Protection What Web Threat Protection does The Web Threat Protection component performs two important functions: — Analyzes addresses of web pages opened by the user or applications, and blocks access to phishing and malware-spreading sites — Scans objects downloaded over HTTP, HTTPS, and FTP protocols, and blocks malicious files. Four technologies are used for scanning the links: — Check against the database of malicious web addresses—compare the address of the site to be opened with the addresses of the websites known for hosting malware, attacking computers, or other harmful activities II–39 Unit II. Protection management — Check against the database of phishing web addresses—is similar to the previous check, but against the database of sites on which phishing pages have been detected — Heuristic analysis for detecting phishing links—analysis of the site contents for HTML code characteristic of phishing — KSN check—addresses of the opened sites are checked against KSN. Dangerous links are blocked. The received answer is saved in the local cache and is used for further checks. Downloaded files are scanned using all the available methods: signature and heuristic analysis, as well as KSN. Configuring Web Threat Protection Actions You can select the action to be taken against all detected dangerous objects: — Block download, or — Inform You should select the Block download action in the policy and lock it so that the users are not able to download hazardous objects or visit hazardous websites. When the user attempts to open a black-listed website or download an infected object, a notification will be displayed in the browser explaining that the download was blocked by Kaspersky Endpoint Security. How to make a website trusted If Web Threat Protection erroneously considers a website to be malicious or phishing, add its address to the trust list: 1. 2. 3. In Essential Threat Protection, click the link Web Threat Protection Select the check box Do not scan web traffic from trusted web addresses Add the website address to the list. To specify a mask, use “*” and “?” wildcards II–40 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management The listed sites and the objects downloaded from them will not be scanned by Web Threat Protection. If Web Threat Protection erroneously considers a file that a user downloads from a website to be malicious, make an exclusion for the file in Application Settings | General Settings | Exclusions. Apply the exclusion at least to Web Threat Protection, File Threat Protection and Virus scan. 3.4 How not to intercept the whole traffic of a program Starting with version eleven, Kaspersky Endpoint Security uses a driver that does not disrupt the connection; it uses the operating system functions to receive access to all packets. This interception method usually does not affect network applications4. If you have a program that conflicts with the new interception method too, disable traffic interception for it: 1. In Kaspersky Endpoint Security policy, open the Application Settings | General Settings | Exclusions, and click the link Trusted applications. 2. Add the application executable file to the list of Trusted applications: Specify the full path to the file. You can use environment variables, such as %SystemRoot%. 3. Select the check box Do not scan network traffic and clear the other check boxes 4. If servers with which a program works have permanent addresses (or a range of addresses) and ports, specify them in the lower part of the window: It is safer this way 4 In old versions of Kaspersky Endpoint Security (before 10 Service Pack 2), the driver that intercepts connections for network protection components acts as a local proxy. When a program establishes connection to a remote server, Kaspersky Endpoint Security replaces the server address with its own address to receive the packets, and then establishes another connection to the remote server to send the scanned packets. The answer packets from the server are processed in a similar manner: First through the connection established by Kaspersky Endpoint Security, and then from Kaspersky Endpoint Security to the program. Some network programs are incompatible with this interception method. II–41 Unit II. Protection management This exclusion applies to the Mail Threat Protection, Web Threat Protection, and Web Control components. 3.5 Protection for network connections: Summary The network components Mail Threat Protection and Web Threat Protection consume few resources. On the contrary, they enable File Threat Protection to scan fewer files, and improve computer performance. Web Threat Protection is the only component that protects against phishing. It also protects against new threats that are spread through known malicious websites. Do not turn off network protection components, it will not improve performance, but will affect protection If Web Threat Protection or Mail Threat Protection erroneously delete files, block safe websites or hamper network programs, configure exclusions: — Exclusions for websites in the Web Threat Protection settings — Exclusions for programs in General Settings | Exclusions — Exclusions for ports in General Settings | Exclusions II–42 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Chapter 4. How to configure protection against sophisticated threats 4.1 How Kaspersky Endpoint Security protects against new threats Criminals continually create new malicious files. Kaspersky Lab is famous for detecting new threats and adding their signatures to the database very quickly. Checksums of malicious files get to Kaspersky Security Network even more promptly. However, criminals are still half a step ahead. How does Kaspersky Endpoint Security protect against new threats and especially against ransomware? Ransomware that encrypts documents and demands money in return for the key cause immediate and direct harm Kaspersky Endpoint Security tries to detect and block malware, including new, at all stages of an attack: Criminals publish malware on websites. Often these websites have also been used previously Web Threat Protection uses the database of known malicious websites and websites’ reputation in KSN and prevents the users from opening them Criminals email new malware Mail Threat Protection renames executable attachments, including archived ones Criminals use software vulnerabilities to run malicious code Exploit Prevention blocks attempts to infect the machine through known and some unknown application vulnerabilities New malware have different code to get round signature scanning, but behave similarly to other malware Behavior Detection monitors what a programs does, and detects new malware by behavior II–43 Unit II. Protection management Encrypted data are statistically homogeneous, as if produced by a random-number generator. This makes them different from most ordinary files Behavior Detection uses heuristic and statistical analysis as well as machine learning technologies to detect encryption in files New malware does not have any reputation in KSN Host Intrusion Prevention does not allow the programs without a reputation to use many of the operating system functions New threats are mainly opposed by Behavior Detection, Exploit Prevention, and Host Intrusion Prevention, with the help of Kaspersky Security Network. 4.2 Detection technologies used in Kaspersky Endpoint Security Kaspersky Endpoint Security components can be broken down into three groups: Components that provide static protection, components that provide dynamic protection, and additional components. The File / Web / Mail Threat Protection components provide static protection for a device: Scan objects before they run, block start and download of dangerous objects. The Behavior Detection, Exploit Prevention, and Rollback components provide dynamic protection: Monitor objects’ actions, analyze, detect, and block dangerous behavior. The third group includes Host Intrusion Prevention, Firewall, and Network Attack Blocker: Their task is to decrease the attack surface on the protected devices by limiting untrusted programs’ start and network access. This helps to partly take a load off dynamic and static protection. Kaspersky Endpoint Security components scan objects using the antivirus engine, information from KSN, and various technologies. Some of the detection technologies are implemented on the client side, meaning, in the engine (signature analysis, heuristic analysis, behavior analysis). Some, on the Kaspersky Lab side (expert analysis, machine learning, reputation service). KES receives only the results: Signature updates, program reputations, dangerous activity patterns, machine learning models, etc. A detection event displays the name of the component and technology that pinpointed the threat. II–44 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management In the local Kaspersky Endpoint Security interface, detection technologies display the source from which they received information about the threat: — Automatic analysis—data about the threat were received from the automatic object analysis system. Object analysis is automated at Kaspersky Lab. The automatic object analysis system processes all objects that KL receives, returns verdicts and generates signatures. If the system cannot process an object, it sends it to virus analysts — Expert analysis—data about the threat were added by virus analysts of Kaspersky Lab. Virus analysts are experts who develop not only threat signatures, but also dangerous activity patterns, machine learning models, etc. — Behavior analysis—data about the threat were received upon analyzing the object’s behavior — Cloud analysis—data about the threat were received from the Astraea technology, a part of KSN. Astraea is a big data processing system; it receives data from all sources of KSN requests, analyzes, ranges validity, and evaluates the threat — Machine learning—data about the threat were received from a machine learning model. A machine learning model is developed at Kaspersky Lab. Then the model learns on a large array of data received from KSN and the Astraea system. Then KES uses the model along with other technologies when hunting for threats. Since the threat landscape changes continually, the model is regularly improved and learns incrementally on the Kaspersky Lab side. Updates to the machine learning model are supplied to KES periodically the same way as threat signatures 4.3 What Advanced Threat Protection does The components and technologies that help to counter new malware not yet added to the signature databases or minimize their impact are called proactive defense. Heuristic analysis which we’ve studied already is an example of a proactive defense technology. However, the main role in this protection aspect belongs to Behavior Detection, Exploit Prevention, Remediation Engine, Host Intrusion Prevention, and to some extent to the Control components and Firewall. How Behavior Detection protects against new threats II–45 Unit II. Protection management Behavior Detection performs several functions: — Logs application activity for comparison with the behavior signatures database — Detects malware and blocks their actions — Protects shared folders against external encryption Malware detection is the main task. For this purpose, Behavior Detection monitors program actions and compares them with dangerous activity patterns. The application activity log includes file access operations, established network connections, and system function calls. The database of patterns is updatable, but updates are rarely issued for it. Efficiency of the Behavior Detection almost does not depend on the databases’ update regularity. Settings Behavior Detection settings are few: in substance, you can only enable or disable the entire component, or protection of shared folders against external encryption. Actions If Behavior Detection detects malicious behavior, it stops the program, deletes its executable file, and moves it into the Backup repository. Other possible actions: — Inform—do nothing, only log the detection of malicious activity — Terminate the program—stop the malware and unload it from the memory — Delete file—stop the program, delete the malicious file, and place its copy into the Quarantine repository If Protection of shared folders against external encryption detects an attempt to encrypt files in a shared folder over the network, it blocks the write and delete operations for this session for 60 minutes. Then it tries to restore nonencrypted file versions from a backup copy using the Remediation Engine component. Do not disable Behavior Detection. It protects against threats that other components may fail to counter. To prevent false positives or improve performance, create exclusions. How Exploit Prevention protects against new threats Exploit Prevention—protects from various attacks (exploits) whose aim is to receive administrative permissions in the system or conceal code execution. Exploits typically use buffer overflow attacks. Incorrect parameters are passed to a vulnerable program or service, which processes them and therefore executes some parameters as code. Specifically, such attacks against system services running under the local system account enable criminals to receive administrative permissions on the computer. Typically, malware tries to start itself under the administrator account as a result of such an attack. When this option is enabled, start operations are being monitored and if a vulnerable program starts another program without the user’s explicit command, the start is blocked. II–46 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management How Remediation Engine protects against new threats Remediation Engine—rolls back actions taken by the programs deleted by File Threat Protection, Virus Scan tasks, and Behavior Detection. Actions to be rolled back are any changes made to the file system (creating, relocating, renaming files) or registry keys (the records created by the malware are deleted). Also, a backup copy of some files and keys is created at the time of the system start, which allows rolling back to this version if malware changes these files and keys. These special objects include hosts and boot.ini files and registry keys responsible for starting programs and services during the system start. This option also restores files encrypted by ransomware, which encrypt files on drives and in shared folders, and then demand a ransom. Remediation Engine uses the application activity log written by the Behavior Detection component. II–47 Unit II. Protection management How Host Intrusion Prevention stops new threats The main purpose of the Host Intrusion Prevention is to regulate the activities of the running programs, namely, access to the file system and registry as well as interaction with other programs. How Host Intrusion Prevention calculates a program’s reputation Host Intrusion Prevention categorizes applications into trust groups, for which limitations are specified. Every program receives one of the four trust levels: — — — — Trusted Low Restricted High Restricted Untrusted Kaspersky Endpoint Security assigns a trust group to a program when it starts for the first time. The main categorization tool is Kaspersky Security Network. If it is inaccessible or KSN lacks information about the program, the assigned category depends on the policy settings: — If a trust group cannot be defined, automatically move applications to—this setting permits the administrator to select which category to assign to the programs that do not yet have a reputation. The administrator can select High Restricted, Low Restricted, or Untrusted — Trust applications that have a digital signature—if this parameter is enabled, the programs signed by trusted certificates will be automatically placed in the Trusted group Trusted certificates are certificates that Kaspersky Security Network trusts. The defined trust group is saved and used at each start of the program. The saved data may be revised or deleted depending on the following settings: — Update rights for previously unknown applications from KSN database—program’s trust group will be changed automatically if it appears in the KSN — Delete rights for applications that are not started for more than N days—allows wiping out the trust group information for the programs that have not been started for a long time. The lifetime is adjustable II–48 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management — Applications launched before Kaspersky Endpoint Security for Windows are automatically moved to the trust group— permits configuring the trust group for programs that start earlier than Kaspersky Endpoint Security5 How Host Intrusion Prevention limits applications Host Intrusion Prevention limits interaction with other programs and operating system services depending on the trust group. Generally, the default restrictions for trust categories are as follows: Trusted No limits Low Restricted Low Restricted—almost everything is allowed, except for building into operating system modules and accessing recorders (web cams and microphones) High Restricted Interaction with operating system modules and other programs is prohibited. A program is allowed to work only with its own segment of the system memory Untrusted The program is prohibited even from starting Host Intrusion Prevention helps limit access to files, folders and registry keys on the hard drives. Host Intrusion Prevention has a list of protected resources. They are grouped into two categories: — Operating system — Personal data Each category has its subcategories and resource descriptions: Paths to folders, file masks, registry key masks. Initially, the list of protected resources contains groups of most important files and registry keys. For example, the Operating system category has a subcategory Startup settings, which lists all registry keys related to startup. Rights to access groups of resources are defined for operations: Read, Write, Remove and Create. By default, Host Intrusion Prevention protects resources as follows: Operating System Personal data Trusted Full access Full access Low Restricted Full access to everything except critical operating system files For critical operating system files, Read only Full access High Restricted Read only Full access Untrusted No access No access Program limitations automatically apply to its child processes. If a program with limitations starts a trusted program, this trusted program will also be restricted. If a trusted application is started by the user or another trusted program, there will be no limits How to configure Host Intrusion Prevention The administrator can modify limitations for any trust group and even for any individual program. 5 Drivers of the Firewall and Intrusion Prevention start before any other software, while the Kaspersky Endpoint Security module responsible for the reputation of executable files, later. To protect the computer while the reputation module is not running, drivers apply the limitations of the specified trust group to all programs. II–49 Unit II. Protection management Do not change the Host Intrusion Prevention settings unless you know precisely what you are doing To find the trust groups and their limitations: 1. 2. 3. 4. 5. Open the Advanced Threat Protection | Host Intrusion Prevention section in the Kaspersky Endpoint Security policy Click the link Application rights and protected resources Switch to the Application rights tab Select the trust group in the left pane At the top of the right pane, in the drop-down list, select Rights The administrator can limit or extend rights for a program having the selected reputation here. For example, you can allow low restricted programs to access the web cam. To view protected resources: 1. 2. Open the Advanced Threat Protection | Host Intrusion Prevention section in the Kaspersky Endpoint Security policy Click the link Application rights and protected resources II–50 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management To protect other files or registry keys, add them to the list. Keep your resources in an individual category. To add your own protected resources: 1. 2. Click the Add button to create your categories and resource descriptions Configure access rights for the resource in the table on the right To be informed when Host Intrusion Prevention blocks an operation, enable logging. For this purpose, right-click an action in the table and select Log events. You can log allow events of Host Intrusion Prevention6 to understand which programs work with a resource. Note: The limitations configured for a program are inherited by all its child processes, even if their executable files are included in the Trusted group. Thus, the programs with lower trust level may not evade the prohibitions by using the privileges of programs having higher trust levels. How to configure Host Intrusion Prevention to stop ransomware With the default settings, Host Intrusion Prevention protects the operating system and other software on the computer against programs that have a bad reputation. The administrator can also easily protect users’ files against unknown programs. This way, they will be protected against ransomware that encrypt documents. The idea is simple. Ransomware: — Either already has bad reputation in KSN, and Kaspersky Endpoint Security will not permit starting it — Or does not have any reputation in KSN and Host Intrusion Prevention will make it Low Restricted (by default) or High Restricted, depending on the administrator’s choice Programs designed for working with documents, such as Microsoft Office, are well-known and have a Trusted reputation. Therefore, to protect documents, prohibit restricted programs from editing them. For this purpose: 6 1. In the Kaspersky Endpoint Security policy, open Advanced Threat Protection | Host Intrusion Prevention and click the link Application rights and protected resources 2. Add documents to the list of protected resources in Host Intrusion Prevention: In the list on the left, select the category Personal data| User files and add a new category named Documents 3. Include in the category document extensions, such as *.doc, *.docx, *.pdf, etc. For this purpose, add File or folder to the category and specify the extension in the Path field. Repeat for all extensions 4. Prohibit restricted applications from editing documents. For this purpose, select the category in the list on the left and change the rights in the table on the right: Prohibit High Restricted and Low Restricted applications from Writing and Deleting Be careful not to create an overwhelming stream of events from computers to the Administration Server. If you need to analyze access allow events, save them only into the local log of Kaspersky Endpoint Security rather than sending to the Administration Server II–51 Unit II. Protection management How AMSI Protection Provider stops new threats Antimalware Scan Interface (AMSI) is an open API developed by Microsoft that permits antivirus and other security solutions synchronously scan macros and other scripts and block execution of malicious code within applications. The AMSI Protection Provider component permits Kaspersky Endpoint Security better interact with AMSI and thus improve detection of various attack types, for example, fileless attacks. Fileless attacks are based on the following idea: Why develop malware if you can use existing legitimate tools to achieve your aim? (For example, PowerShell, JavaScript, VBScript etc.) The criminals’ aim when organizing a fileless attack is to intercept management of a process, run your code in its memory, and use this code to start other tools available on the device. (For example, PowerShell.exe, or wmic.exe.) Such an attack is difficult to detect, because criminals do not need to save their applications that may be recognized as malicious on the device. Additionally, various masquerade techniques are often used. For example, code obfuscation, which complicates code analysis, and evasion techniques, which permit transferring the necessary information to the computer. How interaction is organized Let us explain operation of AMSI Protection Provider through the example of an attack that is becoming increasingly widespread nowadays: Running PowerShell interpreter from a macro in document and executing a malicious script in PowerShell. When an application opens a document, before running the script, it transfers it to ASMI for scanning and waits for the verdict. AMSI protocols the script’s actions and sends its commands via AMSI Protection Provider to the antivirus provider: Kaspersky Endpoint Security. This permits antivirus provider to access the commands that the script has compiled on the fly in the memory. Kaspersky Endpoint Security scans commands generated by the script and returns a verdict. Depending on the received verdict, AMSI instructs the application whether to run the script. This schema is implemented for Microsoft applications, and can also be implemented for any application that supports AMSI. Except for scripts, applications can transfer distribution plugins for scanning prior to installation, and archives. II–52 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management 4.4 How to exclude a program from monitoring What to do if KES hampers a program Almost any heuristic analysis returns false positives. To reduce them, exclude known clean programs from analysis: — Programs that are considered to be trusted in Kaspersky Security Network — Programs signed with trusted certificates To avoid blocking programs that are considered to be trusted in KSN, simply use KSN. To trust signed programs, use the following Host Intrusion Prevention setting: Application processing rules | Trust applications that have a digital signature. Kaspersky Endpoint Security trusts only those digital signatures that are is based on trusted certificates rather than all of them. Trusted certificates are those issued by trusted certification centers. Kaspersky Endpoint Security uses its own database of certificates and does not always trust certificates in the local store Trusted Root Certification Authorities. If a certificate has been compromised, Kaspersky Endpoint Security learns about this from Kaspersky Security Network, and will not trust files signed with this certificate. Kaspersky Endpoint Security does not trust self-signed certificates either. To trust tailor-made software with a selfsigned certificate, add the certificate to the trusted zone of Kaspersky Endpoint Security as described in “Exclusion by certificate”, in section 2.6. If a program does not have a digital signature, you can manually add it to the Trusted group in the Host Intrusion Prevention policy. Alternatively, you can completely exclude a program from scanning by Behavior Detection and Host Intrusion Prevention. How to do it will be explained later. How to modify a program’s trust category Most of the widespread commercial programs have a Trusted reputation. However, some open-source programs have a Low Restricted reputation. Homeware may not have any reputation in KSN, and may receive a Low Restricted reputation (or High Restricted, depending on the policy settings). II–53 Unit II. Protection management If the reputation hampers working with a program, change its reputation in the Kaspersky Endpoint Security policy: 1. 2. 3. 4. 5. 6. 7. Open the Advanced Threat Protection | Host Intrusion Prevention section in the Kaspersky Endpoint Security policy Click the link Application rights and protected resources Switch to the Application rights tab Click Add above the list of application categories Select the group to which you want to move the file: Trusted, Low Restricted, etc., and click Next Click Filtering, and filter the list of applications by executable file name. Select the executable file in the filtering results and click OK If the administrator has selected a reputation for a file in the policy, Host Intrusion Prevention will use this reputation on the computers instead of the KSN reputation. Reputation from KSN is used only for files that are not explicitly specified in the policy. Meaning, for most files, because by default the policy has only reputation groups, and no files. If the administrator has added a file to a reputation group in the policy, he or she can reconfigure its restrictions as desired. For example, the administrator can add a program to the Trusted group, but then open its rights and prohibit it from accessing the web cam. What to do if the list of known programs is empty in the policy If you use policies with the default settings, the list of executable files is likely to be empty in the policy. Kaspersky Endpoint Security intercepts all executable files on the computers, and Host Intrusion Prevention assigns a reputation to all of them. However, this data is not sent to the Administration Server by default. And the policy shows only those executable files about which Kaspersky Endpoint Security has informed the Administration Server. To make Kaspersky Endpoint Security send lists of executable files to the server, create and run an Inventory task, or enable the Application Control component and run the necessary application. The lists of computer executable files are rather large. If all managed computers send them to the server, it will increase the load on the network considerably. Usually, this is not necessary. Do not run the Inventory task on all computers. Do not enable Application Control for the computers where you are not planning to use it to regulate applications’ start. To receive only the files that you need, create an Inventory task for specific computers. II–54 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management How to get the list of applications from a computer We recommend that you do not collect lists of files from all computers. Administrators often have test computers where all typical programs are installed. If you have such computers, gather lists of executable files from them. To fill the local list of known programs on a test computer, do not start all the programs manually, use the Inventory task. The Inventory task scans files in the specified folders, finds the executable files, adds them to the local list of known executable files, and activates data transfer to the Administration Server. To have scanning results sent to the server, select the check box Inform Administration Server about started applications in the Kaspersky Endpoint Security policy. To create an inventory task, run the task creation wizard on the Devices | Tasks tab. Select the Inventory task type under Kaspersky Endpoint Security 11 for Windows. If it is a task for a test computer, after creating the task, open it properties and include All hard drives in the scope. Assign the task to individual test computers. II–55 Unit II. Protection management How to make a program trusted for Behavior Detection and Intrusion Prevention If the limitations set by the Host Intrusion Prevention still block a necessary program, you can configure the corresponding exclusion. There are two types of exclusions in Host Intrusion Prevention: — Exclusions for resources—allow any program to perform any operation with the specified group of resources (is not available in the web console) — Exclusions for programs—allow the specified programs to perform any operation Exclusions for resources are configured in the properties of Host Intrusion Prevention, on the Protected resources tab. You can configure exclusions for folders, files and registry keys. Exclusions for programs are configured in the Trusted applications, and provide several additional capabilities: — Do not monitor application activity—disable all restrictions for the specified program — Do not inherit restrictions of the parent process (application)—disable the limitations inherited from the process that started the program and the parent processes of higher levels — Do not monitor child application activity—disable the restrictions for the processes started by the program for which the exclusion is created These exclusions apply to Behavior Detection and Host Intrusion Prevention. II–56 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management 4.5 Protection against new and sophisticated threats: Summary Almost all Kaspersky Endpoint Security components help protect against new threats, but primarily Behavior Detection and Host Intrusion Prevention. Both components monitor the operations performed by the programs. Host Intrusion Prevention calculates the reputation of executable files and limits actions of programs that have bad or unknown reputations. Program reputation is supplied by Kaspersky Security Network, or the administrator specifies it in the policy settings. Behavior Detection monitors what programs do in general rather than their individual actions. For this purpose, it logs everything that programs do and then checks whether sequences of actions resemble malicious activities. Remediation Engine uses the log of actions to roll back malicious activities. Behavior Detection has special heuristics that permit detecting ransomware (malware that encrypts documents and demands a ransom). In many cases, Behavior Detection can recover encrypted documents with the help of Remediation Engine. To better protect against ransomware, configure Host Intrusion Prevention to block access to documents for programs that have a bad reputation. Do not disable Behavior Detection and Host Intrusion Prevention. These components implement state-of-the-art technologies that protect against most sophisticated threats II–57 Unit II. Protection management Chapter 5. How to control network connections 5.1 How Firewall protects against threats From the security point of view, the Firewall performs two functions: — Block unauthorized network connections to the computer, thus decreasing the infection probability — Block unauthorized network activity of the programs on the client computer. This decreases the risk of an outbreak, and also limits actions of the users that consciously or unconsciously violate the security policy The Firewall is tightly integrated with Host Intrusion Prevention. Host Intrusion Prevention does not limit programs’ access to the settings of the operating system, other programs and user files. Firewall checks the program reputation and limits its access to the network. This way, the Firewall prevents already running malware from causing harm: for example, sending the user’s passwords to criminals. The Network Threat Protection component complements the Firewall and analyzes packets. While Firewall uses relatively simple rules to block packets and connections, Network Threat Protection checks sequences of packets for signs of a network attack, for example, buffer overflow attack via known vulnerabilities, and blocks connections through which an attack is performed. 5.2 How Firewall works in KES Firewall controls connections at the network and transport level using packet rules. It analyzes inbound and outbound packets, compares them with the rules and takes one of the two actions: — Allow — Block II–58 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management How Firewall analyzes packets and connections The simplest part of Kaspersky Endpoint Security Firewall is the list of packet network rules. To view it, open the Firewall section in the Kaspersky Endpoint Security policy and in the Firewall rules area, click the second Settings button. A packet rule consists of the following attributes: Action Allow, Block or According to the application rule According to the application rule means that Firewall will look for an appropriate rule in the settings of the program to which the packet pertains, and if this program has no settings, in the settings of the reputation group to which the program belongs Protocol TCP, UDP, ICMP, ICMPv6, IGMP, GRE Direction Inbound (packet)—applies to all inbound packets Inbound—applies to all packets within inbound connections Inbound/outbound—applies to all packets Outbound (packet)—applies to all outbound packets Outbound—applies to all packets within outbound connections The TCP protocol establishes connections; use the directions Inbound, Outbound and Inbound/Outbound together with the TCP protocol Other protocols do not establish connections; they send packets. Use Inbound (packet), Outbound (packet) and Inbound/Outbound with them Remote ports Ports on a remote computer Can be specified for TCP and UDP protocols To specify several ports, separate them by comma, for example: 25, 110 To specify a range, use a hyphen: 0-1024 Local ports Ports on the local computer Can be specified for TCP and UDP protocols ICMP type Echo, Echo Reply, Time Exceeded, Destination Unreachable, etc. Can be selected for ICMP and ICMPv6 protocols II–59 Unit II. Protection management ICMP code Code for some ICMP types. You can select code 0, 1 or 2 For example, for a Destination Unreachable ICMP packet, code 0 means Net Unreachable, code 1—Host Unreachable, code 2—Protocol Unreachable7 Network adapters Permits specifying the network adapter by Interface type, IP address and MAC address Types of interfaces: Loopback, Wired network (Ethernet), Wi-Fi network, Tunnel, PPP connection, PPPoE connection, VPN connection, Modem connection TTL Packet lifetime Remote addresses Addresses of remote computers, which can be specified directly or indirectly To specify addresses directly, select Addresses from the list and fill the list of IP addresses To specify addresses indirectly, select Any address or Subnet addresses. Subnet addresses are: Trusted networks, Local networks or Public networks Local addresses Addresses of a local computer (a computer can have many addresses) You can select either Any address, or Addresses from the list, and fill the list Both IPv4 and IPv6 can be specified for IP addresses The Firewall compares packet attributes with rule attributes, and if everything coincides (protocol, ports, direction, network adapter, local address, remote address), applies the action specified in the rule. Rule application will be registered in the Firewall log if the Log events check box is selected. The Firewall looks for the first matching rule (from the top down) and applies it. To rearrange the rules, select a rule and move it using the Up and Down buttons. A default policy contains a list of packet rules that provides reasonable security for computers both on and off the corporate network. The standard settings are described in detail in the end of this chapter. Standard packet rules are not hard-coded. The administrator can edit and delete them, or add custom rules. For convenience, the protocol, ports and direction can be specified by templates (for example, Any network activity, Browsing web pages, Remote Desktop network activity, etc.) To select a template, click the button to the right of the Name field in the rule settings. How Firewall decides which networks are local Addresses of remote computers may be specified indirectly in the rules, as Subnet addresses: Trusted networks, Local networks or Public networks. How does the Firewall decide which addresses belong to which networks? Network statuses are specified by the administrator in the Kaspersky Endpoint Security policy. If the policy does not describe a network status, the Firewall defines it itself on the client computer. To add a network to the policy and select a status for it: 1. 2. 3. 4. 7 Click the Networks link in Application Settings | Essential Threat Protection | Firewall Click the Add button above the list Type a name for the subnet and select its type Specify subnet address in the following format: <IP address>/<netmask length in bits>, for example 192.168.0.0/24 or 1234::cdef/96 for IPv6 networks For ICMP message types and code values, consult protocol documentation II–60 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management On the computer, the Firewall adds the networks configured for the computer's network adapters to the networks specified in the policy. If an adapter’s network coincides with or belongs to a network from the policy, it receives the status specified in the policy. If the adapter’s network does not belong to any of the networks described in the policy, the Firewall assigns it a status based on its status in the operating system. If it is a domain, work or home network, the Firewall assigns it the Local status. If the network is public in the operating system, it will also be public for Kaspersky Endpoint Security Firewall. All other addresses are considered to be addresses of public networks. For example, the policy might contain a single network entry for 172.16.0.0/16 with the Local network status. And a managed computer might have two interfaces configured to use networks 172.16.55.0/24 and 192.168.5.0/24 respectively. Let’s say Kaspersky Endpoint Security automatically assigned the Public status to both these networks. Now when the local networks are combined with the policy, the status of 172.16.55.0/24 network effectively becomes Local network, because there is an entry in the policy for network 172.16.0.0/16 that includes 172.16.55.0/24. On the other hand, the 192.168.5.0/24 network retains its Public status because there is no matching entry in the policy. II–61 Unit II. Protection management In the default policy settings, there are three network entries, all of which have the Local network status: — 10.0.0.0/8 — 172.16.0.0/12 — 192.168.0.0/16 These are reasonable choices for the computers that are inside the perimeter; however, they should be reconsidered for computers outside the perimeter, e.g., the computers connected via VPN or laptop computers on a business trip. How Firewall restricts programs If the Firewall does not find a matching rule for a packet, or finds it, but the action specified in the rule is According to the application rule, it starts looking for the packet rule configured for this application. And if the application has no settings in the policy, it checks the program’s reputation and looks for a matching packet rule in the reputation settings. The Firewall uses the same reputations as Host Intrusion Prevention. The settings that Host Intrusion Prevention uses to select a reputation are also applied to the Firewall. If Host Intrusion Prevention is not installed, Firewall defines the reputation itself using the Host Intrusion Prevention settings. A program cannot be Trusted for Host Intrusion Prevention and at the same time High Restricted for the Firewall. Each program has only one reputation. To consult packet rules for applications and reputations: 1. 2. 3. In the Related Host Intrusion Prevention settings area, click the Network rules link In the left pane Applications, select a program or reputation At the top of the right pane, in the drop-down list, select Network rules There are no applications in a policy by default; there are only reputations and settings for reputations. The administrator can add programs to a reputation and after that he or she will be able to add whichever packet rules to the program properties. Applications can be added in the same manner as in Host Intrusion Prevention. Each program and reputation in the list of rules has three rules that are always located at the bottom of the list: — Any network activity in Trusted networks — Any network activity in Local networks — Any network activity in Public networks II–62 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management For the Trusted and Low Restricted reputations, all three rules use the Allow action by default, and for the High Restricted and Untrusted reputations, the Block action. Standard rules cannot be deleted or modified, except for the Action attribute, which can be changed by the administrator. By default, if only reputations are configured in the policy, reputations have only these three rules. These rules intercept any network activity, because any address belongs to either a trusted, or a local, or a public network. That is why there is always a rule for any packet: A packet belongs to a process, the process has a reputation, and the reputation has at least one rule for any remote address according to the network type. The administrator can add custom rules to the list of reputation or application rules. These rules have only the following attributes: Action Allow or Block Protocol TCP, UDP, ICMP and ICMPv6 Direction Inbound, Outbound or Inbound/Outbound Remote ports for TCP and UDP Local ports for TCP and UDP ICMP type for ICMP and ICMPv6 ICMP code for ICMP and ICMPv6 Remote addresses Local addresses for TCP and UDP Action Allow or Block 5.3 What Firewall does under default settings Default network packet rules A standard policy does not contain rules for applications (except for the standard ones specified for the reputations). That is why the ultimate network status and application reputations are defined locally in the Firewall. II–63 Unit II. Protection management Packet rules are inherited from the policy, and accordingly, packets are filtered as follows: 1. The first three rules regulate the capability to send DNS requests (over TCP and UDP protocols, external port 53) and email (over TCP protocol, external ports 25, 465, 143, and 993). The According to the application rule action is selected in these rules, that is, programs from the Trusted and Low Restricted groups will be able to send DNS requests and email, while the others will not 2. Rule number 4 allows any network activity within trusted networks to all programs. So, in trusted networks, any activity is allowed by default, except for DNS and email limitations for Untrusted and High Restricted programs 3. The fifth rule defines the order of packet processing in local networks. Such packets are processed according to the application rules. The default application rules say that the programs from the Trusted and Low Restricted groups have no limitations in local networks, while High restricted and Untrusted have no access 4. The rest of the rules effectively regulate program behavior in the Public networks, since all packets from Trusted and Local networks are processed one way or another by the above rules. Rules 6-8 block remote desktop connections to the computer from public networks, and also block connections to the local DCOM service, NetBIOS packets, access to Windows shared folders, and access to Universal Plug & Play devices 5. Rules 9 and 10 allow inbound TCP and UDP streams only to the programs belonging to the Trusted and Low Restricted groups. Considering the default application rules, this means that Trusted and Low restricted applications can receive incoming connections from Public networks, whereas High restricted and Untrusted applications cannot. 6. Rules 11 to 15 block inbound diagnostic ICMP requests, while allowing ICMP packets to be sent to test connection to remote computers What it means for applications on the computer Trusted and Low Restricted programs have full access to all networks. That is why the Firewall does not hamper well-known programs by default. Untrusted and High restricted programs are allowed to access only trusted networks, and even there may not work with email and DNS. However, there are no trusted networks in a policy by default, and Untrusted and High restricted programs have no network access. II–64 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Thus Firewall prevents unknown malware from stealing passwords, downloading additional modules, receiving commands from the control center and sending spam Additionally, the Firewall blocks access to the operating system services (shared folders, remote desktop, DCOM, etc.) and blocks ICMP requests from public networks. What if the Firewall impedes an application Most network applications are automatically included in either Trusted or Low Restricted groups, and are allowed to exchange data over the network. However, little-known open source programs or tailor-made software may receive the High Restricted reputation and will not be able to work with the network. To grant access to the network to a program that has High Restricted reputation, use one of the following approaches: — Change the program reputation, add its executable file to the Low Restricted or Trusted reputation as described in section 4.3 — If the program’s files are signed with a certificate, use Host Intrusion Prevention settings to trust these files — If files are not signed with a certificate, think about signing them with a self-signed certificate and use the exclusion settings to trust this certificate — Alternatively, configure packet rules to allow the program to use its addresses and ports. Packet rules are processed earlier than the rules for applications and reputations. Move your rules to the top of packet rules list II–65 Unit II. Protection management 5.4 Why Network Threat Protection is necessary What Network Threat Protection does The purpose of the Network Threat Protection component is to block network attacks including port scanning, denial-of-service attacks, buffer-overrun attacks and other remote malicious actions taken against the programs and services running on the computer. Network Threat Protection uses signatures and blocks all connections that correspond to the descriptions of known network attacks. As we mentioned earlier, malware does not necessarily save executable code in the file system in order to infect a computer. For example, malware using a buffer-overrun attack can modify a process already loaded in the memory and thus execute the malicious code. The Network Threat Protection component is able to prevent infections from spreading this way. That is why it must be enabled, and its settings must be locked. Network Threat Protection has a few configurable parameters. If the component is enabled, attacks are blocked automatically. Additionally, Kaspersky Endpoint Security can block any further packets from the attacking computer for some time. The Add the attacking computer to the list of blocked computers option regulates this behavior; by default, it is enabled and blocks computers for 60 minutes. If necessary, a blocked computer can be unblocked manually, but only in the local interface of Kaspersky Endpoint Security. Sometimes, Network Threat Protection considers numerous packets sent by surveillance cameras and other similar devices to be an attack, and blocks the packets. To prevent this, add the devices’ addresses to exclusions. Network Threat Protection will not analyze packets from trusted addresses. II–66 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management What the Protection from MAC Spoofing does Protection from MAC spoofing prevents unauthorized modification of ARP tables on the devices protected by Kaspersky Endpoint Security. The following methods protect ARP tables against unauthorized modifications: — Ignore an incoming ARP reply unless it answers an ARP request sent — After an ARP request has been sent, accept only the first ARP reply and ignore all others; log information about them — Wait for an ARP reply for some time. Ignore belated answers — Reply an incoming ARP request without adding a record to the system ARP table Protection from MAC spoofing is regulated by two options available in Essential Threat Protection | Network Protection. You can enable or disable protection (it is disabled by default); and configure reaction to potentially dangerous attacks. How to unblock a blocked computer II–67 Unit II. Protection management When a client computer blocks another client computer because of a network attack, the administrator can see only an event informing of a network attack in the console. There is no list of blocked computers, or events informing that a computer was blocked and later unblocked. You can find the list of blocked computers in the local interface of Kaspersky Endpoint Security: 1. In Kaspersky Endpoint Security window, click Protection components and select Network Monitor 2. In the Network Monitor window, open the Blocked computers tab 3. To unblock a computer, select it and click Unblock To unblock a computer from the Administration Console, restart the Network Threat Protection component on the computer that blocked an attack: 1. Find the event informing about the attack and check which computer sent the event (not which computer attacked) 2. Find this computer in the console and open its properties 3. Switch to the Tasks tab and find the Network Threat Protection component 4. Stop the component and start it anew (use its shortcut menu or the buttons to the right of the list) II–68 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management 5.5 Network protection: Summary At the network level, packets are scanned by the Firewall and Network Threat Protection components. Other essential protection components (Web Threat Protection and Mail Threat Protection) scan data at the application level. Firewall protects computer services in public networks, and also does not allow Untrusted and High Restricted programs to use network. Thus it prevents unknown malware from connecting to its control center. Network Threat Protection analyzes sequences of packets within allowed connections and blocks known types of attacks. If these components impede a program: — Make the program trusted for Host Intrusion Prevention. The Firewall uses the same reputations as Host Intrusion Prevention. — Open ports and addresses with which the program works using simple packet rules — Add the application’s address to exclusions of Network Threat Protection II–69 Unit II. Protection management Chapter 6. How to protect a computer outside the network 6.1 Which local networks to trust The risk of computer infection is lower within a corporate network than outside. Thus, applying different settings to the computers that are taken out of office seems reasonable. Specifically, by default, the policy considers all networks that have addresses 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 to be local and permits access to shared folders, Windows services and RDP within them. However, outside the corporate network, addresses 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 may belong to hotels, bars, airports and other public places. It is dangerous to trust them similarly to local networks. Use a special out-of-office policy to change Kaspersky Endpoint Security settings when a computer is taken outside the corporate network. 6.2 How to create a policy for computers outside the office Out-of-office is the third possible policy status, in addition to the Active and Inactive status. An out-of-office policy may be created for any group. There can be only one out-of-office policy for each version of Kaspersky Endpoint Security in a group. That policy is propagated in exactly the same manner as an active policy. However, while an active policy is enforced immediately, a policy for out-of-office computers starts working only when the computer meets the specified conditions (which will be described later). II–70 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management If a child group has no out-of-office policy, it will use the out-of-office policy of its parent group. However, if an out-of-office policy exists in both parent and child groups, they are not related in any way. Whichever settings are locked in the parent group policy, they do not restrict the policy of the out-of-office users within the child group. In other words, individual settings of an out-of-office policy are not inherited, unlike those of an active policy, where the locked settings are inherited by the policies of child groups. Out-of-office policies are inherited only completely by those subgroups where an out-of-office policy is not configured. How to create a policy for computers outside the office To create an out-of-office policy: 1. Start the policy creation wizard: Open the tab Devices | Policies and profiles and click Add 2. Select the Kaspersky Endpoint Security for Windows application Note: The Out-of-office policy status only exists in the policies of Kaspersky Endpoint Security for Windows. Policies of the Network Agent or, for example, Kaspersky Security for Windows Servers Enterprise Edition do not have such an option. 3. 4. 5. 6. Accept the KSN agreement Name the policy comprehensibly Create a policy with the default settings Select the policy status: Out-of-office To modify the status of a ready policy, open the General section in its properties. II–71 Unit II. Protection management When computers switch to the out-of-office policy By default, computers will never switch to the out-of-office policy. To make them switch to such a policy, specify conditions in the Network Agent policy using either of the following methods: 1. Select Enable out-of-office mode when Administration Server is not available A computer will switch to the out-of-office policy if it is not connected to any network, or if the Network Agent cannot synchronize with the Administration Server three times in a row. In practice, this happens when a computer is disconnected from the corporate network. By default, the synchronization period is 15 minutes. Therefore, a client will switch to the out-of-office mode instantly after disconnected from the network or in 30 to 45 minutes if the network has not been disconnected. 2. Configure network locations for the <Offline mode> profile Configuring network locations is the best choice. They can describe more precisely when a computer is located in a corporate network, and when it is not. If there are many computers in the network and the Administration Server is overloaded, some of the computers may fail to connect to the Server at every regular synchronization. It might happen that a computer fails to synchronize three times in a row and will switch to the out-of-office policy within the corporate network. Depending on the out-of-office policy settings, such a computer can, for example, block access to its shared folders, which would make quite a lot of trouble if it happens to a file server or a domain controller. Certainly, if computers cannot synchronize with the Administration Server, it is an issue that must be solved8. However, improperly configured conditions of switching to the out-of-office mode may aggravate the issue. 8 Course KL 302 explains how to correctly scale Kaspersky Security Center to large networks. II–72 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management How to set conditions for switching to the out-of-office policy Instead of using the option Enable out-of-office mode when Administration Server is not available, configure network locations that precisely describe when a computer is located within the corporate network, and when outside. Network Agents can use different connection profiles in different network locations. See course KL 302 for details. To make computers switch to the out-of-office mode, configure network locations for the <Offline mode> profile. The Network Agent policy provides various conditions to describe network locations. Many of them are simple and clear, for example, subnet address or main gateway address. However, they may fail to unambiguously define the corporate network. Suppose, subnet 192.168.0.0/24 is used in the internal network. However, there can be the same network in a hotel, bar or a free hotspot in the street. That is why the conditions by subnet, gateway or DNS server address are insufficiently reliable. It is best to use the Condition for name resolvability and specify a name that can only be resolved on the internal DNS server of the company. Configure computers to switch to the out-of-office mode when they cannot resolve this name: 1. In the Network Agent policy, open Application Settings | Network and in the Connection profiles area, click the Settings button 2. Add a network location description: Click the Add button above the upper list 3. Name the network location comprehensibly, for example, “<an internal DNS name> unresolvable” and select the check box Description enabled 4. In the Use connection profile drop-down list, select the <Offline mode> profile 5. Add a Name resolvability condition 6. Add a name that can only be resolved in the internal network to the list 7. Below the DNS or NetBIOS device name list, switch the parameter to Does not match any of the values in the list. This means that the condition is met if the specified name cannot be resolved 8. Save the condition II–73 Unit II. Protection management 6.3 Which settings computers should use outside the office The default policy assumes that 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8 are local networks, which need fewer restrictions. This may not be a safe assumption out of office. These can be networks in hotels, bars or other public places which cannot be trusted. Make these networks public in the out-of-office policy. Alternatively, if you trust the users, delete all networks from the policy: Firewall will check the statuses of networks in the operating system, which are specified by the user. A policy for out-of-office computers must take into account the fact that while the host is outside the corporate network, it is the user who manages Kaspersky Endpoint Security. Consequently, the policy must allow the user access to the information about the protection status and to the product management tools. The user should at least be allowed to scan suspicious files/drives and start updates. For this purpose, allow the user to manage group or local tasks, or both. The corresponding settings are located in the policy section Local tasks. II–74 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management To help the users make rational decisions about protection, you need to provide them with more information about incidents. The user should be warned about detected threats, the need for advanced disinfection and about outdated databases: — Open the list of local Kaspersky Endpoint Security events in the policy: Go toApplication Settings | General Settings | Interface, and in the Notifications area, click the Notification rules link — Select a component and then tick all events that are important for the user in the Notify on screen column Make Kaspersky Endpoint Security warn the user about the issues that it experiences with a red triangle on the application icon in the notification area. Select about which issues to inform the user in the Interface section of the policy, Warnings area. 6.4 Out-of-office policies: Summary When the users work outside the corporate network, they need other settings for Kaspersky Endpoint Security. Kaspersky Security Center has out-of-office policies for this purpose. By default, out-of-office policies are not used. To make them used, configure conditions in the Network Agent policy. Configure network locations for the <Offline mode> profile. In the network location descriptions, specify the conditions that reliably describe when a computer is located within the corporate network, and when outside. Use Modify condition for name resolvability and Modify condition for SSL connection address accessibility. In the out-of-office policy, strengthen the protection settings: — Configure the Firewall not to trust networks 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/12 Give the users more information and more control over Kaspersky Endpoint Security: — Inform about threats on the computer screen — Signal about issues on the icon in the notification area — Allow the user to start and stop tasks II–75 Unit II. Protection management Chapter 7. What else is there in protection and why? 7.1 What Self-Defense does and why it is necessary What Self-Defense does II–76 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management A self-defense technology is implemented within Kaspersky Endpoint Security, which prevents unauthorized product disabling and other attempts to hamper its operation. Self-defense is configured using two options in General Settings | Application Settings: — The Enable Self-Defense parameter is responsible for protecting the Kaspersky Endpoint Security processes in the computer system memory, its files on the hard drive and its registry keys — The Disable external management of the system services option does not permit stopping Kaspersky Endpoint Security services unless the command is carried out via the product interface If self-defense is disabled, the computer protection level decreases. By default, both parameters are enabled and locked. It makes sense to disable self-defense only if compatibility problems arise (for example, with remote management utilities, though there are better ways for handling those) or for troubleshooting. How to manage KES over Remote Desktop To prevent malware from disabling protection by simulating the user’s commands in the product window, selfdefense accepts mouse and keyboard events only directly from a device rather than from other processes by default. Therefore, when the administrator tries to manage Kaspersky Endpoint Security via a remote access program, such as UltraVNC or TeamViewer, self-defense does not permit clicking anything in the Kaspersky Endpoint Security window. If you need to manage Kaspersky Endpoint Security via a remote access program, and self-defense will not allow this, configure an exclusion. Add the executable file of your remote access tool to the list of trusted applications. The process that the administrator starts on his or her computer is not necessarily the same as the process on the remote computer that accepts the connection and provides access to the desktop. Add the process that runs on the remote computer In the properties of the trusted program, select the check box Do not block interaction with the application interface. Clear the other check boxes. Do not allow programs more than they need for their work. II–77 Unit II. Protection management What BadUSB Attack Prevention does Firmware of any USB flash drive can be modified. When such a USB flash drive is connected to a computer, the operating system may recognize it as another device and perform functions designed by criminals. For example, a USB flash drive can be identified as a keyboard and send commands on behalf of the user logged on to the system. In practice, it is may be absolutely any action: hidden malware downloading or intercepting and sending out confidential data. And even if the user does not possess system administrator permissions, it will not solve the issue, because there are various methods of elevating privileges, and permissions of an ordinary user are typically enough to organize a data leakage. The BadUSB Attack Prevention component does not permit USB devices to connect as a keyboard without the user’s authorization. It works as follows. When a USB device is connected, if the operating system recognizes it as a keyboard, BadUSB Attack Prevention notifies the user and requires that the user authenticates the device. By default, the BadUSB Attack Prevention component is not installed on the computers. If necessary, you can add it using the Kaspersky Endpoint Security task Change application components. The BadUSB Attack Prevention component is recommended to be installed on notebooks. It is controlled by two parameters in Application Settings | Essential Threat Protection | BadUSB Attack Prevention: — BadUSB Attack Prevention can either be Enabled or Disabled; by default, it is enabled — The parameter Prohibit use of On-Screen Keyboard for authorization of USB devices permits (or disallows) the user to authenticate devices via on-screen keyboard. By default, the use of on-screen keyboard is blocked If BadUSB Attack Prevention is planned to be used on notebooks: We recommend that you allow the use of onscreen keyboards in the out-of-office policy to avoid issues with wireless pointers and presenters. II–78 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management 7.2 How to protect Kaspersky Endpoint Security from the user How the user can stop protection The default settings provide the users with at least two methods to disable the protection. — Close Kaspersky Endpoint Security (click Exit on the shortcut menu of the product icon in the notification area.) This action doesn’t even ask for elevated permissions, any user can do this. — Uninstall Kaspersky Endpoint Security, which requires administrative permissions. However, some users may have them, especially on laptops. To prevent the users from weakening or stopping Kaspersky Endpoint Security, configure password protection for the mentioned actions in the policy and make these settings required (close the lock). Though a user with administrator rights has enough power to disrupt the operation of Kaspersky Endpoint Security one way or another, the most direct attempts of doing so will be blocked by Kaspersky Endpoint Security self-defense, which doesn’t allow deleting or modifying Kaspersky Endpoint Security files and registry entries, protects its service and processes in the memory. Together, password protection and self-defense are mostly able to prevent any damage a user might try to inflict on Kaspersky Endpoint Security. However, self-defense is enabled by default, whereas password protection is not. Another (a less evident) way of disabling the protection is to uninstall the Network Agent. Some 10 to 20 minutes after the Network Agent is removed, Kaspersky Endpoint Security will no longer be controlled by the policy and the user will be able to change any setting. There is password protection for the Network Agents too, and it is not enabled by default either. II–79 Unit II. Protection management How to enable password protection Password protection can be enabled for most of the user actions that affect Kaspersky Endpoint Security: Editing its settings, exiting, and uninstalling. To enable password protection for Kaspersky Endpoint Security: 1. Open the policy, switch to the Application Settings tab, in General Settings | Interface, enable Password protection 2. Set a password 3. Configure permissions for the group Everyone. Select which operations will not prompt the user for password: — Configure application settings—protects against any attempts to modify Kaspersky Endpoint Security settings, including the options that enable and disable the components (e.g. File Threat Protection); but the user will still be able to stop a component via its shortcut menu — Remove / modify / restore the application—the password prompt is added to the uninstall wizard of Kaspersky Endpoint Security — Disable Kaspersky Security Center policy—adds the option to temporarily disable the policy via the shortcut menu of Kaspersky Endpoint Security icon after entering the password. — Exit the application—protects the Exit command on the shortcut menu of the product's icon. Meanwhile, self-defense of Kaspersky Endpoint Security will prevent attempts to terminate its processes or files — View reports—prompt for the password prior to showing events in the local interface of Kaspersky Endpoint Security The password protects both graphic interface of Kaspersky Endpoint Security and the command line interface. — Restore access to data on encrypted drives—prevents the user from starting the data recovery tool. It is the administrator’s job to recover data, not user’s — Restore from Backup—prompts for the password when restoring files from backup II–80 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management — Disable protection components—the user can start protection components and local tasks (if they are displayed); the password window appears only if the user attempts to stop them. The update tasks lack this protection — Disable control components—the password is necessary to disable the Device Control, Application Control, or Web Control This capability is useful for local troubleshooting. When a policy is active, the administrator can’t change Kaspersky Endpoint Security parameters to see which component or which particular setting is causing troubles for the user. Moving a problem computer to a special group for diagnostics and then returning it back after the problem is solved is an awkward solution, especially if different IT units are responsible for centralized protection management and local diagnostics. The capability to temporarily disable a policy using a special password on a computer helps to carry out diagnostics without changing the settings on the Administration Server. — Remove key—the user cannot stop protection by deleting the key unless the password is entered The advantage of password protection is that it remains active even when the policy is disabled. Once the password protection settings are applied to Kaspersky Endpoint Security, the users will be unable to manage the product without a valid password even if the administrator disables the policy. Password protection permits configuring permissions for each user or group of users. Configuring password protection for Network Agent The Network Agent is less likely to be noticed by the local user than Kaspersky Endpoint Security. The list of installed programs is one of the few places where it can be found. “Kaspersky” in the product name may be sufficient for some users to attempt uninstalling the Network Agent. If a user has administrator privileges, the attempt will succeed. To protect the Network Agent, set an uninstallation password in its policy. The Quick Start wizard creates the Network Agent policy automatically. The password for Network Agent uninstallation is to be set in the Settings section. By default, it is not specified. Enable the Use uninstall password option, enter the password and don’t forget to lock this group of settings. It’s not locked by default and setting the password while leaving the option ‘unlocked’ has zero effect on the local Network Agent settings. Once the policy is applied, the password prompt is added to the Network Agent uninstallation wizard. An attempt to uninstall the Network Agent using the command line without the password will also fail. II–81 Unit II. Protection management 7.3 Which other protection settings are available Kaspersky Endpoint Security policy has more settings than we have described in this chapter. Actions For most of the protection components, you can select what to do with malicious files and other threats. By default, all components try to disinfect malicious files, and if disinfection fails or is impossible, delete them. The administrator can select to delete all malicious files immediately, or only block them rather than delete. Blocking instead of deleting makes sense only if you are testing something. On the protected computers, use the action that deletes malicious files. We recommend that you leave the default action. Prior to disinfecting or deleting a file, Kaspersky Endpoint Security copies it to the Backup. It is a special folder on the computer, where to Kaspersky Endpoint Security stores encrypted copies of malware. If Kaspersky Endpoint Security deletes a file mistakenly, the administrator will be able to restore it from the Backup after configuring an exclusion. Other settings The settings that we have not mentioned usually should not be changed. They are described in the help system of Kaspersky Endpoint Security. The following table briefly describes some of the settings: II–82 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management General Settings | Exclusions | Objects for detection Viruses and worms (cannot be disabled) Trojans (cannot be disabled) Malicious tools (enabled) Adware (enabled) Auto-dialers (enabled) Other (disabled) Packed files that may cause harm (enabled) Multi-packed files (enabled) Do not change these settings. All these objects at least hamper the user, and may cause significant harm if worst comes to worst. If the administrators use testing utilities that the antivirus considers to be malicious, configure exclusions for them instead of disabling detection of the whole category of objects. The Other category includes remote management utilities, such as RAdmin, UltraVNC, DameWare, etc. Criminals may use these legitimate tools for unauthorized access to computers. However, administrators and users may need them for their work. Configure as necessary. <Component name> | Action on threat detection Disinfect Delete if disinfection fails Do not modify the action settings. Let the components delete all malicious objects. If false positives occur, configure exclusions. Restore erroneously deleted files from the Backup repository after configuring an exclusion. Local tasks | Removable drives scan Action when a removable drive is connected: (by default) Do not scan Maximum removable drive size: (by default) 4096 MB Change the action to Quick Scan or Detailed scan. Although File Threat Protection scans everything the user starts or copies from a removable drive, it is not recommended to leave passive malicious files on removable drives. The user may, for example, take this drive to a customer and accidentally infect a computer. To save employees’ time and prevent Kaspersky Endpoint Security from scanning large drives, limit the maximum size of the drive to be scanned, for example, to 32 MB. Local tasks | Task management (By default) Is disabled Do not enable. Local tasks are difficult to manage with the Administration Server and they confuse the administrator. If you need to enable the users to start updates or stop virus scanning, it is best to select the check box Allow group tasks to be displayed in this list. General Settings | Application Settings | Performance | Postpone scheduled tasks while running on battery power (By default) Is enabled Lots of contemporary laptops boast 10-plus hours battery life. It may be dangerous to postpone virus scanning, let alone updates, until the user plugs the notebook in. Disable this option for such computers. At the same time, old laptops may have short battery life; this parameter was designed for them. Place old and modern notebooks into different groups and specify proper settings for them via dedicated policies. General Settings | Application Settings | Performance | Concede resources to other applications (By default) Is enabled Do not disable. General Settings | Reports and Storage | Reports Store reports no longer than: (by default) 30 days Maximum file size: (by default) 1024 MB For most companies, event history of 30 days is enough. If you need to store events longer, increase the storage time and maximum file size. Think about sending events to a SIEM system (see course KL 009). General Settings | Reports and Storage | Backup Store objects no longer than: (by default) 30 days Maximum storage size: (by default) is not specified If you suspect a file to be malicious, but Kaspersky Endpoint Security does not react to it, receive its reputation from KSN in real time or send the file to technical support via the companyaccount.kaspersky.com portal. II–83 Unit II. Protection management General Settings | Reports and Storage | Data transfer to Administration Server About files in Backup About unprocessed files About installed devices About started applications About file encryption errors Enable the first two lists: They inform about threats and false positives Send the lists of devices and encryption errors only if you use Device Control and Encryption. We recommend that you send the list of started applications only from individual computers, do not enable it for the whole network. General Settings | Interface | Notification rules | Component | <Event> Save in local log Save in Windows Event Log Notify on screen Notify by email Store all events in the local log. In Windows log, store at least functional failure events to be able to view them if Kaspersky Endpoint Security does not work. Notify on screen only about control events. The less messages by Kaspersky Endpoint Security the user sees, the better. Do not configure email notifications here. To receive email notifications, click the link Email notification settings General Settings | Interface | Interaction with user Display full interface: Is enabled by default Simplified interface: Is disabled by default Select No interface if users complain that Kaspersky Endpoint Security hampers them If the corporate policy prohibits completely hiding software interface from the users, select With simplified interface: The users will see the Kaspersky Endpoint Security icon in the notification area, but will not be able to open its window or understand which components and tasks are running General Settings | Interface | Warnings Active threats Computer restart required Problems with signature databases Problems with protection level Problems with license Updates available Disable on the network computers. It is the administrator who needs to be informed about issues rather than the user, and they are to be displayed in the Administration Console rather than in the local interface. Enable in an out-of-office policy to permit the users take care of protection on notebooks. II–84 KASPERSKY LAB™ KL 002.11.1 Kaspersky Endpoint Security and Management Computer protection: Summary All protection components in Kaspersky Endpoint Security either detect and block threats, or reduce the attack surface, meaning, prevent the user and applications from taking actions that are potentially dangerous to the computer. Therefore, do not disable the protection components. Instead, create exclusions for those programs that are slowed down by the antivirus. Configure regular virus scanning. First, it detects passive threats. Second, it updates the cache of scanned files, after which File Threat Protection and other components work faster. All components do well with the default settings. Usually, these settings can hardly be improved, and should not be changed. However, to better counter ransomware, you can configure Host Intrusion Prevention to guard your documents. The default settings can be improved for notebooks, which are taken outside the corporate network. Create an outof-office policy for them. Finally, protect not only computers from malware, but also Kaspersky Endpoint Security from the user. Configure password protection for Kaspersky Endpoint Security and Network Agent. Unit III. Security Controls Chapter 1. Overview ....................................................................................................... 3 1.1 Purpose of the control components ......................................................................................................................... 3 1.2 Licenses and installation types................................................................................................................................ 3 1.3 Installing the Control components .......................................................................................................................... 5 Chapter 2. Application Control ....................................................................................... 6 2.1 How Application Control works ............................................................................................................................. 6 Operation principles .............................................................................................................................................. 6 How to configure Application Control ................................................................................................................... 7 2.2 How to configure application categories................................................................................................................. 7 A category that is created and updated manually .................................................................................................. 9 Automatically filled folder-based category .......................................................................................................... 16 Category based on a reference computer ............................................................................................................ 17 What you can do with programs and categories after the initial configuration .................................................. 19 2.3 How to create control rules ................................................................................................................................... 25 Application Control modes .................................................................................................................................. 25 Application Control rules..................................................................................................................................... 26 2.4 How it will work ................................................................................................................................................... 27 How to find out what a particular user is prohibited from .................................................................................. 27 Local notifications and user requests................................................................................................................... 28 User requests selection ........................................................................................................................................ 29 Events ................................................................................................................................................................... 30 Report on blocked runs ........................................................................................................................................ 30 2.5 Default deny mode ................................................................................................................................................ 31 Chapter 3. Device Control ............................................................................................ 33 3.1 What can be blocked and how .............................................................................................................................. 35 Additional options ................................................................................................................................................ 37 USB flash drive access log ................................................................................................................................... 38 How to specify trusted Wi-Fi networks ................................................................................................................ 39 What Anti-Bridging does ...................................................................................................................................... 40 3.2 How to specify a trusted device ............................................................................................................................ 41 3.3 How to configure interaction with users ............................................................................................................... 43 3.4 How to configure temporary access ...................................................................................................................... 44 How can the user send a request to get access to a blocked device? ................................................................... 45 How to create activation code.............................................................................................................................. 46 How to activate temporary access ....................................................................................................................... 47 3.5 Monitoring Device Control ................................................................................................................................... 47 III-2 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management Chapter 4. Web Control ................................................................................................ 49 4.1 Blocking criteria ................................................................................................................................................... 51 4.2 Configuring exclusions and trusted servers .......................................................................................................... 53 4.3 Diagnostics and testing ......................................................................................................................................... 54 4.4 Configuring interaction with users ........................................................................................................................ 55 4.5 Web Control statistics ........................................................................................................................................... 57 4.6 Web control report ................................................................................................................................................ 58 Chapter 5. Adaptive Anomaly Control .......................................................................... 59 5.1 How to configure Adaptive Anomaly Control ...................................................................................................... 60 5.2 Configuring interaction with users ........................................................................................................................ 63 5.3 Adaptive Anomaly Control statistics .................................................................................................................... 63 5.4 Reports about Adaptive Anomaly Control operation ............................................................................................ 65 III-3 Unit III. Security Controls Chapter 1. Overview 1.1 Purpose of the control components In addition to anti-malware protection, Kaspersky Endpoint Security 11.1 contains control components that restrict actions harmful to the computers or the company in general. — Application Control monitors users’ attempts to start programs and regulates software start through the rules configured by the administrator. — Device Control brings the use of various devices to conformity with the company policy. The AntiBridging component prohibits unauthorized network connections — Web Control limits access to websites depending on their content; you can also block addresses by masks — Adaptive Anomaly Control contains a set of pre-configured rules and monitors non-typical behavior on the device that usually precedes an infection, and helps nip it in the bud 1.2 Licenses and installation types There are five functional areas in Kaspersky Security Center 11: — — — — — Protection against threats Control components Encryption Systems management Mobile device management The control components require a KESB Select license and are automatically installed if the Standard installation type is selected. Except the new Adaptive Anomaly Control component, which requires a KESB Advanced license. III-4 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management In ММС console, Encryption settings and Control components are not displayed in the Kaspersky Endpoint Security policy 11.1 by default. To enable representation of these settings, in the main window of the Console, click the link Configure functionality displayed in user interface: — Display data encryption and protection—displays the Encryption settings — Display endpoint control settings—displays the settings of the Control components Web Console does not need to be reconfigured, all functionality is immediately accessible. III-5 Unit III. Security Controls 1.3 Installing the Control components Control components are enabled by default in the properties of the Kaspersky Endpoint Security 11.1 package, which is created automatically during the Administration Server installation. The only technicality is that not all of the components will be installed on a server operating system. If some components are not installed on the computers, the administrator can add them. Use the Change application components task of Kaspersky Endpoint Security. This task is designed especially for uninstalling or adding Kaspersky Endpoint Security components without reinstalling the product. The task creates little traffic, as it reuses the .msi package of Kaspersky Endpoint Security, which was saved on the client computer during the initial installation. In the task properties, you can select the components to be installed, just like in an installation package. However, you cannot select individual components while creating the task in the wizard. To specify the necessary components, complete the task creation wizard and then open the task properties: the choice of components is not limited there. III-6 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management Chapter 2. Application Control Application Control helps to implement the corporate security policy; in particular, restrict software start on the endpoints. At the same time, Application Control reduces the computer infection risk by decreasing the attack surface. 2.1 How Application Control works Operation principles Application Control allows the administrator to restrict which programs the users can run on the computers. Software start permissions are specified in special rules. When a program starts, Application Control checks: — The category the program belongs to (the categories are configured by the administrator) — The account under which the program was started — Whether the Kaspersky Endpoint Security policy contains any rules that regulate the start of this program category for this account Application Control can operate in either of the two modes: — Black list: Everything is allowed by default. Only the programs that belong to categories that the administrator prohibited in the Kaspersky Endpoint Security policy are blocked. Meaning, if there is no matching block rule, the program will be permitted to start — White list: Everything is prohibited by default. Only the programs that belong to categories that the administrator allowed in the Kaspersky Endpoint Security policy are permitted to start. If there is no matching allow rule, the program will be blocked The white list mode is used in the default deny approach. It is described in the respective section of this chapter, and much more detail is available in a dedicated training course KL 032 Default Deny. III-7 Unit III. Security Controls How to configure Application Control In two stages: 1. Create application categories 1.1. Make up the list of categories. For example, Web browsers, Games, Third-party messengers, Allowed programs, etc. 1.2. Add all programs that we want to control to these categories. How to do it is described in the next section. Categories are configured for the whole Administration Server at once in Operations | Third-Party Applications | Application Categories 2. Make up the list of rules: In the Kaspersky Endpoint Security policy, you can specify what Kaspersky Endpoint Security is to do with the applications that belong to each application category: allow, block, or just notify Kaspersky Security Center about each start. Note that categories are specified for the whole server, while different rules may be configured for different computer groups. For example, Skype can be prohibited for everybody except individual users; additionally, marketers can be allowed to use it, but every time when they start it, the administrator will receive the respective notification. 2.2 How to configure application categories Categories are created on the Kaspersky Security Center Administration Server and are transferred to client computers similarly to policies and tasks. You can send the complete list and contents of categories every time, or only the changes. This is configured in the Administration Server properties, in the Application categories section. This transfer option appeared in Kaspersky Security Center 10 SP2 MR1 and Kaspersky Endpoint Security 10 SP2; in earlier versions, the full set of categories is always transferred, even if changes are few and minor. That is why everything is transferred by default; otherwise, if there are older clients in the network, they will not be able to receive changes only, and will receive nothing. III-8 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management An application category is a list of conditions and exclusions that allows identifying a program or a group of programs. The list is displayed in the Operations | Third-Party Applications | Application Categories and is empty by default. New categories are created using a special wizard. There are three types of categories: — Filled manually—their conditions are added and changed only manually. For example, all programs that have “zombies” in their names, or all programs signed with the specified certificate — Filled automatically from a folder—the administrator selects a directory, which is scanned for the following files: EXE, COM, DLL, SYS, BAT, PS1, CMD, JS, VBS, REG, MSI, MSC, CPL, HTML, HTM, DRV, OCX, SCR. The Administration Server will also check the contents of this directory on schedule, calculate checksums of executable files (SHA256 and/or MD5), and update the list of the category criteria. A network folder whereto all prohibited or allowed programs are copied may come in handy — Filled automatically from the selected devices—the administrator selects one or several managed computers, and the Administration Server automatically includes executable files found on these computers into the category. Meaning, you can specify a reference computer where, for example, all allowed programs are installed III-9 Unit III. Security Controls At the first step, the New Category Wizard prompts you for the category name and creation method. If you are not happy with the category contents when it is ready and want to modify the method, you will have to re-create the category. A category that is created and updated manually For a manually filled category, conditions for the programs are specified in the list; each condition can contain several parameters. If a program matches at least one condition, it is included in the category. Conditions can be set by various methods, but all of them can be boiled down to the following general types: — KL category—Kaspersky Lab experts group white lists into categories according to programs’ purpose. The category catalog helps to categorize an application or an individual file. In most cases, Kaspersky Endpoint Security defines the category locally using the signature database or requests the verdict from Kaspersky Security Network. — Certificate—this function is available since Kaspersky Endpoint Security 10 SP2. You can specify a folder on a client device that contains executable files signed by certificates. Certificates of executable files will be added to the category conditions. You can also add certificates from a certificate store — Application folder—all programs from the specified directory will be added to the category III-10 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management — Removable drive—a special parameter that allows the administrator to create a separate category for the files started from a removable drive — Metadata—file name, its version, name of the program and manufacturer. The version does not have to be specified exactly. You can select all files older or younger than the specified version. Various file characteristics constitute a single condition, rather than several individual conditions. When specifying metadata, you can allow only files signed with a valid certificate, or those for which KSN returns the Trusted verdict — Checksum—the checksum returned by SHA-256 function that allows unambiguous identification of the file (the checksums of different files are different) Note: In Kaspersky Endpoint Security version 10 SP1 MR3 and earlier, MD5 checksum was used for file identification in Application Control instead of SHA-256. Starting with Kaspersky Endpoint Security 10 SP2, only SHA-256 is used. If there are various Kaspersky Endpoint Security versions in the network, select the corresponding check box in the category properties, for example, collect not only SHA-256, but also MD5. Then the same category will be usable for policies configured for different Kaspersky Endpoint Security versions. On the other hand, if application categories become too large as a result, you can create different categories for different versions of Kaspersky Endpoint Security. From the executable files list The administrator can create a condition based on the Executable files list. It is a list of executable files that have been started on the client computers or detected by an Inventory task. Note: In Kaspersky Endpoint Security 11.1, information about started executable files will be transferred only after you enable the Application Control component. This list of files is displayed in the Operations | Third-Party Applications | Executable Files. III-11 Unit III. Security Controls From applications registry The Applications registry node contains programs installed on computers and displayed in their Programs and Features. Network Agents gather names and attributes of these programs and transfer them to the Administration Server. The gathered information about the installed programs does not contain data about the program executable files, but it is the data about executables that is necessary to create a condition. That is why the Administration Server compares data about installed programs and data about executable files detected on the computers, and after that creates a condition based on the hash sum of the program executables. It might happen that a program is considered to be installed by mistake, or a program is installed but started extremely rarely and the data about its executable file is missing on the Administration Server. In this case, a condition for this program may fail to be created. On the other hand, if a program has several executable files, the applications registry simplifies rule creation. The Administration Server automatically adds conditions for all executable files associated with the program. If a program is installed but its executable files haven’t been reported to the Administration Server yet, the administrator may consider running an Inventory task to speed up the process. We will describe inventory tasks in detail later. From file properties When selecting a file on the drive, the administrator can specify a simple SHA-256 (MD5) condition for it, or a more flexible condition based on metadata or certificate. A hash sum unambiguously identifies a file. This condition should be used when exact coincidence is important. For example, hash sums are used in automatically filled categories described earlier, because it is important to allow starting the exact file versions installed on the reference computer or included in an approved distribution. Any changes made to the file by malware or malevolent users will result in changing the hash sum and blocking the file start. Hash sums are also convenient if you need to prohibit renamed files from starting. Renaming does not influence the hash sum and the blocking rule will still work. III-12 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management At the same time, you may need to include several application versions in a category. In this case you should create a condition based on file attributes, such as name, manufacturer name, and version number. The version number may not only coincide with the specified value, but also be more or less than the specified value, or start from it, etc.; so you will be able to block old program versions or recent releases that have not been approved yet. Metadata-based conditions implicitly rely on digital signatures. When Kaspersky Endpoint Security checks file metadata to determine if the condition applies, it ignores files without digital signatures (certificates). Unsigned files will never match a metadata-based condition. This applies to many open-source and freeware tools. You may create a condition based on the file name and then be surprised that a file with a matching name is not treated as expected. Most probably, this means that the file has no digital signature. In general, you should use metadata-based conditions for commercial software that is likely to be digitally signed by the vendor’s certificate. To control open-source and freeware programs, use other condition types. Use metadata or checksum of files in an MSI If a folder or an MSI package is specified when creating a condition manually, the selected folder or package will be scanned once when creating the category, and later will not be rescanned. The administrator can add any other condition to such a category. III-13 Unit III. Security Controls Use KL categories The described conditions enable the administrator to allow or prohibit known programs—programs whose hash sum, or attributes, or location on the drive, etc. are known or can be found out. In practice, it is often necessary to prohibit unknown programs, for example, all games, or all browsers except for one, etc. This task is not easy to solve using the described tools. The solution is to use KL categories. These categories define program class or type: email programs, web browsers, development tools, electronic payment systems, etc. ‘KL category’ means that the programs are categorized by Kaspersky Lab experts. The program categorization information is a part of the downloadable databases. That is why the Download updates to the repository task must run at least once before you can create conditions based on KL categories. Programs started on each computer are independently scanned for correspondence to the conditions, and if different database versions are used on different computers, application control rules can work to different effects. Also, if the use of KSN is enabled on a computer, it will try to receive the latest data about KL categories in real time. Kaspersky Lab experts, certainly, cannot process and categorize all executable files that exist in the world. All uncategorized files are automatically associated with the Other Software KL category. III-14 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management Specify the path to the files explicitly So far, all conditions checked the hash sum or attributes of the files. These conditions were independent of the file location. Copying or moving the executable file would not influence the file start regulations based on these conditions. The following two types of conditions consider only the file location: — Application folder—defines the local path to the file. The administrator can, for example, prohibit starting executable files from the desktop or from the whole user’s home directory. Alternatively, the administrator can permit starting executable files from the system folders: C:\Windows, C:\Program Files and prohibit from all other computer locations. The condition is recursive, meaning, it works for the files in subfolders of the specified folder. — Device type—can have only one value: Removable device. Essentially, its purpose is to enable the administrator to prohibit starting programs from removable drives. III-15 Unit III. Security Controls Specify certificates A more reliable method than using file path, but less reliable than SHA-256, is selecting files by certificates. You can select from among the certificates on the Administration Server. How to specify exclusions from a category If you need to prohibit all programs that match the specified conditions except for one, add an exclusion to the category. Exclusions can use the same types of conditions. The programs that meet at least one exclusion condition will be excluded from the category. III-16 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management Automatically filled folder-based category The contents of an automatically filled category are updated when the source folder contents change (executable files are deleted or added). Also, you can make a category update to schedule. If the specified folder contains archives or installation packages (for example, *.msi), the Administration Server will automatically unpack them (into a temporary folder) and include data about the executable files within the archive or package into the category. So, if you place program distribution into the folder, the category will include not only the installation file, but also program files. This method of creating a category is useful if the company has a repository of program distributions to be installed on the corporate computers. Start of these programs must be allowed. The administrator may occasionally add programs to the list or replace them with newer versions. To avoid manual updating of the category rules for the allowed distributions, place them into a folder and make the Administration Server automatically monitor the changes and add parameters of the detected files to the dedicated category. Afterwards, the administrator will only have to create one allowing rule for this category in the policy to allow start of all the used programs. III-17 Unit III. Security Controls You can also select to Include dynamic-link libraries (.DLL) in this category. If this check box is selected, Kaspersky Security Center will calculate checksums of DLL files and add them to the category along with executable files. It makes sense to care about DLL files because Windows permits starting processes from them through the rundll32.exe utility. Generally, some of the processes started from library files may be allowed, while others blocked. In this regard DLL files are similar to script files (*.js or *.vbs), which are not executable, but are started via the cscript.exe (or wscript.exe) utility, and can also be allowed or blocked. To include scripts into a category, select the check box Include script data in this category. Similar to other category types, you can use hash sums. If various KES versions are installed in the network, 10 SP2 and older, you can select both check boxes. Then the category will be larger, but will work for all Kaspersky Endpoint Security versions. Category based on a reference computer In addition to the repository of allowed program distributions, there may be a reference computer in the organization where all the programs used in the company are installed. Such a reference computer is usually necessary for creating images to be deployed on new computers. As a result of such a deployment, the operating system and all programs necessary for work are installed on the computer, and the whole process takes much less time than installing everything from distributions. The administrator periodically upgrades programs on the reference computer and updates the image accordingly. With this approach, it is logical to automatically make all programs installed on the reference computer allowed. For this purpose, you need to scan the computer, add all programs to a category, and then create an allow rule for it in the policy. This is what a category automatically filled with files from selected computers is designed for. Sometimes it is necessary to break down the files found on the reference computer into a few categories. For example, separate Windows files from those found among Program Files. In this case, you can configure a filter based on the folder where a file is located. The category will include only the files that are located in the specified folder of the reference computer. III-18 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management Unlike folder-based categories, where the changes are monitored by the Administration Server itself, with a computer-based category, the Administration Server relies on the detection of executable files by Kaspersky Endpoint Security. This means that a reference computer must be equipped with the Application Control component of Kaspersky Endpoint Security, which will draw up the list of executable files, and with Kaspersky Network Agent, which will send the data to the Administration Server. There will be more details on how this works later in this chapter. The administrator can specify the scanning interval, the same way as within a category filled from a folder. The detected files will be added to the category and will later be identifiable by SHA-256 (for the latest versions of Kaspersky Endpoint Security) or MD5 sums (for Kaspersky Endpoint Security 10 SP1 MR3 or earlier)—depending on the Kaspersky Endpoint Security version installed on the reference computer. Note: Unlike for a folder-based category, here you must select either SHA-256 or MD5 (depending on the Kaspersky Endpoint Security version installed on the reference computer). Which means that if Kaspersky Endpoint Security of different versions is installed in the network, you need to use two reference computers for a category A computer-based category will include the list of found files and SHA-256 or MD5 checksum of each file. III-19 Unit III. Security Controls What you can do with programs and categories after the initial configuration How to find out which KL category a file belongs to If the administrator wants to know which KL category includes a specific executable file, they can find this information either in Kaspersky Endpoint Security interface on the client computer, or in the Administration console. The local verdicts (which may vary slightly on different computers because of different database versions) are available in the Application Activity Monitor window. Information in the Administration Console can be used for troubleshooting as well as for planning the rules. This list of files is displayed in the Operations | Third-Party Applications | Executable Files. The administrator can view the attributes and KL category of each file. Since there can be a lot of files on the list (reported from all the computers in the network), search and filtering options may help finding the necessary one. The administrator can search for a file using a part of its name, or apply a filter and search by the values of various file attributes. III-20 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management You can use the list of executable files not only to view KL categories, file attributes and various statistics, such as when the file was first detected on the computers, but also to add or exclude the file to or from an administratordefined category. There is a button that adds the file to administrator-defined categories. You can add the file to an existing category or create a new one. And when modifying an existing category, you can either add the file to the inclusion conditions or to the exclusions. In all cases, the resulting condition will be based on the file’s SHA-256 or MD5 sum or certificate data. How to add a program to an existing category If the administrator notices something new when looking through the list of executable files detected on computers connected to Kaspersky Security Center, and decides to add the program to a category, he or she does not need to memorize its name and go to the container with program categories. You can simply select the necessary executable file or program and carry out the Add to category command. Then select how to add: To an existing category or create a new one. Where to add: You can add programs to categories or exclusions. The program will be added by hash sum or certificate with which its executable file is signed. III-21 Unit III. Security Controls How to find out which category a file belongs to Via the applications registry There are two handy lists in Kaspersky Security Center Administration Console: Applications registry and Executable files. When you need to do something with a specific program, it is logical to use the Applications registry. However, a program may have several executable files. Kaspersky Endpoint Security can be configured to work with individual executable files as well as with programs at the same time. Select the necessary program in the Applications registry, open its properties, and go to the list of executable files that correspond to this program. Via the list of all executable files The list of executable files that we can see on the Kaspersky Security Center Administration Server consists of all executable files detected by Kaspersky Security Center and Kaspersky Endpoint Security on all computers connected to this Administration Server. Meaning, this list can be very long. III-22 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management However, when you know what you are looking for, it is very handy. You can sort it by names, or use filters. Which other useful information is available about a file On which computers and when it was detected for the first time (but not how), when it undertook network activity for the first time, whether it is signed with a certificate. How to make sure that all files have been collected Where to enable sending information about found executable files Right after the installation, the Executable files container will be empty on the Administration Server. Gradually, when new clients are connected, new data will be sent to the Administration Server on the condition that the Application Control component is enabled in Kaspersky Endpoint Security 11.1. III-23 Unit III. Security Controls Important: If Application Control is disabled, data about executable files will not be transferred when applications start. Except for that, there is an option for sending information about found executable files; it is enabled by default. You can find it in the Kaspersky Endpoint Security policy: Application Settings | General Settings | Reports and Storage, the option About started applications. This check box enables sending information about running applications, as well as results of the Inventory task. Note: we recommend that you do not enable sending information about installed applications for all client computers; exclude, for example, weak computers or non-persistent virtual machines. How to view all executable files found on a computer There is a list of executable files in the properties of each managed computer. This list is supplemented by: 1. The Inventory task, which scans the client computers’ folders specified in it properties 2. Application Control which, when enabled, collects information about all executable files started on the client computers. III-24 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management Network Agent also gathers information about software, but only about installed applications, for which it scans the registry. Inventory task It is not created by default. This means that the list of executable files will include only those files that have been started on computers where the Application Control component is enabled. However, some files start very rarely. It may take a very long time until all executable files are intercepted and reported to the Administration Server. A faster way to detect files is by using an Inventory task. This is a Kaspersky Endpoint Security task, which can be created for a group or computer selection. With standard settings, the task searches for executable files in the following directories: — %SystemRoot% — %ProgramFiles% — %ProgramFiles(x86)% The list of folders is configurable. The information about discovered files is sent to the Administration Server and is available in the Web Console on the Operations | Third-Party Applications | Executable Files page. III-25 Unit III. Security Controls Unlike the monitoring components, this task can detect executable files within archives and installation packages. Select the Scan archives and Scan distributions check boxes. When executable files are being searched for, their checksums are calculated, which may slow down the computers. To reduce resource consumption, you can use the option to Scan only new and changed files. The information about changes is obtained using the iSwift technology and requires almost no calculations. Alternatively, you can schedule the task to run during nonworking time, or use the option that suspends scheduled scanning when the computer is being used and resumes it when screensaver is on and the computer is locked. 2.3 How to create control rules Application Control modes Note that Application Control is disabled by default in Kaspersky Endpoint Security starting with version 10 Service Pack 1. That is why the information about executable files is not sent by default. The first thing the administrator needs to do before configuring rules is to enable the component and select the mode: White list or Black list (for detailed information about these modes, see section 2.1 “How Application Control works”.) By default, right after you enable Application Control, the Notify mode will be used. It is recommended to test the rules first. Instead of real denies, only events will be sent to the Administration Server: Application startup prohibited in test mode or Application startup allowed in test mode. You can generate a report based on these events, analyze it, adjust the rules if necessary, and then switch them to the block mode. Later, to test new rules without interrupting those already applied, the administrator can add a rule with the Test status. After you make sure that the new rules do not interrupt useful applications, Enable them. Each rule (regardless of the selected mode, white or black list) can use one of the following three statuses: — On means that the Application Control component uses the rule. — Off means that the Application Control component does not use the rule. — Test means that Kaspersky Endpoint Security will always permit starting the programs to which this rule applies, but will send information about starting these programs to the Administration Server. III-26 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management The check box Control DLL and drivers enables you to restrict start of DLL libraries and drivers, but increases the load on the computer, and is recommended to be used only if it is really indispensable. For example, with rigid Default Deny. Application Control rules There can be as many rules as you wish; prohibition always has a higher priority. The black and white lists have different sets of rules. For example, if you first selected the Black list, added a rule, and then switched to White list, your rule will not be there. Each rule has the following parameters: — Category—an application category created on the Administration Server beforehand. A policy may contain only one rule for each category — Users and/or groups that are granted permission—the list of local or domain users and groups who are allowed to start the programs belonging to the selected category. If more than one entity needs to be specified, separate them with a semicolon (;) — There is a related option Deny for other users. When enabled, it automatically denies permission to all unlisted users. All versions of Kaspersky Endpoint Security earlier than 10 Service Pack 1 acted as if this III-27 Unit III. Security Controls option were always enabled. In Kaspersky Endpoint Security 11, this option is configurable and disabled by default. Unlisted users are granted or denied permission based on the rest of the rules — Users and/or groups that are denied permission—this parameter explicitly defines the list of users and groups who are prohibited from starting the programs — Trusted updaters—consider all programs of this category to be trusted updaters1 Denial has a higher priority than permission. For example, if a rule is configured to allow program start to all users and prohibit for the Tom user, this user will not be able to start the program according to this rule. The list of rules is initially empty for the black list mode; for the white list, it contains two system rules that cannot be deleted: — Trusted updaters—if this rule is enabled, the applications installed by trusted updaters will not be blocked even if there are no allowing rules for them. It is a special KL category2 that includes programs that download and install module updates, for example, Adobe Updater, Chrome Component Updater, etc. The rule is enabled by default, meaning, Trusted updaters are allowed. — Golden Image—contains the executable files necessary for the operating system, as well as executable files supplied with the system—various standard utilities and applications, To prevent Kaspersky Endpoint Security from accidentally blocking files important for the operating system The list lacks the up and down buttons, because the order of rules does not matter. When a program starts on a computer, Kaspersky Endpoint Security analyses all enabled rules together. Different rules regulate start of different application categories; but some programs may belong to several categories at once. If there is at least one rule according to which program start must be prohibited, it will be prohibited regardless of what the other rules say. If a program does not belong to any category, in the black list mode, it will be allowed, and in the white list mode, blocked. 2.4 How it will work How to find out what a particular user is prohibited from 1 2 This option is described in detail later in this chapter. This KL category cannot be selected when configuring program category conditions. III-28 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management There is the Static analysis button next to the list of startup control rules in the Kaspersky Endpoint Security policy. It opens the window where you can select a user or a group; in the right pane, the list of prohibited categories and blocked files will be displayed. Static analysis is available only in the MMC console. Local notifications and user requests When a program start is blocked on the client computer, Kaspersky Endpoint Security shows a pop-up notification so that the user is not confused about the reason for the application behavior. If the user needs this program for work, the pop-up notification permits sending the administrator a request to allow program start. The user should click the Request access link in the notification window and then click the Send button. The text of the pop-up notification, as well as the request to allow a program to start, can be modified in the Kaspersky Endpoint Security policy. You can use variables there, which provide information about a specific event, for example, the name of the blocked program, the computer where the event was registered, etc. III-29 Unit III. Security Controls User requests selection The standard User requests event selection contains the Application startup blockage message to administrator events registered over the last 7 days. The Application startup blockage message to administrator event is registered when a user sends a request to allow program start, and contains the request text along with the information about the computer, username and the program in question: Complete information necessary for the administrator to make a decision. It may happen that a user would need a program urgently. That is why, if the administrator rarely opens User requests, it might be worthwhile to configure email notification for the event Application startup blockage message to administrator. This will enable the administrator to process the requests as soon as possible. It is possible to use the request events to modify application categories. An event contains complete important information about the blocked file, including its SHA-256 (MD5 for older versions of Kaspersky Endpoint Security). The administrator can use the Add file to category link to immediately add the blocked file to an existing or a new category either as an inclusion condition or as an exclusion. III-30 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management Events Application Control generates five types of events: — — — — — Application startup allowed Application startup prohibited Application startup allowed in test mode Application startup prohibited in test mode Application startup blockage message to administrator By default, all the events except for Application startup allowed are transferred to the Administration Server. If the test mode is used for rules, it might be worthwhile to create a selection for the Application startup prohibited in test mode events. Report on blocked runs III-31 Unit III. Security Controls Based on the Application startup prohibited event, Kaspersky Security Center generates a Report on blocked runs, which shows the distribution of the number of blocked starts on the client computers by applications. Switch to the Details tab to consult information about all computers and programs detected by Application Control. Starting with Kaspersky Security Center version 10 SP2 MR1, you can generate a report on program starts blocked in the test mode. It will contain only events about blocked starts, regardless of the selected mode: Black list or White list. 2.5 Default deny mode Default deny is a scenario when Application Control prohibits devices from running any programs except those specified in allow rules configured in the white list of Application Control. The main difficulty when working in the white list mode (when the start of uncategorized programs is prohibited by default) is operating system malfunction, because the system files that are not explicitly allowed will be blocked along with other programs. That is why there is an allow rule for operating system files in the white list by default. For example, there can be a policy for using programs on the computers that are used as point-of-sale (POS) terminals. Only special programs must be allowed to start on them, and all unknown programs must be prohibited. III-32 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management Various configurations of allow rules are possible; it will be necessary to create one or several categories for system executable files and configure allow rules for them using one of the following methods: Use a reference computer with the operating system and allowed programs installed for creating an automatically filled category Use a directory with distributions of allowed programs for creating an automatically filled category To prevent blocking programs for which allow rules are configured after upgrades, use the standard rule Trusted updaters. This rule exists by default in the list and cannot be deleted; but it is disabled by default. When enabled, the programs downloaded and installed by the applications included in the Trusted updaters category will not be blocked even if the corresponding allow rules are not configured. The administrator can also manually assign the Trusted updaters flag to a category in the properties of an allow rule. For more details about configuring Kaspersky Endpoint Security to default deny, refer to course KL 032. III-33 Unit III. Security Controls Chapter 3. Device Control The main purpose of the Device Control is clear from its name. It enables the administrator to monitor various devices in the corporate network and, if necessary, prohibit using some of them. The Device Control component allows the administrator to enforce the corporate security standards, by specifying who, when and which devices can use on the computers. The rules may be applied to removable drives, printers, CD/DVD, non-corporate network connections, Wi-Fi, Bluetooth, etc. The most popular use case for this component is blocking USB flash drives. A user may bring an infected file from home; accidentally or deliberately, a user can take away files that are of commercial value for the company on a USB drive or other removable media. Users could also connect a workstation to the internet via a smartphone. Restrictions help prevent such problems. III-34 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management Different settings are available for different device types. The following storage devices boast the most flexible settings: — — — — Hard drives Removable drives Floppy disks CD/DVD drives You can specify the accounts allowed / prohibited to access the devices, you can permit only copying information from the devices and prohibit writing, or you can configure a schedule to allow access to devices only during business hours. Other device types can only be allowed or blocked, without any flexible settings. Wi-Fi devices deserve specific mention, but we will tell about them later. More globally, Device Control can block a connection bus completely, meaning, any devices that will be connected to a specific physical port of the computer will be inaccessible. Note: Keyboard and mouse cannot be blocked, they are not subject to Device Control rules. To protect against attacks when an infected USB flash drive pretends to be a keyboard, install and use a special component, BadUSB Attack Prevention. III-35 Unit III. Security Controls The Device Control component permits you to draw up a list of trusted devices that will always be accessible, regardless of the rules. Plus, you can specify the users who will be allowed to work with each specific trusted device. Also, the administrator will be able to grant temporary access to a prohibited device if a user needs to work with it. 3.1 What can be blocked and how Device Control is configured in Kaspersky Endpoint Security policy. From the component properties, you can open the rules for device types, connection buses’ settings, the list of trusted devices, or configure Anti-Bridging. Some devices can be allowed, but with limitations: You can explicitly specify the prohibition schedule, restrict only writing operations, or make exclusions for some users but not others. You can do that for: — — — — Hard drives Removable drives Floppy disks CD/DVD drives III-36 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management All other device types you can only disable completely: — — — — — — — — — — Printers Modems Tape devices Multifunctional devices Smart card readers Windows CE USB ActiveSync devices Cameras and scanners Smart card readers Portable devices (MTP) Bluetooth Access to Wi-Fi networks is special, we will tell about it later. Mobile phones, tablets, players and other portable devices may be treated either as portable devices (MTP) or as removable drives, if connected as external data carriers. The list omits image-processing devices (in particular, scanners). These can also be prohibited, but only by blocking their connection buses. Kaspersky Endpoint Security allows blocking connected devices by interface type (bus): — — — — — — USB FireWire Infra Red Serial Port Parallel Port PCMCIA The administrator can totally block, for example, all USB devices. Rules for devices have a higher priority. If the USB bus is prohibited, but removable drives are allowed, a USB flash drive will work correctly. By default, all devices work in the “Depends on bus” mode, and all buses are allowed. III-37 Unit III. Security Controls Additional options Kaspersky Endpoint Security allows blocking only those types of devices that are included in the list. This list cannot be edited to add new devices. You can flexibly restrict the use of removable drives, CD/DVD, hard drives, and floppy disks. The following options are available: What can be done: You can select to prohibit only reading or writing The list of accounts that are allowed to use the device type. You can select accounts from the domain to which the computer where the Administration Console is started belongs, or among local users if there is no domain. The rule will work on any computer where the policy is enforced. The Everyone universal account is always available. Operation types and access schedule. You can manage Read and Write permissions independently. The schedule is specified by hours and days of the week. For example, you can allow Read operations for removable drives each working day from 8-00 to 21-00 to Everyone, and Write operations only to the Administrators and only during business hours III-38 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management If several rules fit a user, the most restrictive of them will be applied. If a device is “allowed”, it means “always allow everyone to perform any operation.” You can combine the rules. For example, prohibit USB devices and removable drives, but make an exclusion for the administrators: allow them using USB flash drives during business hours. The changed policy comes into operation as soon as it is enforced. If, for example, removable data carriers are blocked while the user has plugged in a USB flash drive and has copied something there, it will become unavailable as soon as the policy is enforced and the next operation will be blocked. USB flash drive access log If USB flash drives are allowed at the company in principle, but the company does not welcome using them, you can configure logging access to USB flash drives. Then for each of the selected operations the corresponding event will be sent to the Administration Server, File operation performed. It will specify who (which account) copied or deleted a file. Unlike other events, this event will not be stored locally. By default, logging access to USB flash drives is disabled. To enable it, click the Logging button. It is available only for removable drives. You can select which operations to log (writing and/or deleting), and file formats: Text files Video files Audio files Graphic files Executable files Office files Database files Archives III-39 Unit III. Security Controls How to specify trusted Wi-Fi networks Device Control permits you to regulate access to Wi-Fi networks. Three actions can be taken when a device connects to a network: 1. 2. 3. Allow Block Block with exceptions— contains additional settings, which permit to draw up a list of trusted Wi-Fi networks based on network name, authentication type, and encryption type. A network is considered trusted only if all the specified parameters are matched. If network name is not specified, it may vary. Connecting corporate notebooks to public Wi-Fi networks is not always desired. You can use Device control to disable Wi-Fi. However, for notebooks, which the users may take home, it is not the most optimal solution. It will be more logical to use the option Block with exceptions, and specify trusted networks, for example, corporate and home. III-40 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management What Anti-Bridging does Device control includes the Anti-Bridging component, which enables the administrator to prohibit users from establishing two network connections simultaneously to prevent unauthorized bridges to the internal network that bypass perimeter protection. For example, a user’s computer is connected to the corporate network. The user has connected a Wi-Fi adapter to the computer and configured it to act as a wireless access point. This access point may be used not only by those for whom it was created, but also criminals who can use exploits for the adapter, bruteforce username and password, or employ other methods to bypass protection. As a result, the user’s computer will be compromised and criminals will have a stepping stone for further development of the attack vector. In this case, Anti-Bridging is a part of protection that stops criminals from gaining access to the internal network, because as soon as the user turns on the Wi-Fi adapter, Anti-Bridging will automatically disrupt all network connections, including access to the local network, and only the Wi-Fi network will be active. A similar threat to corporate network security may arise if a user’s notebook is connected to the organization’s network using a wired connection. The user may create a hotspot on the smartphone to bypass the organization’s protection solutions and connect the notebook to it over Wi-Fi. After that, accidentally or intentionally open a webpage that contains an exploit pack, which will compromise the notebook, and criminals will receive the capability to attack the organization’s internal network from the internet. In both cases, there are two networks—local and Wi-Fi—on the user’s computer, which is connected to the organization’s network. To eliminate simultaneous operation of two networks and give preference, for example, to a wired connection, the administrator is to turn On all controls in Anti-Bridging settings and give maximum priority to the network adapter. In this case, the user will not be able to turn on Wi-Fi network on a computer unless disables the wired network. The Anti-Bridging component is disabled by default; to enable it, in the Device Control properties, click the corresponding link and Enable Anti-Bridging in the window that opens. After Anti-Bridging is enabled, Kaspersky Endpoint Security will block already established connections according to the connection rules. The higher the rule on the list, the higher its priority. Anti-Bridging can block all connections except the one that has maximum priority. For this purpose, in the Anti-Bridging window, turn On all controls and define priorities for all devices: — Network adapter — Wi-Fi — Modem Note: If several wired connections are configured, only one of them will be allowed (arbitrary). If the Wi-Fi adapter is not connected to a network, it will not be blocked until the user tries to connect. III-41 Unit III. Security Controls 3.2 How to specify a trusted device If there are removable drives in the company that must be allowed always and everywhere, it might be worthwhile to make them trusted. Devices can be made trusted by their ID, a mask of ID or by model. Trusted devices are specified in the Kaspersky Endpoint Security policy, in the Device Control | Trusted devices. To make information about a device accessible in a policy, first connect the device to a workstation where Kaspersky Endpoint Security is installed with the Device control component enabled; then wait for the connection event to reach the Administration Server. III-42 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management Three options are available when adding trusted devices: — Devices by ID — Devices by model — Devices by ID mask The first two options allow you to select the device that you want to make trusted and its ID and model will be added to the list. The Administration Server must have the device in its database. If the Administration Server is unaware of this particular device you can’t make it trusted. The Devices by ID mask option allows you to type the device ID or a part of it. This doesn’t rely on the Administration Server knowledge of the device, only on the administrator’s knowledge of the device ID. Device ID can be found in the Windows Device Manager in the device properties on the Details tab. Look for the value of the Device Instance Path property. It looks somewhat like USBSTOR\DISK&VEN_&PROD_USB_FLASH_DRIVE&REV_1.01\574B17001160&0 When adding a mask, you can replace a part of the ID with ‘*’ or ‘?’ to make it applicable to multiple devices, e.g., ‘NEC*CDR??’. This helps when a company has a lot of devices with similar IDs that should be trusted. Adding a device by model can also help in this case, if all devices are from the same vendor and of the same type. There is also a Comment field when adding a trusted device, which the administrator can fill in to describe why this trusted device (or a group) is added. To add a device by model or by ID without typing it, connect the device to a managed computer with Kaspersky Endpoint Security installed. The Device Control component must be installed too. Then you need to wait for some time till the information about the device makes it to the Administration Server. To simplify the search for the necessary device, you can choose the device type and also specify the name of the computer where it is or was connected. Then click the Refresh button to display the filtered results. III-43 Unit III. Security Controls You can also import /export the list of trusted devices in XML format. This capability may come in handy, for example, when you need to edit the name of a trusted device displayed in Kaspersky Security Center interface, add many similar devices, save a backup copy of the list of trusted devices, or move the list to another server. Before adding the device, you can also restrict the list of users that will have access to it. You may want to have trusted devices, but you may not necessarily want everybody to have access to them. Perhaps only administrators should be able to use them. You can import or export the list of devices only in the MMC console. 3.3 How to configure interaction with users When the user attempts to connect a prohibited device, a pop-up notification is displayed. If notifications are disabled, the user might think that there is a hardware problem, contact the technical support, or even worse, try to “fix” it without assistance. The administrator can modify the notification text, for example, add the contact information of the person responsible for device access. III-44 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management Notification Templates are available in the Kaspersky Endpoint Security policy in the Device control settings. You can use variables in the notification text, for example, the name of the device or the blocked operation. If pop-up notification about blocking is enabled, it contains the Request access link, which can be neither disabled nor hidden. If the user sends a request, it will be sent to the server as a Warning event. Similar to the other control components, requests are displayed in a special selection named User requests. The administrator does not have to react to a request; but if they want to, they can, for example, configure the corresponding email notifications in the Kaspersky Endpoint Security policy. 3.4 How to configure temporary access III-45 Unit III. Security Controls Kaspersky Endpoint Security enables users to request temporary access to blocked devices. The procedure is as follows: 1. 2. 3. The user finds out that the necessary device is blocked Generates a request file for it in the Kaspersky Endpoint Security local interface Emails the request access file to the administrator 4. The administrator examines the request, and in the case of an affirmative answer, creates and sends the user a special access key Important: You can create a special access key only in the MMC console. 5. The user activates the received key. After this, the selected device (and only that device) becomes accessible for the time span specified by the administrator. The user cannot pause temporary access to use it later; and the administrator cannot remotely revoke temporary access It goes without saying that many users may believe that their devices are blocked by mistake, and will ask the administrator for temporary access. To avoid numerous requests, you can disable this capability: In the Kaspersky Endpoint Security policy, on the Device Control tab, clear the Allow request for temporary access check box. How can the user send a request to get access to a blocked device? In the local interface of Kaspersky Endpoint Security, click the button Settings, and go to section Security Controls | Device Control. Click the button Request access. The window that opens by default lists the currently connected devices, including blocked ones (to display all devices ever connected to the computer, apply the filter For the entire runtime). Select the device that you need to access, and click the button Generate request access file. Specify how long you will need to access the device (by default, 24 hours), click the button Save, and send the .akey file to the administrator. Note: If the administrator prohibits requesting temporary access, the button Request access appears dimmed. III-46 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management How to create activation code Temporary access is granted to a specific user for the specified device on the specified computer. That is why the key is generated using the client computer’s shortcut menu, neither in the policy nor in the group properties. Important: You can create a special access key only in the MMC console. A client computer can be conveniently found in the Administration Console by the Search utility. Then the administrator should open its shortcut menu and select the Grant access to devices and data in offline mode command. In the window that opens, switch to the Device Control tab and click the Browse button to select the .akey file received from the user. The Administration Server checks the file integrity and whether it belongs to the selected computer, and then displays the request. If necessary, the administrator can change the access duration and activation window. Both periods cannot be less than an hour or more than 999 hours. The default value for both is 24 hours. Then the administrator is to save the generated key into an .acode file and send it to the user. So, the key is generated for the exact device and the computer where the user generated the request access file. Any other devices will still be blocked; also, the device for which the access was granted will be blocked on other computers. The key is also bound to the username. Another user will not be able to access the same device on the same computer using this access key. If temporary access is activated by the user who requested it and another user logs on to the computer during the allowed period, they will not be able to use the device. III-47 Unit III. Security Controls How to activate temporary access In the same window where the request key was generated, the user clicks the Activate access key button, and specifies the received .acode file. The device can be used immediately. Neither restart, nor synchronization with the Administration Server is necessary. The key must be activated before the specified activation window expires, and the access duration countdown starts at the moment of activation. The device may be connected at any time (or even several times) during this period, or not connected at all. The access countdown cannot be paused. When temporary access is activated, a notification is sent to the Administration Server, but it is not included either in the selection of user requests, or in the report on Device Control events. 3.5 Monitoring Device Control III-48 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management Every time a user attempts to connect a blocked device, an event is sent to the Administration Server. It contains the time, name of the computer where the attempt was registered, bus or type of the device, its ID, operation and the account that initiated it. The event is named Operation with the device prohibited, it is Critical and is displayed in the selection of Critical events. If necessary, the administrator can make a separate selection for blocked device access attempts. The Operation with the device allowed event having the Info severity will be sent if a non-prohibited device is connected. The number of such events shows the use frequency of USB flash drives, local printers, scanners, removable drives, etc. All events, including requests, are stored on the server for 30 days by default. The Report on Device Control events provides the general view of the device control work. It displays a chart with the distribution of its responses by user names. By default, the report includes all actions—device connecting, disconnecting and blocking. To generate a report about device blocking only, leave only the Device connection blocked check box selected in the Settings section of the report properties. If necessary, the administrator can configure receiving daily email statistics about who and when tried to connect, for example, USB flash drives. Deliver reports task serves this purpose, which is described in Unit IV Maintenance. III-49 Unit III. Security Controls Chapter 4. Web Control The task of web control is to filter Internet access according to the internal policy of the organization. Usually it is used to block social networks, music, video, non-corporate web mail, etc. during business hours. If a user tries to open such a website, either a notification that the access is blocked or a warning about an unwelcome website can be displayed, depending on the settings in the policy. Web Control operates similarly to firewalls. The administrator creates a set of blocking and allowing rules. The rule properties include addresses or content types, user accounts, schedule, and the action. Only HTTP and HTTPS traffic is scanned. Web Control is configured in Kaspersky Endpoint Security policy. The rules are applied in the order specified by the administrator, and a page is processed according to the first applicable rule. There are two default rules, which also regulate the operation mode: — Allow all except the listed rules—the Black list mode — Deny everything except the listed rules—the White list mode III-50 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management By default, the Allow all universal rule is used and nothing is blocked. Each rule has a name and the following attributes: — Rule status — Active — Inactive — Action — Allow — Block — Warn — Filtering type — By content categories — By types of data — List of addresses — Apply to all addresses — Apply to individual addresses and/or groups — Users — Apply to all users — Apply to individual users and/or groups — Schedule III-51 Unit III. Security Controls 4.1 Blocking criteria First, access can be denied or allowed by site address. The administrator can explicitly specify the URLs to be blocked, or use the * wildcard to block sites by address masks—for example, *.fm or *shop*. Kaspersky Endpoint Security can also analyze webpage content (over HTTP) and classify pages to the following categories: — Online stores, banks, payment systems — Shops and auctions — Banks — Payment systems — Internet communication — Web-based email — Social networks — Chats and forums — Blogs — Dating sites — Religions, religious associations — Job search — Weapons, explosives, pyrotechnics — News media — Software, audio, video — Torrents — File sharing — Audio and video — Anonymizers — Banners — Profanity, obscenity — Violence — Computer games — Adult content — Alcohol, tobacco, narcotics — Gambling, lotteries, sweepstakes The content can also be categorized by data types: — Video — Sound — Office files — Executable files — Archives — Graphic files III-52 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management The administrator can restrict access to any category or data type, but cannot edit or add the lists of categories and data types. Filtering by category and type can be combined within a rule: For example, you can block office files and archives received by web mail. Sites are categorized using the database of known addresses (pc*.dat files in the updates folder), and heuristic analysis of page content. URL reputation can also be requested from Kaspersky Security Network. Data types are hard-coded in Kaspersky Endpoint Security and include the following file types: Category Category contents Executable files Win32 PE—exe, dll, ocx, scr, drv, vdx, and other extensions of Win32 PE files Microsoft Installer Archive—msi Video Adobe Flash Video—flv, f4v Audio/Video Interleave—avi MPEG4 ISO format—3gp, 3g2, 3gp2, 3p2 MPEG4—divx, mp4, m4a Matroska—mkv Apple Quicktime—mov, qt Microsoft Container—asf, wma, wmv RealMedia CB/VB—rm, rmvb MPEG2 (DVD) format—vob VCD (MPEG 1)—dat, mpg Bink Video—bik Sound MPEG-1 Layer 3—mp3 Lossless Audio—flac, ape OGG Vorbis Audio—ogg Advanced Audio Coding—aac Windows Media Audio—wma AC3 multichannel audio—ac3 Microsoft Wave—wav Matroska Audio—mka RealAudio—rm, ra, ravb MIDI—mid, midi CD digital Audio—cdr, cda Office files Open XML documents—docx, xlsx, pptx, dotx, potx, and others Office 2007 macro enabled docs—docm, xlsm, pptm, dotm MS Office documents—doc, xls, ppt, dot, pot Adobe Acrobat—pdf Archives ZIP archive—zip, g-zip 7-zip archive—7z, 7-z RAR archive—rar ISO-9660 CD Disk—iso Windows Cabinet—cab Java (ZIP) archive—jar BZIP2 archive—bzip2, bz Graphic files JPEG/JFIF—jpg, jpe, jpeg, jff GIF—gif Portable Graphics—png Windows Bitmap (DIB)—bmp Targa Image File Format—tif, tiff Windows Meta-File—emf, wmf Post-Script Format—eps Adobe Photoshop—psd Corel Draw—cdr III-53 Unit III. Security Controls Let’s mention some specifics of Kaspersky Endpoint Security types and categories: The type is defined by the file format rather than extension. Data types inside archives are not checked—if executable files are prohibited while archives are not, archived executable files will be allowed PDF documents are included in the Office files category. Therefore, if this category is blocked, some sites that use pdf may display incorrectly In old versions of Kaspersky Anti-Virus (6.0.x), Anti-Banner was implemented as a separate component. In Kaspersky Endpoint Security, you can block banners with the corresponding content category in Web Control Flash videos in SWF format can be blocked only by extension mask—usually it is *.swf 4.2 Configuring exclusions and trusted servers Sometimes a site can be blocked by mistake. For example, a corporate portal can be recognized as a social network, or online trainings can be blocked because of video files. In this case, it is easier to create an allow rule instead of creating a separate group with a special policy. You can configure an allow rule giving access to some categories or data types located on the specified servers. To have such a rule applied before the blocking rules, place it higher on the list. The organization policy can even prohibit the Internet during business hours and allow only the corporate site. An exclusion can be made only for the IT department. In this case, the administrator creates the general rule: During business hours, deny everything to everybody. Then adds two allow rules above it: The first allowing any content to the IT department employees, and the second allowing everybody to access the corporate site. III-54 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management 4.3 Diagnostics and testing When there are many rules, it is sometimes difficult to monitor which of them were applied and why. For this purpose, Kaspersky Endpoint Security has an offline diagnostics tool for Web Control. To use it, first enforce the policy on a workstation, and then open the local Kaspersky Endpoint Security interface on that workstation. Then switch to the Settings tab, select Web Control, and click the Diagnostics button. It opens the window where you can specify the conditions of a presumed request: — — — — — Select categories Select data types Specify day and time Select accounts Type site address (the * wildcard is allowed) and get the web control verdict with the list of rules applicable to these conditions. For example, the administrator can check whether access to a personal home mail server of an employee is blocked by the rule that blocks web mail. On the other hand, if users complain that they cannot access an allowed site, you can find out which rule works incorrectly. III-55 Unit III. Security Controls 4.4 Configuring interaction with users If Web Control blocks a part of page contents, the user may overlook it. If the page is completely forbidden, a replacement page with the Web Control message will be displayed: either a warning that access is undesired, or a message about blocking. If the site is just undesirable (a Warning rule has been triggered), the user can proceed to the page by clicking one of the links in the warning message: The link to the specific page that was requested, the link that enables access to all pages of the website, or all pages of the website and its sub sites (meaning, *.amazon.com/* rather than only www.amazon.com/*). If the site is blocked by Web Control, there are no links to proceed, access is completely denied. There is also a Request access link in Web Control messages to disagree with the policy and request a policy change to be able to access the blocked website freely. Requests are sent to the Administration Server as events and fall into the User requests selection. III-56 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management Notification Templates are available in the Kaspersky Endpoint Security policy in the Web control settings. When editing, you can use variables. III-57 Unit III. Security Controls There is the Email address field in the webpage request template in case the Administration Server is inaccessible. In this case, a request will be sent to the server in an email message rather than event. 4.5 Web Control statistics When Web Control blocks access or warns that the access is unwanted, it simultaneously sends the corresponding event to the Administration Server: Access blocked with Critical severity, or Warning about unwanted content with Warning severity, respectively. In both cases, an event contains the access time, site URL, applied rule, computer name, user account and Web Control verdict. If the rule was created for a category or data type, they are also specified. Note: Web Control independently processes each object of which the site consists. That is why, for example, when graphic files are prohibited, blockage of each little image generates a separate event. Therefore, an attempt to access a forbidden site can result in sending hundreds of events, which does not necessarily signify that the user browses the Internet day and night. That is why these events are not transferred to the Administration Server by default. III-58 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management If a user ignores the warning about undesired access and opens the site, the Access to unwanted content successfully attempted after warning event with the Warning severity is sent to the server. 4.6 Web control report Reports come in handy for regular control and general information. It provides aggregate statistics on the number of warnings and blockages for each rule. Allowing rules are not included. III-59 Unit III. Security Controls Chapter 5. Adaptive Anomaly Control A new Adaptive Anomaly Control component has appeared in Kaspersky Endpoint Security 11.1. The component contains a set of activity patterns (heuristics), which are updated together with antivirus databases. These patterns describe most common behaviors characteristic of malware that may indicate possible attempts to compromise security. On the other hand, some of these activities may be legitimate for a specific computer or group of computers. For example, PowerShell run from another program is quite an ordinary event on an administrator’s or developer’s computer. Obfuscated PowerShell scripts may also be used for automating various tasks at a company. The administrator is to instruct Adaptive Anomaly Control which activity is typical for a specific computer and which is not; that is why the component works in the training mode (Smart Mode) for two weeks by default. During this time, it monitors activities, informs the administrator about them, and it is the administrator (rather than the component) who makes the decision whether a specific activity is normal for a computer. Training in Smart Mode goes independently for each rule on each computer; meaning, on some computers it will complete sooner, while on some others, later. Note: Unlike other control components, Adaptive Anomaly Control needs at least KESB Advanced license. III-60 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management 5.1 How to configure Adaptive Anomaly Control The Adaptive Anomaly Control component is installed and enabled by default; however, it works in the Smart mode. Adaptive Anomaly Control is configured in Kaspersky Endpoint Security policy. From the component’s properties, you can open its reports and the list of rules. Adaptive Anomaly Control uses rules (activity patterns), which are supplied together with antivirus databases, meaning, are updatable. The rules comprise several categories: — — — — Activity of office applications Use of Windows Management Instrumentation (WMI) Activity of script engines and frameworks Abnormal program activity When the administrator opens the rules, there is the message that updates are to be approved. On the one hand, the approval does not influence the component’s operation, rule matches will be controlled anyway. On the other hand, the administrator will not be able to create an exclusion unless clicks Approve updates first. III-61 Unit III. Security Controls If a new rule is added later, the update approval message will appear again to draw the administrator’s attention. Rules have the following settings: On/Off status, Smart/Block/Notify operation mode, and exclusions. You can explicitly specify the Block or Notify mode for each rule; by default, the Smart mode is enabled. The Smart Training mode is tightly related to Kaspersky Security Center and the administrator’s actions. As we already mentioned, the component learns for approximately two weeks after the installation; during this time, nothing is blocked, but information about matched rules is sent to Kaspersky Security Center. In an ideal situation when there are no matches in these two weeks, it means that the behavior described in the rules is not typical for the computer. Adaptive Anomaly Control switches to the Smart Block mode and if a non-typical activity is detected, it will be blocked. If some rules are matched during the training period, the respective events appear in Operations | Repositories | Triggering of Rules in Smart Training Mode on the Administration Server, which require the administrator’s attention. III-62 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management When an event arrives, the administrator is to process it. The administrator can confirm the verdict or add the activity to exclusions. — Confirm means that the administrator agrees that this behavior is suspicious and illegitimate — Exclude means that the administrator considers this activity to be normal and wants to create an exclusion for it in the respective rule Why process events? What if the administrator ignores them? Event processing influences only the duration of the training mode. Adaptive Anomaly Control needs about 14 days to complete training. If the administrator does not process events, the counter will be reset every time when a new event arrives. If the server receives no verdicts in 14 consecutive days, Adaptive Anomaly Control will switch to the Smart Block mode. Adaptive Anomaly Control may get looped in eternal training if a rule is matched regularly (at least once every 14 days), but the administrator does not process it. If the administrator pays enough attention to the events and processes them in a timely manner, the counter will not be reset and training will complete in two weeks. Training goes on individually for each rule on each computer and information about confirmed verdicts is stored locally on the computers; each rule has its own training duration counter. Important: The Adaptive Anomaly Control component cannot decide whether a behavior is typical on its own. For Adaptive Anomaly Control, any activity that matches a rule is non-typical, and only the administrator can tell that a suspicious activity is legitimate. For this purpose, add the activity to exclusions within the rule that detects this activity. In the Block mode, Adaptive Anomaly Control operates on the default deny principle, meaning, a nontypical activity will be blocked until the administrator creates an exclusion for it. Exclusions are added to the Kaspersky Endpoint Security policy and apply to all computers where it is enforced. The main parameters of exclusions are: — — — — — User Source process Source process hash Target process Target process hash It should be noted that the same system processes will have different checksums on different operating systems, and an exclusion created from an event logged on one computer may not be applicable to others. In this case, you need to either create additional exclusions, or adjust the current one, for example, remove the checksum and leave only the path to the process. III-63 Unit III. Security Controls 5.2 Configuring interaction with users When non-typical activity is detected, a pop-up notification is displayed. If notifications are disabled, the user might think that something is wrong with an application or the operating system, contact the technical support, or even worse, try to “fix” it without assistance. The administrator can modify the notification text, for example, add the contact information of the person responsible for device access. Notification Templates are available in the Kaspersky Endpoint Security policy in the Adaptive Anomaly control settings. If pop-up notification about blocking is enabled, it contains the Request access link, which can be neither disabled nor hidden. 5.3 Adaptive Anomaly Control statistics III-64 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management If the user sends a request, it will be transferred to the server as a Warning event. Similar to the other control components, requests are displayed in a special selection named User requests. The administrator does not have to react to a request; but if they want to, they can, for example, configure the corresponding email notifications in the Kaspersky Endpoint Security policy. Every time when a rule is matched in the Block, Smart Block, or Notify mode, Adaptive Anomaly Control sends the corresponding Critical or Information event to the Administration Server. In any case, an event contains the rule name, description of the suspicious activity with processes and checksums, name of the user, computer name, date, and time. The administrator can study an event and if the activity is legitimate, add an exclusion to the Kaspersky Endpoint Security policy for the Adaptive Anomaly Control component right from the event. For this purpose, select the event and carry out the Exclude from Adaptive Anomaly Control command. If several policies are configured for Kaspersky Endpoint Security, the wizard will prompt you to select the necessary one. Adaptive Anomaly Control has two types of events: — Process action skipped—Information — Process action blocked—Critical III-65 Unit III. Security Controls The former event is generated if an Adaptive Anomaly Control rule is matched in the Notify mode. The latter, if an Adaptive Anomaly Control rule is matched in the Block or Smart Block mode. If Adaptive Anomaly Control is used in the network, we recommend that the administrator creates an individual selection for its events. All events, including requests, are stored on the server for 30 days by default. 5.4 Reports about Adaptive Anomaly Control operation Reports come in handy for regular control and general information. Adaptive Anomaly Control has two types of reports: — Report on Adaptive Anomaly Control rules state — Adaptive Anomaly Control report The former shows in which mode a rule works. By default, an aggregate chart displays how many rules are operating in each mode. The Details tab provides particularized information about rules’ status on each specific computer. Also, this report is the only place where you can see which rules have switched from the Smart Training mode to Smart Block. III-66 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management The Adaptive Anomaly Control report shows which rules have been matched and in which mode: Block or Notify. The Summary tab shows an aggregate chart for rule matches; and the Details tab, detailed information for each computer. If a rule switches to the Smart Block mode, information about its matches will also be included in the report. IV-1 Unit IV. Maintenance Unit IV. Maintenance Chapter 1. How to maintain protection ......................................................................... 3 Chapter 2. What to do daily ............................................................................................ 5 2.1 How to create a custom dashboard ......................................................................................................................... 6 How to answer all questions at a glance................................................................................................................ 6 How to fill the dashboard with statistics ................................................................................................................ 7 How understand that important protection components are disabled in the policy ............................................... 8 2.2 How to email reports............................................................................................................................................... 9 Which reports to email ......................................................................................................................................... 10 How to create a custom report ............................................................................................................................. 11 2.3 How to email notifications .................................................................................................................................... 12 Where to enable notifications............................................................................................................................... 12 Where to modify the addressee and the mail server ............................................................................................. 13 About which events you need to know .................................................................................................................. 14 Chapter 3. What to do if something has happened ...................................................... 16 3.1 What to do with malware ...................................................................................................................................... 16 Where to learn about threats................................................................................................................................ 17 How to find computers with threats ..................................................................................................................... 17 How to understand what has happened to the threats ......................................................................................... 18 How to find computers with non-disinfected threats ............................................................................................ 19 How to scan critical areas ................................................................................................................................... 20 How to isolate a computer and eliminate an active infection .............................................................................. 20 How to reset virus counter ................................................................................................................................... 22 3.2 What to do if Kaspersky Endpoint Security does not work .................................................................................. 22 Where to find out that KES does not work ........................................................................................................... 23 How to start protection remotely ......................................................................................................................... 24 3.3 What to do if databases are outdated .................................................................................................................... 26 Where to find out that databases are out of date ................................................................................................. 27 How to find out whether a computer has an update task ..................................................................................... 28 How to find out whether the Server has an update task ....................................................................................... 30 Where to specify proxy server parameters ........................................................................................................... 32 How to disable automatic assignment of distribution points ............................................................................... 33 How to check whether KSN is used ...................................................................................................................... 33 IV–2 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals 3.4 How to check the client-server connection ........................................................................................................... 34 How to distinguish powered off computers .......................................................................................................... 34 What to do if a computer has not connected for a long time ................................................................................ 35 How to make a computer connect to the Server ................................................................................................... 36 How to reconnect a computer to the Server ......................................................................................................... 37 3.5 How to contact technical support .......................................................................................................................... 38 When and how to contact technical support......................................................................................................... 38 How to remotely collect Windows and GetSystemInfo logs ................................................................................. 39 How to remotely collect trace logs ....................................................................................................................... 40 How to collect logs locally ................................................................................................................................... 40 How to send a request to technical support ......................................................................................................... 42 Chapter 4. What to do from time to time ...................................................................... 43 4.1 How to install program updates ............................................................................................................................ 43 Program update types .......................................................................................................................................... 43 Where to find out that an update has been issued ................................................................................................ 44 How to install only approved updates .................................................................................................................. 44 How to find out that a new version has been released ......................................................................................... 46 4.2 How to renew a license ......................................................................................................................................... 48 When to renew a license ....................................................................................................................................... 48 How to find out that the license expires ............................................................................................................... 49 How to find out that the number of activations is exceeded ................................................................................. 50 How to switch over to a new license .................................................................................................................... 51 How to replace the active license ......................................................................................................................... 53 4.3 How to configure backup ...................................................................................................................................... 54 Why back up? ....................................................................................................................................................... 54 How to configure backup ..................................................................................................................................... 55 How to restore from a backup .............................................................................................................................. 56 How and why maintain the database.................................................................................................................... 57 4.4 Maintenance: Summary ........................................................................................................................................ 58 IV-3 Unit IV. Maintenance Chapter 1. How to maintain protection After you have installed Kaspersky Endpoint Security and Network Agent on the computers, created the necessary policies and tasks, and configured them as necessary, you need to monitor the system to make sure protection works, and react to incidents. To keep protection working, you have to perform routine maintenance; some things have to be done often, and some infrequently. Most of the actions are obvious, but we will tell about them nevertheless, just in case. What to do daily Check the most important things. What to check Why so often There are no unprocessed threats on the computers You install protection to repel threats. Kaspersky Endpoint Security blocks most of them automatically. But if protection cannot handle the threat, you should be informed about this as soon as possible and neutralize it manually. The longer a threat is active, the more damage it can do. This is obvious enough. Protection is installed and works on the computers If protection does not work, you do not know whether there is malware on the computer. And the longer protection does not work, the more chances that malware infects the computer. What to do weekly Solve issues that affect protection. If time permits, do it daily; otherwise, solve secondary issues weekly. What to check Why so often The computers have the latest signature databases Almost all protection components use signatures to detect malware. If signatures are old, Kaspersky Endpoint Security will not be able to detect new viruses. The older the signatures, the greater the risk. If signatures are two days old, it is bad, but not critical. And if they are two months old, it is almost as dangerous as if protection was not running at all IV–4 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals Protection uses Kaspersky Security Network Kaspersky Security Network informs about known malicious files and helps to detect them even if signatures are obsolete. Moreover, Kaspersky Security Network informs about new malicious files earlier than signatures are issued for them. Without Kaspersky Security Network, protection works not so well. But still works and protects against most of the threats. What to do monthly Perform preventive maintenance on the Administration Server. What to check Why so often Make sure that you can recover the Server from a backup copy You spent quite a lot of time to install protection. If you lose the Administration Server because of a hardware failure, you will have to spend almost as much time to install and configure protection once again. Backup copying can prevent this. The crucial point about backup copying is that making a copy is not enough. You must verify that you will be able to restore the configuration. Spend half an hour per month for maintenance to make sure that you do not find yourself in a critical situation with a misconfigured backup from which you cannot restore data. Optimize the Administration Server database If the database is not optimized, eventually it grows in size and becomes fragmented. You will have to spend more time generating reports or displaying a computer selection, especially in a large network or if the resources are scarce on the Administration Server (to be more precise, database server, but it is often the same computer). What to do quarterly Install updates and patches. What to check Why so often If there are any updates or patches for Kaspersky Lab products Kaspersky Security Center patches and Kaspersky Endpoint Security maintenance releases are issued approximately once every quarter or two. They correct errors, improve performance and sometimes add new functions that are important for protection. You do not need to put much effort into installing patches, but do not forget to test them beforehand. What to do yearly Renew the license and install new versions. What to check Why so often The license has not expired and the node limitation has not been exceeded Commercial licenses are typically issued for 1 year. Without a license, protection keeps working, but the update task stops downloading signatures and Kaspersky Endpoint Security stops using KSN. Eventually, protection will be affected. Whether there are any new versions of Kaspersky Lab products New versions or service packs are issued once every year or two. They correct errors, improve performance, and also change settings and products’ operation logic. New technologies, components, interception methods, etc. appear in new versions or service packs. If an old version is not updated for too long, it will not be able to fight the latest threats even with up-to-date signatures and KSN. A few years after release, a version’s support ends. IV-5 Unit IV. Maintenance Chapter 2. What to do daily During a daily inspection: 1. Find out which threats Kaspersky Endpoint Security has detected since your last inspection. If you perform inspection daily, you can focus on detections in the last 24 hours. 2. Check whether Kaspersky Endpoint Security has neutralized all threats. If there are unprocessed threats, remediate them immediately. 3. Check whether protection works on all computers. If protection is not running or is not installed, run or install it. Find out why it has happened. To save time, configure the console to be able to quickly learn what you need about threats and protection. IV–6 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals 2.1 How to create a custom dashboard How to answer all questions at a glance Kaspersky Security Center console provides a lot of information: — — — — — — — Reports Events Computer statuses Computer properties Statistics of installed applications in computer properties Repositories Task logs However, these sources are either insufficiently clear as, for example, lists of events, or cannot be reviewed all together as reports. To get a general idea of the overall protection status, open the Monitoring & Reporting | Dashboard page of the Web Console. The administrator selects which charts to show, which chart types to use and how to organize them. To save time, customize the Dashboard and add to it web widgets that inform about: — — — — — — — Protection status Types of detected viruses and disinfection results New devices Network attacks History of network attacks Types of detected viruses and disinfection results And other important data of your choice, for example, signature versions Types of web widgets are hardcoded, but abundant and can answer most of your questions. IV-7 Unit IV. Maintenance How to fill the dashboard with statistics By default, the Dashboard includes 7 web widgets devoted to various network status aspects: Protection status, New devices, Threat activity, Most frequent threats, Most heavily infected devices, Threat detection. Usually, a web widget contains a chart with a legend or a table. By default, they represent events from all managed computers over the last 24 hours. The administrator can narrow the scope or change the period in the Properties window, which opens with the button. The dashboard consists of several web widgets. The administrator can add, delete and move web widgets on the dashboard, modify their settings and representation. Overall, there are more than 25 types of web widgets grouped into five categories for the administrator to choose from. To modify dashboard contents, click Add or restore widget. IV–8 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals In the web widget settings, depending on its type, you can modify the time interval for the displayed data and select the computers whose data will be shown. There are only two options for the computers: Either an administration group, or computers from a specified selection. You can also modify chart type and appearance in the web widget settings. The web widgets’ capability to display the history of changes over the specified period can be useful. For example, you can view how many viruses were detected during each hour of the last day. These data may help to select the threshold for the Virus outbreak event. Reports lack this capability. How understand that important protection components are disabled in the policy Starting with Kaspersky Endpoint Security version 11, there is a protection level indicator in the policy interface, which helps the administrator to evaluate the level of threat prevention, and provides a hint which components should be enabled to improve it. For example, if administrator enables all Essential Threat Protection and Advanced Threat Protection components in the policy, but (by mistake or intentionally) disables a critically important component Behavior Detection, which pinpoints threats by analyzing software activities (in particular, it can detect complex threats such as ransomware). Once the Behavior Detection component is disabled, Protection level indicator will immediately turn red and show the status Low protection level. The following information will appear to the right of the Protection level indicator after the settings are saved: Some of the recommended protection components are disabled, and a link Learn more. If you click it, the Recommended protection components window will open, which allows you to enable the recommended components to maximize threat counteraction. If the administrator ignores the caution and clicks Save in the policy window, Kaspersky Security Center will display an information window and suggest that you fix the settings. Protection level indicator can have one of the following values: — High protection level. The indicator turns green if the following components are enabled: — Critical File Threat Protection; Behavior Detection; Exploit Prevention; Remediation Engine. IV-9 Unit IV. Maintenance — Important Kaspersky Security Network; Web Threat Protection; Mail Threat Protection; Host Intrusion Prevention — Medium protection level. The indicator turns yellow, if an important component is disabled. — Low protection level. The indicator turns red if: — One or several critical components are disabled; — Two or more important components are disabled. 2.2 How to email reports Some of the administrators open the Console only when they need to find out or configure something, and prefer to be informed about issues by email. This way they use a single tool, mailbox, to learn about issues of various subsystems instead of opening a dozen of various consoles. Kaspersky Security Center can email notifications and reports. Reports that show what is happening in the network better fit daily inspections. Notifications inform about specific threats that need immediate attention. To receive reports by email, use the corresponding task: 1. Select the Monitoring & Reporting | Reports tab and click New report delivery task 2. If a task of this type has already been created, the Web Console will inform you about it. To reconfigure it, open the properties of the Deliver reports task and switch to the Application settings tab. 3. If there is no task of this type yet, the Console will start the report delivery task creation wizard 4. Select the types of reports that you want to receive. The task shows all report templates available on the Reports tab. However, those are not all of the report types that Kaspersky Security Center can create. If some reports are missing, create them beforehand on the Reports tab in Monitoring & Reporting. 5. Select the format (html, xls, or pdf) in the task parameters. IV–10 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals 6. Select the action to be applied to reports: Reports can be emailed and/or saved to a folder. 7. Switch to the Schedule tab and select when to receive reports. To select where to email reports, in the task properties, open the Application Settings tab, and in the Action to apply to reports area, select the checkbox Send report by email; then click the Settings button. Specify the recipient’s address and message subject. Check the sender’s address and mail server parameters in the Administration Server properties. Note: Unlike its MMC counterpart, the Quick Start Wizard of the Web Console does not create a report delivery task automatically even if you specify the mail server in it. Which reports to email For daily inspections, you will need reports that show threats and protection status: — Threats: — — — — Viruses (over the last day) Network attacks (over the last day) Phishing attempts (over the last day) Host Intrusion Prevention rule triggered (over the last day) — Protection — Protection status — Anti-virus database usage — Errors (over the last day) All pre-configured reports available on the Reports tab either do not have any period, or show events over the last 30 days by default. 30-day reports are not very useful for daily inspections. It is difficult to understand what has changed since yesterday. You need to create one-day reports manually. Delete all the reports you are not going to use. For example, reports about encryption errors if you do not have an encryption license. IV-11 Unit IV. Maintenance How to create a custom report How to create a report over the necessary period of time Formally, the Reports page contains report templates, which describe report type and parameters, rather than reports themselves. The Administration Server generates reports from templates when emailing them, or when the administrator clicks the button Show report. To create a report (report template): 1. On the Reports tab, click the Add button 2. Name the report comprehensibly, for example Threats report over the last day 3. Select the report type. There are more than 50 types of reports in Kaspersky Security Center 4. Select a scope for the report. A report can cover a group, individual computers (a list), or a computer selection. Most of the reports should cover the whole network; for this purpose, select the All networked devices scope. 5. Select the reporting period. For the daily reports, specify one day Template settings also include the list of information fields to constitute the report tables. Some fields contain insignificant information and can be deleted not to overload the report. For example, the Virtual server field makes little sense in a report if virtual Administration Servers are not used in the network1. How to create a report about events The administrator can use information field settings in a report template to create complex filters for the events to be included in the report. Allowed values can be specified in the field properties. For example, for the Detected object field, you can specify the malware name. As a result, you will get a report based on the events related to The ‘Virtual Administration Server’ or ‘Virtual server’ terms that may be encountered in the reports should not be confused with Administration Servers running inside a virtual machine. These two usages of the word “virtual” have almost nothing in common. If your 1 Administration Server runs in a virtual machine, it is still an ordinary Administration Server, not a virtual server. Virtual servers in the reports and other parts of the Console are something else entirely. Virtual Administration Servers are described in course 302. IV–12 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals the specified malware only. Similarly, the administrator can view protection status or virus activity on the computers with the specified version of the protection software, even if these computers belong to different groups. For example, there is no report type to display all phishing attempts. Instead, you can use an Event report: 1. 2. 3. 4. Create a new report template of the Event report type Open the template properties and switch to the Fields tab Select the Event field and click Edit Select the Filter check box and in the Filter value field, type *Dangerous link* This is a part of description of events informing about blocked phishing attacks. This way, you will receive a report that shows the number of such events. In addition to filtering by field value, you can change sort order: Ascending, descending, or unsorted. 2.3 How to email notifications Where to enable notifications Event storing parameters are specified in the policies of Kaspersky Endpoint Security and Network Agent, and also in the Administration Server properties, on the Event configuration tab. The events are grouped by four severity levels: Critical, Functional failure, Warning, and Info. The severity level is a permanent attribute of an event, it cannot be modified. Each program has its own events with their default settings. An event has three storage settings: — On the Administration Server—meaning, in the server database This storing method is enabled for most critical and error events, as well as for many warning and some info events. The default lifetime of Kaspersky Endpoint Security and Network Agent events is 30 days for all events (naturally, except for the events whose storage is disabled). The Administration Server events’ default lifetime depends on their severity levels. For Information events, it is 30 days; for Warning, 90; and for Critical and Error, 180. IV-13 Unit IV. Maintenance You can export events of the Administration Server and other Kaspersky applications installed on the managed devices to a SIEM system. For this purpose, select the check box Export to SIEM via Syslog (standard RFC 5424). — In the OS event log on device—makes sense only for the Network Agent events. Kaspersky Endpoint Security already has this capability in the settings of local event processing. — In the OS event log on Administration Server—similarly to local Kaspersky Endpoint Security events. If the Administration Server becomes inaccessible, the administrator will be able to find information in the Windows log. — When the specified lifetime is over, events are automatically deleted from the Administration Server database (but not from Windows logs, which have their own settings). Increasing the lifetime will also increase the number of events stored in the database, and this will affect the time required to process operations on events. On the other hand, when the administrator decreases event lifetime, the maximum reporting period also decreases. To be informed about important events, configure notifications. This is configured in the properties of every particular event type that you want to be notified about. Kaspersky Security Center supports four notification channels: — — — — Email SMS Running an executable file or script SNMP Notifications help to draw the administrator’s attention to the most important events. By default, notifications are not sent. To start receiving notifications, open the event properties and select notification methods. Where to modify the addressee and the mail server By default, all events are delivered with the same parameters, which are specified in the Administration Server properties. To send different notifications to different addresses or with different text, open the event properties and disable the option Use Administration Server settings. After that, change the recipients’ addresses, text template and other notification parameters. At first, email notification delivery parameters are specified in the Quick Start wizard. You can also modify them later, in the Notification section of the General tab in the Administration Server properties. IV–14 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals Email notification delivery parameters include: — — — — — Recipients—email addresses separated by semicolons SMTP server—name or IP address SMTP server port Use DNS MX lookup Text of the notification message These parameters are sufficient if the selected SMTP server does not require authorization. The recipient address is also used for the sender address, and the subject of the sent notifications is made of the event severity level and its type, for example, Critical event: Threats have been detected Additionally, you can configure the following: — — — — Message template subject Authorization username and password Sender address Specify a certificate for SMTP server authentication When configuring the notification subject and text, you can use macros, which will be replaced by the corresponding event attributes in the notifications: — — — — — — — — — — — %SEVERITY%—event severity level %COMPUTER%—the sender computer %DOMAIN%—Windows domain %EVENT%—event %DESCR%—event description %RISE_TIME%—event time %KLCSAK_EVENT_TASK_DISPLAY_NAME%—task name %KL_PRODUCT%—program %KL_VERSION%—version number %HOST_IP%—IP address %HOST_CONN_IP%—connection IP address About which events you need to know It is up to the administrator to decide about which events to receive notifications. However, prime candidates are events about active threats and potentially successful attacks. IV-15 Unit IV. Maintenance Event What does it mean? Active threat detected. Advanced Disinfection should be started The malicious file is not running on the computer, but Kaspersky Endpoint Security cannot terminate it. The user or the administrator must confirm starting the Advanced Disinfection procedure Malicious object detected (KSN) A malicious object was detected using a request sent to KSN rather than signatures. This means that it is a new threat, and the administrator should carefully monitor what is happening in the network. Maybe even switch to a policy with stricter protection settings Previously opened dangerous link detected Information that the link is dangerous has appeared only after a user opened it (data about previous actions is stored in the KSN cache and Remediation Engine’s logs). The user could have downloaded and started new malware Process terminated Malware was running on a computer. Although Kaspersky Endpoint Security terminated it, it could have done harm Network attack detected If the attacking computer is located within the network, it may mean that it is infected with unknown malware, or that protection does not work there Host Intrusion Prevention rule triggered If you have configured Host Intrusion Prevention to protect documents against ransomware, these events will inform when unknown programs try to edit or delete the user’s documents All these events pertain to Kaspersky Endpoint Security. Configure the respective notification settings in the Kaspersky Endpoint Security policy, on the Event configuration tab. The last event is an Info event. The others are Critical events. Some events (including important) may occur too frequently to send a notification for each of them. For example, the Threats have been detected event during a virus outbreak may invoke tens and hundreds of notifications. To make each notification draw your attention, limit the number of notifications. For this purpose, in the Administration Server properties, open the Notification section and click the link Configure numeric limit of notifications. Set the limit as the maximum number of notifications over a time span. As soon as the limit is reached, notifications are suppressed until the specified period is over. If new events are received afterwards, the limit is counted anew. The same limit is used for all notification types, but applies individually to each event type. E.g., if notifications for the Threats have been detected event hit the limit, notifications for other event types will not be affected. IV–16 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals Chapter 3. What to do if something has happened 3.1 What to do with malware If no new events about threats have appeared on the computers over the last day, you do not need to do anything. But what to do if there are some events? First of all, find out what has happened to the detected threats. If Kaspersky Endpoint Security deleted, disinfected, or blocked a threat, you do not need to do anything. Just reset the virus counter on the computer to be able to see when new threats appear. If malware is not treated or removed, act according to a plan. Prepare the plan beforehand. A typical plan may include the following steps: — Run the critical areas scan task to understand whether the computer is infected — If a computer is infected or you suspect that it may be infected with unknown malware: — — — — — Isolate the computer from other computers in the network Disable the policy using the password Raise the heuristics level and enable Advanced Disinfection technology Check integrity of Kaspersky Endpoint Security by a local task Perform full scan on the computer If this does not help, restore the computer from an image. If all computers are installed from images at the company, and the users’ data are stored in the network rather than on the computers, restoring from an image may be the first step of your plan to save time. If you find suspicious files during an investigation, send them to Kaspersky Lab for analysis via the portal companyaccount.kaspersky.com. Also, invite internal or external experts if you suspect a targeted attack against your organization. IV-17 Unit IV. Maintenance Where to learn about threats You can find out that viruses have been found from events, reports, statistics and computers’ statuses. Next to statistics, statuses draw your attention first of all. Threat detection and their processing results define the computer status in the Administration Console: OK, Warning or Critical. This allows the administrator to easily notice problematic computers when looking through the groups. The Many viruses detected status tells that viruses were found on the computers. This status is related to the virus counter parameter. Every time malware is detected on the computer, the counter increases its value by 1. The counter value is transferred to the Administration Server during the synchronization. The status is activated if the virus counter value exceeds the specified threshold. By default, the Many viruses detected status is disabled. To enable the status to show the computers where malware was found, open the properties of the Managed devices node. Switch to the Device status tab and activate the status Too many viruses detected. To make computers receive the Warning status and be displayed yellow, activate the status in the Warning section. To make computers receive the Critical status and be displayed red, activate the status in the Critical section. To paint computers yellow when there are a few viruses on them, and red when the number of viruses exceeds, say, 5, configure different thresholds for the status Many viruses detected (select the status and click the Edit button). How to find computers with threats If at least one of the managed computers receives either There are active threats or Many viruses detected status, the global Protection status also changes on the Dashboard. The statuses OK, Warning , and Critical are links. If you click the Critical status, the selection of devices that have the corresponding status will open. All statuses behave this way on the Dashboard page. In the selection,you can find out why the device has received the corresponding status. A selection is a dynamic set of computers selected by an attribute. There are standard selections on the Administration Server, which show computers with various statuses. For example, There are active threats and Many viruses detected You can take group actions on the computers joined into a selection, for example, start update and search tasks, move into a group, etc. So, selections are very useful when dealing with the computers having a problem status. IV–18 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals How to understand what has happened to the threats The Threats report shows statistics of processing the malware detected on the managed computers: How many objects were treated, how many blocked (by Web Threat Protection), how many deleted and how many still remain unprocessed. It also shows the number of dangerous objects whose processing results are unknown. These statistics are available for each type of malware. The Threats report can show which malware KES detected, and using which technology. To be able to see this information, add the By KSN verdict column to the Details table. You can also add the Detection technology that pinpointed the malicious code and SHA-256. For this purpose, in the properties of Threats report, open the Fields tab, click the Add button, and select the necessary data in the Field name list. Report on most heavily infected devices and Report on users of infected devices may also come in handy. If some computers have been infected considerably more than others, it might be worthwhile to find the reason and take appropriate measures. Network attacks are not included in the Viruses report. To see the big picture of all attacks, consult the Network attack report. It shows which attack types were detected, and more importantly, the IP addresses of the attacking computers. Knowing the address, the administrator can investigate the incidents and better solve the problem. IV-19 Unit IV. Maintenance The Network attack report is not created by default. To view it, create a new template on the Reports tab. In addition to reports, check computer events to understand how Kaspersky Endpoint Security copes with threats. Events show what was happening simultaneously with threat detection, whether there were other threats or errors in components’ operation. To understand where a threat ended, always check the last event about it. It is normal for Kaspersky Endpoint Security to first inform that it cannot disinfect a file, and in a second, report that the file was deleted successfully. How to find computers with non-disinfected threats You do not have to study reports and events to be able to understand whether any computers are infected. Usually, if Kaspersky Endpoint Security cannot neutralize a malicious file, it informs the server about this using the status There are active threats. This status is enabled by default and is displayed on the web widget Types of detected viruses and disinfection results. It gives computers the Warning status, and is displayed on the Dashboard page. This status is assigned to computers where malware programs were detected and were not cured. The Active threats category can be comprised of widely different objects. It can be a virus in memory, which actively counters the attempts to delete it. Or it can be an infected object on a network drive where Kaspersky Endpoint Security has no Write permission to disinfect or delete the file. When a user accesses a malicious file in a shared folder on a file server, the protection solution installed on the server may block access and delete the file. Meanwhile, the protection software installed on the user’s computer detects the threat at the same time, but cannot delete the file from the folder and informs that there is an unprocessed threat, although in reality it has been processed on the server. This is a reason for paying attention anyway, since malicious files must not appear in shared folders, and you need to find out how it got there. To reset computer status, neutralize the detected objects. If an object cannot be neutralized, as in the described situation with malware in a shared folder, delete the record about the unprocessed object from the list of unprocessed objects: 1. In the Web Console, open the Operations | Repositories | Active threats page 2. Find the file in the shared folder and carry out the Delete command on it IV–20 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals How to scan critical areas If many viruses or a previously opened malicious link have been detected on a computer, or a malicious process has been terminated, it may mean that the computer can still be infected. To scan a computer for known threats, run critical areas scan there. There are a few ways to achieve this. The one which is always available is as follows: 1. 2. 3. Open the computer properties Open the Tasks tab Find the task Critical Areas Scan and run it Critical Areas Scan is a local task, which is available in each installation of Kaspersky Endpoint Security. Local means that it is displayed only in the computer properties, but is not shown in groups or in the Tasks node. This makes it less useful. To start it on several computers, you have to open their properties one by one. You can also use the group Virus Scan task, which has to be created manually. However, it will scan all computers, and why slow down the computers where there are no threats? To quickly scan critical areas on those computers where threats have been detected, make a virus scan task for specific computers or the corresponding computer selection. How to isolate a computer and eliminate an active infection Usually, even if malware is running, Kaspersky Endpoint Security can terminate it. Host Intrusion Prevention, Behavior Detection, and Exploit Prevention components are responsible for this. File Threat Protection does not scan programs in the memory. If a computer is infected and Kaspersky Endpoint Security cannot stop malware, use the Advanced Disinfection technology. This technology is disabled by default, because it blocks start of all programs and restarts the computer, which would hamper the users. The user can agree to perform the Advanced Disinfection procedure and take the risk of losing data, or refuse to start the procedure and leave the computer infected. Anyway, it should be the administrator who makes the decision rather than the user. IV-21 Unit IV. Maintenance If you suspect that a computer is infected, it is best to reinstall it from the image. If it is unacceptable or impossible, try to disinfect the computer: — Disconnect the computer from the corporate network — Disable the policy using the command Disable policy on the shortcut menu of KES icon To use this command, enable password protection in the Kaspersky Endpoint Security policy — Open Kaspersky Endpoint Security window and click Settings — Go to General Settings, Application Settings and select the check box Enable Advanced Disinfection technology — Run a Virus scan task: Return to the main window of Kaspersky Endpoint Security and click the Tasks area — If Kaspersky Endpoint Security finds a threat and prompts you to perform a special disinfection procedure, agree With Advanced Disinfection technology enabled, Kaspersky Endpoint Security does not permit new programs to start, scans memory, takes more aggressive methods when terminating processes, tries to delete malicious files at restart IV–22 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals — Restart the computer, connect it to the Internet and update the signatures — Scan the whole computer once again How to reset virus counter After all threats have been neutralized, reset the virus counters on the computer. The virus counter can only increase without interference from outside, and the only method of changing this status is to manually reset the counter. For this purpose, open the computer properties: On the General tab, in the Protection section, there is the button Reset virus counter. 3.2 What to do if Kaspersky Endpoint Security does not work IV-23 Unit IV. Maintenance If protection does not work, it may be caused by various reasons. Before contacting technical support, please make sure that: The Network Agent is installed on the computer The user could have uninstalled Network Agent; then the Console would show the last data which the Agent had sent to the Server. Reinstall the Agent and protect it from the user: Set an uninstallation password Kaspersky Endpoint Security is installed on the computer The user may have uninstalled Kaspersky Endpoint Security. Reinstall it and protect from the user: Set a password A policy is applied to the computer A computer may belong to a group without a policy, or a Kaspersky Endpoint Security version for which there is no policy on the server can be installed on the computer. Create policies in all groups and for all used versions of Kaspersky Endpoint Security Policy settings are locked If the locks are open, the user can modify parameter values and potentially can disable components or even start of Kaspersky Endpoint Security. Close the locks for all important parameters in the policy Password protection is enabled If password protection is not enabled, the user can exit Kaspersky Endpoint Security even without administrative permissions After you’ve checked for trivial causes, look at the errors. If Kaspersky Endpoint Security will not run because of failures, collect diagnostic logs and contact the technical support of Kaspersky Lab. Where to find out that KES does not work The following computer statuses may mean that protection does not work: Security application is not installed This condition is enabled by default for the Warning and Critical statuses Real-time protection level differs from the level set by the administrator It is disabled by default. You can set one of the following values: Stopped, Paused, Running Protection is disabled This condition is enabled by default for the Critical status Security application is not running It is enabled by default for the Critical status IV–24 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals The status Real-time protection level differs from the level set by the administrator, although disabled by default, is more useful than the status Protection is disabled. The status ‘Protection is disabled’ does not show what is wrong: The application is malfunctioning or the user has exited it. The status Real-time protection level differs from the level set by the administrator shows this difference. We recommend that you enable the condition Real-time protection level differs from the level set by the administrator for the Critical status and select the Running value for it. There are standard computer selections for the statuses Protection is disabled and Security application is not installed. The administrator can create custom selections for other statuses. The status Security application is not running is always accompanied by the status Protection is disabled, but not the other way around. If Kaspersky Endpoint Security works, but all protection components are disabled, the computer’s status will be Protection is disabled without the status Security application is not running. Protection is considered to be running in Kaspersky Endpoint Security if at least one of the protection components works. Even if it is only Mail Threat Protection To understand that components have not started on the computer because of a failure, consult the Errors report or an event selection. To check all errors: — Open the Monitoring & Reporting | Event selections tab — Tick the checkbox next to the Functional failures selection and click Start. To understand which components are running on a computer, open the Tasks tab in the computer properties. Components are listed among other tasks and the list shows which ones are running and which are not. How to start protection remotely How to start protection on a single computer The Protection is disabled status is one of the most critical protection statuses. To solve this problem, carry out the command for the Network Agent to start Kaspersky Endpoint Security on the Applications tab of the computer properties. If individual components are not running, you can start them on the Tasks tab. IV-25 Unit IV. Maintenance How to start protection on a few computers Another method of starting Kaspersky Endpoint Security—the Start or stop application task. This task is an advanced task of Kaspersky Security Center that can be created for groups or specific computers. A group task is convenient if the Virus outbreak event is registered—it can start protection on all network computers, in case the protection is stopped somewhere. A task for specific computers can better serve the purpose of rectifying the Protection is disabled status. To create a task that starts Kaspersky Endpoint Security: 1. Run the task creation wizard on the Devices | Tasks tab 2. Select Kaspersky Security Center and task type Start or stop application 3. Specify the devices to which the task is to be assigned—Selection 4. Specify the computer selection Protection is disabled 5. Select the Kaspersky Endpoint Security versions that need to be run and the command Start application IV–26 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals 3.3 What to do if databases are outdated If protection does not work, it is very bad. However, if it works with old signatures, it is not any better. Pay attention to computers that have old signatures, update them and find out why the signatures have not been updated. First, solve trivial issues. Check the following: The computers have an update task This task is created by default. However, when groups and tasks become numerous, it may turn out that some computers do not have an update task for the necessary version of Kaspersky Endpoint Security Task schedule If the administrator created update tasks manually, he or she may failed to set a schedule for them by mistake Task source Within the network, the Kaspersky Security Center source must be specified The Administration Server has a “Download updates to the repository” task It is created by default, but may have been deleted by mistake Schedule and source of the “Download updates to the repository” task It is created by default, but may have been deleted accidentally, or its schedule may be misconfigured The Administration Server can access the selected source Probably, the internet is accessible only through a proxy server, but its address and authentication data (username and password) are not specified or need to be updated After that, check for update task errors. If errors result from Kaspersky Endpoint Security failures, collect logs and contact the technical support. Specifically consider whether you need distribution points. They are not of much help in a small network, and complicate diagnostics. The Administration Server automatically assigns distribution points by default. You can disable this. IV-27 Unit IV. Maintenance Where to find out that databases are out of date The web widget Distribution of antivirus databases on the Dashboard page provides the most important information about the databases in use. If everything is fine, the web widget will display a green pie chart and the time when the latest updates were downloaded to the server repository. If there is an issue, a part of the chart will become yellow or red and the value of the corresponding counter will increase. Database statuses displayed in the web widget are links that open the respective device selections: — — — — — Devices with up-to-date databases Devices with databases updated in the last 24 hours Devices with databases updated in the last 3 days Devices with databases updated in the last 7 days Devices with databases that have not been updated for more than 7 days More detailed information about the databases in use and computers with issues is available within the appropriate reports. The Database usage report shows the number of computers where databases are 1-day old, 3-day old, 7, and more. If the databases became obsolete on the computer not because it was off, but because of update task errors, the administrator would need to view update task events to find out the reason. The events sent to the Administration Server are often insufficient for thorough analysis of the situation. The local update report of Kaspersky Endpoint Security usually contains more events. Computer statuses inform about old signature databases. Computers with old databases receive a Warning or Critical status depending on how old their databases are. The status criteria are configured in the group properties. By default, the Warning status is given to the computers whose databases are 7 or more days old, and Critical is assigned after 14 days. To understand why the computer status is not OK, consult the Status description column of the Devices | Managed devices page, or the Protection section of computer properties. To view detailed information about the signatures and, specifically, the last update date, open the properties of the Kaspersky Endpoint Security program on the Applications tab of computer properties. IV–28 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals How to find out whether a computer has an update task Updates from the Administration Server repository are distributed to the client computers by group update tasks. To ensure coverage of all managed computers, the update task must be created as a group task within the Managed devices group. The Quick Start wizard creates this type of task: Install update. If computers are combined into groups and the optimal updating procedure is different for various groups, you can create a customized update task for each group. If both parent and child groups have tasks of the same type, the computers of the child group will run both tasks. This will most likely result in errors, since if an update task is already running, another one cannot start. To avoid that, either delete the task in the parent group or disable its scheduled start or exclude the subgroups that have their own tasks from the parent group task scope. Note: If earlier or other Kaspersky Endpoint Security versions (for example, Kaspersky Endpoint Security for Mac or Kaspersky Security for Windows Servers) are used in your network, they need separate update IV-29 Unit IV. Maintenance If there are many groups in the Web console, and different versions of Kaspersky Endpoint Security are installed on the computers, it is hard to immediately understand whether all computers have update tasks. If signatures are outdated on a computer, to understand whether it has an update task: 1. Open computer properties and switch to the Applications tab 2. Memorize the complete name of Kaspersky Endpoint Security, including the Service Pack version 3. Go to the computer’s group 4. Switch to the Tasks tab 5. Look for a task that has the Update type and Kaspersky Endpoint Security version coincides with that displayed in the computer properties If there is no such a task, create it in this group or in a parental group. Try to create as few tasks as possible. One update task per each version of Kaspersky Endpoint Security created in the root group Managed devices is often sufficient. Schedule Each product update task has a specific schedule and settings, including: — — — — The list of update sources Update parameters The settings used to copy updates to a specified folder The list of subgroups on whose computers the task will not run The standard schedule for the Kaspersky Endpoint Security update tasks is When new updates are downloaded to the repository. Unlike a periodical schedule when Kaspersky Endpoint Security defines the start time and starts the task regardless of whether the Administration Server can be reached or not, the When new updates are downloaded to the repository schedule means that the task is always started by the Administration Server command. The Administration Server sends a ‘wake up’ call to UDP port 15000 of all affected client computers that there are new settings for them. The port is listened to by the Network Agents, and upon receiving the call the Agents connect to the Administration Server and download whatever new settings are available. Upon connection to the Server, IV–30 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals the Agent receives the command to start the task and transfers it to Kaspersky Endpoint Security, which carries it out. If the ‘wake up’ call doesn’t reach some computers, they will receive the command during a planned synchronization performed every 15 minutes by default (the period is defined in the Network Agent policy). The schedule When new updates are downloaded to the repository guarantees that the client computers will receive updates as soon as possible and without calling the server every now and then. Alternatively, a simple periodical schedule can be used (for example, once an hour). To prevent serious peak loads on the update source and the network at the moment of task start, randomization of the task launch within a certain interval is used. E.g., if the 5-minute interval is selected, the computer will begin the next scheduled update after a random delay ranging from 0 to 5 minutes. By default, the Administration Server automatically defines the randomization interval depending on the number of computers the task pertains to. The administrator can also specify it manually. If signatures are outdated on the computers, check the update task schedule. If the schedule is set to Manually, weekly or monthly, change it to When new updates are downloaded to the repository or Once every N hours Source To specify the list of sources, open the task properties and switch to the Application Settings | Local mode tab. Updates can be retrieved from the following sources: — Kaspersky Security Center—the recommended source for all managed computers. Moreover, the most natural source for the When new updates are downloaded to the repository schedule — Kaspersky Lab update servers—the recommended source for the computers outside the corporate perimeter or a backup source if the specified Administration Server is not accessible. However, the administrators often prefer the computers to wait for the Administration Server connection rather than create extra Internet traffic — Local or network update folder—another option for backup update sources. You can specify an HTTP or FTP address instead of a shared folder. For example, if there are several Administration Servers in the network (this case is described in course KL 302 Kaspersky Endpoint Security and Management: Advanced Skills), HTTP addresses of update folders located on other servers can be used as backup sources A task can have several different sources organized in a list. If the first source turns out to be inaccessible, the task will attempt to download updates from the next. Updates are retrieved from the Administration Server by the Network Agents. With the update servers of Kaspersky Lab or other FTP or HTTP locations, updates are downloaded by Kaspersky Endpoint Security without the Agent. If signatures are outdated on the computers, check the update task source. Select the Kaspersky Security Center source. If you want to use a folder or FTP server, make sure that updates are accessible at this address, and the computers can access the files In the update task properties you can configure copying updates into a separate folder. This mode can be used for creating an update source in small networks or subnets without their own Administration Server. In larger networks, distribution points are used to create intermediate update sources. The Administration Server assigns distribution points automatically (for more details, refer to course KL 302 Kaspersky Endpoint Security and Management: Advanced Skills.) How to find out whether the Server has an update task The task that updates the Administration Server repository is named Download updates to the repository. The Quick Start wizard automatically creates this task. You can find it in the console, on the Devices | Tasks tab of the <Administration Server name> group. IV-31 Unit IV. Maintenance If databases are outdated on the computers, check whether the Administration Server has an update task. Open the Devices | Tasks tab within the Administration Server and look for the Download updates to the repository task You can have only one task of this type. If it is present already, the task creation wizard doesn’t allow creating another one. However, it is possible to delete the automatically created Download updates to the repository task and create a new one for troubleshooting. The settings of that task include the schedule, the update sources, connection parameters, the list of updates to be downloaded and a few additional options. Since there can only be one such task, it is recommended to schedule it to run regularly at small intervals ranging from 15-20 minutes to several hours. The default value is 1 hour. The following update sources are possible: — Kaspersky Lab update servers—a list of FTP and HTTP servers officially maintained by Kaspersky Lab. These servers are located in various countries worldwide to ensure high reliability of the update procedure. If the task cannot connect to a server, it will try contacting the next one in the list. The list of servers is downloaded together with the other updates — Master Administration Server—this option is used if there are several Administration Servers and they are connected in a hierarchy (described in detail in course KL 302 Kaspersky Endpoint Security and Management. Advanced Skills) — Local or network folder—an update source created by administrators. You may specify not only a network folder, but also an FTP or HTTP address The task can have several different sources organized in a list. If the first source turns out to be inaccessible2, the task will attempt to download updates from the next. 2 The Kaspersky Lab update servers source is considered to be inaccessible if none of known servers are available. IV–32 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals Where to specify proxy server parameters Where to specify proxy server parameters for the Administration Server You may need to specify the proxy server parameters for the Administration Server update source. All sources would share the same proxy server. If some sources are accessible without it, enable the Do not use proxy server option in their properties. The proxy server is not specified by default. The Quick Start wizard prompts for the proxy server parameters. To specify a proxy server later: 1. In the Administration Server properties, open General | Configuring Internet access 2. Specify the proxy server address, port and authentication parameters: User name and password These settings will be used for downloading updates and for KSN requests. Where to specify proxy server parameters for the computers If an FTP or HTTP server address is selected in a computers’ update task and it is accessible via a proxy server, specify the proxy server parameters in the Kaspersky Endpoint Security policy. Open the properties of policy on the Application Settings tab, select the General Settings section and click the link Network settings. By default, an automatically detected proxy server is used. This means that Kaspersky Endpoint Security will take the proxy server settings specified in the Internet options in Windows Control Panel. The administrator can explicitly specify the address, port and account for authentication. IV-33 Unit IV. Maintenance How to disable automatic assignment of distribution points Distribution points are additional update sources in a network. Any computer where the Network Agent is installed can act as a distribution point. The Administration Server automatically selects the computers to which it assigns the distribution point role. The administrator can disable automatic allocation and assign distribution points manually. Automatically selected distribution points multicast update files and you cannot disable multicasting. Network administrators often do not like uncontrollable traffic in the network. Also, in a small network of a few hundred machines, the Administration Server can cope with updates alone, without distribution points. To disable automatic assignment of distribution points: 1. 2. Open the Distribution points section in the Administration Server properties Select Manually assign distribution points With this option selected, the administrator can manually specify the computers to be assigned distribution points. For more details about distribution points, please refer to course KL 302. Advanced Skills. How to check whether KSN is used Kaspersky Security Network learns about new malicious files quicker than update tasks. If computers have no access to KSN, they are more likely to get infected. How to find out that computers have no access to KSN If Kaspersky Endpoint Security has no access to KSN, it informs the Administration Server about this via the event KSN servers unavailable. To quickly find all computers that have no access to KSN, create a custom computer selection. By default, Kaspersky Endpoint Security accesses KSN via the Administration Server service named Kaspersky Security Network proxy server. The service accepts connections on TCP port 13111. If computers cannot access KSN, make sure that: — The service Proxy server Kaspersky Security Network is running on the Administration Server — Port 13111 is not closed by a firewall IV–34 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals — 3.4 How to check the client-server connection How to distinguish powered off computers In a large network, computers are almost never turned on simultaneously. Some are off at any moment in time. They differ by the icon in the console: Powered off computers have a red triangle icon with an exclamation mark in the Visible in the network column. Also, check the columns Network Agent is installed, Network Agent is running, and Last connected to the Administration Server. If the Agent is not running, and the last connection was established long ago, do not pay attention to the computer protection status, it can be inaccurate. IV-35 Unit IV. Maintenance What to do if a computer has not connected for a long time If a computer remains powered off for a long time, Administration Server assigns one of the following two statuses to it: Network Agent has been inactive for a long time By default, computers receive this status in 14 days. You can change this in the status settings, in the properties of the Managed devices node This status means that the Network Agent has not connected to the Server all this time, and the Server was not able to connect to the computer during the full network poll either Device has become unmanaged This status means that the Network Agent has not connected to the Server, but the Server connected to the computer during the full network poll If a computer has the status ’Network Agent has been inactive for a long time’, investigate what has happened. If the computer does not exist anymore, delete it from the group and then once again from the Discovery & deployment | Unassigned devices node. If its owner is on vacation, do nothing. IV–36 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals If employees may not connect to the network for a long time (months), increase the period after which the Administration Server automatically deletes computers from groups (60 days by default). Open the properties of the Managed devices group, switch to the Settings tab, and in the Device activity section, change the value of the parameter Remove the device from the group if it has been inactive for longer than (days). Or disable this parameter at all, if employees may work out of office for an indefinitely long time. To enable computers to connect to the Administration Server, to receive settings, and inform about threats when outside the office, configure access to the Administration Server ports from the Internet. How to do it is described in course KL 302 Kaspersky Endpoint Security and Management: Advanced Skills How to make a computer connect to the Server If the computer has the status Not connected for a long time, make sure that: — Network Agent is installed — Network Agent is running If the user has uninstalled the Network Agent, configure password protection in the Network Agent policy. If the Agent is installed and running, check its settings. Use the utility klnagchk.exe from the Network Agent’s folder %ProgramFiles(x86)%\Kaspersky Lab\NetworkAgent: — Run the command line interface (cmd.exe) as an administrator — Go to the Network Agent’s folder — Start the klnagchk.exe utility When run without parameters, the utility outputs the Network Agent settings, tries to connect to the Administration Server with these settings, publishes the result, and finally outputs the connection statistics. During the test connection, the Agent neither checks whether new settings are available on the server nor sends its data to the server. To make the Agent synchronize with the Server, carry out the command klnagchck.exe –sendhb This command must be executed locally on the client computer. IV-37 Unit IV. Maintenance The Web Console also has commands for checking connection to a computer: Check device accessibility (This command is available only in the MMC Administration Console) Verifies the computer status Visible in the network against the Administration Server database. Does not try to connect to the computer, and therefore adds nothing to what the computer icon shows Force synchronization (Device properties, the General tab, section General) Sends a signal to UDP port 15000 of the computer. How to reconnect a computer to the Server If the Network Agent has incorrect Server connection parameters, modify them using the utility klmover.exe that is located in the same folder of Network Agent: — Run the command line interface (cmd.exe) as an administrator — Go to the Network Agent’s folder — Run the utility klmover.exe with the parameter –address and Server address: klmover.exe –address 10.28.0.20 If the Server’s port is non-standard, add the parameter –ps and the port number. To fix incorrect connection parameters remotely, reinstall the Network Agent. Before that, check the settings of the Network Agent package. If an Agent has incorrect parameters, they may also be incorrect in the package. IV–38 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals 3.5 How to contact technical support When and how to contact technical support If Kaspersky Endpoint Security does not work or works differently from what the administrator has configured, and simple measures cannot help, contact the tech support. To receive an answer quicker, collect all logs and attach them to your request: — — — — Kaspersky Endpoint Security logs Trace logs of Kaspersky Endpoint Security around the moment when the issue arises Windows logs GetSystemInfo log—information about the computer To contact the technical support: 1. 2. 3. 4. Create a request at https://companyaccount.kaspersky.com Select the product and functional area Describe the steps that result in the issue Attach the logs You can collect logs locally on the computer, remotely using the Kaspersky Security Center remote diagnostics utility, or via the MMC Kaspersky Security Center console. IV-39 Unit IV. Maintenance How to remotely collect Windows and GetSystemInfo logs To collect logs remotely, connect to the computer using the remote diagnostics utility: 1. Start the utility from the Kaspersky Security Center folder in the Start menu. 2. Specify the target Device and the Administration Server address 3. Click the Sign In button 4. To receive information about the computer, click the link Load system information in the upper-left corner of the window 5. To receive Windows logs, select the log and click the link Download event log… in the upper-left corner of the window Download Kaspersky Event Log and any other logs that contain events concerning the issue The diagnostics utility saves the files in a folder on the desktop. Open it using the link Download folder in the lower-left corner of the window. IV–40 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals How to remotely collect trace logs To collect trace logs using the diagnostics utility: 1. 2. 3. 4. 5. 6. Select Kaspersky Endpoint Security in the tree Click the link Enable tracing on the left, do not change the trace level, and click OK Reproduce the steps that demonstrate the issue Click the link Disable tracing in the diagnostics utility Expand the folder Trace files under Kaspersky Endpoint Security Select files one by one and download them using the link Download file on the left If the problem does not pertain to Kaspersky Endpoint Security or not only to it, collect trace logs of Network Agent, Administration Server, Updater component in a similar manner. When you close the diagnostics utility, it will ask whether to delete the download folder. Do not delete the folder until you send the logs to the technical support. How to collect logs locally IV-41 Unit IV. Maintenance Sometimes, an issue can be easier reproduced locally on the computer. In this case, collect the logs locally, too. To collect information about the system, download the GetSystemInfo utility from the getsysteminfo.com website. Run it and save the log in a folder. The utility also collects information about the system and Windows logs, and you will not have to add them manually. To collect the trace logs: 1. In the Kaspersky Endpoint Security window, click the button Support 2. In the Support window, click the link System tracing 3. On the drop-down list, select is enabled; in the list that will appear, select level Normal (500), and click OK (You can select traces with rotation. In this case, you will be able to limit the maximum number of trace files and the maximum size of a trace file. If the number of trace files reaches the limit, the oldest file will be deleted to free space for a new one.) 4. Reproduce the issue 5. Disable tracing: select is disabled 6. Collect the trace logs from the folder %ProgramData%\Kaspersky Lab\ The file name includes the creation date and time, select the latest logs How to locally enable trace logs for Kaspersky Security Center components is explained in the article http://support.kaspersky.com/9323 IV–42 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals How to send a request to technical support When you have all logs at hand, contact the technical support: 1. Log on to the website companyaccount.kaspersky.com If you have no account, sign up: Specify your email and license for Kaspersky Lab products (the activation code or key file) 2. Click the button New request and select Make a request for Tech Support 3. Select the protection scope, product, version, operating system, request type and subtype 4. Type the request subject: Define the problem briefly 5. Describe the issue: The steps that result in it, which result you expect, and which get instead 6. Attach the archive with all logs IV-43 Unit IV. Maintenance Chapter 4. What to do from time to time 4.1 How to install program updates Program update types Except for signature updates, which are issued continually, there are program updates, which are released much rarer: New versions Are released once every few years, introduce new capabilities, components, settings, etc. Are installed by Kaspersky Endpoint Security installation task and the installation wizard of Kaspersky Security Center Service Packs Are released approximately yearly, sometimes rarer. Upgrade components and drivers, may add new settings and capabilities, but the changed are not as significant as in a new version Are installed by Kaspersky Endpoint Security installation task and the installation wizard of Kaspersky Security Center Maintenance Releases For Kaspersky Endpoint Security, MRs are released once every quarter or two, fix errors, may slightly change settings, are installed by the update task For Kaspersky Security Center, a Maintenance Release is almost the same as a Service Pack: They are released in a year after a new version or Service Pack, and are installed by the installation wizard of Kaspersky Security Center Patch Are not released for Kaspersky Endpoint Security. For Kaspersky Security Center, patches are released quarterly, fix errors, slightly alter operation, are installed automatically on Network Agents Private fixes Are released by request, correct specific issues for individual customers. Usually, for customers with a Maintenance Service Agreement IV–44 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals Where to find out that an update has been issued You can learn that a minor update (Maintenance Release for Kaspersky Endpoint Security or patch for Kaspersky Security Center) has been released in Operations | Kaspersky Lab applications | Kaspersky Lab software updates and patches. Also, consult messages on the Monitoring & Reporting | Notifications page. Minor updates are installed automatically, but only after the administrator approves them. Usually, to install an update, you need to accept the license agreement. “Kaspersky Lab software updates not approved” status informs about this. To be able to install updates by other manufacturers, you need a Systems Management license, for example, KESB Advanced. This is described in course KL 009 Systems Management. The current version of Web console does not support the Systems Management functionality. How to install only approved updates How to install only approved updates of KES IV-45 Unit IV. Maintenance Kaspersky Endpoint Security can do without application updates. If there are no critical issues that impede work, you can use Kaspersky Endpoint Security until a new version or Service Pack is released. Still, module updates can be useful. They can improve computer performance, increase protection efficiency and add new functionality to the product. Often benefits outweigh the risks. And the risks can be mitigated by testing the updates and installing only approved ones. As far as module updates are concerned, the administrator has the following option in the update task of Kaspersky Endpoint Security: — Install approved application module updates—enabled by default. Can be disabled in the groups where computers are extremely sensitive to changes, e.g., groups with important servers — Automatically install critical application module updates—installs the updates marked as approved by the administrator and the updates marked as critical by Kaspersky Lab without the administrator’s approval. Installing unapproved updates may be risky because unforeseen issues might arise To approve an update: 1. 2. 3. Select the update on the tab Operations | Kaspersky Lab applications | Kaspersky Lab software updates and patches Click the Approve button above the list of updates If the update has a license agreement, the respective window will open. Accept the agreement If you approve a wrong update by mistake, open its properties and change the value of the Update approval field to Undefined or Declined. Prior to approving an update, install it on test computers and make sure that it is not causing any issues. After a program update is installed, a restart may be required. How to install only approved updates of Network Agent Approved updates of Network Agent are installed automatically without tasks. After the administrator approves an update, Agents will start downloading it during planned synchronizations and install locally. By default, the Administration Server installs all Network Agent updates rather than only approved ones. To install only approved updates: 1. On the Devices | Policies and profiles page, open the Network Agent policy IV–46 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals 2. Switch to the Application Settings tab and go to the Manage patches and updates section 3. Disable the option Automatically install applicable updates and patches for components that have Undefined status To test Network Agent updates, create a group for test computers and enable installing unapproved updates in the policy of this group The administrator can always select not to install some update, even if automatic update is configured in the policy. For this purpose, open the update properties and for the parameter Update approval, select Declined. To prevent distributing Network Agent updates of older version (up to version 10 SP1 inclusive), disable the respective parameter in the task Download updates to the repository: 1. On the Devices | Tasks tab, open the properties of the Download updates to the repository task 2. Switch to the Application Settings tab and in the Other settings area, click Configure 3. Clear the check box Update Network Agent modules (for Network Agent versions earlier than 10 Service Pack 2) Since only one task of this type exists, module updates of Network Agents up to version 10 SP1 inclusive will or will not be installed in the whole network. You cannot enable installation of these updates in some groups and disable in others. How to find out that a new version has been released Where to look for new versions The Updates section of the Monitoring & Reporting | Notifications tab informs about new product versions and Service Packs. Monitor the messages: — Updates are available for Kaspersky Security Center components — Updates are available for Kaspersky Lab applications — There are <N> new version(s) of Kaspersky Lab applications available for download All of them lead to the Installation packages window. IV-47 Unit IV. Maintenance To open this window in another way, go to Operations | Kaspersky Lab applications | Current application versions The window shows the list of available product versions by Kaspersky Lab, which are manageable via Kaspersky Security Center. You can download them from Kaspersky Lab servers through this window. Program versions include: — Distributions that can be downloaded to the Administration Server using the button Download and create installation package — Distributions that cannot be transformed into a package, but can just be downloaded — Management plug-ins, which can be downloaded and installed in the console How to find the necessary product, version and language The list includes numerous programs, a few versions of each program and several localizations of each version, and it’s easy to get lost. To find what you need, for example, the latest version of Kaspersky Endpoint Security in English, configure a filter: 1. Components: Controls Distributions and patches of Kaspersky Security Center and Network Agent components for various platforms Workstations Kaspersky Endpoint Security for various platforms (Windows, Mac) File Servers and Storages Distributions and plug-ins of Antivirus Kaspersky for Windows File Servers, Kaspersky Anti-Virus for Windows Servers and Kaspersky Security for Windows Server Virtualization Distributions and plug-ins of Kaspersky Security for Virtualization Light Agent Mobile Distributions and plug-ins of Kaspersky Security for Mobile (Android) Embedded Systems (ATM and POS) Kaspersky Embedded Systems Security distributions and plug-ins 2. Update type: Full distribution package, patch, plug-in, or web plug-in 3. Specify the necessary program version 4. Specify the program interface language IV–48 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals 4.2 How to renew a license When to renew a license Initially, a license is purchased together with the product to entitle its use. Later, another license can be purchased to overcome one of the following license limitations: — Prolong—the most typical situation, when the company is satisfied with the product and it is necessary to renew the license to keep using it — Increase the number of computers—if the company grows and the number of computers is about to exceed the license limit — Extend functionality—if the necessity to use additional product functions has appeared in the company, for example, Encryption or automatic installation of Windows updates Also, a license may be blacklisted if it is exposed to the Internet. Kaspersky Lab blocks these licenses, and they stop working. Products receive black lists of licenses together with signature updates. Without a license, Kaspersky Endpoint Security works with limitations: Before the first license is installed Only File Threat Protection and Firewall work. If a commercial license has expired All components keep working, but update tasks will not start and KSN servers are inaccessible. Protection level gradually decreases. If a trial license has expired or a commercial license has been blacklisted Only File Threat Protection and Firewall will keep working. Protection will be resumed after you activate the product with a valid commercial license. IV-49 Unit IV. Maintenance How to find out that the license expires If the license is about to expire or has expired on a computer, the administrator should pay attention. The license expiration date is displayed in the license properties in Operations | Licensing | Kaspersky Lab Licenses. The computer statuses configured in the administration group properties may also attract the administrator’s attention. Two status conditions relate to licenses: — License term expired—sets the computer status to Critical. By default, the condition is triggered in 0 days, meaning, right after the license expires. It can be configured to trigger several days after the license expiration so that the license could update automatically rather than waste the administrator’s time — License term expires soon—sets the computer status to Warning. By default, is displayed 7 days before the expiration, but this parameter is adjustable IV–50 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals How to find out that the number of activations is exceeded Most of the information about the keys that the administrator would ever need is available on the Operations | Licensing | Kaspersky Lab Licenses page. including node restriction and use percentage. The Administration Server shows how many of the managed computers are using the license. It does not receive data from Kaspersky Lab activation servers, which may have different statistics if the license is also used on computers without the Network Agent Administration Server events inform about exceeding the node limitation: — License restriction has been exceeded—there are two events with this name, critical and warning. The critical event is generated when the number of installations constitutes 110% of the license limit. The warning informs of reaching the limit (100%) — Over 90% of this key is used up—an information message The Administration Server does not impose any technical limitations if the license limit reaches either 100% or 110%. If keys are used for activation, the administrator can distribute them with a key installation task to any number of computers. From the viewpoint of the license agreement, a license entitles you to use software on the number of devices specified in the license certificate. However, if the Deploy key automatically option is enabled in the key properties, the Administration Server will not only distribute it to computers, but also remove the key from excessive computers if the license limit is surpassed. If activation codes are used, Kaspersky Lab activation servers may impose technical limitations. Each instance of Kaspersky Endpoint Security which needs to be activated, the Activation Servers issue a ticket for using the product. If the number of simultaneously issued tickets greatly exceeds the license limit (1.5 to 2 times), the activation server will stop issuing tickets. IV-51 Unit IV. Maintenance How to switch over to a new license How to renew a license on the computers When a license is soon to expire, the company can purchase a new license. The problem is how to switch from one license to another without a time gap and without reducing the effective license period of any of the licenses. You would rather not replace the old license when there still several days left of the licensing period. However, you want to activate the new license before the old one expires. To prevent losing the validity period of neither old nor new license, use one of the following approaches: 1. Distribute a new key to the computers using a key installation task beforehand. In the task settings, specify that it is an additional (backup) key Additional keys and codes can be added in almost all products by Kaspersky Lab. Once the active key expires, the product is automatically activated with the additional key or code. 2. Add the new license to the Administration Server and enable in it properties the option Deploy key automatically When the previous key expires on the computers, they will receive the new automatically distributed key from the Administration Server. Automatically deployed keys are sent to all computers. If a computer does not have an active license, the automatically distributed key will be activated on it. If an active license is already available, the automatically distributed key will be deployed as an additional one. If a computer has both an active and an additional license, the automatically distributed key will not be installed. The key or code to be distributed can be added in the Quick Start wizard. To add keys later, on the Operations | Licensing | Kaspersky Lab Licenses page, click the button Add. Registered keys and codes can be imported from the storage as key files or text files with the code (This functionality is available only in the MMC Administration Console.) These can be used for local activation, if necessary, or for backup purposes. IV–52 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals How to renew an Administration Server license Only the extended functions of Kaspersky Security Center Administration Server available in KESB Select and KESB Advanced licenses require activation. The operations described in this course do not require activating the Administration Server. To replace the active key or add another one to the Administration Server, open the Keys section in the Server properties. You can specify the active and additional license in this section. You can also replace or delete licenses as necessary. You can select a license for the Administration Server from among those added to the Kaspersky Lab Licenses storage. To add a key to the Administration Server, select a key specifically designed for Kaspersky Security Center. Check what is written in key table in the Application name column. There is usually a descriptor there: Security Center or Kaspersky Endpoint Security that indicates the key purpose. If you are adding a code, you do not need to check the name, the same code activates all products covered by the license: Kaspersky Endpoint Security and Kaspersky Security Center. IV-53 Unit IV. Maintenance How to replace the active license Sometimes you need to install a specific key on a specific computer or a group of computers. Automatic distribution would not serve this purpose. Instead, you can create an Add key task. This task can be created using the typical task creation wizard on the Devices | Tasks page. If two products require different Console plugins to be managed, they would require different Add key tasks as well. For example, Kaspersky Endpoint Security 10 Service Pack 2 and Kaspersky Endpoint Security 10 Service Pack 1 have independent plugins. Therefore, a task to add key to Kaspersky Endpoint Security 10 SP2 wouldn’t run on Kaspersky Endpoint Security 10 SP1 and vice versa. In the task creation wizard or later in the task properties, you can select a license from the list of keys and codes (those available on the Operations | Licensing | Kaspersky Lab Licenses page). There is an option in the task that allows installing the selected key or code as an additional key. This option is enabled by default, because the main license is supposed to be installed through the automatic installation feature (an option in the key or code properties). IV–54 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals 4.3 How to configure backup Why back up? Creating backup copies is a good practice that can save you a lot of trouble. The administrator will be able to restore the entire management system from a backup copy within about an hour. To ensure a quick recovery, it is important to store backups in a reliable location. A backup copy of the Kaspersky Security Center data includes all visible and invisible configuration settings. This includes the event database (which contains more than just the events), administration group structure, tasks and policies, report templates, installation packages3, selections of computers and events, the Administration Server certificate, and more. Updates are not included, because they quickly become outdated, and there is no reason to keep an old copy. Since the Encryption functionality has appeared in Kaspersky Endpoint Security, backups have become even more important. The Administration Server configuration now includes the encryption key store that contains master keys for all computers where encryption is used. These keys are necessary for recovering access to encrypted data in case of failures. If the master keys stored on the Administration Server are lost, encrypted data may also be lost irretrievably. Encryption and the risks involved are described in course KL 008 Encryption. However, even if we leave encryption out of consideration, losing Administration Server data can result in many hours or days or even weeks spent on system recovery. In a large network, even creating a structure of groups can be difficult and may consume much time and effort. If the server is reinstalled, its certificate changes, which means that Network Agents, even if they use the correct address, will not be able to establish a connection to the new Administration Server. Generally, to recover connection to the computers, all Network Agents will have to be reinstalled. A backup copy relieves the administrators from these issues, because a copy includes the server certificate, all the settings, and the encryption key store. Backup copies can be used as an alternative method of upgrading the Kaspersky Security Center version. A standard upgrade procedure implies installing a new version over the old one. In this case, the installer detects a previous version and upgrades its components, saving old settings if possible. Using the backup mechanism, you can create 3 Including standalone, but excluding operating system image packages (These packages are described in detail in course KL 009 Systems Management.) IV-55 Unit IV. Maintenance a backup copy of your old system, uninstall it, then install the new version of the Administration Server, and restore its configuration from the backup. You can use this method when it is necessary to upgrade not only the software components of the Administration Server, but also its hardware configuration. In a similar manner, you can use backups to move the Administration Server to a different computer. First create a backup copy, and then install the Administration Server on another system. Restore the Administration Server settings from the backup copy. In this case, it is important to ensure that the same SQL server type (Microsoft SQL or MySQL) is installed for both new and old instances of the Administration Server. If you move the Administration Server to another system and want to change the Server’s name, you must make this change before the migration. For details, refer to course KL 302 Kaspersky Endpoint Security and Management. Advanced Skills. The most important thing about backup copying is to regularly make sure that you can restore the system from a backup copy Spend half an hour once a month or at least quarter to restore Administration Server data on a test computer. This way, you will make sure that the backup copies are not corrupted and sharpen your skills. In case of a real failure, you will be able to restore systems quickly and easily. How to configure backup To create backup copies, Kaspersky Security Center has a special task called Backup of Administration Server data. Only one instance of this task can exist on the Administration Server, and the default one is created by the Quick Start wizard. If necessary, you can delete and recreate it as a troubleshooting measure. The actual job of creating backup copies is performed by klbackup.exe, a utility for backup and recovery of the Administration Server. The task launches the utility with the specified options, which then creates a backup copy. Starting with Kaspersky Security Center version 10 SP3, when creating a backup copy, the klbackup.exe utility does not stop any services; it copies the Server settings and data, then instructs the SQL server to back up the database. Only one parameter is required for the backup task: the location of backup copies. This folder will contain subfolders for each backup copy. The names of the subfolders consist of the date and time of creation. The default location of backup copies is the SC_Backup folder in the Administration Server data directory (%ProgramData%\KasperskySC\SC_Backup). IV–56 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals It is risky to store backup copies on the disk where the Administration Server is installed, because in the event of a hardware failure, both the current system and its backup copy will suffer. We strongly recommend that you store backup copies in another location. The administrator can either specify a network location or use an additional process to move backup copies to a safer place for storage. It is important to realize that backup copies of the Administration Server data are created under the Administration Server account, whereas backups of the database are created under the database server account. If you specify a network path as the target location for backup copies, both the Administration Server and SQL server must have access to this folder. Also, the specified drive must have enough free space. Since a backup copy can be up to several gigabytes in size (depending on the network and the amount of stored data), it makes sense to limit the number of stored backup copies. By default, the maximum number of backup copies is three. The Administration Server certificate is stored in an encrypted form for security reasons. This security measure prevents intruders from using the certificate to gain control over the client systems. To enable certificate encryption, you need to provide a password. By default, the password is empty. The backup data copying task is scheduled to start every two days at 2 a.m. by default; therefore, only three backup copies of the last six days are stored. How to restore from a backup There is no task in Kaspersky Security Center that would restore data from a backup copy. This is done by design, because an accidental launch of such a task would result in the loss of newly added settings and data. In order to restore the Administration Server data, the klbackup.exe utility is used again, which can be run from the Start menu. When started without command line options, this utility works as a wizard that prompts you to choose the restore option and enter the path to the backup copy and the password for decrypting the Administration Server certificate. You need to specify the full path to the subfolder that contains the backup copy. For example, if you specified the c:\backups path for the backup task, to restore the system, you need to enter something similar to c:\backups\klbackup2018-12-27#02-00-02 The backup copying utility can not only restore the data from backup copies, but it can also create backup copies. To do so, at the Choose Action step, select Backup of Administration Server data. Also, you can enable the mode for only backing up or restoring the Administration Server certificate. This mode can be used, for example, when you only need to restore connection between the Network Agents and the Server, but want to create the structure and settings from scratch. This limited backup is not available in the backup task. IV-57 Unit IV. Maintenance The klbackup.exe utility can be launched from the command line with the following parameters: — –path—backup copy destination folder, or the source folder during a recovery — –restore—the option that instructs the utility to restore data; without it, the utility will create a backup copy — –use_ts—the option that creates a subfolder with a name consisting of the time and date of creation; without it, the utility will create a backup copy right in the folder specified by the path option — –password—the option that specifies the password for encrypting the Administration Server certificate How and why maintain the database With time, the Administration Server database may slow down. In particular, the reports may be generated slowly, and lists of events or computers may be displayed only after a noticeable pause. To speed up the console’s work with the events stored in the database, the database is to be optimized. Before Kaspersky Security Center 10 SP2, it could have been done only using the database server tools. Kaspersky Security Center 10 SP2 features a special task named Database maintenance, which can optimize a Microsoft SQL database of the Administration Server. The task does not support MySQL databases. If you use MySQL, optimize the database using the database server tools. To speed up the Administration Server database, the Database maintenance task performs the following: — — — — Looks for errors in the database and fixes them Rebuilds indexes Updates the database statistics Optionally shrinks the database The task has few parameters. In addition to the schedule, there is only the Shrink database option, which decreases the database size. The database is recommended to be optimized once a week. If the Administration Server works slowly because its resources are scarce, the Maintenance database task will not help There can be only one Maintenance database task. It is created by the Quick Start wizard. By default, the task starts every Saturday, at 1 a.m. IV–58 KASPERSKY LAB™ KL 002.11.1. Kaspersky Endpoint Security and Management. Fundamentals 4.4 Maintenance: Summary To keep protection working on the computers, monitor important events: — Configure notifications about possibly infected computers — Configure reports to be emailed — Organize daily inspections of the protection status: Customize the Dashboard Investigate grave incidents, such as an infection, immediately. Solve less important issues once a week. Do not allow them to pile up; otherwise, it will soon be difficult to notice something important among them. If you cannot solve an issue, contact the technical support. To receive a precise answer earlier, collect logs and attach them to your request. Install updates and new versions. They correct errors and improve performance and protection. Back up the Administration Server data. Regularly make sure that you can restore data from a backup. Do not forget to renew the license. Configure statuses and notifications to be informed of its expiration beforehand. v1.0.1