Kl 002.10 Eng Student Guide Sp2 v1.0.1

May 3, 2017 | Author: appleased

Unit I. Deployment
Unit II. Protection Management
Unit III. Endpoint Control
Unit IV. Maintenance

SP Version 

Kaspersky Lab www.kaspersky.com

I-1 Unit I. Deployment

Unit I. Deployment

Introduction ..... 4
  Course Outline ..... 4
  Unit Outline ..... 6
Chapter 1. Organizational Issues ..... 6
  1.1 Problem Definition ..... 6
  1.2 Procedure ..... 8
    Potential difficulties ..... 8
    Procedure ..... 10
    Testing ..... 10
Chapter 2. Installing Kaspersky Security Center ..... 12
  2.1 System Requirements for Administration Server ..... 12
    Software requirements ..... 12
    Supported virtual platforms ..... 14
    Hardware requirements ..... 14
  2.2 Standard Installation ..... 16
    Installation files ..... 16
    Installation progress ..... 18
    Installing plug-ins ..... 22
  2.3 Custom Installation ..... 24
    Components ..... 24
    Installation path ..... 24
    An account for the main Administration Server service ..... 26
    An account for other Administration Server services ..... 26
    SQL server ..... 28
    Shared folder ..... 32
    Connection ports ..... 34
    Connection address ..... 34
    Management plug-ins ..... 36
    Installation results ..... 36
  2.4 Quick Start Wizard ..... 38
    Keys and codes ..... 40
    Update installation statistics ..... 40
    Notifications ..... 42
    Vulnerability and patch management ..... 42
    Policies and tasks ..... 44
    Proxy server ..... 48
    Wizard completion ..... 48

I-2

KASPERSKY LAB™ KL 002.10. Kaspersky Endpoint Security and Management. Fundamentals

  2.5 Additional Components of Kaspersky Security Center ..... 50
    Components ..... 50
    Administration Console ..... 50
Chapter 3. Installation on Computers ..... 56
  3.1 System Requirements ..... 56
    Requirements for installation of Kaspersky Endpoint Security 10 for Windows ..... 56
    Network Agent installation requirements ..... 58
  3.2 Typical Installation Using Wizard ..... 60
    Selecting the product ..... 60
    Selecting the computers ..... 62
    Installation method ..... 62
    Key ..... 64
    Computer restart ..... 64
    Uninstallation of incompatible applications ..... 64
    Computer relocation ..... 66
    Selecting account ..... 66
    Installation process monitoring ..... 66
  3.3 Possible Installation Issues ..... 68
    Installation specifics ..... 68
    Possible obstacles ..... 70
    Preparing the computer with the riprep.exe utility ..... 72
    Configuring access using the domain policy ..... 72
  3.4 Uninstallation of Incompatible Applications ..... 76
    Uninstallation tools ..... 76
    Uninstallation using Kaspersky Endpoint Security 10 installer ..... 76
    Uninstallation using Network Agent ..... 78
  3.5 Other Installation Methods ..... 86
    Installation methods: overview ..... 86
    Installation using standalone packages ..... 86
    More installation-related settings ..... 92
    Installation using Active Directory ..... 94
  3.6 Installation Packages ..... 98
    Network Agent installation parameters ..... 98
    Kaspersky Endpoint Security installation parameters ..... 102
    Creating installation packages ..... 106
  3.7 Deployment Monitoring ..... 112
    Software version report ..... 114
    Protection Deployment Report ..... 114
    General deployment status ..... 114
    Discovering new computers ..... 114
Chapter 4. Management of Computer Structure ..... 116
  4.1 Discovering Computers ..... 116
    Discovery management ..... 116
    Windows network polling ..... 118
    Active Directory polling ..... 120
    IP subnet polling ..... 122

  4.2 Creating Group Structure ..... 126
    Computer groups ..... 126
    Managing groups ..... 128
    How to add computers to groups ..... 128
    Importing groups ..... 130
  4.3 Computer Relocation Rules ..... 132
    Where to move to ..... 134
    When to move ..... 134
    What to move ..... 134
    Tags ..... 138
    Rule application order ..... 140
    Rule use example ..... 140

Introduction

Course Outline

This course explains how to plan, deploy and maintain an endpoint protection system based on the flagship Kaspersky Lab products: Kaspersky Endpoint Security and Kaspersky Security Center. Kaspersky Endpoint Security protects computers; Kaspersky Security Center enables the administrator to manage the protection of all corporate computers.

Upon completion of this course you will see that these products can do much more than protect and manage protection. Kaspersky Endpoint Security has encryption capabilities and can restrict users' actions, while Kaspersky Security Center can manage not only Kaspersky Endpoint Security for Windows but also other Kaspersky Lab products for Mac OS X, Linux, mobile devices, etc. Kaspersky Security Center can also manage some functions of the operating system and of the software installed on the managed computers, in particular discover vulnerabilities and automatically install updates and fixes. Studying all of those capabilities takes more than a week and falls outside the scope of this course. Instead, we study the protection of a small local-area network, which takes 2 to 3 days.

The course consists of four units.

Unit I is devoted to planning and deploying a protection system. We study a typical deployment plan and elaborate on its steps. Deployment includes not only installation but also initial configuration, i.e. all the actions taken once and for all, after which the maintenance stage starts.

Unit II describes endpoint protection: the tools implemented in Kaspersky Endpoint Security, how to fine-tune them if necessary, and how to find out whether they do their job properly.

Unit III introduces the control tools: Device, Web and Application Control. It is devoted to their capabilities, typical use cases, settings and monitoring tools.

Unit IV comprises all the rest: maintenance specifics and fine-tuning of the created protection system. We study how to update signatures and product components, renew and replace a license, configure backup copying and recover after a failure, and adjust the tools available to the user and the administrator.

Unit Outline

Unit I focuses on the deployment process, which starts with planning. Any large-scale project involves not only clicking buttons but also coordinating the time and effort of all the stakeholders. Chapter 1 therefore explains how a deployment is organized, including planning, testing and implementation.

After the organizational issues, we describe in detail all the steps of a typical deployment plan and product configuration. Chapter 2 is devoted to the installation and initial setup of the Administration Server. This is the core component of Kaspersky Security Center and is necessary for deploying and managing Kaspersky Endpoint Security on the computers.

Chapter 3 explains how to use the Kaspersky Security Center Administration Server to remotely install Kaspersky Endpoint Security on the computers. It describes the most popular remote installation method and briefly introduces the alternatives.

Chapter 4 explains network discovery and the organization of computer management groups. In theory, computers should be discovered prior to remote installation; in practice, within a small network, computers are discovered automatically and this requires no special effort. Group creation may either precede or follow the deployment. Computers can be moved to the proper groups automatically according to conditions specified by the administrator; the course explains how to configure this.

Chapter 1. Organizational Issues

1.1 Problem Definition

In a deployment, all network computers must be protected, and the administrator must be able to manage protection centrally. To achieve this, Kaspersky Security Center 10 (KSC 10) is installed centrally and Kaspersky Endpoint Security 10 for Windows (KES 10) is installed on the computers.

To provide centralized protection management, and also to simplify the deployment process, at least one Kaspersky Security Center Administration Server must be installed. Large networks, or networks with an unusual architecture, may benefit from more than one Administration Server.

The Administration Console is installed automatically along with the Administration Server. Additional consoles can be installed on the administrators' computers and connect remotely to the Administration Server. In practice, administrators often connect over Remote Desktop to the console installed locally on the Administration Server. Either way, whoever can reach the console controls the protection of every managed computer, so access to the Administration Server and its console should be limited to the administrators who actually need it.

To protect the network, Kaspersky Endpoint Security must be installed on every eligible computer. Kaspersky Endpoint Security alone cannot communicate with Kaspersky Security Center; the Network Agent must also be installed on every computer to make centralized management possible.

1.2 Procedure

Potential difficulties

Endpoint protection installation takes time, which is always scarce. In a large network consisting of many computers, more time is needed, even when an administrator is solely responsible for endpoint protection. In a mid-sized network, less time is needed, but such networks usually lack a dedicated endpoint protection administrator: the IT employees responsible for the deployment also perform other infrastructure maintenance tasks. In small networks, comparatively little time is needed, but a full-time administrator is not always available; the deployment may be entrusted to an ordinary employee with other work to do, or to a part-time administrator who works several hours a week.

Remote installation reduces the labor of deployment, but introduces problems of its own. First, remote installation transfers data over the network, so network load increases. Second, remote installation very rarely succeeds on 100% of the network computers. A computer may temporarily be away from the organization's network, turned off, or unreachable over the network; and the administrative access to the target that remote installation requires may be restricted by a security policy, a firewall or other protection tools.

Compatibility problems may also arise during the deployment. Protection tools by other manufacturers may hamper the installation or operation of Kaspersky Endpoint Security, and must be uninstalled before Kaspersky Endpoint Security is installed. This makes the deployment even more time consuming. Conversely, Kaspersky Endpoint Security with the default settings may sometimes hamper other programs. This is not the case with widespread, standard programs, but rare and unusual ones, for example medical software and other special systems, can be affected. Such interaction issues must be identified during the preparation stage and taken into account when adjusting the Kaspersky Endpoint Security settings.

Procedure

The recommended procedure for deploying Kaspersky Endpoint Security in a network is as follows:

1. Study Kaspersky Endpoint Security capabilities and try to identify compatibility problems through preliminary testing.

2. Install the Kaspersky Security Center Administration Server. The Administration Server can serve as a remote installation tool and is necessary for managing protection on the computers when the deployment is finished.

3. Connect and protect client computers:

   3.1. Distribute and install Network Agents. These make the computers manageable via Kaspersky Security Center; in particular, they enable the administrators to remove protection tools by other manufacturers and install Kaspersky Endpoint Security. Network Agents almost never conflict with other programs.

   3.2. Uninstall protection tools by other manufacturers. We recommend using the uninstallation tools included either in the operating system or in the program to be uninstalled. As a last resort you can uninstall third-party software using the corresponding capabilities implemented in Kaspersky Security Center and in the Kaspersky Endpoint Security installer.

   3.3. Install Kaspersky Endpoint Security. In simpler cases, this step can be performed together with the previous two; that is, you can uninstall protection tools by other manufacturers and install Network Agent and Kaspersky Endpoint Security with a single task. The decision on whether to join or separate these steps is made at the preparation stage.

4. Create the group structure. All computers are gathered into one group after the deployment, which may be inconvenient, especially in large networks. Principles and methods of dividing computers into groups in Kaspersky Security Center are described in Chapter 4 of this Unit.
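The difficulties listed above (computers that are off, unreachable, or blocked by policy, and third-party protection that must be removed first) can be inventoried before the push installation is launched rather than discovered task by task. The script below is an added example for this page; it is not Kaspersky Lab code and not part of the course. It assumes that push installation from the Administration Server needs administrative access to the target's ADMIN$ share over TCP 445, that the Network Agent registers a Windows service named klnagent, and it uses a constructed list of computer names.

```powershell
# Pre-deployment readiness check for push installation from the Administration Server.
# Added example for this course page; it is not Kaspersky Lab code.
# Run it in Windows PowerShell under an account that is a local administrator on the targets.

# Constructed sample input. In practice, take the list from Active Directory or from
# the Administration Server's list of unassigned computers.
$Targets = @('WS-ACCT-01', 'WS-LAB-07', 'SRV-FILE-02')

# Assumption: the Network Agent registers the Windows service 'klnagent'.
$AgentService = 'klnagent'

# TCP connect test with a timeout, so a powered-off host does not stall the whole run.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-DeploymentReadiness {
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        $r = [ordered]@{
            Computer     = $c
            Resolves     = $false   # name resolves in DNS
            Smb          = $false   # TCP 445 open: the package is copied to ADMIN$ over SMB
            AdminShare   = $false   # our account can open \\host\ADMIN$
            AgentPresent = $null    # Network Agent already installed (step 3.1 done)
            OtherAV      = $null    # third-party protection to remove first (step 3.2)
        }
        try {
            [void][System.Net.Dns]::GetHostAddresses($c)
            $r.Resolves = $true
        } catch { }

        if ($r.Resolves) {
            $r.Smb = Test-TcpPort -ComputerName $c -Port 445
        }
        if ($r.Smb) {
            $r.AdminShare = [bool](Test-Path -Path "\\$c\ADMIN$" -ErrorAction SilentlyContinue)
        }
        if ($r.AdminShare) {
            # Service Control Manager query over RPC (Windows PowerShell only; -ComputerName
            # was dropped from Get-Service in PowerShell 7).
            $svc = Get-Service -ComputerName $c -Name $AgentService -ErrorAction SilentlyContinue
            $r.AgentPresent = [bool]$svc

            # Products registered with Windows Security Center. The root\SecurityCenter2
            # namespace exists on client Windows only; servers raise an error and keep $null.
            try {
                $av = Get-CimInstance -ComputerName $c -Namespace 'root\SecurityCenter2' `
                                      -ClassName AntiVirusProduct -ErrorAction Stop
                $r.OtherAV = @($av | Where-Object { $_.displayName -notmatch 'Kaspersky' } |
                               ForEach-Object { $_.displayName }) -join '; '
            } catch { }
        }
        [pscustomobject]$r
    }
}

Get-DeploymentReadiness -ComputerName $Targets | Format-Table -AutoSize
```

A row with Resolves or Smb false is a computer the push task will report as unreachable; AdminShare false with Smb true usually means the account lacks local administrator rights or a policy blocks remote administration (the subject of "Configuring access using the domain policy" later in this unit). Get-CimInstance talks to the target over WinRM; where only DCOM is open, substitute Get-WmiObject with the same namespace and class. Server editions do not populate root\SecurityCenter2, so third-party protection on servers has to be inventoried from the installed-programs list instead.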

Testing

Preliminary tests are performed during the preparation stage to detect problems and either solve them or find a workaround in advance. The time spent on pre-testing saves the time that would otherwise be spent solving the same issue network-wide. Depending on the organization's size and available resources, preliminary tests can be obligatory or optional, and may be broken down into several stages that take various forms. In most cases, testing includes two key stages:

1. Studying capabilities. Best performed on virtual machines or, for lack of resources, on the administrators' computers. During this stage, the administrator learns how to install, manage and maintain the product. It also lets the administrator test facets of the deployment plan: order, methods and technicalities.

2. Operation testing. Best performed on several production computers or, again, on the administrators' computers. During this stage, the administrator tests the planned deployment methods and monitors Kaspersky Endpoint Security operation. The purpose is to find all possible problems before the product is deployed company-wide. At the end of this stage, the administrator should have a more detailed deployment plan and, if necessary, a list of changes to the default settings of Kaspersky Endpoint Security that are to be made prior to installation.

In small networks, preliminary tests are often neglected, as the testing cost is comparable to the cost of solving the issues in the network as they arise. In large companies, the opposite is true and preliminary testing usually must be performed before new software is deployed or any other changes are introduced in the network.

Chapter 2. Installing Kaspersky Security Center

2.1 System Requirements for Administration Server

Software requirements

The supported operating systems are listed below:
— Microsoft Windows Server 2008 x86/x64 Standard / Enterprise / Datacenter
— Microsoft Windows Server 2008 SP1 x86/x64 Standard / Enterprise / Datacenter
— Microsoft Windows Server 2008 SP2 x86/x64 Foundation
— Microsoft Windows Server 2008 R2 Foundation / Standard / Enterprise / Datacenter
— Microsoft Windows Server 2008 R2 SP1 Foundation / Standard / Enterprise / Datacenter
— Microsoft Windows Server 2012 Foundation / Essentials / Standard / Datacenter
— Microsoft Windows Server 2012 R2 Foundation / Essentials / Standard / Datacenter
— Microsoft Windows Small Business Server 2008 Standard / Premium
— Microsoft Windows Small Business Server 2011 Essentials / Standard / Premium Add-on
— Microsoft Windows 7 x86/x64 Professional / Enterprise / Ultimate
— Microsoft Windows 7 SP1 x86/x64 Professional / Enterprise / Ultimate
— Microsoft Windows 8 x86/x64 Professional / Enterprise
— Microsoft Windows 8.1 x86/x64 Professional / Enterprise
— Microsoft Windows 10 x86/x64 Home / Pro / Enterprise / Education

All of the listed Microsoft Windows Server editions are also supported in a Core installation without the graphical interface.

It is better to use server hosts for the Administration Server. In small networks (up to a couple of hundred computers), a powerful workstation will do.

In addition to the operating system, the following software is necessary:
— Microsoft .NET Framework 2.0 (included in the distribution)
— Microsoft Data Access Components 2.8
— Windows Data Access Components 6.0
— Windows Installer 4.5 (included in the distribution)

An SQL server is also necessary for the Administration Server. The distribution of Kaspersky Security Center 10 includes Microsoft SQL Server 2008 R2 SP2 Express Edition, a free edition of Microsoft SQL Server. It is installed automatically during the Typical installation of the Administration Server and is sufficient for testing and for production use in small networks. Detailed information on SQL servers is given later in this chapter.

Note that the computer selected for the Administration Server must not have a pre-installed Network Agent. The installer detects an existing Network Agent and reminds the administrator to uninstall it.

Supported virtual platforms

Many companies use virtualization to improve hardware efficiency and for other reasons. Quite often, even business-critical servers are located on virtual machines instead of physical ones. In some companies, all servers are virtualized, and only the hypervisors remain physical. Nothing prevents you from installing the Administration Server on a virtual machine. The following virtualization platforms are supported:
— VMware vSphere 5.5, 6
— VMware Workstation 9.x, 10.x
— Microsoft Hyper-V Server 2008, 2008 R2, 2012, 2012 R2
— Microsoft VirtualPC 2007 (6.0.156.0)
— Citrix XenServer 6.1, 6.2
— Parallels Desktop 7
— Oracle VM VirtualBox 4.0.4-70112
— KVM integrated with:
  — RHEL 5.4 or later
  — SLES 11 SPx
  — Ubuntu 10.10 LTS

It goes without saying that the operating system, software and hardware requirements must still be met inside the virtual machine.

Hardware requirements

Minimum hardware requirements are as follows:
— 1 GHz or faster processor (1.4 GHz for 64-bit systems)
— 4 GB of RAM
— 10 GB of free hard drive space (100 GB if you plan to use the Systems Management functionality)

These are bare minimums. A more powerful server is necessary for any significant number of clients. Recommendations based on synthetic tests are available in the Deployment Guide. Practical experience of using the Administration Server in large networks is summarized in course KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills.
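The software and hardware minimums in this section, together with the rule that no Network Agent may be present on the future Administration Server, can be checked on the candidate host in one pass. The script below is an added example for this page, not Kaspersky Lab code; it assumes the Network Agent service is named klnagent and takes the minimums (1 GHz / 1.4 GHz, 4 GB RAM, 10 GB or 100 GB disk, .NET Framework 2.0, MDAC 2.8, Windows Installer 4.5) from the text above.

```powershell
# Readiness check for a candidate Administration Server host, against the minimums
# listed in section 2.1. Added example for this course page, not Kaspersky Lab code.
# Run locally, in Windows PowerShell, on the intended server.
param([switch]$SystemsManagement)   # Systems Management raises the disk minimum to 100 GB

# Assumption: the Network Agent registers the Windows service 'klnagent'.
$AgentService = 'klnagent'

function Get-AdminServerReadiness {
    param([switch]$SystemsManagement)

    $os  = Get-CimInstance Win32_OperatingSystem
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
    $cs  = Get-CimInstance Win32_ComputerSystem
    $sys = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"

    $is64      = $os.OSArchitecture -like '64*'
    $minMHz    = if ($is64) { 1400 } else { 1000 }
    $minDiskGB = if ($SystemsManagement) { 100 } else { 10 }

    # .NET Framework 2.0 and MDAC record their presence in the registry; Windows Installer
    # reports its version through msi.dll.
    $net20 = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727' -ErrorAction SilentlyContinue
    $mdac  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\DataAccess' -ErrorAction SilentlyContinue
    $msi   = [version](Get-Item "$env:SystemRoot\System32\msi.dll").VersionInfo.ProductVersion
    $agent = Get-Service -Name $AgentService -ErrorAction SilentlyContinue

    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    @(
        [pscustomobject]@{ Check = 'Server OS (a workstation is acceptable for small networks)'
                           Value = $os.Caption; Pass = ($os.ProductType -ne 1) }
        [pscustomobject]@{ Check = "CPU >= $minMHz MHz"
                           Value = $cpu.MaxClockSpeed; Pass = ($cpu.MaxClockSpeed -ge $minMHz) }
        [pscustomobject]@{ Check = 'RAM >= 4 GB'
                           Value = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
                           Pass  = ($cs.TotalPhysicalMemory -ge 4GB) }
        [pscustomobject]@{ Check = "Free space on $env:SystemDrive >= $minDiskGB GB"
                           Value = [math]::Round($sys.FreeSpace / 1GB, 1)
                           Pass  = ($sys.FreeSpace -ge $minDiskGB * 1GB) }
        [pscustomobject]@{ Check = '.NET Framework 2.0 present'
                           Value = [bool]$net20.Install; Pass = ($net20.Install -eq 1) }
        [pscustomobject]@{ Check = 'MDAC >= 2.8'
                           Value = $mdac.FullInstallVer
                           Pass  = ($mdac.FullInstallVer -and [version]$mdac.FullInstallVer -ge [version]'2.80') }
        [pscustomobject]@{ Check = 'Windows Installer >= 4.5'
                           Value = $msi; Pass = ($msi -ge [version]'4.5') }
        [pscustomobject]@{ Check = 'No Network Agent installed'
                           Value = $(if ($agent) { $agent.DisplayName } else { 'absent' })
                           Pass  = (-not $agent) }
    )
}

Get-AdminServerReadiness -SystemsManagement:$SystemsManagement | Format-Table -AutoSize
```

The .NET Framework and Windows Installer checks matter less with the full distribution, which ships both, but they decide whether the lite distribution can be used on an otherwise bare host. A failing "No Network Agent installed" row is the case the installer itself stops on, so it is cheaper to uninstall the agent before starting the setup.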

2.2 Standard Installation Installation files Installation files for Kaspersky Security Center 10 can be downloaded from Kaspersky Lab web site (http://www.kaspersky.com/product-updates/security-center) or from the product page on the technical support site (http://support.kaspersky.com/ksc10#downloads). Two distributions are available: — ksc10.3.407ru.exe—the full distribution of Kaspersky Security Center 10 that includes a complete set of its own components, installation packages of Network Agent and Kaspersky Endpoint Security 10 for Windows, SQL Server 2008 R2 Express, .NET Framework and other software, as well as the management plug-ins for all supported products. The size of this distribution is about 1 GB. — ksc10.3.407lite_ru.exe—the lite version of the distribution that lacks the installation packages of Kaspersky Endpoint Security 10 for Windows, SQL Server 2008 R2 Express, .NET Framework and some other software, and includes only the management plug-ins for Kaspersky Security Center 10 components. The size of this distribution is about 130 MB. This distribution can be used for upgrading components. When the full distribution version is run, the installation shell starts. The installation shell allows selecting the components to install, for example, the Administration Server or the Administration Console. You can also extract installation files of all the components into the specified folder. 
Unpacked installation files are grouped in several subfolders:
— Server—installation files of the Administration Server
— Console—installation files of the Administration Console to be installed separately from the Administration Server
— NetAgent_10.3.407—installation files of the Network Agent
— KES_10.2.4.674—installation files of Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 2 for Windows
— Plugins—installation files of the Kaspersky Lab products’ plug-ins for the Administration Console
— NapShvui—installation files of Kaspersky Security Center SHV—the component that provides interaction with Microsoft NAP
— MDM4Exchange—installation files of the Mobile Devices Server for Exchange ActiveSync
— MDM4iOS—installation files of the iOS MDM Mobile Device Server

The last two folders concern mobile device management and are described in course KL 010.10.


Installation progress

Installation of the Administration Server can be either custom or typical (when installing on Windows Server in the Core mode, typical installation is unavailable). During the typical installation, the administrator is prompted to:
— Accept the license agreement for Kaspersky Security Center
— Select installation type (Typical)
— Specify network size

The custom installation enables the administrator to select:
— Components
— Installation folder
— SQL server type and connection parameters
— Location of the Administration Server shared folder
— Ports and connection address of the Administration Server
— Management plug-ins for the products


Four options are represented for the network size:
— Fewer than 100 computers on the network
— From 100 to 1,000 computers in the network
— From 1,000 to 5,000 computers in the network
— More than 5,000 computers in the network

The following Administration Server parameters depend on the selected option:

  Parameter                              | Fewer than 100 | 100 to 1,000 | 1,000 to 5,000 | More than 5,000
  Automatically randomize task start     |                |      +       |       +        |        +
  Display slave Administration Servers   |                |              |       +        |        +
  Display security settings sections     |                |              |       +        |        +

Automatic randomization of the task start relates to the schedules of virus scan, update, vulnerability search, and other group tasks. If a task starts simultaneously on many computers, the load on the network and Administration Server drastically increases. To even out the peak, tasks can start on the computers with a random delay. The administrator can enable randomization and then specify the randomization range manually or select automatic randomization. On each computer, the delay is selected randomly within the specified or automatically chosen range. If automatic randomization is used, the randomization range depends on the number of computers where the task is to run:

  Number of computers | Randomization range
  0-200               | 0 minutes
  200-500             | 5 minutes
  500-1000            | 10 minutes
  1000-2000           | 15 minutes
  2000-5000           | 20 minutes
  5000-10000          | 30 minutes
  10000-20000         | 1 hour
  20000-50000         | 2 hours
  50000+              | 3 hours

Other parameters affected by the network size, such as visibility of Slave Administration Servers and security settings, are described in course KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills. These functions are rarely used in small and middle-size networks. The default settings are the same when the administrator selects either “From 1000 to 5000” or “More than 5000 computers on network.” The only difference is that when the “More than 5000 computers on network” option is selected, the installation wizard warns that the use of free versions of MS SQL server is not recommended, and the administrator should get acquainted with the documentation on deploying the administration system in large networks. Course KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills covers these issues. The network size selection only influences a couple of interface settings, which can easily be modified after the installation. The threshold value that actually makes the difference is 1000 computers. Administration Server operation parameters do not depend on the selected network size.
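To make the effect of the randomization range concrete, here is an added simulation in PowerShell; it is not part of the course materials or of Kaspersky Security Center. It applies the automatic range table above to a few network sizes and compares the largest number of task starts that land in a single minute with and without randomization. The table is the one above (the upper bound of each row is assumed to be exclusive); the one-start-per-computer load model and the fixed random seed are assumptions made for the illustration.

```powershell
# Added example, not code from the KL 002.10 course or from Kaspersky Lab.
# Simulates how randomized task start spreads the peak load on the
# Administration Server. Range table: from the course text; the load model
# (one start = one connection) and the fixed seed are illustrative assumptions.

function Get-AutoRandomizationRange {
    # Returns the automatic randomization range in minutes for a given number
    # of computers. Row upper bounds are assumed to be exclusive.
    param([int]$Computers)
    $table = @(
        @(200, 0), @(500, 5), @(1000, 10), @(2000, 15), @(5000, 20),
        @(10000, 30), @(20000, 60), @(50000, 120)
    )
    foreach ($row in $table) {
        if ($Computers -lt $row[0]) { return $row[1] }
    }
    return 180    # 50000+ computers: 3 hours
}

function Get-StartPeak {
    # Draws one random delay per computer inside the range and returns the
    # largest number of starts that fall into the same minute.
    param([int]$Computers, [int]$RangeMinutes)
    $perMinute = @{}
    $rnd = New-Object System.Random 42      # fixed seed: reproducible runs
    for ($i = 0; $i -lt $Computers; $i++) {
        $m = 0
        if ($RangeMinutes -gt 0) { $m = $rnd.Next(0, $RangeMinutes) }
        $perMinute[$m] = 1 + $perMinute[$m]
    }
    ($perMinute.Values | Measure-Object -Maximum).Maximum
}

foreach ($n in 150, 800, 3000, 12000) {
    $range = Get-AutoRandomizationRange $n
    [pscustomobject]@{
        Computers      = $n
        RangeMinutes   = $range
        PeakNoRandom   = Get-StartPeak $n 0        # every computer starts at once
        PeakRandomized = Get-StartPeak $n $range
    }
}
```

The output shows why the wizard turns randomization on for anything above 100 computers: with 3,000 computers and a 20-minute range, the worst minute sees roughly 150 starts instead of 3,000. Replace the second Get-StartPeak argument with a manually chosen range to see how a custom setting behaves.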


Installing plug-ins

During the typical installation, management plug-ins for Kaspersky Security Center 10 components and Kaspersky Endpoint Security 10 for Windows are installed. Plug-ins are installed at the very end of the Administration Server installation. After the Kaspersky Endpoint Security 10 plug-in is installed, the installation is finished. On the last page, the administrator may choose to start the Administration Console. If you need plug-ins for other Kaspersky Lab products, you can install them from the installation shell.


2.3 Custom Installation

The custom installation allows you to select:
— Additional components of Kaspersky Security Center
— The accounts for starting the Kaspersky Lab Administration Server services
— SQL server type and connection parameters
— Administration Server connection address and ports
— Plug-ins for managing Kaspersky Lab programs

Components

Within the framework of Administration Server installation, you can additionally install the following components:
— SNMP agent
— Mobile devices support

The SNMP agent is necessary for the Administration Server to be able to send notifications over SNMP. This component needs the SNMP service (a Windows component) to be installed on the computer. If the SNMP service is absent from the computer, the SNMP agent will not be shown in the list of Administration Server components during the installation. The Mobile devices support option adds the components necessary for managing Kaspersky Endpoint Security for Mobile via Kaspersky Security Center. Detailed information is available in the KL 010.10 course. These are the components of Kaspersky Security Center that can be selected in the Administration Server installer. Other components can be installed from the installation shell.

Installation path Under the list of components, you can change the location of Administration Server program files. If the only reason for relocation of program files is their volume, consider moving only the shared folder. It can be relocated independently of the program files, and it takes up much more space than the other program files. Also remember about the %ProgramData%\KasperskySC folder that contains the backup copies of the Administration Server. These copies consume much space, up to several gigabytes, depending on the settings.


An account for the main Administration Server service

By default, the installer creates a new account named KL-AK-* (the suffix varies from one installation to another) for starting the Administration Server service. It is a local account. Although it is not included in the computer administrators’ group, it is granted the same permissions. Also, it is added to the KLAdmins group. Members of this group have full access to all the functions and settings of the Administration Server. For security reasons, this account cannot log on to the system locally. If the administrator decides to use another account, he or she must grant it all the necessary permissions. The Administration Server service account must have administrator permissions on the computer selected for the installation. If the database is planned to be stored on a Microsoft SQL server installed on a remote computer, the account must have Read and Write permissions for the Administration Server database on the Microsoft SQL server. If the Administration Server account has domain administrator permissions, some operations are simplified, for example, remote installation. In other cases, permissions are not that important.

An account for other Administration Server services

The KL-AK-* account is used only for starting the Kaspersky Security Center Administration Server service. This is not the only service created during the Administration Server installation though. The others are:
— Kaspersky Lab activation proxy server
— Kaspersky Lab web server
— Kaspersky Security Network proxy server
— Kaspersky Security Center Network Agent
— Kaspersky Security Center automation object

The Network Agent operates under the Local System account. The automation object operates under the Network Service account. The first three services run under another account created during the installation. It is named KlScSvc and is similar to KL-AK-*, meaning it is a local account granted permissions equivalent to administrative, less the right to log on locally. The installation wizard allows selecting another account instead of KlScSvc.
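The properties described above (which account starts which service, membership of KLAdmins but not of Administrators, no local logon) are worth verifying after installation rather than assumed. The following PowerShell script is an added example and is not code from the course or from Kaspersky Lab. It assumes an elevated Windows PowerShell 3.0 or later session on the Administration Server host and the default account and group names the installer creates; the temporary file name is a placeholder.

```powershell
# Added example, not code from the KL 002.10 course or from Kaspersky Lab.
# Audits the accounts the Kaspersky Security Center services run under and
# checks that installer-created local accounts are in KLAdmins, are not in
# Administrators, and are denied interactive logon. Run elevated on the
# Administration Server host (secedit needs administrator rights).

function Get-LocalGroupMemberNames {
    # ADSI instead of Get-LocalGroupMember, so the check also works on
    # Windows Server 2008 R2 / 2012, which lack the LocalAccounts module.
    param([string]$Group)
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    @($g.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Test-DenyInteractiveLogon {
    # secedit exports user rights as SID lists (*S-1-5-21-...), so the account
    # name is translated to its SID and looked up in SeDenyInteractiveLogonRight.
    param([string]$Account)
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $inf = Join-Path $env:TEMP 'ksc-user-rights.inf'     # placeholder temp file
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $inf | Where-Object { $_ -like 'SeDenyInteractiveLogonRight*' }
        $entries = @($line -split '[=,]' | ForEach-Object { $_.Trim() })
        return ($entries -contains "*$sid")
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
}

# Which account starts each Kaspersky service?
$services = Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'Kaspersky%'" |
    Select-Object DisplayName, StartName, State
$services | Format-Table -AutoSize

# Local accounts created by the installer appear as ".\KL-AK-..." or "HOST\KlScSvc"
$localAccounts = $services.StartName |
    Where-Object { $_ -like '.\*' -or $_ -like "$env:COMPUTERNAME\*" } |
    ForEach-Object { ($_ -split '\\')[-1] } | Sort-Object -Unique

$klAdmins = Get-LocalGroupMemberNames 'KLAdmins'
$admins   = Get-LocalGroupMemberNames 'Administrators'
foreach ($acct in $localAccounts) {
    [pscustomobject]@{
        Account          = $acct
        InKLAdmins       = $klAdmins -contains $acct          # expected: True
        InAdministrators = $admins -contains $acct            # expected: False
        DeniedLocalLogon = Test-DenyInteractiveLogon $acct    # expected: True
    }
}
```

If InAdministrators comes back True, or DeniedLocalLogon False, for KL-AK-* or KlScSvc, someone has changed the account setup after installation; if the administrator substituted a domain account for KL-AK-*, the second table will be empty and the same three checks should be made against that account instead.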


SQL server

Requirements for SQL server

Administration Server uses a database for which an SQL server is necessary. The following versions of SQL servers are supported:
— Microsoft SQL Server Express
  — 2005 32-bit
  — 2008 32-bit (is included in the distribution)
  — 2008 R2 64-bit
  — 2012 64-bit
  — 2014 64-bit
— Microsoft SQL Server
  — 2005 (all editions) 32-bit / 64-bit
  — 2008 (all editions) 32-bit / 64-bit
  — 2008 R2 (all editions) 64-bit
  — 2008 R2 Service Pack 2 (all editions) 64-bit
  — 2012 (all editions) 64-bit
  — 2014 (all editions) 64-bit
— Microsoft Azure SQL Database
— MySQL
  — MySQL Enterprise Server 5.0.60 SP1, 5.0.70, 5.0.82 SP1, 5.0.90
  — MySQL Community Server 5.0.67, 5.0.77, 5.0.85, 5.0.87 SP1, 5.0.91

Microsoft SQL Server 2008 R2 Express SP2 is included in the distribution kit of Kaspersky Security Center and is automatically installed during the typical installation. Remember that Express editions have significant limitations and must not be used for managing a large number of computers. Detailed information about this is provided in the KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills course. The supported versions of MySQL server are not the latest ones and not the ones routinely offered at the MySQL web site. If possible, we recommend using Microsoft SQL server. SQL server can be installed either on the same computer as the Administration Server or on any other network computer. The important thing is that Administration Server have Read and Write privileges for the SQL database. If the Administration Server and SQL server are installed on the same computer, access issues do not arise.


Microsoft SQL Server

The administrator can select to install a new local instance of Microsoft SQL 2008 R2 Express (similarly to typical installation), or use a pre-installed remote SQL server. To access Microsoft SQL server over the network:
— Specify the necessary address
— Specify the necessary port
— Specify the necessary SQL server instance
— Specify the name and password of an account having SQL server access

The Kaspersky Security Center installer tests the connection to Microsoft SQL server before the installation starts. Also, during the installation the installer connects to the Microsoft SQL server and creates a database for the Administration Server. The installer operates under the account of the user who runs it. Generally, installation should be started under an account allowed to create databases on the Microsoft SQL server. In some organizations, however, administrators’ rights are strictly separated and include only the minimum permissions necessary for their job. A security administrator may not have the permissions for database creation. Then they can specify the name of an empty database created on the specified server by the database management system administrator on request. In this case, the Write permission for the database will be enough for the security administrator.

For the Administration Server to be able to work with a remote Microsoft SQL server, specify its name and address in the installation wizard. The installer can automatically detect available Microsoft SQL servers. To view them, click the Browse button. However, the necessary Microsoft SQL server may not be detected automatically. If this is the case, the administrator enters the server and instance names manually. Even if the Microsoft SQL server name and address are specified correctly, and a Microsoft SQL server administrator account is used for access, the installer may fail to establish connection. The possible reasons include:
— Windows firewall—by default, it blocks access to Microsoft SQL server ports. Create rules allowing these ports
— Simple File Sharing or User Account Control—hampers correct authentication of the administrator; if simple file sharing is used, all users connected over the network are granted guest privileges
— Microsoft SQL Server Browser service—if it is not started, remote connections to Microsoft SQL server may fail. In Microsoft SQL Server 2005 / 2008 / 2008 R2 / 2012 / 2014, it is disabled by default
— Microsoft SQL server settings—by default, Microsoft SQL Server 2005 / 2008 / 2008 R2 / 2012 / 2014 allows only local access. Enable remote access over TCP/IP
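The causes listed above can be checked one by one from the future Administration Server host before the installer is even started. The following PowerShell script is an added example, not code from the course or from Kaspersky Lab. It assumes Windows PowerShell 4.0 or later (for Test-NetConnection); the SQL host name, instance name, database name and credential are placeholders to replace. It probes the SQL Browser service over UDP 1434 to learn the TCP port of a named instance, tests TCP reachability of that port (which fails on the firewall and TCP/IP-disabled cases), and then connects as the installing account to check the two rights the text describes: creating the database, or writing to one the DBA created in advance.

```powershell
# Added example, not code from the KL 002.10 course or from Kaspersky Lab.
# Pre-flight checks for a remote Microsoft SQL Server, run on the future
# Administration Server host: SQL Browser, firewall/TCP reachability, and the
# rights of the account that will run the installer. Placeholders below.
param(
    [string]$SqlHost  = 'sql01.corp.example',
    [string]$Instance = 'KSC',    # '' for the default instance
    [string]$Database = 'KAV',    # DB pre-created by the DBA, or the name the installer will create
    [pscredential]$Credential     # omit to use the Windows account running the script
)

function Get-SqlBrowserInstances {
    # Queries the SQL Browser service (UDP 1434) for the instances it publishes
    # and their TCP ports. No reply means the service is stopped or UDP 1434
    # is filtered; a named instance then needs its TCP port entered by hand.
    param([string]$ComputerName, [int]$TimeoutMs = 2000)
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($ComputerName, 1434)
        [void]$udp.Send([byte[]]@(0x03), 1)    # SSRP CLNT_UCAST_EX: list all instances
        $from = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $data = $udp.Receive([ref]$from)
        # Reply: 0x05, 2-byte length, then "ServerName;..;InstanceName;..;tcp;<port>;;" per instance
        $text = [System.Text.Encoding]::ASCII.GetString($data, 3, $data.Length - 3)
        foreach ($entry in ($text -split ';;' | Where-Object { $_ })) {
            $f = $entry -split ';'
            $p = [array]::IndexOf($f, 'tcp')
            $port = $null
            if ($p -ge 0) { $port = [int]$f[$p + 1] }
            [pscustomobject]@{ Instance = $f[[array]::IndexOf($f, 'InstanceName') + 1]; TcpPort = $port }
        }
    } catch [System.Net.Sockets.SocketException] {
        Write-Warning "No reply from SQL Browser at ${ComputerName}:1434/udp"
    } finally {
        $udp.Close()
    }
}

function Test-SqlInstallRights {
    # Connects as the installing account and checks: right to create the
    # database, or existence of and write access to a pre-created one.
    param([string]$DataSource, [string]$Database, [pscredential]$Credential)
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $b['Data Source'] = $DataSource; $b['Initial Catalog'] = 'master'; $b['Connect Timeout'] = 10
    if ($Credential) {
        $b['User ID'] = $Credential.UserName
        $b['Password'] = $Credential.GetNetworkCredential().Password
    } else {
        $b['Integrated Security'] = $true
    }
    $cn = New-Object System.Data.SqlClient.SqlConnection $b.ConnectionString
    $cn.Open()
    try {
        $cmd = $cn.CreateCommand()
        [void]$cmd.Parameters.AddWithValue('@db', $Database)
        $cmd.CommandText = @"
SELECT ISNULL(HAS_PERMS_BY_NAME(NULL, NULL, 'CREATE ANY DATABASE'), 0) AS CanCreate,
       CASE WHEN DB_ID(@db) IS NULL THEN 0 ELSE 1 END                  AS DbExists,
       ISNULL(HAS_PERMS_BY_NAME(@db, 'DATABASE', 'INSERT'), 0)         AS CanWrite
"@
        $rd = $cmd.ExecuteReader()
        [void]$rd.Read()
        [pscustomobject]@{
            ServerVersion     = $cn.ServerVersion
            CanCreateDatabase = [bool]$rd['CanCreate']
            DatabaseExists    = [bool]$rd['DbExists']
            CanWriteDatabase  = [bool]$rd['CanWrite']
        }
        $rd.Close()
    } finally {
        $cn.Close()
    }
}

# 1. SQL Browser: does it answer, and which TCP port does the instance use?
$instances = @(Get-SqlBrowserInstances -ComputerName $SqlHost)
$instances | Format-Table -AutoSize
$port = 1433                                              # default instance
$match = $instances | Where-Object { $_.Instance -eq $Instance }
if ($match -and $match.TcpPort) { $port = $match.TcpPort }

# 2. TCP reachability (catches "Windows Firewall" and "TCP/IP not enabled")
$tcp = Test-NetConnection -ComputerName $SqlHost -Port $port -WarningAction SilentlyContinue
'TCP {0}:{1} reachable: {2}' -f $SqlHost, $port, $tcp.TcpTestSucceeded

# 3. Authentication and rights of the account that will run the installer
if ($tcp.TcpTestSucceeded) {
    $dataSource = if ($Instance) { "$SqlHost\$Instance" } else { $SqlHost }
    Test-SqlInstallRights -DataSource $dataSource -Database $Database -Credential $Credential
}
```

Run it under the account that will start the installer, or pass that account as -Credential for SQL authentication. CanCreateDatabase True is enough for the normal case; for the separated-duties case the text describes, DatabaseExists and CanWriteDatabase should both be True for the empty database the DBA created. The Simple File Sharing / UAC cause is not something the script can detect directly; it shows up as an authentication failure in step 3 even though steps 1 and 2 succeed.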


MySQL Server

Connecting to a MySQL server is simpler. Specify the server address and port, and the administrator name and password explicitly. Make sure remote access to the MySQL server is allowed and the connection port (usually 3306) is not blocked by the local firewall. Since the MySQL server itself, not Windows, is responsible for the authentication, the permissions granted to the account used for installation are not important; neither is simple file sharing enabled on the MySQL server host. The Check connection button tests the ability to connect to the MySQL server with the specified parameters, and also checks whether the MySQL server version meets the system requirements.

Shared folder By default, the installer creates the shared folder of the Administration Server in the folder with program files. The local name of this folder is Share, and the network name—KLSHARE. The shared folder contains update files and installation packages, including standalone install packages (if created). Right after the installation and initial setup, the shared folder takes up about 400 MB. Its size may increase up to several gigabytes depending on how Kaspersky Security Center is used. That is why it might be worthwhile to place the shared folder of the Administration Server on a drive other than the system. The location of the shared folder can be changed later via the Administration Console.


Connection ports

Administration Server accepts connections from the Network Agents on two TCP ports: one for encrypted SSL connections, the other for non-encrypted ones. By default, all connections are encrypted in Kaspersky Security Center, so only the SSL port is used. The other port might be used only if the administrator disables connection encryption for troubleshooting purposes. The default ports are:
— 13000 for SSL connections
— 14000 for non-SSL connections

If you plan to use other ports instead of the default ones (for example, for security reasons or because of network restrictions), it is better to introduce these changes when installing Kaspersky Security Center. Modifying the ports after the client computers are connected to the server is possible, but takes much time. In addition to these two ports, Kaspersky Security Center uses several other ports for various purposes. They cannot be selected in the installation wizard, but you can modify them later in the Administration Server settings. One of the additional ports is TCP 13291 that is used for accepting Administration Console connections. Web server and activation proxy server services use 4 more ports. To be able to establish SSL connections, the Administration Server generates a new certificate valid for 10 years during the installation. To save and restore the certificate after failures or after Administration Server reinstallation, use the backup procedure (see Unit IV Maintenance).
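Since the Windows firewall on the Administration Server has to admit these connections, here is an added PowerShell example of the corresponding inbound rules; it is not code from the course or from Kaspersky Lab. It uses the default port numbers this chapter gives (the full list appears under Installation results) and opens only what the text says is actually used: 14000 stays closed because it serves only when encryption is disabled for troubleshooting, and the console port 13291 is restricted to the administrators' subnet. It assumes Windows Server 2012 R2 or later (NetSecurity module); the subnet 10.10.0.0/24, the rule names and the client host name are placeholders.

```powershell
# Added example, not code from the KL 002.10 course or from Kaspersky Lab.
# Inbound Windows Firewall rules for the default Administration Server ports,
# opening only what is used by default, plus a check that each port has a
# listener. Placeholders: rule names, the console subnet, the client host name.

$consoleSubnet = '10.10.0.0/24'      # where Administration Consoles connect from

$rules = @(
    @{ Name = 'KSC Network Agent (SSL)';          Port = 13000; Remote = 'Any' }
    @{ Name = 'KSC Administration Console (SSL)'; Port = 13291; Remote = $consoleSubnet }
    @{ Name = 'KSC Web Server (HTTP)';            Port = 8060;  Remote = 'Any' }
    @{ Name = 'KSC Web Server (HTTPS)';           Port = 8061;  Remote = 'Any' }
    @{ Name = 'KSC KSN proxy';                    Port = 13111; Remote = 'Any' }
    @{ Name = 'KSC Activation proxy';             Port = 17000; Remote = 'Any' }
    # TCP 14000 (non-SSL Network Agent connections) is deliberately left closed:
    # it is used only when encryption is disabled for troubleshooting.
)

foreach ($r in $rules) {
    # Idempotent: create the rule only if one with this display name is absent
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
            -LocalPort $r.Port -RemoteAddress $r.Remote -Action Allow -Profile Domain | Out-Null
    }
}

# Confirm that the Administration Server services actually listen on these ports
$listening = Get-NetTCPConnection -State Listen | Select-Object -ExpandProperty LocalPort
foreach ($r in $rules) {
    '{0,-36} {1,6}/tcp  listening: {2}' -f $r.Name, $r.Port, ($listening -contains $r.Port)
}

# From a client, verify the Network Agent port through the firewall with:
#   Test-NetConnection -ComputerName ksc01.corp.example -Port 13000
```

If non-default ports were chosen in the installer, change the Port values accordingly; the rules are bound to -Profile Domain only, which is appropriate for a domain-joined server and avoids exposing the ports on other network profiles.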

Connection address

The client computers where the Network Agent is installed will connect to the Administration Server using the address and port specified during the installation. The Server address can be specified in the form of an IP address (IPv4 only), DNS or NetBIOS name. The choice depends on the network configuration. Even though an IPv6 address cannot be specified, Network Agents can connect to the Administration Server via IPv6 if the Administration Server address is specified as a NetBIOS or DNS name. If the Administration Server has a static IP address that will not be changed in the near future, it is the best choice. In this case, the ability to connect depends only on the routers, not on the name resolution system. If the IP address is assigned dynamically (or is static but is changed often), you should not use it as the connection address, as you will need to modify the client connection settings often. In this case, it is better to specify the server name: either DNS or NetBIOS. If the DNS service functions reliably in the network, use the DNS name, as DNS name resolution is not usually blocked by local firewalls. NetBIOS name resolution is based on broadcast queries and answers, which may be blocked by local firewalls. Therefore, the NetBIOS name should only be used for connections if the other methods cannot be used. After the installation, the Server connection address can be changed in the properties of the Network Agent installation package. The default Server connection address, which will be automatically added to new Network Agent packages, is specified in the properties of the Advanced | Remote installation | Installation packages node.


Management plug-ins The distribution kit of Kaspersky Security Center includes the management plug-ins for all current versions of Kaspersky Lab products. The custom installation enables the administrator to select the plug-ins of the products that are used or will be used in the network. The plug-ins can also be installed later from the Kaspersky Security Center installation shell. Plug-in installers are also included in the distributions of the corresponding products. Every plug-in is installed by its own short installation wizard. Some plug-ins are installed automatically, while others require administrator’s attention, for example, to accept the license agreement. If a product has been upgraded to a new version with a new plug-in, the old plug-in can be uninstalled. The following knowledgebase article explains how to remove unnecessary plug-ins: http://support.kaspersky.com/faq/?qid=208280749

Installation results

If you select the Custom option when starting the wizard, but agree to the default settings on all wizard pages, the result will be the same as with the Typical option:
— Kaspersky Security Center is installed; specifically, the Administration Server, Network Agent and Administration Console
— SQL server—a local instance of Microsoft SQL Server 2008 R2 SP2 Express is installed, which is included in the distribution kit of Kaspersky Security Center; the instance is named KAV_CS_ADMIN_KIT, and the database name is KAV
— Program files of Kaspersky Security Center are located in the %ProgramFiles%\Kaspersky Lab\Kaspersky Security Center folder (on 64-bit systems, program files are installed into the %ProgramFiles(x86)% folder)
— Data files of Kaspersky Security Center are located in the %ProgramData% folder, mainly in the %ProgramData%\KasperskyLab\adminkit directory
— Another folder is created, %ProgramData%\KasperskySC\SC_Backup, where backup copies of the Administration Server are saved by default
— The following services are created:
  — Kaspersky Security Center Administration Server service
  — Kaspersky Security Center Network Agent
  — Kaspersky Security Center automation object
  — Kaspersky Security Network proxy server
  — Kaspersky Lab web server
  — Kaspersky Lab activation proxy server
— KLAdmins and KLOperators security groups are created (their purpose is described in detail in course KL 302.10)
— The following user accounts are created:
  — KL-AK-*—a local account for starting the Kaspersky Security Center Administration Server service; it is included in the local KLAdmins group and has broad permissions (comparable to administrative) on the computer
  — KlScSvc—an account for starting the Kaspersky Lab Web Server, Kaspersky Security Network proxy server and Kaspersky Activation Proxy services; it has the same properties as the KL-AK-* account
  — KlPxeUser—a service user for the Systems Management functionality (see course KL 009.10 for details)
— The shared folder of Administration Server—the Share subdirectory of the program files folder (its share name is KLSHARE)
— Administration Server connection address is selected as the DNS name of the computer
— Administration Server connection ports are chosen as follows:
  — 8060—http port of Kaspersky Lab Web Server
  — 8061—https port of Kaspersky Lab Web Server
  — 13000—for SSL connections of Network Agents
  — 14000—for non-SSL connections of Network Agents and Administration Consoles
  — 13291—for SSL connections of Administration Consoles and Web Consoles
  — 13111—port of Kaspersky Security Network proxy server service
  — 17000—port of Kaspersky Lab Activation Proxy Server
— Management plug-ins:
  — Kaspersky Security Center Administration Server
  — Kaspersky Security Center 10 Network Agent
  — Kaspersky Endpoint Security 10 Service Pack 1 for Windows
  — Kaspersky Endpoint Security 10 Service Pack 1 for Mobile
  — Kaspersky Mobile Device Management 10 Service Pack 1
  — Plug-in for management of mobile iOS devices
  — Plug-in for Exchange ActiveSync
— Installation packages:
  — Kaspersky Endpoint Security 10 for Windows
  — Kaspersky Security Center Network Agent
  — iOS MDM Mobile Device Server
  — Exchange ActiveSync Mobile Device Server

Note that the Kaspersky Security Center Network Agent service is started under the Local System account after the installation, while the Kaspersky Security Center automation object service runs under the Network Service account. Most of these settings can be modified either during the custom installation, or in the product settings after the installation is finished, or both ways. However, some of the settings cannot be edited at all after the product is installed; some others are very difficult to change. You should consider them very carefully before the installation:
1. The path to data files cannot be modified at all, which complies with Microsoft requirements
2. The path to the program files, as well as the SQL server address, cannot be modified unless you reinstall Kaspersky Security Center
3. The type of SQL server (Microsoft or MySQL) cannot be modified at all, at least not in any supported way

2.4 Quick Start Wizard When the Console connects to the Server for the first time, the Quick Start wizard launches. It continues with the installation creating the default settings. In the Quick Start wizard, the administrator adds the key (license), specifies whether to use Kaspersky Security Network, configures e-mail notification and report delivery, chooses vulnerability search and fix modes, and enters proxy server settings; then the wizard creates basic tasks and policies and downloads updates to the server repository.


Keys and codes

The first step of the Quick Start wizard is activating the products. Most Kaspersky Lab products require activation and some, particularly Kaspersky Security Center and Kaspersky Endpoint Security, can be activated to different levels of functionality. That is, depending on the license, some functions may be unavailable. To activate a product, you need a key or a code. Both can represent the customer’s license with all relevant restrictions. The difference is that a key is a file, and its validity and restrictions can be verified locally by the product. A code is just a string, and the product needs to connect to the Kaspersky Lab Activation service online to verify its validity and restrictions. Historically, keys were the earlier method of activation and codes were introduced later. Codes are used more and more often compared to keys, but the two methods are not completely independent. Having a code, it is possible to obtain the corresponding key or keys from the Kaspersky Lab Activation Service. In fact, if any corresponding keys are available, the Administration Server will automatically download them and put them into the Advanced | Application management | Kaspersky Lab licenses node. By virtue of being a more recent implementation, codes are more versatile. Usually the customer receives just one code regardless of the license. That is, any license can be represented by a single activation code. This, however, is not the case with keys. Depending on the license, the customer may get two or more key files for activating different products and components.

In the Quick Start Wizard, you can submit either a key or a code. If what you have is a code, then it is all simple: just choose the relevant option, enter the code and wait for the verification. The Administration Server must be able to connect to the Internet at this stage. If you have a key, then most probably you have more than one of them, and you need to decide which one to feed to the wizard. It is common practice to specify the key that activates Kaspersky Endpoint Security. You can find out which one it is by looking into the CompatibilityList.txt file that usually comes along with a key or a code. Other keys can be added later either in the properties of the Administration Server or in the Advanced | Application management | Kaspersky Lab licenses node. For more information on the activation methods, refer to Unit IV. Maintenance.

Update installation statistics

This step appears in the Quick Start wizard only if the administrator either specified a license that covers the Systems Management functionality (for example, Kaspersky Endpoint Security for Business Advanced) at the first step, or selected to add the key later. If the administrator specified KES for Business Select, this page will not be displayed. The wizard prompts the administrator whether to send anonymous statistics to Kaspersky Lab and thus to participate in improving the functionality that installs updates and patches. These statistics concern only the updates and patches installed through Kaspersky Security Center. Whether to send anti-malware statistics to KSN, which helps to improve malware detection functionality and reduce false positives, will be configured later, when creating the Kaspersky Endpoint Security policy.


Notifications The next step is the e-mail notification and report delivery setup. To have notifications about important events sent to the administrator’s mailbox, specify the e-mail address and SMTP server parameters (address, port and, if necessary, authorization data). The specified parameters will be used for notifications and reports. By default, event notifications are not sent. To receive the information about events by e-mail, turn on notifications in the event properties. The parameters of Kaspersky Security Center events are available in the Administration Server properties, and parameters of Kaspersky Endpoint Security events—in the Kaspersky Endpoint Security policy. If the notification parameters are left blank, the wizard will not create the Send reports task. If they are filled in, the wizard will create the task and configure it to send the report about protection status to the administrator on a weekly basis. The wizard does not check correctness of the specified settings, but allows the administrator to do it with the Notify with message button. A test message will be sent to the specified recipient. If the wizard fails to connect to the SMTP server or fails to authenticate, the corresponding error will be displayed. Then it is up to the administrator to check the inbox and make sure that the message is actually there.

Vulnerability and patch management This step appears in the Quick start wizard only if the administrator specified a key or code that activates the Systems Management functionality of Kaspersky Security Center (or selected to add key later). The choices define how application fixes and Microsoft updates are installed. Kaspersky Security Center can automatically detect vulnerable programs and operating system modules on the computers, and automatically install the necessary updates and fixes. Additionally, Kaspersky Security Center can function as a local source of Microsoft updates (WSUS Server). This functionality is described in detail in KL 009.10: Systems Management course.


Policies and tasks

After all parameters are specified, the Quick Start wizard creates the policies and tasks necessary for endpoint protection. The following policies and tasks are created:
— Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 2 for Windows—a policy created for the Managed computers group, sets the default parameters for Kaspersky Endpoint Security 10
— Kaspersky Security Center Network Agent—a policy created for the Managed computers group, which sets the Network Agent parameters
— Install update—a task created for the Managed computers group that sets the update parameters for Kaspersky Endpoint Security 10; by default, uses the Kaspersky Security Center source and the When new updates are downloaded to the repository schedule. The use of the randomized task start depends on the network size selected during the installation
— Quick Virus Scan—a task created for the Managed computers group; it sets the settings and schedule for regular on-demand scan tasks running on the protected computers. By default, scans critical areas every Friday at 19:00
— Find vulnerabilities and required updates—a task created for the Managed computers group; it sets the settings and schedule for the regular vulnerability scanning performed on the protected computers (refer to KL 009.10: Systems Management course for details). By default, starts on Tuesdays at 07:00 PM
— Download updates to the repository—an Administration Server task, sets the settings and schedule for downloading updates to the Administration Server (further on, they will be distributed to the Managed computers). By default, uses the Kaspersky Lab update servers as the primary source and is scheduled to start hourly; the list of updates is set up automatically
— Backup of Administration Server data—an Administration Server task; it sets the settings and schedule for creating a copy of the Administration Server database and settings, by default saves the copies in the %ProgramData%\KasperskySC\SC_Backup folder daily at 2 a.m.
— Database Maintenance—an Administration Server task that improves the performance of its database: cleans up errors, optimizes indexes, updates statistics, shrinks the database, etc. Runs every Saturday at 13:00

The following three tasks are created depending on the parameters specified earlier:
— Deliver reports—an Administration Server task that is created if e-mail notification parameters are specified. Sets the schedule and the list of reports to be e-mailed; by default, delivers the standard Protection status report daily at 8:00 AM
— Install required updates and fix vulnerabilities—a task for the Managed computers group that automatically fixes critical vulnerabilities, and also installs the most important Microsoft updates and the updates selected by the administrator. The task starts daily at 01:00 AM
— Perform Windows Update synchronization—an Administration Server task that downloads information about Microsoft updates (update packages themselves are not downloaded). Network Agents may use these data when searching for vulnerabilities on the client computers. The task starts daily at 3:00 AM

I-45 Unit I. Deployment

I-46

KASPERSKY LAB™ KL 002.10. Kaspersky Endpoint Security and Management. Fundamentals

Kaspersky Security Network When creating the Kaspersky Endpoint Security policy, the wizard displays two more windows. In the first of them, the administrator can agree to use Kaspersky Security Network (KSN). KSN is the name for the cloud-assisted protection technologies of Kaspersky Lab. KSN provides extra protection for the computers by receiving the latest information about new threats before this information is added into the traditional Anti-Virus databases. In return, Kaspersky Lab will receive anonymous information about the files and URL addresses processed on the client computers. The KSN service is described in detail in Unit II Protection Management. If the administrator selects to participate in KSN, the options that enable the use of KSN and KSN proxy are activated in the policy. If the administrator selects not to participate in KSN, the use of KSN will be disabled in the Kaspersky Endpoint Security 10 policy; however, the use of KSN proxy will be enabled nevertheless. The use of KSN proxy in the policy is related to the KSN proxy functionality of the Administration Server. In the Administration Server, the KSN proxy function is implemented as a service named Kaspersky Security Network proxy server. By default, the use of KSN proxy is enabled in the Administration Server properties.

Default exclusions In the other window, the administrator can choose the default exclusions from scanning. There are two options that help to create recommended exclusions for workstations and servers according to Microsoft and Kaspersky Lab guidelines. They are enabled by default. Additionally, there are exclusion templates for remote management software. These templates should be enabled if the listed software is used in the company. Otherwise, remote management using this software may be partially disrupted by Kaspersky Endpoint Security.


Proxy server
The last step that prompts the administrator for data contains the proxy server settings for Internet access. The Administration Server connects to the Internet to download updates and to communicate with the KSN servers of Kaspersky Lab. Both features use the same proxy server parameters. The settings are typical: the address, the port, an optional user name and password for authentication, and an option to bypass the proxy server for local addresses.

Wizard completion The task that downloads updates to the repository starts immediately after selecting proxy server settings to provide client computers with the current updates. Also, it downloads the information necessary for vulnerability scanning and categorization information necessary for the control components. The Quick Start wizard displays the task progress, but you don’t need to wait for it to finish. If you proceed to the following page of the wizard, updating will still be going on in the background. The last page of the Quick Start wizard displays the check box that allows starting the remote installation wizard for deploying Kaspersky Endpoint Security on the network computers. This check box is selected by default, but it is preferable to adopt a deployment plan and stick to it rather than rush into action. If necessary, the administrator can start the Quick Start wizard again from the shortcut menu of the Administration Server. In this case the wizard will create only the tasks and policies that are missing.


2.5 Additional Components of Kaspersky Security Center
Components
The following components are included in the Kaspersky Security Center 10 distribution kit, but can be installed independently of the Administration Server:
— Kaspersky Security Center Administration Console
— Kaspersky Security Center Network Agent
— Kaspersky Security Center Web Console
— Kaspersky Security Center System Health Validator (for Microsoft Network Access Protection)
— Exchange ActiveSync Mobile Device Server
— iOS MDM Mobile Device Server

Kaspersky System Health Validator is a component that provides interaction of Kaspersky Security Center and Microsoft Network Access Protection. With this component, the network access protection system Microsoft NAP defines the access level taking into account the Kaspersky Endpoint Security status. Kaspersky Security Center SHV is similar to Kaspersky Lab Cisco NAC Posture Validation Server: both of them provide integration with external network access control systems. Kaspersky Security Center 10 is able to provide network access control by itself too. For details, refer to course KL 009.10: Systems Management. The Exchange ActiveSync and iOS MDM Mobile Device Server components are designed for managing mobile devices: smartphones, tablets, etc. Mobile device management is described in course KL 010.10. All of the above components can be installed from the installation shell of Kaspersky Security Center, which also allows installing plugins for the Administration Console. The Web Console is not included in the Kaspersky Security Center 10 distribution and should be downloaded separately. The Web Console provides somewhat limited management options via a web browser and is useful in some deployment scenarios.

Administration Console
Use
The Kaspersky Security Center Administration Console enables you to work remotely with the Kaspersky Security Center Administration Server: view reports, modify settings, run tasks, etc. The Administration Server accepts connections from the Consoles on port 13291. The remote console interface is identical to that of the local Kaspersky Security Center console. The Administration Console is not the only method of managing the Administration Server remotely. Many administrators prefer to connect to the remote desktop of the computer where the Administration Server is installed and work within the local console.


A remote desktop connection uses port 3389 [3]. This remote management alternative tends to generate more traffic than the remote Administration Console. On the other hand, the Administration Console requires installation and supports only Windows, while remote desktop access does not involve installing additional tools and is platform-independent. The Administration Server is often installed on a virtual machine; in this case, the virtual computer desktop can also be accessed via the console of the corresponding virtual infrastructure.

[3] Here we mean the built-in Windows Remote Desktop. There are also many alternative tools with similar capabilities that connect using other protocols and ports. For example, programs based on the VNC protocol usually employ port 5900.


Installation requirements The Administration Console can be installed under the same operating systems as Administration Server. Since the Administration Console is an MMC snap-in, Microsoft Management Console 2.0 or later must be installed on the computer. This requirement is automatically met on all supported operating systems. Windows Installer 4.5 is also necessary for the installation. Internet Explorer 7 or later is necessary for correct representation of the Administration Server interface on Windows XP/Vista/2003/2008/2008 R2. Internet Explorer 8 or later is required on Windows 7. Internet Explorer 10 or later is required on Windows 8 and 10. On Windows 10, the Microsoft Edge browser is also enough. If the computer doesn’t have the appropriate browser version, the interface may be represented incorrectly. Hardware requirements for the Administration Console are as follows: — Processor: 1 GHz or higher for 32-bit systems; 1.4 GHz or higher for 64-bit systems — 512 MB of RAM — 1 GB of free hard drive space

Installation
The Console installer can be launched from the Kaspersky Security Center installation shell. The installation wizard allows modifying only the default location of the program files folder: %ProgramFiles%\Kaspersky Lab\Kaspersky Security Center Console [4]. The installation wizard will also prompt you to accept the license agreement and inform you about the start of the installation of the necessary components and the console. The console distribution includes the complete set of management plug-ins for all Kaspersky Lab products, but installs only the plug-ins for managing Kaspersky Security Center components and Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 2 for Windows. Custom installation is not available. The missing plug-ins can be installed later from the installation shell of Kaspersky Security Center or from the folder.

[4] %ProgramFiles(x86)% on 64-bit systems.


Connection to the Administration Server When the console starts, the connection parameters window opens. Here you need to specify the Administration Server address and account of the administrator. In order to adequately manage the server, the account should be either a local administrator on the computer where the Administration Server is installed, or an account that is included in the KLAdmins group (which is automatically created when the Administration Server is installed). The access control system is described in detail in KL 302.10. Kaspersky Endpoint Security and Management: Advanced Skills course. By default, the console tries to connect on behalf of the current user, but allows the administrator to specify another username and password. The Administration Server accepts SSL connections from the Consoles on port 13291 by default. This port can be modified in the Administration Server properties. If you do that, specify the connection port after the server address followed by a colon in the connection window. If SSL is disabled, the console does not permit specifying the user in the connection window and always connects on behalf of the local user for security reasons. You should not disable SSL unless you want to troubleshoot connection issues. The Advanced button allows the administrator to specify additional connection settings: — Use data compression — Use proxy server, if there is a proxy server between the computer where the console is installed and the Administration Server One console can be used for connecting to several Administration Servers. To add an Administration Server to the console, select the Kaspersky Security Center node and click New, Administration Server on its shortcut menu. After that, you will be prompted for the server address, the connection parameters, and additional parameters.

Certificate
Encrypted connections are established over SSL. The authentication phase relies on the Administration Server certificate. A new certificate is generated when the Administration Server is installed [5] and is used for authentication on every encrypted connection. This certificate is valid for 10 years. When the first encrypted connection is established, the Console computer does not have the Server certificate and authentication is impossible. The easiest way out is downloading the certificate from the Server and using it for further connections. In this case, the certificate guarantees only that the Console connects to the same Server from which the certificate was downloaded. To avoid server substitution when the first connection is established, the administrator can copy the Server certificate to removable media and specify its path when prompted. The server certificate named klserver.cer is located in the %ProgramData%\KasperskyLab\adminkit\1093\cert folder. This folder may also contain other certificates that are necessary for managing mobile devices.

[5] A certificate with a 1024-bit RSA key is created by default. You can also create a certificate with a 2048-bit key. To achieve this, start the Administration Server installation with the /v"SERVERCERT2048BITS=1" parameter.
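As an added example (not code from the course or from Kaspersky Security Center), the following PowerShell script reads klserver.cer from the default folder named above, prints its RSA key size and validity period, and compares its SHA-1 thumbprint with a value the console operator obtained out of band, for instance from the server administrator, which is what protects the first connection against server substitution. The expected-thumbprint placeholder is an assumption to be replaced, and the RSACertificateExtensions call assumes .NET Framework 4.6 or later on the console computer.

```powershell
# Added example: verify the Administration Server certificate before trusting it in the console.
# Not part of Kaspersky Security Center. The default path is the one given in the course text;
# the expected thumbprint is a placeholder (assumption) supplied by the server administrator.
param(
    [string]$CertPath = "$env:ProgramData\KasperskyLab\adminkit\1093\cert\klserver.cer",
    [string]$ExpectedThumbprint = 'REPLACE_WITH_THUMBPRINT_FROM_SERVER_ADMIN'
)

if (-not (Test-Path -LiteralPath $CertPath)) {
    throw "Certificate file not found: $CertPath"
}

# X509Certificate2 accepts both DER and Base64 .cer files
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# RSA key size: 1024 bits by default, 2048 if the server was installed with SERVERCERT2048BITS=1
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$keyBits = if ($rsa) { $rsa.KeySize } else { 0 }

# SHA-256 over the DER encoding, for operators who prefer not to rely on SHA-1 thumbprints
$sha256 = ([System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData) |
    ForEach-Object { $_.ToString('x2') }) -join ''

[pscustomobject]@{
    Subject   = $cert.Subject
    Issuer    = $cert.Issuer
    NotBefore = $cert.NotBefore
    NotAfter  = $cert.NotAfter
    DaysLeft  = [int]($cert.NotAfter - (Get-Date)).TotalDays
    KeyBits   = $keyBits
    SHA1      = $cert.Thumbprint
    SHA256    = $sha256
} | Format-List

# Pin check: the Windows thumbprint is SHA-1 of the DER bytes; normalize separators and case first
$normalized = ($ExpectedThumbprint -replace '[\s:]', '').ToUpperInvariant()
if ($normalized -eq $cert.Thumbprint.ToUpperInvariant()) {
    Write-Host 'Thumbprint matches the value supplied out of band.' -ForegroundColor Green
} else {
    Write-Warning 'Thumbprint does NOT match. Do not accept this certificate in the console connection dialog.'
}

if ($keyBits -gt 0 -and $keyBits -lt 2048) {
    Write-Warning "Certificate key is $keyBits bits; consider reinstalling the Server with /v""SERVERCERT2048BITS=1"" for a 2048-bit key."
}
```

Run it on the console computer after copying klserver.cer from the Server, or point -CertPath at the copy on removable media; the thumbprint it prints is the one to read back to the server administrator.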


Chapter 3. Installation on Computers
3.1 System Requirements
Requirements for installation of Kaspersky Endpoint Security 10 for Windows
Kaspersky Endpoint Security supports installation on the following Microsoft Windows operating systems:
— Client
  — Windows 10 Pro, Enterprise x86 / x64
  — Windows 8.1 / 8.1 Update Pro, Enterprise x86 / x64
  — Windows 8 Pro, Enterprise x86 / x64
  — Windows 7 / 7 SP1 Professional, Enterprise, Ultimate x86 / x64
  — Windows Vista SP2 x86 / x64
  — Windows XP Professional SP3 x86
— Windows 8.1 tablets [6]. The following devices have been tested:
  — Samsung ATIV Smart PC Pro XE700T1C-A03 (Windows 8.1 x86)
  — Lenovo ThinkPad Tablet 2 (Windows 8.1 x64)
  — Microsoft Surface Pro 2 128 (Windows 8.1 x64)
— Embedded [6]
  — Windows Embedded 8.1 Industry Pro x64
  — Windows Embedded 8.0 Standard x64
  — Windows Embedded POSReady 7 x86 / x64
  — Windows Embedded Standard 7 SP1 x86 / x64
— Server
  — Windows Server 2012 R2 Foundation, Essentials, Standard [7]
  — Windows Server 2012 Foundation, Essentials, Standard [7]
  — Windows Server 2008 R2 / 2008 R2 SP1 Foundation, Standard, Enterprise
  — Windows Server 2008 SP2 Standard, Enterprise x86 / x64
  — Windows Server 2003 SP2 / 2003 R2 SP2 Standard, Enterprise x86 / x64
  — Windows Small Business Server 2011 Essentials, Standard x64
  — Windows Small Business Server 2008 Standard, Premium x64
  — Windows MultiPoint Server 2011 x64

[6] Tablets and embedded versions of Windows do not support encryption.
[7] The ReFS file system is supported with limitations; Server Core and Cluster Mode configurations are not supported.


This list includes most Windows versions from Windows XP SP3 / Windows Server 2003 SP2 to Windows 10 / Windows Server 2012 R2. An important thing to remember is that Datacenter editions of Windows Server are not supported; Kaspersky Security for Windows Server is designed for their protection.
Kaspersky Endpoint Security 10 Service Pack 1 for Windows can be installed on the following virtualization platforms:
— VMware ESXi 5.5 Update 1, Update 2
— Microsoft Hyper-V 3.0 (Windows Server 2012)
— Citrix XenServer 6.2
— Citrix XenDesktop 7.5
— Citrix Provisioning Server 7.1
On Citrix PVS, Kaspersky Endpoint Security must be installed with the /pCITRIXCOMPATIBILITY=1 command-line switch.


To install Kaspersky Endpoint Security, administrator permissions are necessary, and protection tools by other manufacturers must be uninstalled from the computers. General hardware requirements for Kaspersky Endpoint Security 10 Service Pack 1 are as follows:
— CPU: 1 GHz
— RAM: 1 GB [8]
— Available disk space: 2 GB
Internet Explorer 7.0 and Windows Installer 3.0 are also necessary for the installation.

Network Agent installation requirements
The Kaspersky Security Center Network Agent can be installed on all systems supported by Kaspersky Endpoint Security 10 for Windows. Hardware requirements for Network Agent installation are as follows:
— CPU: 1 GHz or higher for 32-bit systems; 1.4 GHz or higher for 64-bit systems
— RAM: 512 MB
— Hard drive space: 1 GB
The RAM requirements are actually recommendations; the Network Agent can be installed on a computer with less RAM.

[8] The absolute bare minimum for the installation is 384 MB for Windows XP and embedded versions of Windows, and 768 MB for the other versions.


3.2 Typical Installation Using Wizard There are many methods of starting a remote installation in Kaspersky Security Center. All of them are based on the same mechanism. The difference is in the location of their starting points in the Console and the number of available settings. The most popular one, especially among novices, is using the ordinary remote installation wizard. Its typical use is described below. The Administration Server detects computers where protection tools are not installed. This information is displayed on the Monitoring tab of the Administration Server node, in the Deployment area: the indicator is yellow and a warning is shown. The administrator clicks the Install Kaspersky Anti-Virus link. The Advanced | Remote installation node opens, where the administrator can start the remote installation wizard. The deployment wizard prompts the administrator for the installation package to be installed, target computers and the installation method.

Selecting the product The product to be installed is selected from the list of available installation packages. The standard installation of the Kaspersky Security Center includes installation packages for the current versions of the Network Agent, Kaspersky Endpoint Security for Windows and two components for mobile device management, which are described in training course KL 010.10. You can manage installation packages, delete or create new ones in the Installation Packages repository (in the Advanced | Remote Installation node). See further sections for details. If Kaspersky Endpoint Security is selected in the deployment wizard, it will be installed together with the Network Agent. The wizard not only installs the selected package, but also connects the computers to the Administration Server by installing the Network Agent on them. If the computers are already connected, the Network Agent is not reinstalled (overwritten). Installation packages of Kaspersky Endpoint Security 10 for Windows and Network Agent can be installed on any supported operating system. You need not run the wizard separately for server and desktop versions of Windows or for 32-bit and 64-bit editions. The same wizard can install the products on computers with different operating systems. Due to this universality, the installation package of Kaspersky Endpoint Security 10 is relatively large: about 290 MB. There are no supported ways to reduce this size. The Network Agent package is much smaller: about 40 MB.


Selecting the computers You can select groups or separate computers for installation. Groups are comprised of managed computers. To install the products on unassigned or even undiscovered computers, click Select computers for installation. Then you will be able to either select the computers detected by Administration Server, or specify computers’ addresses manually. When a group is selected, the wizard does not show its contents, so the administrator must remember which group the target computers are in. When selecting computers, the administrator can select among those discovered, and also add arbitrary names, IP addresses and IP subnets in the list. The Administration Server will try to perform installation on all specified computers. As you will see later, the remote installation wizard creates a remote installation task based on the gathered data. If a group is selected, a group task is created; if computers, a task for specific computers.

Installation method The wizard always tries to install products using the Network Agent. If the Network Agent is not yet installed on the computer, installation using Windows tools is tried. Both these methods are described further in this chapter. If both Kaspersky Endpoint Security and Network Agent are to be installed on the computer, the wizard first installs the Network Agent using Windows tools, and then installs Kaspersky Endpoint Security 10 using Network Agent.


Key Kaspersky Endpoint Security, unlike the Network Agent, needs activation to operate properly. In the installation wizard, you can explicitly select which code or key should be used to activate the product from the list of codes and keys added to the Kaspersky Lab licenses storage of the Administration Server. If necessary, you can add another code or key to the repository without quitting the wizard. This step can be skipped if the repository contains a code or a key configured to be distributed automatically. It will be automatically installed on all computers where Kaspersky Endpoint Security needs to be activated. Activation is described in detail in Unit IV Maintenance.

Computer restart
The wizard offers to select restart parameters; however, in most cases neither the Network Agent nor the Kaspersky Endpoint Security 10 installation requires restarting the computer. The Network Agent installation almost never requires it. During Kaspersky Endpoint Security installation, a restart becomes necessary if another protection program was installed on the computer. The default choice, Prompt user for action, is fine for workstations. When installing the product on servers, we recommend selecting Do not restart the computer: on a server there is usually no logged-on user to respond to the prompt. The restart parameters are described in more detail later in this chapter.

Uninstallation of incompatible applications
An important capability of the Kaspersky Endpoint Security 10 installer is the ability to detect and uninstall incompatible applications (various protection tools, including Anti-Viruses, firewalls, etc.), which are not recommended to be used concurrently with Kaspersky Endpoint Security, because this can result in serious problems for users and computers. The administrator usually knows which potentially incompatible protection tools are installed in the network and should coordinate their uninstallation beforehand. The programs are recommended to be uninstalled either by their built-in uninstallers or by Windows tools. The corresponding capability of the Kaspersky Endpoint Security installer should be regarded only as a contingency measure. Detection of incompatible applications cannot be disabled [9], since it is intended to prevent conflicts. You can modify uninstallation settings in the remote installation wizard; this is described in detail later in this chapter.

[9] It cannot be disabled using the interface settings. There is a command-line parameter that disables detection of incompatible programs; if necessary, it can be added to the package description file for remote installations.


Computer relocation As a result of installing the Network Agent and protection tools, computers become manageable. That is why if computers, not groups, are selected, the wizard will ask whether it is necessary to relocate the computers to an administration group, and if yes, into which one. The managed computers must be included in administration groups for tasks and policies to be applied to them. If a computer has the Network Agent installed, but is not included in an administration group, it will neither send its events to the Administration Server, nor will it be included in the reports, nor use the centralized settings specified by the administrator. It is manageable only nominally. De facto it is not. The selection affects only unassigned computers. If both unassigned and managed computers are on the installation list, the managed ones will remain in their groups. This step is displayed only if Network Agent is installed together with Kaspersky Endpoint Security 10.

Selecting account Initially, the Network Agent is installed by Windows tools and needs an account for accessing the target computers. The deployment wizard allows you to specify several accounts, in case different administrator passwords are used on the target computers. The installer tries the accounts in succession. If the first account has insufficient privileges, the next one is tried, and so on. Before the specified accounts are tried, the installer attempts to act on behalf of the Administration Server service account, which you don’t actually see on the account list. However, if the administrator used the default settings when installing the server, the server service account cannot be used for remote installation. As a result of installation with default settings, the server service starts on behalf of the KL-AK-* account that is created automatically and receives the rights of a local administrator (not literally, but effectively the same). It has no rights on remote computers. So, in most cases you have to explicitly specify accounts for accessing the target computers. In a domain environment, a domain administrator account is the best choice for remote installations. In large companies, there is usually a special account for remote installations, or the IT personnel accounts have the necessary rights.

Installation process monitoring
The installation wizard uses the settings specified by the administrator to create and immediately start the product installation task on the selected computers. After that, it automatically opens the task page in the Administration Console. The task page displays the task progress on the selected computers. On each computer, an installation can be ready for execution, running, waiting for reboot, completed successfully, or failed with an error. The number of computers in every status is displayed on the pie chart and in the table.


To view the task log, click the View results link under the statistics on the task page. The upper part of the results window contains the list of all target computers and the current task status for every one of them; and the lower part shows the task log for the selected computer. The task log contains the history of each task status changing on the computer. The status can be the same, while its description may vary. For example, an installation task log usually contains several records of the Running status, where the first one informs of starting file copying to the remote computer, the second one—of starting the installer, and the third one—of the installation completion. The typical installation history of a computer shows that first the Network Agent is installed, and then Kaspersky Endpoint Security. To install the agent, its files are copied into the admin$ shared folder on the computer, and then the Administration Server waits for the connection with the installed Agent to start the installation of Kaspersky Endpoint Security.

3.3 Possible Installation Issues A remote installation consists of two main stages: — Copying the files onto the computer — Starting the remote installation Most problems arise at the first stage, and usually these are access problems. Typical problems depend on the method of copying, or, in other words, on the selected installation method.

Installation specifics
Installation using Windows tools
This term implies the following sequence of actions:
— The Administration Server copies the installation files over the network into the admin$\Temp shared folder on the remote computer (i.e. \\COMPUTER\Admin$\Temp)
— The Administration Server sends the command to start the copied setup.exe with the necessary parameters over RPC (Remote Procedure Call)
TCP ports 139 and 445 are used for copying, and TCP port 135 for starting. The operations are performed either on behalf of the Administration Server service account, or on behalf of the accounts specified by the administrator in the installation wizard.


Installation using Network Agent
In this scenario, the Network Agent does everything:
— Downloads the installation files from the Server and saves them into the Windows temporary folder
— Starts the setup.exe file with parameters on behalf of the local system [10]
To download the files, the agent connects to the Administration Server over TCP port 13000 (by default).

Possible obstacles
An installation using Network Agent is usually trouble-free: if the Agent can connect to the Administration Server, it can usually download the files and install the product [10].
An installation failure using Windows tools is typically related to access problems. Windows does not allow just anyone to remotely copy files to a computer and start programs on it, and there are several obstacles here:
— Windows Firewall blocks access to shared files and printers by default. In the task details, the access error is explained by the failure to connect to the computer over the network. In some cases, the Administration Server cannot resolve the computer name into an IP address; this is also logged in the installation task details
— User Account Control in Windows Vista / 7 / 8 / 10 prompts the user to confirm the action, which cannot be done remotely, so the files are not copied. The task returns an error of insufficient rights for accessing the folder
— The Simple File Sharing setting in Windows XP has the same effect. In this mode, all users connected over the network receive guest rights, so the files cannot be copied for lack of rights
— Sometimes the insufficient access rights error arises because the administrator either did not specify, in the remote installation wizard, a user account that has administrator permissions on the computer, or mistyped the password
There are also two rather unusual obstacles that need attention:
— The Server service is not installed or is not started. Without this service, shared files and folders cannot be accessed
— An account with an empty password is used for the installation. Windows security policy by default denies network access to accounts with empty passwords, even administrators
In both cases, the task returns the same error of insufficient rights to access the shared folder.
You can see that various obstacles result in the same installation task errors. Usually they cannot be solved remotely, since most of them are related to local computer settings. An installation error often means that remote installation using Windows tools is impossible on that computer and another method should be tried. Obviously, this does not apply to situations when the computer is temporarily turned off, or when the administrator mistyped the user name or password.

[10] This approach does not work for remote installation on a server with the Remote Desktop Services (Terminal Services) role. On these servers, the local system account has no administrative permissions. We recommend that you manually install Kaspersky Security for Windows Server on terminal servers.
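The access failures described above can be checked from the Administration Server before a deployment task is created. The following PowerShell script is an added example, not a Kaspersky Security Center tool: for each target it resolves the name, tests TCP 135 (RPC), 139 and 445 (SMB), and then tries to write a file into \\HOST\Admin$\Temp with the deployment account, which is exactly what the copy stage of "installation using Windows tools" does. The host names WS-001 and WS-002 are placeholders (assumption), and the 3-second connect timeout is a value chosen for this example.

```powershell
# Added example: pre-flight check for "installation using Windows tools", run on the
# Administration Server. Not part of Kaspersky Security Center. Host names are placeholders.
param(
    [string[]]$ComputerName = @('WS-001', 'WS-002'),
    [System.Management.Automation.PSCredential]$Credential = (Get-Credential -Message 'Account with local administrator rights on the targets')
)

function Test-RemoteInstallPrereqs {
    param([string]$Target, [System.Management.Automation.PSCredential]$Cred)

    $result = [ordered]@{
        Computer = $Target; Resolves = $false; Tcp135 = $false; Tcp139 = $false; Tcp445 = $false
        AdminShareWritable = $false; Error = ''
    }

    # 1. Name resolution: the Server logs this failure in the task details as well
    try {
        $null = [System.Net.Dns]::GetHostAddresses($Target)
        $result.Resolves = $true
    } catch {
        $result.Error = "Name resolution failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # 2. RPC (135) for starting setup.exe, SMB (139/445) for copying the files.
    #    A short timeout keeps a firewalled host from stalling the whole run.
    foreach ($port in 135, 139, 445) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($Target, $port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne(3000) -and $client.Connected) { $result["Tcp$port"] = $true }
        } catch { } finally { $client.Close() }
    }
    if (-not $result.Tcp445 -and -not $result.Tcp139) {
        $result.Error = 'SMB ports closed (Windows Firewall, or the Server service is not running)'
        return [pscustomobject]$result
    }

    # 3. Map Admin$\Temp with the deployment account and attempt a write, as the Server does
    $drive = $null
    try {
        $driveName = "KSC$([guid]::NewGuid().ToString('N').Substring(0, 8))"
        $drive = New-PSDrive -Name $driveName -PSProvider FileSystem -Root "\\$Target\Admin$\Temp" -Credential $Cred -ErrorAction Stop
        $probe = "$($drive.Name):\ksc_preflight_$([guid]::NewGuid()).tmp"
        Set-Content -Path $probe -Value 'preflight' -ErrorAction Stop
        Remove-Item -Path $probe -ErrorAction SilentlyContinue
        $result.AdminShareWritable = $true
    } catch {
        # "Access denied" here usually means remote UAC restrictions, Simple File Sharing,
        # an empty password, or an account without local administrator rights
        $result.Error = "Admin`$ access failed: $($_.Exception.Message)"
    } finally {
        if ($drive) { Remove-PSDrive -Name $drive.Name -Force -ErrorAction SilentlyContinue }
    }
    return [pscustomobject]$result
}

$ComputerName | ForEach-Object { Test-RemoteInstallPrereqs -Target $_ -Cred $Credential } | Format-Table -AutoSize
```

A row with Resolves and all three ports true but AdminShareWritable false points at a local setting on the target (UAC, Simple File Sharing, empty password) rather than at the network, which is the case where riprep.exe or a local installation is the way forward.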


Preparing the computer with the riprep.exe utility
If remote installation is impossible on a computer, a local installation is the next logical choice. As an alternative to local installation, the computers can be prepared for remote installation. For this purpose, Kaspersky Security Center includes the riprep.exe utility (RIPrep = Remote Installation Preparation). The utility is started locally and can solve most access problems:
— Disables Simple File Sharing
— Starts the Server service
— Opens the necessary ports in Windows Firewall
— Creates an account having the necessary rights for remote installation
— Disables User Account Control
riprep.exe relieves the administrator of investigating why the Administration Server cannot access the admin$ folder; the utility removes most potential obstacles. Sometimes system administrators e-mail the utility to the users so that they prepare the computers for remote installation. This works only if the users have local administrator rights. If the users do not have local administrator permissions, the system administrators must already have some other means of deploying programs to those computers.
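For comparison, the same preparation can be done with standard Windows tools. The script below is an added example, not riprep.exe itself: it makes the same five changes on the local computer, with one deliberate difference. Instead of switching User Account Control off, it sets LocalAccountTokenFilterPolicy, which lifts only the remote UAC token filtering that blocks the Admin$ copy and leaves UAC in place for interactive use. It assumes Windows 8 / Server 2012 or later for the NetSecurity and SmbShare cmdlets, PowerShell 5.1 for the local-account cmdlets, English names for the File and Printer Sharing rule group and the Administrators group, and the account name ksc-deploy is chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: prepare a workstation for remote installation with standard Windows tools.
# Not riprep.exe and not part of Kaspersky Security Center. Run elevated on the target.
# Assumptions: Windows 8 / Server 2012+, PowerShell 5.1, English group and rule names.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# 1. Classic sharing model (ForceGuest = 0): network users authenticate as themselves, not as Guest
Set-ItemProperty -Path $lsa -Name ForceGuest -Value 0 -Type DWord

# 2. The Server (LanmanServer) service must run, otherwise Admin$ does not exist
Set-Service -Name LanmanServer -StartupType Automatic
Start-Service -Name LanmanServer

# 3. Open the predefined rules for TCP 139/445 (copying); RPC 135 is part of the same group
Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction Stop

# 4. Remote UAC: give local administrators a full token over the network instead of disabling UAC.
#    This is the restriction behind the "insufficient rights" error on the Admin$ copy.
Set-ItemProperty -Path $pol -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord

# 5. Dedicated local administrator for the deployment; a blank password would be refused over the network
$name = 'ksc-deploy'   # assumption: account name chosen for this example
if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for local account $name"
    New-LocalUser -Name $name -Password $pw -PasswordNeverExpires -Description 'Kaspersky Security Center remote installation' | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $name
}

# Verify the resulting state before handing the computer back to the deployment task
[pscustomobject]@{
    ForceGuest      = (Get-ItemProperty -Path $lsa).ForceGuest
    LanmanServer    = (Get-Service -Name LanmanServer).Status
    FpsRulesEnabled = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' | Where-Object Enabled -eq 'True').Count
    TokenFilter     = (Get-ItemProperty -Path $pol).LocalAccountTokenFilterPolicy
    AdminShare      = $null -ne (Get-SmbShare -Name 'ADMIN$' -ErrorAction SilentlyContinue)
}
```

Step 5 is the part that must not be sent to end users as-is: the password prompt is meant for the administrator who runs the script locally, and the account it creates should be removed once the Network Agent is installed and the Server no longer needs Windows tools to reach the computer.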

Configuring access using the domain policy

The above described problems usually arise on those computers that are not members of the domain. The administrator has more control of the domain computers and can prepare them for the remote installation using the domain policies. User Account Control, Simple File Sharing and Firewalls can be set up via group policies. To disable simple file sharing within a policy, open Computer Configuration, Policies, Windows Settings, Security Settings, find Network access: Sharing and security model for local accounts and select Classic - local users authenticate as themselves. Simple file sharing will be disabled on the domain computers.


User Account Control settings are also located there, at the end of the list. If necessary, you can disable UAC. Windows XP Firewall parameters are located in Computer Configuration, Administrative Templates, Network, Network Connections. In the Windows Firewall parameters, allow the file and printer sharing exception in the domain profile. Windows Vista / 7 / 8 / 10 Firewall parameters are located in: Computer Configuration, Policies, Windows Settings, Security Settings, Windows Firewall with advanced security. Here, creating the necessary exception is more difficult. You can open the necessary ports, or export the necessary rules from the local Firewall settings and import them into the policy, but usually it is easier to disable the firewall for the domain profile.
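The obstacles that riprep.exe removes and the policy settings described in the last two sections, as an added PowerShell audit that is not part of this guide and not Kaspersky Lab code: run locally on a client, it reports whether each prerequisite for remote installation through admin$ is currently met and changes nothing. It assumes Windows 8 / Server 2012 or later (NetSecurity and SmbShare modules) and an English firewall rule group name; the LocalAccountTokenFilterPolicy value is my addition, not something the guide covers.

```powershell
# Added example: read-only readiness check for Kaspersky Security Center remote installation.
function Test-RemoteInstallReadiness {
    $results = @()

    # 1. Sharing and security model for local accounts. ForceGuest = 1 is "Guest only"
    #    (Simple File Sharing); 0 or absent is "Classic", which remote installation needs.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $forceGuest = if ($null -eq $lsa.ForceGuest) { 'not set' } else { $lsa.ForceGuest }
    $results += [pscustomobject]@{
        Check  = 'Sharing model is Classic (ForceGuest <> 1)'
        Ok     = ($lsa.ForceGuest -ne 1)
        Detail = "ForceGuest = $forceGuest"
    }

    # 2. The Server service (LanmanServer) hosts the administrative shares.
    $svc = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = 'Server service running'
        Ok     = ($svc.Status -eq 'Running')
        Detail = "LanmanServer status = $($svc.Status)"
    }

    # 3. admin$ must exist: the Administration Server copies the installer there.
    $share = Get-SmbShare -Name 'ADMIN$' -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = 'admin$ share present'
        Ok     = ($null -ne $share)
        Detail = if ($share) { "Path = $($share.Path)" } else { 'share not found' }
    }

    # 4. SMB listener on TCP 445 (the port the Server connects to).
    $listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = 'TCP 445 listening'
        Ok     = (@($listen).Count -gt 0)
        Detail = "$(@($listen).Count) listener(s)"
    }

    # 5. Windows Firewall: the File and Printer Sharing exception must be enabled inbound
    #    for the domain profile (or the profile itself must be off).
    $domainProfile = Get-NetFirewallProfile -Name Domain
    $fps = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
           Where-Object { $_.Profile -match 'Any|Domain' }
    $results += [pscustomobject]@{
        Check  = 'Firewall allows File and Printer Sharing (domain profile)'
        Ok     = ((-not $domainProfile.Enabled) -or (@($fps).Count -gt 0))
        Detail = "Domain profile enabled = $($domainProfile.Enabled); matching rules = $(@($fps).Count)"
    }

    # 6. UAC remote token filtering. Domain accounts are not filtered; a *local* administrator
    #    account used by the Server is, unless UAC is off (EnableLUA = 0) or
    #    LocalAccountTokenFilterPolicy = 1 exempts it.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = 'Local admin accounts usable over the network (UAC)'
        Ok     = (($pol.EnableLUA -eq 0) -or ($pol.LocalAccountTokenFilterPolicy -eq 1))
        Detail = "EnableLUA = $($pol.EnableLUA); LocalAccountTokenFilterPolicy = $($pol.LocalAccountTokenFilterPolicy)"
    }

    return $results
}

# Usage: one row per prerequisite; any Ok = False explains an 'access denied' style task error.
Test-RemoteInstallReadiness | Format-Table -AutoSize
```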


3.4 Uninstallation of Incompatible Applications

Uninstallation tools

Kaspersky Endpoint Security is not compatible with other protection tools. Before the installation, the conflicting programs must be uninstalled. If for some reason the incompatible applications cannot be uninstalled using regular tools, the administrator may use Kaspersky Security Center functionality for this purpose:

— The Uninstall incompatible applications automatically option in the installation wizard of Kaspersky Endpoint Security, or
— An Uninstall application remotely task

Uninstallation using Kaspersky Endpoint Security 10 installer

The installer of Kaspersky Endpoint Security 10 for Windows always detects incompatible applications. The installer can uninstall most of the incompatible applications it can find. If uninstallation of incompatible applications is disabled and a conflicting application is found during Kaspersky Endpoint Security 10 installation, the installer returns an error. The error description explains that the product cannot be installed if incompatible applications are installed on the computer. The administrator needs to uninstall the conflicting programs and re-start the installation. Security software by other manufacturers is not incompatible with the Network Agent and does not hamper its installation.

You can configure uninstallation of incompatible applications in the remote installation wizard. There is a step with the list of programs whose uninstallation is supported, where you can select the Uninstall incompatible applications automatically check box. If uninstallation is enabled, as soon as Kaspersky Endpoint Security 10 installer detects an incompatible program, it automatically deletes it and proceeds with Kaspersky Endpoint Security 10 installation. After the installation is finished, the installer will prompt for restarting the computer. Incompatible application uninstallation parameters are actually a part of Kaspersky Endpoint Security 10 installation package properties, which are described later in this chapter.


Uninstallation using Network Agent

Detecting incompatible applications

An alternative approach to uninstallation of incompatible applications is as follows:

1. Install Network Agent without Kaspersky Endpoint Security 10 for Windows
2. Generate a report on incompatible applications
3. Create a selection of computers with incompatible applications
4. Create and run an incompatible application uninstallation task for the selection
5. Install Kaspersky Endpoint Security

The Network Agent can detect incompatible applications and inform the Administration Server about them. This information is available in the computer properties: System Info, Applications registry. The Network Agent reports all installed programs, not just the incompatible ones, but in the computer properties window you can select to view incompatible applications only. To view information about incompatible applications on all managed computers, open the corresponding report on the Reports tab of the Administration Server node.


Creating a computer selection

To uninstall incompatible applications, you need to create an uninstallation task and run it on the computers where these programs are installed. The easiest way to do it is to use computer selections. They are located in the corresponding node at the root level of the console tree. There are quite a few default computer selections, but none of them shows computers with incompatible applications. To draw up a list of these computers, it will be necessary to create a new computer selection. In the properties of this new computer selection, modify its conditions: in the Applications registry section, specify the name of the incompatible application. The computer selection results will contain only the computers where this program is detected. To include computers with different incompatible applications in one selection, specify several search conditions in the selection properties.

Incompatible application uninstallation task

The following step is to create an uninstallation task for this selection. Start a generic task creation wizard in the Tasks node, follow the wizard and when prompted for the target computers, choose the selection object. Every time the task runs it will check the contents of the selection and update the target computers list accordingly.


To uninstall incompatible applications, select the Kaspersky Security Center Administration Server | Advanced | Uninstall application remotely task type in the task creation wizard. This task is used in various scenarios concerning uninstallation of programs and service packs. Here, we are interested in the Uninstall incompatible application option. After this step, specify the name of the incompatible application to be uninstalled. You can select several programs or even all of them. This increases the task run time though, because such a task executes, step by step, the uninstall scripts for all the selected programs. The uninstallation task also has computer restart parameters. The restart is often necessary to finish the uninstallation. By default, the user is prompted to restart the computer. If they choose to postpone the restart, the prompt reappears every 5 minutes, and in half an hour the restart is forced. The administrator can modify these intervals and the message text. If the administrator selects a forced restart, the user’s data may be lost. Another alternative is to wait for a regular restart, which may happen, for example, the next morning; however, the task will remain uncompleted for a while.


The administrator should also select the target computers. The available options include:

— Picking computers from the Managed computers group and the Unassigned devices node
— Typing the names or addresses of the computers
— Specifying a computer group name
— Pointing to a selection of computers

The last option is convenient for computers that can be defined by conditions relatively easily, e.g., computers where incompatible applications are detected. The task creation wizard also prompts for the account. In our scenario, the account is not necessary, because Network Agent is already installed on the computers and will run the uninstallation task under the local system account. The account does need to be specified if the task is run either on computers without a Network Agent, or on computers where the Network Agent has no administrator permissions. At the last steps of the wizard, select the schedule, task name, and whether to start the task immediately. Once the incompatible programs are uninstalled, Kaspersky Endpoint Security can be deployed by running the remote installation wizard or an automatic installation task, which are described later in this chapter.


3.5 Other Installation Methods

Installation methods: overview

Remote installation using Windows tools does not work in some cases. This means that the initial deployment of Kaspersky Endpoint Security by the standard remote installation wizard of Kaspersky Security Center might fail. At the same time, Kaspersky Endpoint Security is typically not the only program to be deployed within a network. The administrators regularly install and update programs on the computers, and they must have the corresponding tools and methods. Those vary widely: from local installation on the computers performed by IT employees, to the use of IT infrastructure management systems like Microsoft SCCM, or installation using Active Directory tools or login scripts. Support of Kaspersky Security Center is not especially important if these alternative methods are used, but comes in handy if available. For example, for manual installation, Kaspersky Security Center allows integrating all installation files and parameters into one installation file. Also, installation using Active Directory tools can be selected right in the installation wizard.

Installation using standalone packages

A standalone package in Kaspersky Security Center is a file that includes the installation files and installation parameters of the product (for example, Kaspersky Endpoint Security). A standalone package can include Network Agent installation files and the Administration Server connection parameters. This package is designed for local installation by the IT employees, administrators or users who have sufficient rights. It saves time and reduces the number of errors. An extremely simple installation procedure is an advantage of standalone packages. No parameters need to be specified during the installation, as they are already included in the package. This helps to save time and prevent errors, for example, when specifying the Server connection address. Also, since the standalone package is a single file, it is easier to handle than the standard distribution. This eliminates the risk of missing some files, and reduces the overall time necessary.


Creating a standalone package

The Administration Server signs standalone packages with its certificate by default. This certificate is self-signed, and Windows will display a warning when the package is run. The administrator can select to sign packages with another certificate. Specify the necessary certificate in the properties of the Advanced | Remote installation | Installation packages node, in the Signing stand-alone packages section.

Standalone or '1-click' packages are created from regular installation packages available in the Advanced, Remote installation, Installation packages node of the Administration Server. A special wizard is used that prompts for the installation parameters. When the Kaspersky Endpoint Security standalone installation package is created, the wizard will prompt to include the Network Agent, so that the target computer could immediately connect to the Administration Server. Regardless of the selected product, computers should be moved into the managed category right after the installation. Leaving protected computers in the unassigned category usually does not make much sense. This step appears in the wizard if the Network Agent is installed together with the main package. If it is necessary to modify the default settings of Kaspersky Endpoint Security or select the specific components to be installed, it needs to be done within the properties of the regular installation package, before starting the standalone installation package wizard. The parameters of the installation packages are described later in this chapter. After all the parameters are specified, the wizard generates the setup.exe installation file and places it in the PkgInst subdirectory of the shared folder on the Administration Server.


The wizard suggests that the administrator takes one of the following actions:

— Open the folder containing the package, for example, to copy it to a flash drive
— E-mail users an invitation to run the package: Administration Server starts the default e-mail client and automatically fills in the message subject and body providing a link to the package located in the shared folder; the only thing the administrator has to do is to specify the recipient addresses
— Place a link to the package on a web resource: a text window opens, which contains HTML code of the link to the package that can be added to a web page

Later, the list of created standalone packages can be opened from the Installation packages node within the Advanced, Remote installation container. You can delete unnecessary packages or send another e-mail message to the users. The HTML link offered by the package wizard contains the path to the shared folder on the Administration Server. If non-domain users who are not registered on the Administration Server try to click it, they will not be able to access the resource. The link to the network folder should be replaced with an http link to the package that can be copied from its properties. There is a built-in web server on the Administration Server where any user can download the package. Each standalone package gets a unique http link based on the package id. The administrator can find the link in the package properties in the list of all standalone packages. If the standalone package creation wizard is started for a package repeatedly, the administrator can either re-create the standalone package or create another one.

Installation from a standalone package

When the users receive the message inviting them to install the product, they should click the link to download the standalone package, run it and wait for the installation to finish. If Kaspersky Endpoint Security is installed over the previous version or a protection tool by another manufacturer, the computer may need to be restarted. In either case, the user will be prompted for this. To start the standalone package in a silent mode, you can use the /s command-line switch.
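Since the package is signed with the Administration Server certificate (or the certificate chosen in Signing stand-alone packages) and is fetched over a link anyone can reach, an IT employee can check the signer before running it silently with /s. The following is an added example, not code from the guide or from Kaspersky Lab; the expected thumbprint is a placeholder to be taken from the signing certificate, and the -AllowUntrustedChain switch is my name for accepting the self-signed Server certificate that Windows would otherwise warn about.

```powershell
# Added example: verify the Authenticode signer of a standalone package, then install silently.
function Install-StandalonePackage {
    param(
        [Parameter(Mandatory)] [string]$PackagePath,         # e.g. the downloaded setup.exe
        [Parameter(Mandatory)] [string]$ExpectedThumbprint,  # placeholder: thumbprint of the signing certificate
        [switch]$AllowUntrustedChain                         # accept the Server's self-signed certificate
    )

    if (-not (Test-Path -LiteralPath $PackagePath)) {
        throw "Package not found: $PackagePath"
    }

    $sig = Get-AuthenticodeSignature -FilePath $PackagePath

    # With the default self-signed Server certificate the chain ends in an untrusted root,
    # so Status is UnknownError although the signature itself verifies. Anything else
    # (NotSigned, HashMismatch, ...) means the file is not the package the Server produced.
    $chainOk = switch ($sig.Status) {
        'Valid'        { $true }
        'UnknownError' { $AllowUntrustedChain.IsPresent }
        default        { $false }
    }
    if (-not $chainOk) {
        throw "Refusing to run ${PackagePath}: signature status $($sig.Status) ($($sig.StatusMessage))"
    }

    # Pin the signer: a valid signature from some other certificate is still the wrong package.
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
    $actual   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
    if ($actual -ne $expected) {
        throw "Signer thumbprint '$actual' does not match the expected certificate '$expected'"
    }

    # Silent installation with the /s switch; the exit code is returned so a script can
    # tell whether the installer asked for a restart or failed.
    $proc = Start-Process -FilePath $PackagePath -ArgumentList '/s' -Wait -PassThru
    return $proc.ExitCode
}

# Usage (placeholder values):
# Install-StandalonePackage -PackagePath 'C:\Temp\setup.exe' -ExpectedThumbprint '<THUMBPRINT>' -AllowUntrustedChain
```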


More installation-related settings

Previously we described using a wizard for remote deployment. And we mentioned that the result of completing the remote deployment wizard is a task that actually does all the work. Such a task has more settings than the remote deployment wizard, and we are going to discuss these settings now.

Schedule

Kaspersky Security Center allows configuring almost any sensible schedule for an installation task:

— Manually: without schedule
— Immediately: right after creating
— Once: on the specified day, at the specified time
— Every N hours: including every hour
— Daily: every N days, at the specified time
— Weekly: on the specified weekday, at the specified time
— Monthly: on the specified day, at the specified time
— On completing another task

As a rule, single launch is used for installation; usually, Manually. The Immediately option can also be used (as in the deployment wizard), or Once, for example, to run installation on servers at night. Occasionally, the administrator might want to restart a deployment task, for example, to force deployment to the computers where the task failed the first time around. This will not cause the reinstallation on the computers where the task succeeded. If Kaspersky Security Center detects that the packages are already installed on the computer, the task immediately completes for this computer. If some of the computers selected for the installation are shut down, but they support the Wake-on-LAN function, the Administration Server can send the turn-on signal to these computers before running the task. To use this technology, enable the corresponding option in the installation task’s schedule parameters. You can stop a task after some time. A task might hang in the Running status if the computer is powered off unexpectedly. With the automatic stop option enabled, the task will be stopped and can be started again later, to repeat the installation attempt.

Storing the results

The information that the administrator can see in the task results window is transferred to the Administration Server and stored in the events database. Initially, it is the installer that transfers the events, but once the Network Agent is installed, it handles the information transfer. Remote installation events are stored in the Administration Server database for 7 days. This lifetime can be modified in the task properties, along with the other storage settings. The results can be stored in the Administration Server database and in the Windows event log. By default, all task events are stored. You can select to store only the execution events: in this case, the Applied and Ready for execution statuses will not be logged. Alternatively, you can select to store only the task results. Also, you can enable notifications of task completion here. They will be sent using the general notification parameters specified on the Administration Server.


File transfer over the network

If an installation starts on a thousand computers simultaneously, and they all try to download the installation package from the Administration Server at the same time, the network is likely to be overloaded to the extent that some computers will not be able to connect to the Server and install the product. Other network applications used in the organization may also encounter problems as a result of mass data transfer over the network. This doesn’t happen however, because there is a limit on the number of simultaneously downloaded installation packages in the task properties. By default, it is set to 5, but you can adjust it if necessary. At any moment the package will be downloaded by not more than 5 computers. Other computers will be waiting for their turn. When the package is completely downloaded to one of the computers, the next computer will be permitted to start downloading.

Sometimes installation is aborted because of temporary obstacles, and its immediate restart results in success. So as not to make the administrator start the task again manually, the task makes several installation attempts before informing of an error. By default, 3 attempts are made. If installation is aborted 3 times, a persistent problem likely exists.

Program reinstallation

By default, reinstallation is disabled. The task gets the information about the installed programs from the Administration Server database. If the database reports that the Kaspersky Endpoint Security version installed on the computer is the same as the one to be installed by the task, the installation will finish with the Program already installed verdict. Conversely, if the server has the data that Kaspersky Endpoint Security is not installed on the computer, the installer will install Kaspersky Endpoint Security even if the same version is actually installed on the computer. In some cases, the administrator may want to reinstall an already installed program. For example, the Network Agent can be reinstalled with the purpose of editing its connection settings. To perform reinstallation, disable the Do not install application if it is already installed parameter. Installation of a newer product version than what is already installed on the computer is not considered to be reinstallation and is always allowed. Installation of an older version is treated as a re-installation and is regulated by the same option.

Installation using Active Directory

The principle is as follows. The installation package in Microsoft Installer (.msi) file format is placed into a shared folder for which the domain computers have Read permissions. In Active Directory, the package is assigned to a group policy that is applied to the domain computers. When a client computer starts and logs on to the domain, the policy is applied and the installation package is automatically installed, even before the user logs on to the system. This installation method can be comparatively easy when implemented manually. Nevertheless, Kaspersky Security Center makes it even more convenient. Just select the Assign Network Agent installation in the Active Directory group policies check box in the task. The method is applicable for the Network Agent only, because after the Agent is installed, other programs are supposed to be installed using the Agent.


If this option is selected, the Administration Server creates a new group in Active Directory named Kaspersky_AK{GUID} and includes within it the accounts of the computers to which the task applies. Also, the Administration Server creates a new group policy object of the domain level that is named Kaspersky_AK{a different GUID} in Active Directory and assigns within it the installation of the Network Agent MSI package located in the shared folder on the server. The permission to apply the policy is granted only to the created group which contains the accounts of the target computers. So, the domain level policy will be applied to the selected domain computers, not all domain computers. After this, the standard installation is performed. The policy eventually applies to the computers. At the next restart, computers download the Network Agent MSI package from the shared folder on the Administration Server and install it. The installation parameters, which include server address and ports, are taken from the answer file located in the same folder as the MSI package. Thus computers automatically connect to the Administration Server. If the task is configured to install not only the agent, but also another program, for example, Kaspersky Endpoint Security, the installation will resume after the agent connects to the server. The security group and group policy object created by the task persist in the Active Directory until the task is removed from the Kaspersky Security Center or the Assign Network Agent installation in the Active Directory group policies option is cleared in the task properties.
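The scoping described above (a domain-level GPO whose Apply permission is granted only to the task-created Kaspersky_AK{GUID} group) is worth confirming from the domain side, because a GPO that still applies to Authenticated Users would push the Network Agent MSI to every domain computer. The following is an added example, not from the guide or Kaspersky Lab: it lists every trustee that can apply a Kaspersky_AK* GPO and the computer accounts in the task's group. It assumes the ActiveDirectory and GroupPolicy RSAT modules and the Kaspersky_AK naming the guide describes.

```powershell
# Added example: audit the scope of the GPO(s) created by the Network Agent installation task.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-NetworkAgentGpoScope {
    $gpos = Get-GPO -All | Where-Object { $_.DisplayName -like 'Kaspersky_AK*' }
    if (-not $gpos) {
        Write-Warning 'No Kaspersky_AK* GPO found: the task has not created one yet, or the option is cleared.'
        return
    }

    foreach ($gpo in $gpos) {
        # GpoApply = Read + Apply Group Policy, i.e. exactly the trustees the policy is filtered to.
        $applyTo = Get-GPPermission -Guid $gpo.Id -All | Where-Object { $_.Permission -eq 'GpoApply' }

        foreach ($perm in $applyTo) {
            $trustee = $perm.Trustee
            $members = @()
            if ($trustee.TrusteeType -eq 'Group' -and $trustee.Name -like 'Kaspersky_AK*') {
                # The task-created group should contain only the target computer accounts.
                $members = Get-ADGroupMember -Identity $trustee.Sid.Value -ErrorAction SilentlyContinue |
                           Where-Object { $_.objectClass -eq 'computer' } |
                           Select-Object -ExpandProperty Name
            }
            [pscustomobject]@{
                Gpo             = $gpo.DisplayName
                GpoStatus       = $gpo.GpoStatus
                Trustee         = $trustee.Name
                TrusteeType     = $trustee.TrusteeType
                # Expected: only the task's own group holds Apply; any other trustee widens the scope.
                ScopeAsDesigned = ($trustee.Name -like 'Kaspersky_AK*')
                TargetComputers = ($members -join ', ')
            }
        }
    }
}

# Usage: a row with ScopeAsDesigned = False means the policy reaches computers the task did not select.
Get-NetworkAgentGpoScope | Format-Table -AutoSize
```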


3.6 Installation Packages

Installation packages in Kaspersky Security Center represent the products ready to be installed. A package includes installation files along with the installation parameters and some product setup parameters. Installation package parameters in a sense replace the local installation wizard and local setup wizard. Every product has its own settings. As you know, installation packages are used in the remote installation wizards and tasks, and for creating standalone installation packages. Kaspersky Security Center includes all packages necessary for deploying the protection system:

— Network Agent
— Kaspersky Endpoint Security for Windows

Available packages are stored in the Advanced, Remote installation, Installation packages repository. This node shows the following information on each package: name and version of the product, and the unique name of the package. Packages can be created, modified and removed. If a package is used in a current installation task, it cannot be removed until the associated task is deleted. You can create and use various installation packages in Kaspersky Security Center. You can use them to install operating systems, programs, updates and critical fixes, and also to start various scripts and utilities on the computers. This is described in more detail in KL 009.10: Systems Management course. Within the framework of this chapter, we describe only the installation packages created for Kaspersky Lab programs.

Network Agent installation parameters

The General section of the package properties shows the program version and file size, and also the path to the package file in the shared folder of the Administration Server. If necessary, an IT employee can download the installation files over the network and install the Network Agent locally.


The Settings section allows changing the installation folder and also setting the uninstallation password. If the Network Agent installation folder is not specified explicitly, the standard path is used:

%ProgramFiles%\Kaspersky Lab\NetworkAgent

Agent uninstallation can be protected with a password that can be specified in the package properties. Even users with administrator permissions will not be able to uninstall the agent using regular tools unless they know the password. However, users with administrator permissions can make the agent inoperative if they really want to. The same password protection function is also available in the Network Agent policy.

The Connection section of the Network Agent installation package properties contains the Administration Server connection parameters. The Network Agent installation wizard prompts for these settings during the local interactive installation. The main connection parameters are the Administration Server address and ports. Initially they take the values specified during the Administration Server installation. If the client computers and Administration Server belong to different subnets connected via a proxy server, the proxy server parameters can also be specified in the installation package properties. These standard parameters include the proxy server address and port, and also the user name and password for authorization. Remember that these parameters will be used by Network Agents when connecting to the Server, not vice versa.

When it is the Server that initiates a connection to a client computer, for example, to enforce a policy, it uses a UDP port. So that the Windows Firewall would not block requests on this port, the Network Agent can automatically create the necessary exception. To modify this behavior, clear the Open Network Agent ports in Microsoft Windows Firewall check box. By default, Network Agent accepts connections on UDP port 15000. This value can be changed both in the package properties and later in the Network Agent policy.

Just like the Kaspersky Administration Console, Network Agents may establish encrypted (SSL) or non-encrypted connections to the Server. By default SSL is enabled. Network Agents automatically download and use the Administration Server certificate. The certificate can be specified manually in networks with strict security requirements to exclude the possibility of Administration Server substitution.

None of the Network Agent parameters are specified in the deployment wizard. The Network Agent is installed and connected to the Server using the standard settings from the package. The advanced parameters of the Network Agent installation package are useful in networks with complicated infrastructure. These are described in KL 009.10. Systems Management and KL 302.10. Kaspersky Endpoint Security and Management: Advanced Skills courses. The Tags section is described later in this unit.


Kaspersky Endpoint Security installation parameters

General

The general properties of Kaspersky Endpoint Security package are similar to those of the Network Agent package. The only difference is the Update databases button. For Kaspersky Endpoint Security to be able to work right after the installation, its installation package includes antivirus databases. They become obsolete over time. This is not actually a problem, because right after Kaspersky Endpoint Security is installed, the update task starts and downloads the new databases.

Sometimes, it is necessary that the product is installed with up-to-date databases. For example, an IT employee may take a standalone package to a small branch office with poor Internet access. In this case, the size of the package that the engineer carries on the removable drive is not that important. Decreasing the traffic of the update task is more important, since it may constitute tens of megabytes if the package contains outdated databases. In this case, databases can be updated in the package prior to the installation. The date of the last update is also shown in the general package properties, in the Databases updated field.

The Update databases button copies a complete set of databases from the Server storage to Kaspersky Endpoint Security package. Initially, the databases are supplied within the bases.cab archive in the installation package. After an update using the Update databases button, the archive is replaced with a folder named bases. The folder's volume is comparable to the size of the archive, since the database files are encrypted and cannot be compressed.

Kaspersky Security Center updates databases in the packages automatically when updates are downloaded to the repository. But this is performed only once for each package. If databases have ever been updated automatically in a package, they will not be updated automatically any more. Actually, automatic update is performed for the Kaspersky Endpoint Security package that is added to the storage during the installation (it is updated shortly after the installation), and for any other newly created Kaspersky Endpoint Security package soon after it is created.

Parameters

Other parameters of Kaspersky Endpoint Security package duplicate the interactive installation parameters. The main parameters are the list of components and the program files folder. The set of components depends on the Installation type parameter. The administrator can select one of the two preset installation types:

— Basic installation: all components whose names include the word Anti-Virus, plus Firewall, Network Attack Blocker, System Watcher and Application Privileges Control
— Standard installation: all components except encryption

If you need some other configuration, choose the Custom installation type and select the components you want to be installed. The Encryption and BadUSB Attack Prevention components can only be installed through Custom installation. By default, the Standard installation is selected, which includes all components except for Encryption and BadUSB Attack Prevention. The administrator may switch between the preset installation types, or choose Custom installation and select individual components on the list. Remember that some of the components only work on workstations, while a package can be installed on any supported operating system. On server systems, only the following components can be installed:

— File Anti-Virus
— Firewall
— Network Attack Blocker
— BadUSB Attack Prevention

I-103 Unit I. Deployment

Although Application Privilege Control settings will also show up in Kaspersky Endpoint Security on servers, the component is not actually installed. Kaspersky Endpoint Security won’t control application privileges on servers, e.g., it won’t block Untrusted applications on servers. The reason why Application Privilege Control settings are visible on servers is that a part of these settings are also used by the Firewall component. Application Privilege Control and Firewall are described in more detail in Units II and III of this course.

In addition to the components, local tasks are installed. They cannot be selected in the package properties and are installed on all operating systems:
— Updates
— Update rollback
— Virus Scan tasks
  — Full scan
  — Critical areas scan
  — Custom scan
  — Background scan
  — Scan removable drives on connection
— Integrity check
— Vulnerability scan

I-104

KASPERSKY LAB™ KL 002.10. Kaspersky Endpoint Security and Management. Fundamentals

By default, the Kaspersky Endpoint Security components are installed to: %ProgramFiles%\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1

If necessary, the administrator can modify this path. The encryption module is also included in the installation package. Even though it is installed together with Kaspersky Endpoint Security, technically, it is a separate application and you can specify another installation path for the encryption module. The encryption module is not installed if none of the encryption components is selected. Encryption is described in detail in the KL 008.10 course.

Those administrators who often use the command line interface can select to automatically add the installation folder to the %PATH% environment variable. Then they will be able to carry out product management commands via avp.com, without specifying the complete path.

The package has two additional parameters that provide compatibility settings. One of them, Do not protect the installation process, disables self-defense during the installation. It is enabled by default, i.e. self-defense does not run during the installation. When self-defense is disabled, installation files may be modified by malicious programs or malevolent users. This parameter should be used when installing on a potentially infected computer.

The other parameter disables installation of the NDIS5 driver that is used for intercepting network connections in Windows XP/2003. If the Do not install the NDIS5 driver option is enabled, the alternative network drivers klin.sys and klick.sys will be installed on these operating systems; they perform the same function: intercepting network packets. The option is used if the NDIS5 driver causes compatibility problems. On Windows Vista/2008/7/2008 R2/8/2012/2012 R2/10 this option plays no role: an NDIS-type driver is installed on them anyway, but NDIS6 instead of NDIS5.

One more parameter is the Configuration file. This file defines the configuration settings used by Kaspersky Endpoint Security after the installation. To create it, install the product on a computer, configure it as needed, and save its configuration using the application settings management feature in the local interface. The configuration file substitutes the setup wizard of Kaspersky Endpoint Security. If the configuration file is not specified, the product will work using the default settings. However, as soon as the Network Agent connects to the Server, the Kaspersky Endpoint Security policy will be enforced, which will override the protection settings. So, the configuration file is necessary if the policy does not affect some of the product settings, or for unmanaged computers.


Key

Kaspersky Endpoint Security does not work without activation. If an interactive installation takes place, the code or key can be specified in the setup wizard. Remote installation offers several ways of activating the installed product. One of them is to specify the key file in the installation package properties. This is a reliable, although not always the most convenient, way of key distribution. License management is described in detail in Unit IV, Maintenance.

Uninstallation of incompatible applications

The purpose of uninstalling incompatible applications and the corresponding Kaspersky Security Center tools were described earlier. Uninstallation of incompatible applications is disabled by default. This means that if an incompatible application is found, the installation will be aborted with an error.

Creating installation packages

Installation packages included in Kaspersky Security Center are usually enough for protecting most networks. Additional packages can be necessary in the following cases:
— A new version of Kaspersky Endpoint Security has been released. For version updating, just like for the initial installation, an installation package is necessary. The administrator can either create the package manually or download the new version of Kaspersky Security Center that includes the new package version and reinstall Administration Server over the old one (all settings will be saved).
— It is necessary to remotely install a Kaspersky Lab product that is not included in the distribution of Kaspersky Security Center, for example, Kaspersky Security for Windows Server. Such a package needs to be created manually.
— Different parameters are needed in several network parts. For example, according to the deployment plan, some computers do not need the Web Anti-Virus and Mail Anti-Virus components. To be able to deploy the system simultaneously on both categories of computers, create an additional installation package with those non-standard settings.

An installation package is created from installation files by a wizard started from the Advanced, Remote Installation, Installation packages repository. The wizard will ask for the package type, the location of the installation files, and some installation parameters depending on the application. It may also ask to accept the license agreement of the application.

Creating a package requires the management plugin for the same application to be installed in the Kaspersky Security Center console. The plugin installation file is usually found among the installation files of the application, and sometimes the wizard detects the plugin installer and installs it automatically. If this is not the case, you will need to install the plugin before creating the package.


The wizard starts with a choice of the package type. There are three (or four, depending on the Kaspersky Security Center interface settings) options:
— A package for a Kaspersky Lab application. This package type requires a special package description file, which is included in the distribution of most Kaspersky Lab applications. A description file can be created manually, but this is an advanced topic outside the scope of this course.
— A package for an executable file. This package type allows running the specified file (not necessarily an installer; it could be a script or a utility) on remote computers.
— A package for a 3rd-party application based on the Kaspersky Lab application database. This allows installing 3rd-party applications without the need to look for and manually download their installation files. The feature is described in course KL 009.10 Systems Management.

The fourth option, which may not be visible depending on the settings, is a package for operating system deployment based on a disk image. It is also explained in course KL 009.10 Systems Management.

Now, we are interested in the first option. After you select it, the wizard prompts for the package name and the path to the folder that contains the installation files and the package description file.


Installation files may be unpacked (this is how they are usually supplied on CD), or packed into a self-extracting archive (in this form they are available for downloading from the Kaspersky Lab web site). The package creation wizard supports both formats. If a self-extracting archive is specified, the wizard will automatically unpack it into a temporary folder and extract all necessary files.

Installation packages for Kaspersky Lab products are created based on description files having a .kpd or .kud extension. The files are identical, except for the character encoding: .kpd files use ANSI encoding, while .kud files are in Unicode. The files contain the product version, the name of the installer, installation parameters, error descriptions and additional options depending on the application.

A .kpd/.kud file alone is not enough to create a package. It is just a description, not an archive. The description files are located within the distribution package, and must not be separated from it. To create an installation package correctly, select the .kpd/.kud file located within the corresponding distribution package. It is a common mistake to copy just the description file into a separate folder and try to create a package from it. This will not work.

A way to avoid this mistake is to point the wizard to the self-extracting installer of the application downloaded from the Kaspersky Lab website. This option is not apparent in the wizard though. When prompted for the description file, change the file type from .kpd/.kud to Self-extracting archive and then point to the downloaded installer. The package creation wizard will automatically unpack the specified file to a temporary folder and extract the description file from it.

After the package description file is selected, the wizard will show the application name and version for you to check that it is exactly the application you want. At the next step, the wizard may ask to accept the license agreement. Then, depending on the application, the wizard may ask for some installation parameters. In the case of Kaspersky Endpoint Security, the wizard prompts for the installation type: Basic or Standard. This can be modified later in the package properties, especially if you need a custom selection of components.


To create an installation package for a Kaspersky Lab program, the administrator does not need to search for and download the installation files. Kaspersky Security Center monitors current versions of Kaspersky Security Center, Kaspersky Endpoint Security and Kaspersky Security for Windows Server and allows the administrator to create installation packages right from the distributions available on Kaspersky Lab servers. In the Installation packages node, there is the Additional actions button, and the View current version of Kaspersky Lab applications link beneath. It opens the list of available distributions for various versions and localizations [11]. The administrator just selects the necessary distribution and clicks the Download applications and create installation packages button; and the Administration Server automatically completes the job.

Kaspersky Security Center also notifies the administrator about new versions of distributions. When they are issued, the corresponding message appears on the Monitoring tab of the Administration Server node, in the Deployment area.

3.7 Deployment Monitoring

Task results and the information available on the Managed computers group do not always provide comprehensive information on the protection deployment in the network. Deployment by a single task on all computers, as well as managing all computers within one group, is characteristic of small networks only. For a complete picture, reports are the natural information source. Reports relevant to the deployment stage are:
— Incompatible applications report (described earlier)
— Kaspersky Lab software version report
— Protection deployment report

Selections are also very useful at the deployment stage:
— New computers found
— Kaspersky Anti-Virus is not installed
— Unassigned computers with Network Agent

[11] English, French, German and Russian localizations of Kaspersky Security Center, Kaspersky Endpoint Security for Windows and Kaspersky Security for Windows Server are displayed.


Software version report

Reports are available on the corresponding tab of the Administration Server node. The software version report shows the number of Kaspersky Lab programs installed on managed computers; in particular, the number of installed Network Agents, Administration Servers and Kaspersky Endpoint Security instances. Various versions (builds) of the products are represented separately, which is convenient when upgrading the products. The report shows how many computers use the current versions of the programs, and how many run older versions. The graphic part of the report illustrates the statistics table, which lists all versions of managed products and the number of installations for each of them. The Details table gives information on every computer: which products are installed, which versions, etc.

Protection Deployment Report

This report shows three categories:
— Computers with Network Agent and protection tools
— Computers with Network Agent, but without protection tools
— Computers without Network Agent

Computers with protection tools, but without the Network Agent are included in the last category. If the Network Agent is not installed, the Administration Server has no way to detect the protection tools. This category also includes the computers where the Network Agent is installed, but is not connected to the Administration Server.

The chart and the Summary table show the number of computers in every category. The Details table, just like in the software version report, shows the version of Network Agent and Kaspersky Endpoint Security on every computer.

This report is especially useful if the administrator first moves all of the computers into the Managed computers group, and then starts the deployment tasks. In this case, the report explicitly displays how many of the managed computers are not connected to the server, and how many of those connected are not yet protected with Kaspersky Endpoint Security. If the administrator uses the remote installation wizard for the deployment and always selects the computers from the unassigned computers area, this report is less useful, as it does not cover unassigned computers.

General deployment status The information about protection deployment is also available on the Monitoring tab of the Administration Server node. The Deployment area contains the number of managed computers where Kaspersky Endpoint Security is not installed. If it is non-zero, a link to the selection that includes all these computers is also displayed. If there are any computers with Network Agent in the Unassigned devices node, this will be reflected in the Computer management area with another link to the corresponding selection of computers.

Discovering new computers The administrator can configure notifications about new computers found in the network. The corresponding event is in the properties of the Administration Server, and you can enable e-mail notification in the event properties. How computers get found in the network is described in the next chapter.


Chapter 4. Management of Computer Structure

4.1 Discovering Computers

In the deployment wizard or when creating a deployment task, the administrator can select computers from a list. The Administration Server makes up this list by polling the network. Polls are performed periodically in several different ways:
— Windows network polling
— Active Directory polling
— IP subnet polling

Discovery management

Polling results are shown in the Advanced | Network poll node separately for each discovery method:
— Domains—computers detected during Windows network polling; workgroups and domains are represented as folders containing computers
— Active Directory—domains and organizational units are represented as folders containing computers
— IP subnets—IP subnets are represented as folders

The discovered computers are also displayed in the Unassigned devices node. One computer can be shown in more than one detection area. If a computer is detected in the HQ domain and its address is 192.168.0.1, it will be displayed in both the Domains node and the IP subnets node, in the corresponding folders.

To modify the poll settings for every method, go to the Advanced | Network poll node and then click the respective Edit polling settings link. You can also start any type of polling manually on this page.


Windows network polling

Quick poll

The Administration Server collects the list of Windows network computers just like the operating system itself. When a user opens the computer’s network places, the list of neighborhood computers grouped by domains and workgroups is shown. The Administration Server can acquire the same list. This polling method is called quick Windows network polling. It places hardly any extra load on the network. The Computer Browser service is responsible for making up and representing the list of computers. In every network segment there is the main computer that stores the general list and provides it when requested. To receive the list, the Administration Server only needs to send a request. Quick poll is performed every 15 minutes. The results are the names of domains, workgroups and their computers.

Full poll During the full Windows network polling, the Administration Server goes through the list received as a result of the quick poll, and then tries to connect to every computer using the NetBIOS protocol. The purpose of this poll is identifying computers’ IP addresses and operating systems. As the number of requests is proportionate to the number of computers, the network activity is much higher than with quick poll. That is why full poll is performed hourly by default.


Windows network polling parameters

The main parameters of each type of polling are the polling schedule and the check box enabling the polling. If the check box is cleared, this polling method will not be used. After all of the computers are detected and no changes in the network are expected, the network polling can be disabled.

Additionally, for Windows network polling the administrator can specify the life span for the information on the detected computers. By default, this period is 7 days. If in 7 days a computer can no longer be detected by Windows network polling, the information about this computer is deleted from the server database. This interval can be specified independently for every domain or workgroup. Also, you can specify a common life span and use it for the whole Windows network. Additionally, you can disable polling of a domain or a workgroup in its properties.

The polling schedule is defined as a start time and an interval. The interval can be as small as several minutes or as large as several days or weeks. It is possible to run missed polls. If polling is performed often, this is not necessary; but it will be useful if polling is performed once a week or a month.

Active Directory polling This method shares many features with quick Windows network polling. The Administration Server sends a request to the domain controller and receives the Active Directory computer structure. Active Directory polling is performed hourly.


Active Directory polling parameters

Polling parameters for Active Directory are similar to those for Windows network polling. There is an option to turn off this polling method entirely and the schedule to use when the method is turned on. There is no explicit lifetime parameter for the polling results. The implicit lifetime is equal to the polling interval. The data received at the next polling completely replaces the old data.

In the Advanced polling parameters, the administrator can select the polling scope:
— The Active Directory domain to which the Administration Server belongs (the default choice)
— The domain forest to which the Administration Server belongs
— The specified list of Active Directory domains

To add a domain to the scanning scope, specify the address of the domain controller, and the name and password of the account for accessing it. You can selectively disable polling for some organizational units in their properties.

IP subnet polling

IP subnet polling is more complicated than it may seem to be. The Administration Server tries to perform reverse name resolution for every address from the specified range into a DNS name using standard DNS requests. If this operation succeeds, the server sends an ICMP ECHO REQUEST (the same as the ping command) to the received name. If the computer responds, the information about it is added to the Server database. The reverse name resolution is necessary to exclude network devices other than computers, such as network printers, routers and other devices that can have an IP address but are not endpoints that require protection.

This polling method relies upon a correctly configured local DNS service. It must have a reverse lookup zone. If this zone is not configured, IP subnet polling will bring no results. At the same time, such a zone is not necessary for many network services, and is often neglected in small networks. In the networks where Active Directory is used, such a zone is maintained automatically. But in these networks IP subnet polling does not provide more information than Active Directory polling. Due to all those complications, IP subnet polling is disabled by default.

Initially, the Administration Server gets IP ranges for polling from the network settings of the computer where it is installed. If, for example, the computer address is 192.168.0.1 and the subnet mask is 255.255.255.0, the Administration Server automatically includes the 192.168.0.0/24 subnet in the scan list and polls all addresses from 192.168.0.1 to 192.168.0.254.


IP subnet polling parameters

IP subnet polling parameters include the list of polled IP subnets, the enabling check box and the schedule. When this polling method is enabled, the default period is 420 minutes (7 hours). The life span of the polling results is 24 hours by default. If an IP address is not verified by polling within 24 hours, it is removed from the results. Such a short life span tries to account for dynamic IP addresses (assigned over the DHCP protocol), which can change frequently. When modifying the settings, make sure that the information life time exceeds the polling interval.
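The discovery sequence described above (reverse-resolve every address, ping only the names that resolve, record only the hosts that answer) and the rule that the result life span must exceed the polling interval, as an added example written for this guide rather than code from Kaspersky Security Center. The reverse lookup zone, the host names and the set of online hosts are constructed sample data; the resolver and the ping are injected as functions so the script runs offline, where the real poll would issue a DNS PTR query and an ICMP echo request.

```python
"""Model of IP subnet polling as the course describes it.

Illustrative code, not Kaspersky Security Center's poller.  The reverse DNS
lookup and the ICMP echo request are passed in as callables, so the example
runs offline against constructed tables.
"""
import ipaddress
from datetime import timedelta


def host_addresses(address, mask):
    """All host addresses of the subnet that address/mask belongs to, i.e.
    192.168.0.1 / 255.255.255.0 -> 192.168.0.1 ... 192.168.0.254
    (network and broadcast addresses are not polled)."""
    network = ipaddress.ip_network(f"{address}/{mask}", strict=False)
    return [str(host) for host in network.hosts()]


def poll_subnet(addresses, reverse_lookup, ping):
    """Reverse-resolve every address; ping only the names that resolved;
    record only the hosts that answered.  Devices without a PTR record
    (printers, routers) are never pinged, so an empty reverse lookup zone
    yields an empty result, exactly the failure mode the text warns about."""
    found = {}
    for addr in addresses:
        name = reverse_lookup(addr)
        if name is None:
            continue  # no PTR record: not treated as an endpoint
        if ping(name):
            found[addr] = name
    return found


def lifespan_covers_interval(poll_interval, lifespan):
    """The text's rule: results must outlive the polling interval, otherwise
    hosts expire between two polls.  Defaults: 420 min interval, 24 h life span."""
    return lifespan > poll_interval


# Constructed sample data: a reverse lookup zone and the hosts that are online.
PTR_ZONE = {
    "192.168.0.1": "ksc-server.hq.example",
    "192.168.0.10": "ws010.hq.example",
    "192.168.0.20": "ws020.hq.example",  # has a PTR record but is powered off
    # 192.168.0.50 is a network printer with no PTR record: never pinged
}
ONLINE = {"ksc-server.hq.example", "ws010.hq.example", "printer.hq.example"}


def sample_poll(zone=PTR_ZONE):
    """Poll the server's own /24 using the constructed tables."""
    return poll_subnet(
        host_addresses("192.168.0.1", "255.255.255.0"),
        reverse_lookup=zone.get,               # dict.get returns None when no PTR exists
        ping=lambda name: name in ONLINE,
    )


if __name__ == "__main__":
    print(sample_poll())         # two hosts found
    print(sample_poll(zone={}))  # no reverse zone configured: nothing found
    print(lifespan_covers_interval(timedelta(minutes=420), timedelta(hours=24)))
```

Running the script with the constructed zone finds the server and one workstation; the powered-off workstation resolves but does not answer, and the printer is never pinged because it has no PTR record. Passing an empty zone reproduces the "no results" situation of a network without a reverse lookup zone.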

Configuring subnets In order to poll subnets to which Administration Server does not belong, you need to add them to the list manually. You can specify a subnet using either its address and mask, or the first and last IP address of the IP range. Also, the name of the subnet should be specified. One subnet can comprise several IP ranges. Additional ranges are configured in the subnet properties. Whereas named subnets are not allowed to overlap, unnamed ranges inside a subnet have no such restrictions. You can enable and disable scanning independently for every subnet.


Polling statistics When the network is polled, the Advanced | Network poll page displays the progress. Detailed information is available in the Administration Server statistics. There you can find the time of the last poll performed by each method, polling progress percentage and the name of the polled domain for Windows network polling.

4.2 Creating Group Structure

Computer groups

After the initial installation, there is only one group on the Administration Server—Managed computers. With a single group, the same protection policy is applied to all computers, which is not always preferred. Even in small networks, it may be necessary to use different protection settings for servers and workstations. In large networks, where different groups of users use various types of software, the capability to create policies with different exclusions for different users is extremely useful. The computers must be placed into different groups to be able to apply different policies [12].

From a practical point of view it is convenient when computers in Kaspersky Security Center are organized into the same groups as in Active Directory, or into groups corresponding to IP subnets used in the organization. In this case the fact that a computer belongs to a group makes the administrator aware of its physical location.

There are other examples of group use. Often, especially in large networks, the administrators create groups to organize the deployment process. Computers without the Agent and protection tools are placed into the Deploy Agent group, where the Network Agent automatic installation task is created. The computers with the installed Agent are moved into the Uninstall Incompatible Apps group, where the task for uninstalling incompatible applications is configured. The computers without incompatible applications are moved into the Deploy KES group, where the task of automatic installation of Kaspersky Endpoint Security is created. Finally, the completely protected computers are moved into the permanent management structure.

[12] Kaspersky Security Center 10 Service Pack 1 provides the capability to apply different policies (to be more precise, different configuration profiles) to different computers within the same group. For more details, refer to course KL 302.10.


Managing groups

Creation of groups in the Administration Console is as simple as folder creation in Windows Explorer. First, groups are created within the Managed computers node. Then you can create new groups either in the same node or inside the created groups. In the Administration Console interface, you can use any of the following methods to create a new group:
— Select the Managed computers node or an existing group and click the New group button on the Computers tab of the group management page
— On the shortcut menu of the necessary node, click New, Group

Enter the name of the group in the displayed dialog window: it will then appear as a subfolder in the structure of managed computers. Each group page contains tabs for managing the hosts included into the group, group tasks and group policies.

If a group is no longer necessary, you can delete it on the condition that there are no computers in either the group or its subgroups. Groups can also be moved within the hierarchy of managed computers. For example, if the structure of groups reflects physical computer locations and the HR department moves from Building 1 to Building 2, the HR subgroup can be easily relocated together with its computers from the Building 1 group to the Building 2 group. The task can be accomplished using traditional Cut and Paste or Drag and Drop methods.

How to add computers to groups

In the Administration Console, you can use any of the following methods to move computers:
— Drag and Drop—select a computer among the managed or unassigned hosts and drag it with the mouse to the necessary group. You can move several computers at once
— Cut and Paste—the procedure is almost the same, but you cut the selected computers (using the shortcut menu or the CTRL+X keyboard shortcut) and then paste them into the necessary group (once again using the shortcut menu or the CTRL+V keyboard shortcut)
— Select one or several computers in the Unassigned devices node or a selection of computers (the method does not work within the groups), open the shortcut menu, select the Move to Group command and specify the necessary group
— Select the destination group and launch the Add client computers wizard using the Add computers link on the Computers tab of the group management page. In the wizard, you can either select the computers from the polling results or specify their names or addresses manually


Regardless of the method, you can add only the computers that have been discovered by the Administration Server after polling the network. Even in the Add client computers wizard, if you specify a name or an address of a computer that is missing from the Administration Server polling results, the wizard will inform about the inability to add the unidentified computer. If a computer exists in the network but cannot be discovered—for example, its firewall allows only outbound connections—install Network Agent there. As soon as the Network Agent connects to the Server, the computer will be added to the database.

Importing groups If the network is large enough and the planned structure of managed computers requires a large number of groups, creating a hierarchy using the methods described above can be very labor-intensive. In some cases you can use the automation tools available in Kaspersky Security Center to reduce the amount of work. If administrators want to arrange the managed computers in the exact same order as their network, to combine them into the same workgroups or domains and subdivisions, they can use the structure import functionality. You can import the structure of your Windows network, Active Directory or a structure defined in a text file. In the first two cases you may import either the entire structure (groups including computers) or just groups. When importing the topology from a text file, only groups can be created. Computer import affects unassigned hosts only. If some computers from a workgroup or an Active Directory unit that is being imported are already present in a group of managed computers, the wizard will not relocate them. To run the wizard, right-click the Managed computers group and select the All tasks, Create group structure command on the shortcut menu. In the wizard, specify the structure to be imported and the destination group. For a structure to be imported from the Windows network or Active Directory, you may disable importing the computers. Windows network topology and a structure defined in a text file are always imported completely. When importing an Active Directory structure, you can select the domain or unit to be imported. The other domains and units will be ignored.


A structure import via a text file must be prepared manually. Every group or subgroup must be specified on a separate line within the text file. Subgroups are specified using their full paths. Use backslashes as path delimiters, for example:

Office1\Subdivision1\Department1
Office1\Subdivision1\Department2
Office2
Office3\Subdivision1

If a subgroup path contains groups that do not exist yet, they are created. Groups created during the import procedure are completely identical to the groups created manually. You can rename, move, delete them, etc.

The structure creating wizard is designed for initial creation of the structure of managed computers. It is not intended for regular synchronization of structures of Kaspersky Security Center and, for example, Active Directory. If you need to synchronize, configure the computer relocation rules.
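A parser for the text file format described above, as an added example for this guide rather than Kaspersky Security Center's own importer. It reproduces the two rules the text states: one backslash-delimited group path per line, and implicit creation of every ancestor group that does not exist yet. The sample file and the default destination group name are constructed for the example; the rejection of lines with empty group names (such as a trailing backslash) is this example's own validation, not a documented behaviour of the wizard.

```python
"""Parser for the group-structure text file described in the course.

Illustrative code, not Kaspersky Security Center's importer.  Each non-blank
line is a group path with backslash separators; missing ancestors on a path
are created, and a path listed twice is created only once.
"""

# Constructed sample file matching the four example lines in the text.
GROUP_FILE = r"""
Office1\Subdivision1\Department1
Office1\Subdivision1\Department2
Office2
Office3\Subdivision1
"""


def parse_group_paths(text):
    """Split the file into group paths (lists of names).

    Blank lines are skipped.  A line with an empty segment, e.g. a trailing
    backslash, is rejected so that a typo cannot silently create a nameless
    group (validation added by this example)."""
    paths = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        segments = [s.strip() for s in line.split("\\")]
        if any(not s for s in segments):
            raise ValueError(f"line {lineno}: empty group name in {line!r}")
        paths.append(segments)
    return paths


def build_group_tree(paths):
    """Nested dict of group name -> subgroups.  Walking each path with
    setdefault creates every intermediate group exactly once."""
    root = {}
    for path in paths:
        node = root
        for name in path:
            node = node.setdefault(name, {})
    return root


def created_groups(tree, prefix=""):
    """Full backslash paths of every group in the tree, parents before children."""
    out = []
    for name, children in tree.items():
        full = f"{prefix}\\{name}" if prefix else name
        out.append(full)
        out.extend(created_groups(children, full))
    return out


def import_group_structure(text, destination="Managed computers"):
    """Groups the wizard would create under the destination group, in creation order."""
    return created_groups(build_group_tree(parse_group_paths(text)), destination)


if __name__ == "__main__":
    for group in import_group_structure(GROUP_FILE):
        print(group)
```

The four lines of the sample file produce seven groups, because Office1, Office1\Subdivision1 and Office3 are created as intermediate groups even though no line names them directly.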

4.3 Computer Relocation Rules

If groups in Kaspersky Security Center correspond to IP subnets or Active Directory units, the administrator can easily automate the distribution of computers into the groups. Computer relocation rules serve this purpose. A relocation rule consists of the following basic settings:
— What to move: a set of conditions the computers must meet to be relocated
— Where to move: the name of the group in the structure of managed computers into which the hosts matching the rule conditions will be relocated
— When to move: the conditions that trigger automatic relocation
To open the list of relocation rules, click Properties on the shortcut menu of either the Unassigned devices or the Advanced | Network Poll node. Alternatively, follow the Configure rules of computer allocation to administration groups link at the bottom of the Advanced | Network Poll page. In some cases Kaspersky Security Center creates computer relocation rules automatically. For example, when the administrator chooses to move unassigned computers into a group in the remote installation wizard or when creating a standalone package, the Administration Server creates a relocation rule for this operation. These rules are shown in the list and can be disabled, but not deleted or edited. The Server deletes them automatically when the corresponding task or standalone package is deleted.


Where to move to

When creating a rule, specify its name. Use one that explains the rule purpose, since only the names are shown in the rule list. You will also need to select the destination group, that is, where to move the computers.

When to move

After this, decide when the rule is applied to the computers. Three options are available:
— Run once for each computer: as soon as the rule is created, it is applied to all computers in the Server database, and afterwards only to new computers when they are discovered
— Run once for each computer, then at every Network Agent reinstallation on computer: similar to the previous option, but if the Network Agent is reinstalled on a computer, the rule is reapplied to that host
— Rule works permanently: the rule is permanent; if a computer matching its conditions is manually moved to another group, the Administration Server immediately returns it to the location specified in the rule. If the computer attributes change, a permanent rule reacts accordingly, while a one-time rule does not
The rules created by the Administration Server for installation tasks and standalone packages are of the Run once for each computer, then at every Network Agent reinstallation on computer type. Permanent rules are somewhat more convenient, but create a persistent computational load on the Administration Server.

What to move

The other rule settings specify the conditions a computer must meet for the rule to be applied. The first condition is located in the General section and is named Move only computers not added to administration groups. With this option selected, a rule, even a permanent one, does not prevent the administrator from manually moving computers between groups: it affects only unassigned computers. To apply such a rule to a computer that is already in a group, delete the computer from the group. Once deleted from the managed computers structure, the computer becomes unassigned and the rule applies to it. If this check box is cleared, the rule applies to all computers in the Server database, and the matching computers are moved into the specified group regardless of where they currently are. This does not prevent the administrator from deleting these computers from the Administration Server database, though. The other conditions are located in additional sections of the rule properties.

Network

Many of the relocation conditions are related to the network attributes of the computers:
— NetBIOS name
— Name of the domain or workgroup
— DNS name
— DNS domain
— IP address
— Server connection IP address (if a computer is behind a NAT gateway, the connection address is the gateway address)


To be able to apply a rule to several computers, IP addresses can be specified as ranges, and names can be specified as masks with the “*” and “?” wildcards. If these options are not enough, you can always create several rules with different conditions that move computers to the same group. If the rule is to be applied to unassigned computers, the conditions can be specified in terms of how unassigned computers are represented in Kaspersky Security Center:
— IP subnets specified in the Advanced | Network poll node
— Subgroups in the Domains structure of the Advanced | Network poll node, i.e. the names of the domains and workgroups detected by the Administration Server when polling the network


Active Directory

There are similar conditions for computers within the Active Directory structure:
— Active Directory unit name
— Active Directory group name
Relocation rules allow configuring synchronization with Active Directory. For this purpose, enable the additional options under the Apply rule to Active Directory organization unit condition:
— Including child organization units: if the selected unit has child units, computers within them are moved into the destination group
— Move computers from child organizational units to corresponding subgroups: if the selected unit has child units, and the destination group has the corresponding subgroups, computers from the child units are moved into the corresponding subgroups
— Create missing subgroups: if the selected unit has child units, and the destination group has no corresponding subgroups, the Administration Server creates these subgroups and moves the computers of the child units there
— Delete subgroups that are not present in Active Directory: the opposite of the previous option. When an organizational unit is deleted in Active Directory, this option removes the respective group from Kaspersky Security Center.
If all four options are enabled, an updatable copy of the Active Directory structure is created in the destination group. If a unit is created or deleted in Active Directory, or computers are moved from one unit to another, Kaspersky Security Center automatically repeats these changes in its group structure.

Software

Conditions for computers may include the operating system version, architecture and currently installed Service Pack. Several operating systems can be specified within a rule. If the administrator wants to automatically move all servers into the Servers group, a single rule is enough to take care of all server versions used in the network, for example, Windows Server 2008 R2 and Windows Server 2012. There is also the Network Agent is running condition. It can separate the computers already connected to the Administration Server from those that still need to be connected.


Tags

Relocation rules support a limited number of conditions, which might be insufficient for some tasks. For example, the administrator might need to move computers with a particular hardware configuration (e.g., with SSD drives) to a special group, or it might be necessary to prohibit some computers from being relocated by rules. This cannot be configured with the standard conditions, but tags can help here.

Tags are manually assigned to computers by the administrator. Any word or phrase can be used as a tag. After the administrator assigns a tag to a computer, the tag is automatically added to the global tag list. Tags from the global list can be used in relocation rules and assigned to other computers.

A tag condition in a relocation rule can be including or excluding, depending on whether the Apply to computers without specified tags check box under the list of tags is selected. It is cleared by default, which means that the rule is applied to the computers that have the specified tag assigned. If you need the rule to be applied to all computers except those with the selected tags, select the check box. For example, you can assign a “Don’t move!” tag to some computers and then configure relocation rules to apply only to computers without this tag. If several tags are selected in the rule, the condition can apply either to the computers that have all of these tags or to the computers that have at least one of them. This depends on the Apply if at least one specified tag matches check box, which is not selected by default.

To assign a tag to a computer, open its properties and switch to the Tags section. Here you can either select tags from the global list (i.e. tags that have already been assigned to other computers), or type a word or phrase for a new tag under the list and click the Add button. This word or phrase is assigned as a tag to the current computer and is also added to the global list.

You can do the same for several computers at once. Select them and choose the Properties option on the shortcut menu. The collective Properties window opens, which has only the Tags section. You can also add tags to computers when installing the Network Agent. To do this, select or create the necessary tags in the Network Agent installation package properties. This is a typical example of why you may need several packages for the same application (e.g. Network Agent): it makes assigning different tags to different computers easier.

Tags can be renamed and deleted. If a tag is renamed, it is updated on all computers to which it is assigned. If a tag is deleted, it is unassigned from all computers and removed from the global list. If you only need to take a tag off a machine, open the computer’s properties and clear the corresponding check box.

Starting with version 10 Service Pack 2, you can create tagging rules in Kaspersky Security Center. The list of tagging rules is located in the properties of the Administration Server node. The Administration Server assigns tags to computers automatically according to the specified conditions. The tagging conditions are similar to those of computer relocation rules. You can automatically assign a tag to computers within a specified subnet or to computers running Windows 10. You can also automatically assign a tag to computers where a specified application is installed. Tagging is described in more detail in course KL 302.10 Kaspersky Endpoint Security and Management. Advanced Skills.


Rule application order

The created rules are organized into a list where their order makes a difference. Permanent rules have a higher priority than the others. Among rules of the same type, the higher the rule in the list, the higher its priority. In other words, if a computer meets the conditions of several rules, only the top one is applied. Rule order can be changed with the arrows on the right. A rule can also be applied manually using the Force button at the bottom of the window. This allows re-applying a non-permanent rule. For permanent rules the button does nothing, since permanent rules are constantly enforced anyway. The Rule execution wizard prompts for the group where the rule is to be applied, and moves the computers that meet the rule conditions from the selected group to the group specified in the rule. There is an option that allows skipping the computers to which this rule has already been applied and forcing the rule only on new computers.

Rule use example

In many organizations, employees use portable computers as workstations. They take them home and on business trips. Outside the corporate perimeter, they connect to the local network via VPN. As a rule, different address ranges are allocated to computers inside the corporate perimeter and to hosts connected through VPN. This fact can be used to configure the corresponding relocation rules. If a host address is within the range of internal IP addresses, it may be added to a group with ‘softer’ security restrictions, because the computer is additionally guarded by the protection tools installed on the gateways and mail servers. If, on the contrary, an address belongs to a range assigned to the VPN, such a computer is automatically transferred to a group with ‘stricter’ security settings.
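The rule semantics described in this section (network and tag conditions, the Move only computers not added to administration groups switch, permanent versus one-time rules, and the priority order), put together as an added Python example. It is not Kaspersky Lab code and does not talk to an Administration Server; it models the documented evaluation on constructed hosts so that a rule set like the VPN example above can be sanity-checked before it is created in the console. The address ranges, group names, host names and the “Don't move!” tag are assumptions for the scenario.

```python
"""Model of Kaspersky Security Center computer relocation rules as described
in this chapter.  Added example, not Kaspersky Lab code; all hosts, address
ranges and group names below are constructed for illustration."""

from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Host:
    name: str                        # NetBIOS name
    ip: str
    tags: set[str] = field(default_factory=set)
    group: Optional[str] = None      # None = unassigned computer


@dataclass
class Rule:
    name: str
    destination: str                 # where to move
    permanent: bool = False          # "Rule works permanently"
    only_unassigned: bool = True     # "Move only computers not added to administration groups"
    ip_ranges: list[tuple[str, str]] = field(default_factory=list)  # inclusive (first, last)
    name_mask: Optional[str] = None  # NetBIOS name mask with * and ? wildcards
    tags: set[str] = field(default_factory=set)
    without_tags: bool = False       # "Apply to computers without specified tags"
    any_tag: bool = False            # "Apply if at least one specified tag matches"

    def matches(self, host: Host) -> bool:
        if self.only_unassigned and host.group is not None:
            return False
        if self.ip_ranges:
            addr = ipaddress.ip_address(host.ip)
            if not any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
                       for lo, hi in self.ip_ranges):
                return False
        if self.name_mask is not None and not mask_regex(self.name_mask).match(host.name):
            return False
        if self.tags:
            has = bool(host.tags & self.tags) if self.any_tag else self.tags <= host.tags
            if has == self.without_tags:   # including condition needs a hit, excluding needs none
                return False
        return True


def mask_regex(mask: str) -> re.Pattern:
    """Console-style mask (* = any run of characters, ? = one character) as a
    case-insensitive regular expression; NetBIOS names are case-insensitive."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in mask]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def ordered(rules: list[Rule]) -> list[Rule]:
    """Priority order: permanent rules first, then the order of the list."""
    return sorted(rules, key=lambda r: not r.permanent)   # stable sort keeps list order


def apply_rules(rules: list[Rule], hosts: list[Host]) -> dict[str, str]:
    """Apply the highest-priority matching rule to every host and return
    {host name: destination group} for the hosts that actually moved."""
    moves: dict[str, str] = {}
    for host in hosts:
        for rule in ordered(rules):
            if rule.matches(host):
                if host.group != rule.destination:
                    moves[host.name] = rule.destination
                    host.group = rule.destination
                break                # lower-priority rules are not considered
    return moves


# Constructed scenario after the "Rule use example": internal LAN addresses are
# 10.1.0.0-10.1.255.255, the VPN pool is 192.168.100.1-192.168.100.254 (assumed).
LAN_RULE = Rule("LAN clients -> Office", "Managed computers\\Office", permanent=True,
                only_unassigned=False, ip_ranges=[("10.1.0.0", "10.1.255.255")],
                tags={"Don't move!"}, without_tags=True)
VPN_RULE = Rule("VPN clients -> Strict", "Managed computers\\Strict", permanent=True,
                only_unassigned=False, ip_ranges=[("192.168.100.1", "192.168.100.254")],
                tags={"Don't move!"}, without_tags=True)
NEW_WS_RULE = Rule("New workstations", "Managed computers\\Workstations",
                   name_mask="WS-*")   # one-time rule, unassigned hosts only


def sample_hosts() -> list[Host]:
    return [
        Host("WS-001", "10.1.5.20"),                                          # new, on the LAN
        Host("WS-002", "192.168.100.7", group="Managed computers\\Office"),   # now on the VPN
        Host("WS-003", "192.168.100.9", {"Don't move!"}, "Managed computers\\Office"),
        Host("WS-004", "10.1.9.1", group="Managed computers\\Office"),        # already placed
        Host("SRV-01", "10.2.0.5"),                                           # matches no rule
    ]


def demo() -> dict[str, str]:
    return apply_rules([NEW_WS_RULE, LAN_RULE, VPN_RULE], sample_hosts())


if __name__ == "__main__":
    print(demo())
```

Two effects of the priority order are visible in the result: WS-001 ends up in Office rather than Workstations, because the permanent LAN rule outranks the one-time "New workstations" rule even though the latter is first in the list, and WS-003 stays where it is because the excluding “Don't move!” tag condition shields it from both permanent rules.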


II–1 Unit II. Protection Management

Unit II. Protection Management

Chapter 1. Basics of Kaspersky Endpoint Security 10 ..... 4
  1.1 Protection and Management Tools ..... 4
    Components ..... 4
    Protection components ..... 6
    Policies ..... 6
    Tasks ..... 12
  1.2 General Protection Parameters ..... 14
    Automated start and self-defense of the protection ..... 14
    Categories of detectable threats ..... 16
    Kaspersky Security Network ..... 18
Chapter 2. File System Protection ..... 22
  2.1 File Anti-Virus ..... 22
    Scanning technologies ..... 22
    Scanning parameters ..... 24
    Actions ..... 28
    Configuring exclusions ..... 30
  2.2 Virus Scan Tasks ..... 32
    Scanning: parameters and specifics ..... 34
    Common parameters of scan tasks ..... 40
    Centralized use of virus scan tasks ..... 40
    Standard group task ..... 41
  2.3 Advanced Disinfection Technology ..... 42
Chapter 3. Network Protection ..... 44
  3.1 Network Traffic Interception ..... 46
  3.2 Mail Anti-Virus ..... 46
    Actions ..... 48
    Security level ..... 48
    Configuring Exclusions ..... 52
  3.3 Web Anti-Virus ..... 52
    Actions ..... 54
    Security level ..... 54
    Configuring exclusions ..... 56
  3.4 IM Anti-Virus ..... 58
    Settings ..... 58
  3.5 Network Attack Blocker ..... 58
    Settings ..... 60
  3.6 Firewall ..... 60
    Settings ..... 60
    Standard filtering rules ..... 70
Chapter 4. System Monitoring ..... 72
  4.1 System Watcher ..... 72
    Purpose and Principles ..... 72
    Settings ..... 73
    Exclusions ..... 74
  4.2 BadUSB Attack Prevention ..... 76
    What is a BadUSB attack? ..... 76
    How to enable protection against BadUSB attacks? ..... 76
    What is the user to do? ..... 76
Chapter 5. Threat Diagnostics ..... 78
  5.1 Event Generation and Transfer ..... 78
    Local detection events ..... 78
    Events in the Administration Console ..... 78
  5.2 Centralized Processing of Detection Events ..... 80
    Reports ..... 80
    Anti-Virus statistics ..... 82
    Virus outbreak ..... 84
  5.3 Threat Processing Statuses ..... 86
    Statuses connected with threat processing ..... 86
    Global statuses and selections ..... 86
  5.4 Repositories ..... 88
    Local repositories ..... 88
    Centralized repositories ..... 90
Chapter 6. Protection Status Diagnostics ..... 94
  6.1 Computer Statuses and General Statuses ..... 94
    Possible statuses ..... 94
    Virus scan status ..... 94
    Real-time protection status ..... 94
    Kaspersky Anti-Virus is not running ..... 96
  6.2 Statistics and Protection Status Report ..... 98


Chapter 1. Basics of Kaspersky Endpoint Security 10

1.1 Protection and Management Tools

Components

Kaspersky Endpoint Security consists of components, each of which is responsible for protection against a particular type of threat. By purpose, the components can be organized into three groups:
— Anti-Virus protection
— Endpoint control
— Encryption
This is how the components are grouped in the Kaspersky Endpoint Security 10 policy. Anti-Virus protection includes Firewall and Network Attack Blocker; the control components limit both user actions and program activities. The complete list of components is in the table below. There are three installation types and respective license bundles in Kaspersky Endpoint Security 10:
— Basic: corresponds to the KESB Core license
— Standard: corresponds to the KESB Select license
— Custom: corresponds to the KESB Advanced license


The third method of classifying the components considers the operating system class. Some components can be installed on any supported Windows version, while others cannot be installed on embedded or server operating systems. This is because, in a corporate environment, server systems are less exposed to some threats (for example, web threats) and at the same time have stricter software compatibility requirements. The table below lists the components, their grouping in the policy, the operating system types (Workstations, Embedded, Servers) on which each can be installed, and the corresponding installation type.

Anti-Virus protection
— File Anti-Virus: Workstations, Embedded, Servers; installation type Basic
— Virus Scan: Workstations, Embedded, Servers; Basic
— Mail Anti-Virus: two of the three operating system types; Basic
— Web Anti-Virus: two of the three operating system types; Basic
— IM Anti-Virus: two of the three operating system types; Basic
— Firewall: Workstations, Embedded, Servers; Basic
— Network Attack Blocker: Workstations, Embedded, Servers; Basic
— System Watcher: two of the three operating system types
— BadUSB Attack Prevention: two of the three operating system types; Custom
— Vulnerability Monitor: two of the three operating system types
— Vulnerability Scan: Workstations, Embedded, Servers; Basic
— Application Privilege Control: Workstations, Embedded, Servers (see note 1); Basic

Control components
— Application Startup Control: two of the three operating system types; Standard
— Device Control: two of the three operating system types; Standard
— Web Control: two of the three operating system types; Standard

Data protection (Encryption)
— Disk encryption: Workstations; Custom
— Encryption of files and folders: Workstations; Custom

It should also be noted that installation types (license bundles) and functionality levels nearly coincide. The Basic installation includes all components of the Anti-Virus protection minus BadUSB Attack Prevention, but plus Application Privilege Control. The Standard installation includes all of the Anti-Virus protection and Control components, again without BadUSB Attack Prevention. The Custom installation additionally includes Encryption and BadUSB Attack Prevention.

1 Although the Application Privilege Control section is displayed in the settings of Kaspersky Endpoint Security for Windows under all operating systems, this component does not work on servers. It will not block programs or restrict their activities there. The section is displayed only because some of its options influence the Firewall component configuration.


Protection components

This Unit is devoted to the Anti-Virus protection components. They can be broken down into three groups:
— File System Protection
  — File Anti-Virus
  — Virus Scan (tasks)
— Network protection and traffic scanning
  — Mail Anti-Virus
  — Web Anti-Virus
  — IM Anti-Virus
  — Network Attack Blocker
  — Firewall
— Proactive Defense
  — System Watcher
  — BadUSB Attack Prevention
They are directly responsible for antivirus protection, that is, they prevent computer infection and minimize the probable harm. Control components are described in Unit III, and Encryption is explained in course KL 008.10.

Policies

Policies are the main remote management tool for Kaspersky Endpoint Security. Policies specify parameters for the product in general, for its interface and for the protection components. A policy lets you both set parameters and control their use on the computers: after the administrator ‘locks’ a setting in the policy, the user cannot change this setting in the local interface of Kaspersky Endpoint Security. The Network Agent transfers policy parameters to the client computers within a special procedure called synchronization. By default, the Administration Server tries to synchronize with the clients right after changes are made to the policy by sending a signal to UDP port 15000 of the computers. Clients in their turn connect to the Server every 15 minutes to check for changes in policies and tasks. So if the Server fails to synchronize with a client right after the changes are made, synchronization takes place during the next scheduled connection initiated by the client.

Active and inactive policies

A policy is created for a group of computers (management group). It can be either active or inactive. An active policy is sent to client computers during synchronization. After synchronization is completed, the active policy exists locally and its settings are used regardless of whether the computer remains connected to the Administration Server. A product cannot apply more than one policy at the same time; that is why there can be only one active policy for each product in a group. There can be any number of inactive policies. Inactive policy settings do not affect the network computers, but they allow the administrator to prepare and save settings for various emergencies, such as a virus outbreak, in advance. Several different inactive policies can be prepared for different virus outbreak situations. For example, a policy blocking access to USB drives can be prepared for malware attacks that spread via removable drives. An inactive policy can easily be made active; in this case, the policy that was active automatically becomes inactive. So, with some preparatory work, the administrator can promptly react to emergencies by quickly changing some security parameters.


Even in case of an unforeseen situation, it can be easier and faster to create a new policy with special settings than to modify the current active policy. Then, after the problem has been resolved, just activate the old policy instead of trying to remember which settings have been modified and rolling back the changes to return to the regular settings.


Policy inheritance

By default, a policy applies to all computers within the group and its subgroups. For example, the policy for Kaspersky Endpoint Security created by the Quick Start wizard in the Managed computers group initially applies to all managed computers. If active policies for Kaspersky Endpoint Security exist in both parent and child groups, the child group policy is used. However, the settings which are locked in the parent policy are enforced on the subgroup policy. So, the policy of the child group inherits all locked settings of the parent group, and at the subgroup level you can specify only additional restrictions. This behavior may not always be desired: the optimal balance between protection and usability may vary considerably between computers. If you want the policy of a child group to override the values of the locked settings of the parent group's policy, clear the Inherit settings from parent policy check box in its settings. After this, the settings of the child group policy can be changed as if the parent group policy did not exist. If a subgroup does not have an active policy of its own, the active policy of the parent group is applied, as mentioned earlier. This is called policy inheritance (as distinct from the inheritance of policy settings described above). Inherited policies are displayed by default. To conceal them, click the Hide link next to the Inherited policies text above the list of policies. This option controls the representation of inherited policies within the current group. To make inherited policies visible again, click the Show link. Compared to a policy created in the group, an inherited policy looks different: its icon is dimmed, Inherited from “Group name” is written in the Inherited column, and in its properties there is a warning that you can modify this policy only in its native group.
To jump to the group from which the policy is inherited, click Show policy in group where it was created on the shortcut menu of the policy.

Policy profiles

In Kaspersky Security Center 10 Service Pack 1, a new approach to policies was additionally implemented. The previously described approach presumes that if some computers need special settings, they need to be joined into a dedicated group. Starting with Kaspersky Security Center 10 Service Pack 1, there is also an alternative approach. To apply special settings to a set of computers, you can create a profile in a policy and specify these special parameters there, along with the profile applying conditions. If a computer meets those conditions, the profile will be applied to it.


Profiles are supported in the policies of Kaspersky Endpoint Security 10 SP1 for Windows and Kaspersky Endpoint Security 10 SP1 for Mobile. The Policy profiles section in the policy allows configuring profiles. By default, there are no profiles in a policy. Profiles are described in detail in course KL 302.10. Advanced Skills. In the Fundamentals course, the following recommendations are appropriate:

— Do not use policy profiles and child group policies concurrently. This structure will be too complicated. We recommend either using one policy with profiles configured in the Managed computers group, or setting up policies in the child groups without any profiles. However, if profiles are configured in a parent policy and a child policy is created within it, the child policy will by default inherit all the locked parameters of the parent policy, including profiles (entirely). Thus profiles configured in a parent group will be applied to all subgroups except those where inheritance is disabled in the policies.

— Tag-based conditions are most useful for activating the profiles. If you need to apply special settings to some computers, assign a common tag to them and configure a profile for computers having this tag. The special settings are to be specified in the profile.

— A profile is enforced over the policy rather than instead of it. By default, all parameters are unlocked in a profile and are not applied. In a profile, you need to configure only those settings that differ from the policy settings. When you specify those special parameters, close the respective locks. As a result, a profile is applied as follows: if the lock related to a parameter or a group of parameters is open, the policy settings are enforced. If the lock is closed, the profile parameters are used.

— Avoid situations when several profiles are applied to a computer. The resulting settings are hard to control, especially if two or more overlapping profiles assign different values to the same parameter. In case of a conflict, the higher a profile is located on the list of profiles, the higher its priority.
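The way locked settings, disabled inheritance, tag-activated profiles and profile priority combine, as described in the Policy inheritance section and in the recommendations above, as an added Python model. It is not Kaspersky Security Center code; the group, profile, tag and setting names are constructed, and the ordering of inherited profiles before a child policy's own profiles is an assumption the page does not state.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Illustrative model of policy settings, locks, inheritance and profiles.
# Constructed for this example; it is not Kaspersky Security Center code.


@dataclass
class Profile:
    name: str
    required_tags: Set[str]            # activation condition: the computer carries all of these tags
    settings: Dict[str, object]
    locks: Set[str] = field(default_factory=set)   # a profile value applies only where its lock is closed


@dataclass
class Policy:
    group: str
    settings: Dict[str, object]
    locks: Set[str] = field(default_factory=set)   # locked values are enforced on child policies
    inherit_from_parent: bool = True               # 'Inherit settings from parent policy'
    profiles: List[Profile] = field(default_factory=list)  # list order is priority: first entry wins


def effective_policy(chain: List[Policy]) -> Policy:
    """Merge a chain of policies from the root group down to the computer's group."""
    top = chain[0]
    merged = Policy(top.group, dict(top.settings), set(top.locks), True, list(top.profiles))
    for child in chain[1:]:
        if not child.inherit_from_parent:
            # the child behaves as if the parent policy did not exist (locks and profiles included)
            merged = Policy(child.group, dict(child.settings), set(child.locks), False, list(child.profiles))
            continue
        settings, locks = dict(child.settings), set(child.locks)
        for key in merged.locks:                  # a parent's locked value overrides the child's
            settings[key] = merged.settings[key]
            locks.add(key)
        # assumption: inherited profiles are listed before the child's own ones
        merged = Policy(child.group, settings, locks, True, list(merged.profiles) + list(child.profiles))
    return merged


def resolve_settings(policy: Policy, computer_tags: Set[str]) -> Dict[str, object]:
    """Apply every active profile on top of the policy; higher-listed profiles win conflicts."""
    result = dict(policy.settings)
    for profile in reversed(policy.profiles):     # lowest priority first, so the first entry is applied last
        if not profile.required_tags <= computer_tags:
            continue
        for key in profile.locks:                 # open lock: policy value stays; closed lock: profile value
            result[key] = profile.settings[key]
    return result


# Constructed sample structure: Managed computers -> Laptops
ROOT = Policy("Managed computers",
              settings={"self_defense": True, "heuristics": "light", "use_ksn": True},
              locks={"self_defense", "use_ksn"},
              profiles=[Profile("Servers", {"server"}, {"heuristics": "deep"}, locks={"heuristics"})])
LAPTOPS = Policy("Laptops",
                 settings={"self_defense": False, "heuristics": "medium", "use_ksn": False},
                 locks={"heuristics"})


def demo() -> Dict[str, Dict[str, object]]:
    inherited = effective_policy([ROOT, LAPTOPS])
    standalone = effective_policy([ROOT, Policy("Laptops", LAPTOPS.settings, LAPTOPS.locks, False)])
    return {
        "laptop": resolve_settings(inherited, set()),                      # parent locks win
        "laptop_tagged_server": resolve_settings(inherited, {"server"}),   # inherited profile applies
        "laptop_inheritance_off": resolve_settings(standalone, set()),     # child values used as-is
    }
```

Running `demo()` shows the three cases the text warns about: a laptop keeps the parent's locked self-defense and KSN values even though the child policy tries to turn them off, a laptop tagged "server" picks up the profile inherited from the parent, and only clearing the inheritance check box lets the child values through.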

Global list of policies

After a while, especially in a large company with a lot of computers, the computer structure and the number of policies can grow quite large and difficult to comprehend at a glance. It’s easy to imagine policies being made for smaller subgroups to address some performance or compatibility issues. In a large company, these policies can be introduced by different employees and nobody will have a good idea of how many different policies there are and what purposes they serve. This can affect smaller companies too. Employees come and go and a new administrator has to make sense of what his or her predecessor has left in terms of different groups and settings. Traversing the group structure manually looking for policy objects is tiresome and error-prone.

The global list of policies comes to save the day. It is located in the Policies node and includes all the policies, active and inactive, that exist in the structure of managed computers. You can see for which group a policy was created. You can also click the corresponding link to jump there, for example, to find out which computers belong to this group and understand whether the specified settings fit them. You can modify policy settings, create or delete a policy right there on the list.


Tasks

Policies affect all protection components except for Virus Scan and Vulnerability Scan. Scanning is performed by tasks that can be started either by command or as scheduled. Tasks can run on multiple computers at once and they can differ in how the list of target computers is defined:

— Tasks for specific computers apply to a selection of computers that can belong to different groups. These tasks are displayed only in the Tasks node. In such a task, the list of target computers can be specified either explicitly, or implicitly as the name of a computer selection. In the latter case, at each start, the task will check which computers belong to the selection, and then run.

— Group tasks, just like policies, apply to all computers of their respective groups and subgroups. The number of scan tasks of the same type within a group is unlimited. There may be several scan tasks running simultaneously on a computer (which is not recommended, though).

Sometimes scanning parameters of a group task do not fit all of the computers in the group. The administrator can then specify the subgroups where the task must not be run in the Exclusions from task scope section of the task properties. The administrator can also use this section to exclude computers with either server operating systems or workstation operating systems if this makes sense for a task.

Just like policies, task settings (of group tasks and tasks for specific computers equally) are transferred to client computers during synchronization. After the settings are transferred, the task will run on schedule regardless of whether the computer remains connected to the Administration Server.


Similar to a global list of policies, there is also a global list of all tasks. It is located in the Tasks node and exhibits the same behavior as the list of policies. The list includes all tasks created on the Administration Server: Administration Server tasks, group tasks, and tasks for specific computers. The tasks can be viewed, created, modified and deleted here. For group tasks, the target group is displayed, and the Show task in group where it was created shortcut menu command takes you directly to that group.

1.2 General Protection Parameters

By ‘general’ parameters, we mean the settings that affect Kaspersky Endpoint Security as a whole, as well as the settings shared by several or all protection components. These parameters are specified in the policy of Kaspersky Endpoint Security.

Automated start and self-defense of the protection

The Launch Kaspersky Endpoint Security 10 for Windows at computer startup setting is one of the main protection parameters. It controls the automatic start of the product after each restart, and therefore it should be enabled and locked.

There is a self-defense technology implemented within Kaspersky Endpoint Security, which prevents unauthorized product disabling and other attempts to hamper its operation. The self-defense is regulated by two options, which can be found under Advanced Settings, Application Settings:

— The Enable Self-Defense parameter is responsible for protecting the Kaspersky Endpoint Security processes in the computer system memory, its files on the hard drive and its registry keys
— The Disable external management of the system service option blocks the attempts to stop the Kaspersky Endpoint Security service unless made via the product interface

If self-defense is disabled, the computer protection level decreases; that is why both parameters are enabled and locked by default. It makes sense to disable self-defense only if compatibility problems arise (for example, with remote management utilities, though there are better ways of handling those) or for troubleshooting.


Categories of detectable threats

This is a common parameter for the components that use Anti-Virus databases to detect malware (File Anti-Virus, Virus Scan, Mail Anti-Virus, Web Anti-Virus, IM Anti-Virus). Kaspersky Endpoint Security can detect not only malware, but also so-called “potentially unwanted programs.” They include, for instance, modules displaying advertising messages in shareware programs. It often happens that a shareware program has already been uninstalled, yet the advertising module remains in the system and annoys the user with obtrusive advertising messages. To improve the balance between protection and efficiency on the managed computers, detection of some program categories can be disabled.

The categories of detectable threats are divided into three groups. The Malware group includes three categories:

— Viruses and worms
— Trojans
— Malicious tools

Programs falling in the first two categories are always detected. Even the Administrator cannot disable detection of viruses, worms or Trojan programs. Malicious tools include so-called virus constructors—programs that automate creation of new viruses. Such programs are not viruses and are not widespread, but must be detected and deleted nevertheless.

The second group includes the following categories:

— Adware
— Auto-dialers
— Other

As a rule, adware does not pose any direct threat to the computer; however, it can interfere with the user's work. Automatic dialers are used to connect to remote computer networks via a phone network using a modem. This technology is nearly obsolete today. This category also includes pornware. Unlike malware, these programs inform the user about the actions taken. The Other category includes remote administration utilities, for example, remote desktop utilities, such as RAdmin, UltraVNC, DameWare and others. These legitimate tools can be installed on a computer using a Trojan program and then used by intruders in order to obtain unauthorized access to the computer. In order to protect against this, you can enable the feature that ensures detection of these utilities. On the other hand, large networks often use remote desktop tools to control computers and solve problems remotely. If you do not wish these tools to conflict with Kaspersky Endpoint Security, you can create exclusions for these tools. Detection of the programs in this category is disabled by default, since such conflicts are highly probable.

The Compressed files group includes two more categories:

— Packed files that may cause harm
— Multi-packed files

Malware programs often use file compression tools in order to confuse antivirus programs. Using compression with various settings, intruders can easily create arrays of seemingly different, but, in essence, identical copies of a malware program. It is not uncommon for a malware program to undergo several compression stages. Many legitimate programs use compression, too; but as a rule, they employ well-known commercial or freeware compression utilities that do not have a function of parametric compression. Therefore, programs compressed with non-standard packers, especially those that are packed many times, raise understandable suspicions. Kaspersky Endpoint Security regards these objects as suspicious rather than malicious.

The decision regarding which program categories Kaspersky Endpoint Security should skip or detect, of course, should not be made by the user. Therefore, no matter which settings are specified in this area, they must be locked.


Kaspersky Security Network

Kaspersky Security Network (KSN) is a cloud-assisted technology that helps increase the accuracy of verdicts for all protection components. In a nutshell, the technology analyses the information received from the users of Kaspersky Lab products and from Kaspersky Lab partners, makes up a list of programs and web resources, and defines their reliability level based on geographical distribution patterns, frequency of use and, importantly, expert analysis. Later on, this information is used by various Kaspersky Endpoint Security components for their verdicts. This technology has been used in Kaspersky Lab products for some time now and has proved its value.

A part of the KSN database is cached locally, on the computer with Kaspersky Endpoint Security. If information about an executable file or a web resource is missing from the local cache, a request is sent to the KSN servers of Kaspersky Lab. When a file is checked, the request contains its MD5 checksum; for a URL address it is an encrypted mask of the address. The answer from the KSN is saved in the local cache of Kaspersky Endpoint Security. Every record has an expiration date; after that, if the corresponding file or link is accessed again, a new request is sent to the KSN. The computer may be disconnected from the network when a request is sent to the KSN servers. After the timeout period elapses, the component that sent the request will treat the program or the web resource as uncategorized. The use of the information received from KSN is described in detail in the sections devoted to protection components.

The administrator initially decides whether to use KSN in the Quick Start wizard. Later, the KSN use settings can be changed in the properties of the Kaspersky Endpoint Security policy. The administrator can enable or disable the use of KSN altogether, or specifically for file classification or URL classification. Additionally, the administrator can enable the use of KSN proxy, a feature of Kaspersky Security Center that is described in the next section.


KSN proxy

To reduce the traffic volume induced by KSN requests from protected computers, the Administration Server can act as KSN proxy. As KSN proxy, the Administration Server becomes an intermediary between the managed computers and the Kaspersky Lab KSN servers. The information requested by a managed computer is saved in the Administration Server cache, and when other computers need this record, it is taken from the server cache without accessing the external servers. Unlike client computers, where the KSN cache is stored on the hard drive, the Administration Server stores the KSN cache in RAM, and it is lost when the server is restarted.

If KSN use is enabled in the policy, the administrator can either completely prohibit the managed computers from directly connecting to the Kaspersky Lab KSN servers, or allow using external servers when the Administration Server is inaccessible.

When using KSN via the Administration Server proxy, client computers connect to the Administration Server over TCP on port 13111 [2]. You can change the port number in the Administration Server properties. Network Agents deliver this port number to the computers along with the policy settings. The Network Agent does not participate in KSN requests: Kaspersky Endpoint Security connects to the KSN proxy directly.

KSN proxy settings are located in the properties window of the Administration Server node. There, in the KSN proxy server section, the administrator can opt out of using KSN proxy and decide which KSN to use: global or private. In this section, the administrator can also enable sending the statistics of update and patch installations to Kaspersky Lab (the I agree to participate in Kaspersky Security Network check box). This data helps to improve the vulnerability and patch management subsystem, a part of the Systems Management functionality, which is described in course KL 009.10.

If the Use Administration Server as proxy server check box is cleared, KSN proxy will be disabled and managed computers will either be unable to use KSN or resort to using KSN directly without a proxy.

Global or private KSN determines the destination of KSN requests redirected by the KSN proxy. With global KSN, the requests are redirected to Kaspersky Lab KSN servers. If private KSN is used, requests will be sent to the KSN infrastructure deployed at the customer’s site. This option is described in more detail in course KL 302.10. Kaspersky Endpoint Security and Management. Advanced Skills. The Network Agents inform the client computers which KSN to use. Even if KSN proxy is inaccessible for some reason, Kaspersky Endpoint Security will keep using the same KSN, global or private, depending on the Administration Server settings. Unmanaged computers cannot use private KSN. Deployment and configuration of a private KSN infrastructure requires inviting Kaspersky Lab experts. The customer’s administrator must not and cannot do it alone.

[2] UDP port 15111 was used by the old version of the Kaspersky Security Network module and is incompatible with the KSN module implemented in Kaspersky Endpoint Security 10.


KSN proxy server statistics

The KSN proxy server statistics section is located under the KSN proxy server settings in the Administration Server properties. This section shows:

— Cache records: the number of KSN cache records on the Administration Server
— Packages processed in cache: the number of requests from protected computers that were served from the cache
— Received packages: the total number of requests received from protected computers

There is also the Check KSN connection button here. It helps the administrator to make sure that the Administration Server receives answers from KSN.


Chapter 2. File System Protection

The file system protection level largely defines the overall computer security. In most cases, malware saves its code within the computer file system. That is why a proper file system protection defends the computer from most viruses. In Kaspersky Endpoint Security, the File Anti-Virus and Virus Scan components are responsible for file system protection.

2.1 File Anti-Virus

File Anti-Virus intercepts all file operations (such as reading, copying, executing) using the klif.sys driver and scans the files being accessed. If the file is infected, the operation is blocked, and the file is either disinfected or deleted by default. Even if Mail Anti-Virus and Web Anti-Virus are disabled, the user will not be able to start an infected file received by e-mail or downloaded from the Internet, because a file cannot be started either from an attachment or from a web page without being saved to the hard drive; and when the file is saved on the disk, it will be detected and blocked by File Anti-Virus. So, File Anti-Virus is of primary importance for the file system protection, which makes it the most important protection component in general.

Scanning technologies

File Anti-Virus uses the following scanning technologies:

— Signature analysis is a malware detection method that uses signatures. A signature is a part of executable code, a checksum, or some other binary string, which helps to detect whether the file is infected by the corresponding malware. Consecutive checks of the file against the signatures of known malware return the verdict whether the file is infected at all. This scanning method is very reliable, but only allows detecting the malware whose signatures have been added to anti-malware databases.

— Heuristic analysis. This scanning method applies only to executable files. Kaspersky Endpoint Security starts the scanned file in a virtual environment isolated from the operating system—a so-called ‘sandbox’—and monitors the file’s behavior. This method requires more time when compared with the signature analysis, but helps to detect some new viruses.

— Check against KSN lists. This method also applies to executable files only. A checksum is calculated for every scanned file, which is compared with the records in the local KSN database. Further, the following alternatives exist:

  — If neither signature nor heuristic analysis has detected an infection, the decision is made based on the information available in the local KSN cache on the client computer. If the local cache lacks information about this file, access to the file is allowed, and a background request is simultaneously sent to the KSN cloud. If the answer is received that the file is dangerous, File Anti-Virus scans it again. If KSN returns information that the file is harmless or if KSN servers cannot be reached, file scanning is finished.

  — If either signature or heuristic analysis has detected that the file is infected, File Anti-Virus sends the request to KSN. If the local database lacks information about the file, File Anti-Virus will wait for the answer from the KSN cloud. If KSN considers the file to be clean, it is treated as non-infected despite the verdicts of signature and heuristic analysis. If the verdict is reaffirmed or information cannot be received from KSN (connection with KSN servers cannot be established), the file is processed as an infected one.

As you can see from the scanning algorithm, the check against the KSN database complements the signature analysis and helps to decrease the probability of false positives.
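The two branches of the scanning algorithm above, as an added Python model of the decision flow (it is not the product's code; the hash keys, local cache contents and cloud answers are constructed placeholders). The point it makes explicit is asymmetric: without a local detection the file is released immediately and KSN is only consulted in the background, whereas after a local detection File Anti-Virus waits for KSN, and only an explicit "clean" answer overturns the local verdict.

```python
from enum import Enum
from typing import Callable, Dict, Optional


class KsnVerdict(Enum):
    CLEAN = "clean"
    DANGEROUS = "dangerous"


# Constructed sample data: a local KSN cache keyed by MD5 (keys are placeholders, not real hashes)
LOCAL_CACHE: Dict[str, KsnVerdict] = {
    "md5:known-good-tool": KsnVerdict.CLEAN,   # a legitimate file that heuristics may flag
    "md5:known-bad": KsnVerdict.DANGEROUS,
}

CloudLookup = Callable[[str], Optional[KsnVerdict]]


def make_cloud(answers: Dict[str, KsnVerdict], reachable: bool = True) -> CloudLookup:
    """Simulated KSN cloud: None means no answer (servers unreachable / timeout, or no record)."""
    def lookup(md5: str) -> Optional[KsnVerdict]:
        if not reachable:
            return None
        return answers.get(md5)
    return lookup


def file_antivirus_verdict(md5: str, local_detected: bool,
                           cache: Dict[str, KsnVerdict], cloud: CloudLookup) -> dict:
    """Decide what File Anti-Virus does with a file.
    local_detected: True if signature or heuristic analysis flagged the file."""
    cached = cache.get(md5)
    if not local_detected:
        if cached is None:
            # unknown locally: access is allowed at once, KSN is asked in the background
            answer = cloud(md5)
            if answer is not None:
                cache[md5] = answer
            # a 'dangerous' answer triggers a rescan; 'clean', no record or timeout ends the check
            verdict = "infected" if answer is KsnVerdict.DANGEROUS else "clean"
            return {"verdict": verdict, "initial_access": "allowed", "waited_for_cloud": False}
        verdict = "infected" if cached is KsnVerdict.DANGEROUS else "clean"
        return {"verdict": verdict,
                "initial_access": "allowed" if verdict == "clean" else "blocked",
                "waited_for_cloud": False}
    # local detection: KSN is consulted before the file is released
    if cached is None:
        answer = cloud(md5)          # File Anti-Virus waits for the cloud here
        waited = True
        if answer is not None:
            cache[md5] = answer
    else:
        answer, waited = cached, False
    # only an explicit 'clean' from KSN overrides the local verdict; reaffirmed or no answer -> infected
    verdict = "clean" if answer is KsnVerdict.CLEAN else "infected"
    return {"verdict": verdict,
            "initial_access": "allowed" if verdict == "clean" else "blocked",
            "waited_for_cloud": waited}


def demo() -> Dict[str, dict]:
    """Run the constructed scenarios; each call gets its own copy of the local cache."""
    cloud_up = make_cloud({"md5:new-sample": KsnVerdict.DANGEROUS, "md5:flagged-tool": KsnVerdict.CLEAN})
    cloud_down = make_cloud({}, reachable=False)
    return {
        "unknown_clean_locally_cloud_dangerous":
            file_antivirus_verdict("md5:new-sample", False, dict(LOCAL_CACHE), cloud_up),
        "unknown_clean_locally_cloud_down":
            file_antivirus_verdict("md5:new-sample", False, dict(LOCAL_CACHE), cloud_down),
        "flagged_cached_clean":
            file_antivirus_verdict("md5:known-good-tool", True, dict(LOCAL_CACHE), cloud_down),
        "flagged_unknown_cloud_clean":
            file_antivirus_verdict("md5:flagged-tool", True, dict(LOCAL_CACHE), cloud_up),
        "flagged_unknown_cloud_down":
            file_antivirus_verdict("md5:flagged-tool", True, dict(LOCAL_CACHE), cloud_down),
    }
```

The last two scenarios are the ones worth remembering when KSN connectivity is interrupted: a locally flagged file that KSN would have cleared is treated as infected while the servers are unreachable, so a KSN outage shows up as extra false positives rather than as missed detections.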


Scanning parameters

Scanning parameters and other File Anti-Virus settings that define the protection scope are gathered in the Security level group of parameters. In the policy, these parameters have a common lock, that is, they are locked or unlocked together. Considering the importance of File Anti-Virus, the users should not be allowed to change the scanning parameters and the lock should be closed in the Security level area.

Protection scope

By default, the Protection scope of File Anti-Virus includes:

— All removable drives
— All hard drives
— All network drives

In other words, all drives from which malware can be run. A protection area allows adding individual drives and folders instead of drive groups. However, disabling any standard scan scope considerably decreases the protection level. That is why this group of settings should be modified very cautiously. For example, if Cisco NAC, Microsoft NAP or another tool guarantees that all network nodes are protected with Anti-Viruses, then All network drives can be removed from the protection scope. In this case, if a file from a network drive is accessed, it will be scanned by the Anti-Virus installed on the local computer where the drive is located.

Types of files to be scanned

The File types setting can take one of the following three values:

— All files
— Files scanned by format—i.e. files that can contain executable malware code [3]; in this case the file format is determined as the result of the file header analysis rather than by the file extension
— Files scanned by extension—i.e. files with extensions characteristic of infected formats

The optimum value for File Anti-Virus is the middle one. Scanning of all files requires considerably more resources without a dramatic improvement of protection. Scanning based on file extensions risks skipping a renamed malware object: a file with a non-typical extension may still be opened or even run.

Heuristic analysis

Heuristic analysis parameters are configured in the Scan methods group. Heuristics levels—Light, Medium or Deep—define the period of observing the object in the virtual environment. In the context of the File Anti-Virus operation this means an increased delay when a program is run. Therefore, completely disabling heuristic analysis within the File Anti-Virus component is acceptable.

[3] These include not only executable files but also, for example, Microsoft Office documents that may contain infected macros and some graphic formats that may contain active executable elements.


Scan optimization

The Scan only new and changed files option considerably decreases the number of scans performed by File Anti-Virus. If an object was scanned and has not been modified ever since, it will not be scanned again. Kaspersky Endpoint Security receives information about the changes using the iSwift and iChecker technologies, whose settings are located on the Additional tab.

Scan of compound files

It is not recommended to scan compound files using File Anti-Virus. Unpacking these files consumes a lot of resources and they do not pose any direct threat. Even if an archive contains a virus, you cannot run any infected file without unpacking it. During unpacking it will be detected and blocked as a regular file. It is sufficient to scan compound files with on-demand scan tasks [4].

iSwift and iChecker

The iSwift and iChecker scanning technologies are responsible for collecting data about the changes made to files. The iSwift technology extracts the data about changes from the NTFS file system. The iChecker technology is used for executable files located on drives with non-NTFS file systems, for example, FAT32. For this purpose, iChecker calculates and saves the checksums of the scanned executable files. If the checksum remains the same during the next check, it means that the file has not been changed. Both technologies save information about the file scan date and the version of the databases used for the scanning.

If the Scan only new and changed files check box is selected, the iSwift Technology and iChecker Technology check boxes are of no importance. Even if you clear them, these technologies will still be used, because without them Kaspersky Endpoint Security will not be able to determine which files have already been scanned and which of them have not been changed since the last scanning.

If the Scan only new and changed files setting is disabled, the iSwift Technology and iChecker Technology settings are relevant. In this case, a certain quarantine [5] or trust period is associated with each file. During the quarantine periods the file will be scanned even if it has not been modified, while during the trusted periods the file will not be scanned. The quarantine period is assigned to all files which have not been scanned yet or which have changed since the last scanning. During the quarantine period, the file will not be scanned if it was already scanned with the same database version. For this purpose, the iSwift and iChecker technologies register the version of the antivirus databases used for the scanning. In all other cases, standard scanning is performed. Once the quarantine period is over, the trusted period is assigned to the file. During the trusted period, the file is not scanned if it has not changed. Once the trusted period is over, the file is scanned once again when the necessity arises, and if it is not infected, a new trusted period is assigned, longer than the previous one. In case of any change, the file gets a quarantine period and everything begins from scratch. When the Scan only new and changed files setting is enabled, the trusted period is not restricted in time. The trusted period expires only if the file is changed.

Disabling the iSwift and iChecker technologies makes no sense in File Anti-Virus. This will either have no effect (if the Scan only new and changed files feature is enabled) or will lead to more scans and a general decrease of computer performance.
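The quarantine and trusted periods described in the Scan optimization and iSwift/iChecker passages above, as an added Python simulation. It is not the product's code: the period lengths, the doubling of each new trusted period, the absence of a scan at the quarantine-to-trusted transition, and the assumption that every scan finds the file clean are all constructed for the illustration; the page gives none of those specifics.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed period lengths in seconds; the real values used by the product are not given on the page
QUARANTINE_PERIOD = 3600
FIRST_TRUST_PERIOD = 3600


@dataclass
class FileRecord:
    checksum: str       # stands in for the iChecker checksum / iSwift change data
    db_version: int     # anti-virus database version used for the last scan
    phase: str          # "quarantine" or "trusted"
    phase_end: float    # when the current phase expires
    trust_len: float    # length of the next trusted period


class ScanScheduler:
    """Decides on each file access whether File Anti-Virus must scan the file again."""

    def __init__(self, scan_only_new_and_changed: bool) -> None:
        self.only_new = scan_only_new_and_changed
        self.records: Dict[str, FileRecord] = {}
        self.scans = 0

    def _scan(self, path: str, checksum: str, db_version: int, now: float) -> None:
        # (re)scan; the model assumes the file is found clean, so it enters a quarantine period
        self.scans += 1
        self.records[path] = FileRecord(checksum, db_version, "quarantine",
                                        now + QUARANTINE_PERIOD, FIRST_TRUST_PERIOD)

    def on_access(self, path: str, checksum: str, db_version: int, now: float) -> bool:
        """Return True if this access results in a scan."""
        rec = self.records.get(path)
        if rec is None or rec.checksum != checksum:
            self._scan(path, checksum, db_version, now)   # new or changed: everything starts from scratch
            return True
        if self.only_new:
            return False      # scanned once and unchanged: the trusted period never expires
        if rec.phase == "quarantine":
            if now >= rec.phase_end:
                # assumption: the quarantine period passed without changes, the file becomes trusted
                rec.phase, rec.phase_end = "trusted", now + rec.trust_len
                return False
            if rec.db_version == db_version:
                return False  # already checked with these databases during quarantine
            rec.db_version = db_version   # new databases during quarantine: standard scan
            self.scans += 1
            return True
        if now < rec.phase_end:
            return False      # trusted and unchanged
        # trusted period over: scan again; a clean result earns a longer trusted period (assumed: doubled)
        self.scans += 1
        rec.db_version = db_version
        rec.trust_len *= 2
        rec.phase_end = now + rec.trust_len
        return True


def demo(scan_only_new_and_changed: bool) -> List[bool]:
    """Replay a constructed access timeline for one file; True marks the accesses that cause a scan."""
    scheduler = ScanScheduler(scan_only_new_and_changed)
    events = [
        ("a.exe", "h1", 1, 0),       # first access: scanned, quarantine starts
        ("a.exe", "h1", 1, 600),     # same databases, still in quarantine: not scanned
        ("a.exe", "h1", 2, 1200),    # databases updated during quarantine: scanned (unless only-new mode)
        ("a.exe", "h1", 2, 3700),    # quarantine over: becomes trusted, not scanned
        ("a.exe", "h1", 3, 5000),    # inside the trusted period: not scanned even with new databases
        ("a.exe", "h1", 3, 7400),    # trusted period over: scanned, next trusted period is longer
        ("a.exe", "h2", 3, 7500),    # content changed: scanned, back to quarantine
    ]
    return [scheduler.on_access(*event) for event in events]
```

Comparing `demo(False)` with `demo(True)` shows why the text says disabling iSwift and iChecker gains nothing: with Scan only new and changed files enabled, only the first access and the content change trigger a scan, and the database update and period expiries never do.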

[4] These scan tasks are described later in this chapter.

[5] This ‘quarantine’ term is not related to the Quarantine repository.


Scan mode

The Scan mode determines the file operations that trigger scanning. It is simpler to describe them in the reverse order of their appearance:

— On execution—only executable files are scanned and only when they are started. Copying an infected executable file will remain unnoticed. Switching File Anti-Virus into this mode decreases the security level considerably
— On access—files are scanned when they are opened for reading or execution. The user may download malicious code from a website but will not be able to do anything with this file
— On access and modification—files are scanned when any operation is performed on them. This is the safest mode, yet the most resource-consuming
— Smart mode—the order of operations performed with the file is analyzed. If a file is opened for writing, the scan will be performed after it is closed and all changes to it are made. Intermediate changes made to the file are not analyzed. If a file is opened for reading, it will be scanned once on opening, but will not be rescanned on intermediate read operations until the file is closed

Essentially, Smart mode ensures the same protection as On access and modification, but consumes less resources. Therefore it is recommended for most computers. On access or On execution modes can be used on the computers where efficiency is more important than security, understanding that the probability of infection or virus spreading increases.

Pausing File Anti-Virus

File Anti-Virus can be paused while a resource-consuming operation is performed using the settings in the Pause task area:

— By schedule—the schedule (daily only) is set by specifying the time when File Anti-Virus is to be paused and when it is to resume its normal operation. The time is specified in hours and minutes
— At application startup—File Anti-Virus will pause when the specified program loads in the memory and will resume its operation when this program is unloaded from the memory


Standard security levels

The security levels can be managed using the three-position switch: Low, Recommended and High. Depending on the switch position, the File Anti-Virus settings adopt the following values:

File types
— Low: Files scanned by extension
— Recommended: Files scanned by format
— High: All files

Protection scope
— Low: All removable drives, All hard drives, All network drives
— Recommended: All removable drives, All hard drives, All network drives
— High: All removable drives, All hard drives, All network drives

Heuristic analysis
— Low: Light scan
— Recommended: Light scan
— High: Medium scan

Scan only new and changed files
— Low: enabled
— Recommended: enabled
— High: disabled

Scan of compound files
— Low: (none)
— Recommended: Scan embedded OLE objects; Do not unpack large compound files (maximum file size: 8 MB)
— High: Scan new archives; Scan new installation packages; Scan all embedded OLE objects

Scan mode
— Low: Smart
— Recommended: Smart
— High: Smart

Scan technologies
— Low: iSwift technology, iChecker technology
— Recommended: iSwift technology, iChecker technology
— High: iSwift technology, iChecker technology

Pause task
— Low: (none)
— Recommended: (none)
— High: (none)

If any setting is modified, the security level is changed to Custom. In order to return to the Recommended level, click the By default button.

Actions

Malware detected by File Anti-Virus should not be left unprocessed. That is why the settings that regulate File Anti-Virus actions should be locked. The optimal choice is to disinfect and, if disinfection is impossible, delete infected files [6]. Most malicious files cannot be disinfected, because they contain nothing but the infected code. Before a file is disinfected or deleted, its copy is placed into the Backup repository or Quarantine, depending on the verdict. That way, if it contains important information or is deleted because of a false positive, the file can be recovered. If the Roll back malware actions during disinfection option is enabled within the properties of the System Watcher component, Kaspersky Endpoint Security not only deletes malicious files, but also rolls back their actions [7].

[6] The Select action automatically option is equivalent to the Disinfect. Delete if disinfection fails option.
[7] The rollback procedure is described in Chapter 4 of this Unit.

II–29 Unit II. Protection Management


Configuring exclusions

Scan exclusions

Sometimes File Anti-Virus erroneously returns the "infected" verdict. Such cases are rare, and usually concern tailor-made software. This problem is reduced by creating exclusion rules for objects. Exclusions are configured in the General protection settings and are used by all protection components. A scan exclusion consists of three attributes:
— File or folder—the name of the file or folder to which the exclusion applies. The name of the object may include environment variables (%systemroot%, %userprofile% and others) and also "*" and "?" wildcard characters
— Object name—the name of the threat to be ignored (usually corresponds to a malware name), which can also be specified using wildcard characters
— Protection components—the list of protection components to which the rule applies

Of the three attributes, one of the first two and the third one are mandatory. You can create a scan exclusion for a file or folder without specifying the threat type; then the selected components will ignore any threats in the specified file or folder. Conversely, you can create a scan exclusion for a threat type, for example, for the UltraVNC remote administration tool, so that the selected protection components would not respond to this threat regardless of where it is detected. All three attributes can also be specified simultaneously. For example, the exclusion list contains a set of rules for widespread remote administration tools: UltraVNC, RAdmin, etc. In these rules, both the threat type and the object (typical location of the executable file) are specified. According to such an exclusion, Kaspersky Endpoint Security would allow running a remote administration tool from the Program Files folder, but if the user runs the tool from another folder, Kaspersky Endpoint Security would consider it a threat.
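The rule logic described above, evaluated offline in Python as an added example (this is not code from Kaspersky Endpoint Security). It models the three attributes of a scan exclusion (file or folder mask with environment variables and wildcards, object name mask, component list), enforces the "one of the first two plus the third" rule, and shows why a rule that names both the threat and its typical location tolerates UltraVNC under Program Files but still flags the same tool, or a different threat, elsewhere. The rules, paths, threat names and environment values are constructed for illustration.

```python
"""Scan exclusion rules evaluated offline (added example, not Kaspersky code)."""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import FrozenSet, List, Optional

# Constructed environment, used instead of os.environ so the example is
# deterministic on any platform.
ENV = {
    "systemroot": "C:\\Windows",
    "programfiles": "C:\\Program Files",
    "userprofile": "C:\\Users\\alice",
}


@dataclass(frozen=True)
class Exclusion:
    components: FrozenSet[str]          # mandatory
    path_mask: Optional[str] = None     # "File or folder"
    object_mask: Optional[str] = None   # "Object name" (threat name)

    def __post_init__(self) -> None:
        # The components list plus at least one of the other two attributes is mandatory.
        if not self.components:
            raise ValueError("an exclusion needs at least one component")
        if self.path_mask is None and self.object_mask is None:
            raise ValueError("an exclusion needs a file/folder or an object name")


def expand_env(path: str, env: dict = ENV) -> str:
    """Replace %var% tokens from the supplied environment (names are case-insensitive)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def _norm(path: str) -> str:
    return expand_env(path).replace("/", "\\").lower()


def path_matches(mask: str, path: str) -> bool:
    """A mask ending in a backslash is a folder and covers everything below it;
    otherwise the whole path must match the mask with * and ? wildcards."""
    mask_n, path_n = _norm(mask), _norm(path)
    if mask_n.endswith("\\"):
        return path_n.startswith(mask_n)
    return fnmatchcase(path_n, mask_n)


def is_excluded(path: str, threat: str, component: str, rules: List[Exclusion]) -> bool:
    """True if at least one rule tells this component to ignore this threat at this path."""
    for rule in rules:
        if component not in rule.components:
            continue
        if rule.path_mask is not None and not path_matches(rule.path_mask, path):
            continue
        if rule.object_mask is not None and not fnmatchcase(threat.lower(), rule.object_mask.lower()):
            continue
        return True
    return False


# Constructed rule set: a remote-administration tool is tolerated only in its usual
# install folder; a backup spool folder is skipped entirely by File Anti-Virus.
# The threat name below is illustrative, not a verified detection name.
RULES = [
    Exclusion(frozenset({"File Anti-Virus"}),
              path_mask=r"%ProgramFiles%\UltraVNC\*.exe",
              object_mask="not-a-virus:RemoteAdmin.Win32.UltraVNC*"),
    Exclusion(frozenset({"File Anti-Virus"}),
              path_mask="D:\\BackupSpool\\"),
]

if __name__ == "__main__":
    vnc = "not-a-virus:RemoteAdmin.Win32.UltraVNC.a"
    print(is_excluded(r"C:\Program Files\UltraVNC\winvnc.exe", vnc, "File Anti-Virus", RULES))   # True
    print(is_excluded(r"C:\Users\alice\Downloads\winvnc.exe", vnc, "File Anti-Virus", RULES))  # False
```

Note that the folder rule without an object name makes File Anti-Virus ignore any threat in that folder, while leaving Mail Anti-Virus and the other components unaffected; and that a genuine trojan dropped into the UltraVNC folder is still detected because the object mask does not match it.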

Trusted applications

Security level settings can be adjusted so as to achieve the optimal performance-reliability balance for an average computer. But if the computer runs resource-consuming programs, their operation can be slowed down by File Anti-Virus. This is especially true for programs that perform numerous file operations, for example, backup copying or defragmentation. To avoid slowdowns, a number of measures can be taken.

The first thing to do is to configure an exclusion so that File Anti-Virus ignores file operations performed by the program. When adding exclusions under Trusted applications, within the Scan exclusions for Application window, specify the path to the executable file of the program and select the Do not scan opened files action. The path may contain environment variables and "*", "?" wildcards.

If the program has many processes, and the data files are located in one directory, it might be worthwhile to exclude this directory from the File Anti-Virus scan scope: under Scan exclusions, add the rule, specify the necessary directory in the File or folder parameter, do not specify any Object name, and select File Anti-Virus in the list of components to apply the rule.


If the desired effect is not achieved by setting up exclusions, as a last resort, configure pausing File Anti-Virus while the program runs (in the Security Level settings, on the Additional tab). Exclusion settings should be locked. Users are often unable to properly configure their exclusions and may abuse such a capability and considerably weaken the protection of the computer. When a policy is applied, all local exclusions are disabled and replaced with centralized ones. In order to create a useful set of exclusions, the administrator should find out which exclusions are required to minimize impact to the users, and to set them up in the policy. The best way to do this is to create exclusions in the local Kaspersky Endpoint Security interface and then import them into the policy.

2.2 Virus Scan Tasks

Virus scan tasks check objects using the same methods as File Anti-Virus: signature and heuristic analysis and KSN. The difference is that File Anti-Virus checks files on the fly when they are accessed, while virus scan tasks inspect files by schedule or on demand.

File Anti-Virus works alongside the user: the more actively the user's applications work, the more files File Anti-Virus scans and the more resources it consumes. Therefore, it is recommended to optimize the File Anti-Virus settings to ensure protection against immediate threats only. If an archive is being copied, there is no immediate infection risk and it may be skipped.

Virus scan tasks can be started during off hours, when more resources are available and a more thorough scan can be performed. That is why a scan task will wait for the answer from KSN before returning the final verdict, regardless of the signature and heuristic analysis results. Also, the task may check the objects that are excluded from the scan scope of File Anti-Virus: archives, installation packages, files in non-infectable formats, etc.

One more aspect of File Anti-Virus is that it scans files on disk before they are launched, but it does not check the processes that are already present in memory. So, if a new virus manages to load its code into memory before the product downloads updates with the corresponding signatures, File Anti-Virus will be unable to do anything until the next launch of the virus. A virus scan task can be configured to check the processes in memory and be scheduled to run after each successful database update.


Scanning: parameters and specifics

Scan scope

Scan scope is a list of paths to folders and files that are to be scanned by the task. System variables are allowed (for example, %systemroot%), as well as * and ? wildcards in the file or folder names. For folders, you can select whether to scan all the contents, including subfolders, or just the folder itself without subfolders. If subfolders are not selected to be scanned, the object icon is marked with a little red "minus" sign. In addition to files and directories, the following scan objects can be specified:
— My email—Outlook data files (.pst and .ost)
— System Memory—executable files of all running processes are scanned
— Startup Objects—executable files of the programs started at system startup. Additionally, if this object is selected in the task properties, rootkit scanning will also be performed (rootkits are hidden objects of the file system)
— Disc boot sectors—boot sectors of hard and removable drives
— System Backup Storage—System Volume Information folders
— All removable drives—the removable drives connected to the computer at the moment
— All hard drives—computer hard drives
— All network drives—all network drives connected to the computer
— Computer—all the above objects, except for My email and All network drives

Security level

Security level parameters in virus scan tasks are almost identical to the security level parameters specified for File Anti-Virus. The differences include a couple of additional parameters in the Scan of compound files section and the Skip files that are scanned for longer than N sec option. This timeout is necessary to avoid the task freezing when it scans archives that are deliberately corrupted by criminals for this purpose.

Virus scan tasks are also used to check archives. This is important because File Anti-Virus usually does not scan archives. A virus scan task can check the same types of compound objects as File Anti-Virus, and two more:
— Archives
— Installation packages
— Embedded OLE objects
— Email formats
— Password-protected archives—when scanning these, Kaspersky Endpoint Security will prompt the active user for the password to unpack the archive. Since scheduled scans usually run in off hours when there is no user, this option should be reserved for manual scans performed locally

Processing of compound objects is regulated by another option that becomes available after clicking the Additional button: Do not unpack large compound files. The other security level parameters are identical to those of File Anti-Virus.


You can also change the scan settings using the Security level slider. In that case the following settings will be used:

Setting                                     | Low                     | Recommended | High
--------------------------------------------|-------------------------|-------------|----------
File types                                  | Files scanned by format | All files   | All files
Scan only new and changed files             | +                       |             |
Skip files that are scanned for longer than | 180 sec                 |             |
Scan archives                               | New                     | All         | All
Scan installation packages                  | New                     | All         | All
Scan embedded OLE objects                   | New                     | All         | All
Parse email formats                         |                         |             | +
Scan password-protected archives            |                         |             |
Do not unpack large compound files          |                         |             |
Heuristic analysis                          | Light scan              | Medium scan | Deep scan
iChecker technology                         | +                       | +           | +
iSwift technology                           | +                       | +           | +

Actions

A virus scan task can take almost the same actions as File Anti-Virus. There are still two main neutralization options: Disinfect and Delete. We recommend using the default values.

Additionally, virus scan tasks include a setting that is missing from the File Anti-Virus parameters: Run Advanced Disinfection immediately. This option is described in detail at the end of this chapter. This setting exists because the advanced disinfection procedure requires restarting the computer. By default, the user is prompted and may reject it. The Run Advanced Disinfection immediately option enables the administrator to force the start of the advanced disinfection procedure. The user will be informed of the upcoming restart and will be able to save data, but will not be able to cancel the procedure.

Account

By default, scan tasks are started on the client computers under the Local System account. If the scan scope includes network drives or other objects with restricted access, the task will not be able to scan them. To solve this problem, an account that has the necessary rights must be specified within the task properties. Give that account no more rights than the scan needs (read access to the shares in the scan scope): it is used on every computer the task is assigned to, so a privileged account would be exposed on all of them.


Schedule

Virus scan tasks may use any regular schedule: every N minutes, every N hours, every N days, weekly, monthly. They can also be started once: either automatically at the specified time, or manually. In addition, special schedule types are available:
— After application update—the task will start after new threat signatures are downloaded and applied. This is convenient for the scanning of memory and other locations where active threats may appear
— At application start—the task will start immediately after the launch of Kaspersky Endpoint Security (or in a few minutes). This is another opportunity for the scanning of the most vulnerable computer areas
— On completing another task—a universal schedule that allows arranging tasks into a chain. From the practical viewpoint, the best approach would be to link virus scan to update completion, but there is already a special schedule option for that purpose
— On virus outbreak—when the Virus outbreak event [8] is registered on the Administration Server

There is also an option that allows running missed tasks. If a computer is turned off at the scheduled time, the task will start as soon as the computer is switched on. If the computer is not accessible at the time of a manual task start, it will run once the computer reconnects to the Server. Please note, there are negative aspects to running missed tasks. If a scan task was scheduled during the weekend but was missed, it will start on Monday morning, which can cause slowdowns for the user working with that machine.

If scan tasks are run simultaneously on many computers, numerous events are sent to the Administration Server. To help distribute load, the task start is staggered by default: the task starts with a delay rather than exactly at the specified time; a random delay is selected for each computer. By default, the Administration Server automatically selects the maximum delay. To change this, clear the Define task launch delay automatically check box and select the Randomize the task start with interval (min) check box. If a large enough interval is specified, tasks will start at different times, and the number of simultaneous connections on the server will be reduced. If both check boxes are cleared, the task will start on all computers exactly at the specified time.

The Advanced window contains a few other useful settings:
— Activate computer before the task is started by the Wake On LAN function (min)—the option allows you to schedule scan start for the night time or weekends without needing to worry whether the computer is on. However, to use this feature, you need to enable its support in the BIOS settings of the target computers
— Turn off computer after task is complete—the option may supplement the previous one. If a scan is scheduled for the night or a weekend, the computer can be turned off after its completion
— Stop if the task is taking longer than (min)—the option allows guaranteed task completion before the working day begins, so that the running scan does not interfere with the user activity
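A small simulation of the staggering and runtime-cap logic described above, added here as an example (it is not Kaspersky code and does not reproduce how the Administration Server picks its automatic delay). Each computer draws its own delay inside the Randomize the task start with interval (min) window; the simulation counts how many tasks, and therefore server connections, fall into the busiest minute, and computes the latest possible stop time under Stop if the task is taking longer than (min). Host names, the seed and the timing figures are constructed for illustration.

```python
"""Staggered task start and the runtime cap (added example, not Kaspersky code)."""
import random
from collections import Counter
from typing import Dict, Iterable


def stagger_starts(hosts: Iterable[str], scheduled_minute: int,
                   interval_min: int, seed: int = 0) -> Dict[str, int]:
    """Return {host: start minute}. interval_min == 0 models the case with both
    check boxes cleared: every computer starts exactly at the scheduled time."""
    rng = random.Random(seed)        # seeded only to keep the example reproducible
    return {h: scheduled_minute + rng.randrange(interval_min + 1) for h in hosts}


def peak_per_minute(starts: Dict[str, int]) -> int:
    """Largest number of task starts, hence Administration Server connections,
    that fall into any single minute."""
    return max(Counter(starts.values()).values())


def latest_stop(starts: Dict[str, int], max_runtime_min: int) -> int:
    """Minute by which every task is either finished or killed by the runtime cap;
    compare it with the start of the working day when planning a night-time scan."""
    return max(starts.values()) + max_runtime_min


if __name__ == "__main__":
    hosts = [f"pc-{i:03d}" for i in range(500)]      # constructed host list
    friday_19 = 19 * 60                              # minute of day, 7:00 PM
    at_once = stagger_starts(hosts, friday_19, interval_min=0)
    spread = stagger_starts(hosts, friday_19, interval_min=120)
    print("peak starts per minute, no staggering:", peak_per_minute(at_once))
    print("peak starts per minute, 120 min interval:", peak_per_minute(spread))
    print("all tasks stopped by minute:", latest_stop(spread, max_runtime_min=240))
```

With 500 computers and a 120-minute interval the busiest minute carries only a handful of starts instead of all 500; the price is that the last task may start up to two hours late, which the runtime cap has to allow for.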

[8] This is described in detail in Chapter 5 of this Unit.


Run mode also influences the task schedule:
— Suspend scheduled scanning when the screensaver is off and the computer is unlocked (in the Properties section)—the option means that virus scan will only be performed if the computer is unused (if it is locked or its screensaver is active); otherwise the task will switch to the Paused mode


Common parameters of scan tasks

Some settings influence all scan tasks. They are specified in the Kaspersky Endpoint Security 10 policy, in the Advanced settings, Application settings section:
— Do not start scheduled tasks while running on battery power—this setting is designed for notebooks and is enabled by default. If the laptop is not plugged in, the scan task will not start, to help extend the battery life
— Concede resources to other applications—the task will increase the delay before it proceeds to the next file when the CPU load is high

Centralized use of virus scan tasks Virus scan tasks can be assigned to groups or selections of computers. Regular virus scans must be performed on all computers. Group tasks best serve this purpose. In particular, it is recommended to run a scan task that checks the most infectable areas once a week. If time and resources permit, you can run a full computer scan task instead. A task scanning the memory and other areas that may contain active viruses (equal to the local Critical Areas Scan task) after each database update will also be helpful. If you need to create a task for an individual computer, it is better to create it as a task for specific computers. This is more convenient than creating and monitoring a local task. It is also more efficient than creating a separate subgroup for this computer alone. Tasks for computer selections can also be used to solve current problems. For example, the administrator may need to urgently scan the computers where multiple viruses are detected or those that have not been scanned for a long time.


Standard group task

The standard virus scan task is created by the Quick Start wizard in the Managed computers group with the following settings:

Parameter      | Value
---------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Schedule       | Every Friday at 7:00 PM
Objects        | System memory; Startup objects; Boot sectors; %systemroot%\; %systemroot%\system\; %systemroot%\system32\; %systemroot%\system32\drivers\; %systemroot%\syswow64\; %systemroot%\syswow64\drivers\
Security level | Recommended
Action         | Select action automatically (i.e. Disinfect; Delete if disinfection fails)


2.3 Advanced Disinfection Technology

If the detected malware is already running, it can hamper disinfection: block access to the infected files or hide them. There is a special feature for such cases: Advanced Disinfection Technology. It is enabled by a separate parameter in the Kaspersky Endpoint Security policy.

Advanced Disinfection Technology is engaged when File Anti-Virus or a scan task detects a malware program and at least one of the following conditions is met:
— The infected file is found on the desktop
— The infected file has been started before, according to the file system data
— Automatic start of the infected file is configured in the registry

The conditions are not hard-coded and may change as a result of a regular update, although such changes are rare. If at least one of the above conditions is met, advanced disinfection starts:

1. On the client computer, the user is prompted to start the advanced disinfection procedure and is warned that the computer will need to be restarted during the disinfection
2. If the user agrees, the system is switched into a special restricted operation mode: start of new programs is blocked and registry changes are prohibited
3. The product attempts to disinfect the file. If it fails, but the file can potentially be treated, its copy is created in the same location and is disinfected
4. Memory scanning starts, to find running copies of the malware and stop them
5. The records that enable auto-start of the infected file are deleted from the registry and configuration files
6. The computer is restarted. If the file(s) have not been disinfected at step 3, when the system begins to boot, the infected file is either replaced with its disinfected copy, or deleted (if disinfection is impossible)

The main drawback of advanced disinfection is the necessity to restart the computer, which cannot be done without the consent of the user. That is why Advanced Disinfection Technology is disabled by default. When it is enabled and needs to be applied, the user is warned of the forthcoming procedure and restart.

As we mentioned earlier, the Run Advanced Disinfection immediately option, which is located under the action settings in virus scan tasks, is closely related to the advanced disinfection procedure. This option is not used until Advanced Disinfection Technology is enabled in the Kaspersky Endpoint Security policy. When Advanced Disinfection Technology is enabled, this option in the task allows starting the advanced disinfection procedure automatically, without the user's confirmation. That is, the described algorithm will start from step 2.


Chapter 3. Network Protection

A network is one of the main ways of spreading a virus. That is why network protection and network traffic scanning are so important for computer security. The Mail Anti-Virus, Web Anti-Virus, IM Anti-Virus, Firewall, and Network Attack Blocker components are responsible for network protection in Kaspersky Endpoint Security. All together, these components perform the following tasks:
— Block and delete malware programs at early penetration stages, before they are saved in the computer file system
— Block access to phishing and malware-spreading web sites, and delete links to such web sites from e-mail and instant messages
— Block network attacks, including attacks that run infected code without saving it in the file system
— Prevent epidemics and data leakage if the computer has been infected


3.1 Network Traffic Interception

Kaspersky Endpoint Security intercepts network traffic using an NDIS filter. Under Windows XP and Windows Server 2003, the klick.sys and klin.sys drivers can be used instead of the NDIS filter: in the properties of the Kaspersky Endpoint Security installation package, select the Do not install the NDIS5 driver check box [9]. Regardless of the driver used for intercepting traffic, Kaspersky Endpoint Security works the same way. Inbound network packets are processed by Kaspersky Endpoint Security before being transferred to programs and services, and outbound packets are intercepted and processed before being sent into the network.

First, the traffic is processed by the Firewall and Network Attack Blocker components. The Firewall blocks packets according to the rules configured for packets and applications. Network Attack Blocker analyzes packet sequences and blocks network attacks. The analysis considers the packets blocked by the Firewall, which means that the Firewall and Network Attack Blocker work in parallel.

Then, the Web Anti-Virus, Mail Anti-Virus and IM Anti-Virus components scan the data at the protocol level. Protocol interception order is configured for all components combined, in the Monitored ports area of the General Protection Settings section of the policy. The traffic allowed by the Firewall and Network Attack Blocker is analyzed by Kaspersky Endpoint Security for correspondence to the supported protocols. Mail traffic, web traffic and instant messaging traffic is redirected to the corresponding components for scanning; other packets are sent to their target programs and applications. If necessary, to reduce the load, there is a way not to analyze all traffic, but only the packets received through the specified ports or sent to the specified programs. Standard ports and programs are specified in the list of Monitored ports. If non-standard ports or programs are used, add them to the list.

3.2 Mail Anti-Virus

Mail Anti-Virus protects from e-mail threats. Messages are intercepted at the protocol level (POP3, SMTP, IMAP and NNTP), and by embedding into Microsoft Office Outlook (MAPI) [10]. Mail Anti-Virus can detect and block malware programs using virus signatures, heuristic analysis and Kaspersky Security Network. Additionally, Mail Anti-Virus can block or rename e-mail attachments matching specified masks. The Mail Anti-Virus check box enables and disables the Mail Anti-Virus component. The other options, just like in File Anti-Virus, define security parameters and actions.

[9] This parameter is described in detail in Unit I.
[10] The product can also be embedded into The Bat! mail client, which is not widely used.


Actions Mail Anti-Virus can take the standard actions: Disinfect and Delete against detected dangerous objects. Before the disinfection or deletion, a copy of the object is placed in the Backup or Quarantine repository. The files deleted by the attachment filter are also placed into the Backup repository. If an action is performed with an e-mail message, its subject is modified. The action taken is described in the message subject.

Security level

Protection scope

Security settings, among other options, determine the Protection scope. Mail Anti-Virus can cover either
— Incoming and outgoing messages, or
— Incoming messages only
Scanning incoming messages only gives the minimum protection for the computer. Scanning outgoing messages can prevent inadvertently sending an infected file contained in an archive and save the embarrassment. Additionally, scanning of outgoing messages can be used to block transfers of attachments of certain types, for example, music or videos.

Connectivity

The Connectivity group of settings more precisely defines the protection scope:
— POP3/SMTP/NNTP/IMAP traffic—enables scanning of mail and news messages transferred over the specified protocols
— Additional: Microsoft Office Outlook plug-in—enables scanning of objects [11] at the level of the Microsoft Office Outlook client. In addition to scanning received and sent objects, messages are scanned when the user opens them to read
— Additional: The Bat! plug-in—enables scanning of mail messages received or sent via The Bat! [12]

The benefit of scanning at the protocol level is that it operates independently of the mail clients used. On the other hand, messages transferred over unsupported protocols (for example, through Microsoft Exchange or Lotus Notes servers) will not be scanned. Conversely, scanning at the mail client level works regardless of the way the message was received. However, the list of supported mail clients is rather limited.

If the organization strictly limits the applications used, the administrator can disable scanning for unnecessary plug-ins or protocols. In other cases, it is recommended to leave all the settings enabled. Mail Anti-Virus tends to decrease resource consumption rather than increase it: if objects are not scanned by Mail Anti-Virus, they will eventually be scanned by File Anti-Virus anyway.

[11] Not only mail messages are scanned, but also the objects of Public folders and Calendar: any objects received over MAPI from the Microsoft Exchange repository.
[12] A mail client popular in some parts of the world. If you haven't heard of it, never mind.


Scanning methods

These settings concern scanning attached compound files. If archives are attached, they can be unpacked and scanned. This behavior is controlled using three settings:
— Scan attached archives—this setting allows the administrator to fully disable archive scanning. As a rule, it is better to leave this check box enabled and to scan archives "on the fly" using Mail Anti-Virus. It is much easier not to allow any infected archive to penetrate into the mail database than to remove it from the database later using an on-demand scan task
— Do not scan archives larger than NN MB—limits the volume of archives to be scanned. Malware is rarely spread in big files. Enable this limitation to avoid waiting too long when receiving large compound files
— Do not scan archives for more than NN sec.—this option implements protection against "archive bombs", whose scanning requires a very long time and a lot of resources, which slows down the computer


Heuristic analysis The Mail Anti-Virus uses the same heuristic analysis feature as the File Anti-Virus and Virus Scan tasks. It is applicable only to executable files and is performed by starting these files in a special emulated environment (‘sandbox’), where Kaspersky Endpoint Security controls all operations. Analysis level defines how long the file will be supervised in the emulated environment before the verdict is returned.

Attachment filter

These settings concern only attached files. The administrator can:
— Disable filtering—permits all kinds of non-malicious attachments
— Rename specified attachment types [13]—is used by default and renames attachments of executable types (.exe, .bat, .cmd, etc.). This is a preventive measure against unknown malware. The user will not be able to start the attached file without consciously renaming it. This option can also be used to fight outbreaks of new viruses. If names of the attachments used by the virus are known, they can be added to the list and then renamed so that the users are unable to open these attachments as regular files. Renaming can reliably prevent infection. At the same time, if a harmless attachment matches the specified mask, renaming would not cause any serious problems. The user can consult the administrator and receive instructions on how to rename the file back
— Delete specified attachment types—it is a safe way to prevent infections, which can also be used to prevent exchange of files of certain types: for example, music or video files

The list of filters contains the masks of frequently used file extensions. In addition to the extensions, user-defined masks can contain parts of names. "*" and "?" wildcard characters can be used. The added masks will go to the beginning of the list and will be immediately enabled.

[13] Renaming is as follows: the last character of the extension is replaced with the underscore character, e.g., file.exe becomes file.ex_
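The attachment filter modes and the renaming rule from footnote 13, applied to a constructed set of attachment names, as an added example (not Kaspersky code). It shows the three modes side by side, the "outbreak" use of adding a mask (which goes to the front of the list), and a mask that matches part of a name rather than an extension. The default mask list is an assumption, not the product's actual list.

```python
"""Attachment filter modes: disable, rename, delete (added example, not Kaspersky code)."""
from fnmatch import fnmatchcase
from typing import Iterable, List, Tuple

# Assumed default list of executable-type masks (illustrative only).
DEFAULT_MASKS = ["*.exe", "*.bat", "*.cmd", "*.com", "*.scr", "*.js", "*.vbs"]


def add_mask(masks: List[str], new_mask: str) -> List[str]:
    """A newly added mask goes to the beginning of the list and is active at once."""
    return [new_mask] + [m for m in masks if m != new_mask]


def matches(name: str, masks: Iterable[str]) -> bool:
    """Case-insensitive match of an attachment name against * / ? masks;
    a mask may also match a part of the name, e.g. 'invoice_??.*'."""
    lower = name.lower()
    return any(fnmatchcase(lower, m.lower()) for m in masks)


def rename(name: str) -> str:
    """file.exe -> file.ex_ : the last character of the extension becomes '_'.
    A name without an extension is left unchanged."""
    base, dot, ext = name.rpartition(".")
    if not dot or not ext:
        return name
    return f"{base}.{ext[:-1]}_"


def apply_filter(attachments: Iterable[str], mode: str,
                 masks: List[str] = DEFAULT_MASKS) -> Tuple[List[str], List[str]]:
    """Return (attachment names delivered to the user, names deleted) for
    mode in {'disable', 'rename', 'delete'}. 'disable' permits everything."""
    if mode not in ("disable", "rename", "delete"):
        raise ValueError(f"unknown mode {mode!r}")
    kept: List[str] = []
    deleted: List[str] = []
    for name in attachments:
        if mode == "disable" or not matches(name, masks):
            kept.append(name)
        elif mode == "rename":
            kept.append(rename(name))
        else:
            deleted.append(name)          # the copy goes to Backup in the real product
    return kept, deleted


if __name__ == "__main__":
    # Constructed message: two executables, a document, a music file, an outbreak-style name.
    mail = ["report.docx", "setup.exe", "run.cmd", "song.mp3", "invoice_17.pdf.zip"]
    print(apply_filter(mail, "rename"))
    outbreak_masks = add_mask(add_mask(DEFAULT_MASKS, "*.mp3"), "invoice_??.*")
    print(apply_filter(mail, "delete", outbreak_masks))
```

Renaming keeps the user's data (and their ability to recover it with help from the administrator), while deletion is the stricter choice for file types the organization does not want exchanged at all.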


Standard security levels

Protection scope and message scanning parameters can be managed using the Security level switch, which has three standard positions: Low, Recommended and High. Values of these settings at each of the standard levels are tabled below:

Parameter                                    | Low                               | Recommended                       | High
---------------------------------------------|-----------------------------------|-----------------------------------|-----------------------------------
Protection scope                             | Incoming messages only            | Incoming and outgoing messages    | Incoming and outgoing messages
POP3 / SMTP / NNTP / IMAP traffic            | +                                 | +                                 | +
Additional: Microsoft Office Outlook plug-in | +                                 | +                                 | +
Additional: The Bat! plug-in                 |                                   |                                   |
Heuristic analysis                           | Light scan                        | Medium scan                       | Deep scan
Scan attached archives                       |                                   | +                                 | +
Do not scan archives larger than 8 MB        | +                                 |                                   |
Do not scan archives for more than 5 sec     | +                                 |                                   |
Attachment filter                            | Rename specified attachment types | Rename specified attachment types | Rename specified attachment types

If any setting is changed, the security level switches to Custom. If later these settings are set to the values specified in the above table, the level displayed will still remain Custom. To visibly return to the standard security levels, click the By default button.


Configuring Exclusions

Exclusions for Mail Anti-Virus are configured similarly to File Anti-Virus: in the General Protection Settings, Exclusions and trusted zone. In the scan exclusion settings, specify the file name only (wildcards are allowed) to exclude all attachments with matching names from scanning. The same exclusion must also be configured for File Anti-Virus; otherwise File Anti-Virus will still block the received attachments when they are saved or opened.

3.3 Web Anti-Virus

The Web Anti-Virus component performs two important functions:
— Analyzes site addresses and blocks access to phishing and malware-spreading sites
— Scans the objects downloaded over HTTP (objects downloaded over HTTPS are not scanned) and blocks malicious files

Objects downloaded over HTTPS therefore reach the disk unscanned by this component and are checked only by File Anti-Virus when they are saved or run.

Four technologies are used for scanning the links:
— Check against the database of suspicious sites—comparing the address of the site to be opened with the addresses of web resources known for hosting malware, attacking computers or other harmful activities
— Check against the database of phishing sites—similar to the previous check, but against the database of sites on which phishing pages were found
— Heuristic analysis for detecting phishing sites—analysis of the site contents for HTML code characteristic of phishing
— KSN check—addresses of the opened sites are checked against the local KSN cache. Dangerous links are blocked. If the local cache lacks information about the site, a background request is sent to the KSN cloud. The received answer is saved in the local cache and is used for further checks

Downloaded files (and embedded scripts) are scanned using all the available methods: signature and heuristic analysis as well as KSN.
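The link-checking order above, modelled in Python as an added example (not Kaspersky code). It runs the two local database checks and then the KSN cache check for a URL, and makes the asynchronous part of the KSN step explicit: a cache miss only queues a background request, so the first access to a host unknown to the local cache is allowed and the cloud answer protects the next access. The phishing HTML heuristic is left out rather than invented. The host lists and the simulated KSN cloud are constructed.

```python
"""Web Anti-Virus link checks with a local KSN cache (added example, not Kaspersky code)."""
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed local databases (stand-ins for the signature-delivered lists).
MALICIOUS_HOSTS = {"malware-drop.example"}
PHISHING_HOSTS = {"paypa1-login.example"}
# Simulated KSN cloud: the verdict it would return for a host.
KSN_CLOUD = {"newly-bad.example": "dangerous", "example.org": "clean"}


class WebAntiVirusLinkCheck:
    def __init__(self) -> None:
        self.ksn_cache: Dict[str, str] = {}   # host -> "dangerous" | "clean" | "unknown"
        self.pending: List[str] = []          # background requests not yet answered

    def check(self, url: str) -> str:
        """Return 'block:<reason>' or 'allow' for one access to url."""
        host = urlsplit(url).hostname or ""
        if host in MALICIOUS_HOSTS:
            return "block:malicious-db"
        if host in PHISHING_HOSTS:
            return "block:phishing-db"
        verdict = self.ksn_cache.get(host)
        if verdict == "dangerous":
            return "block:ksn-cache"
        if verdict is None and host not in self.pending:
            # Cache miss: ask the cloud in the background; this access is not delayed.
            self.pending.append(host)
        return "allow"

    def deliver_ksn_answers(self) -> int:
        """Simulate the cloud answering the queued requests; returns how many were answered."""
        answered = 0
        for host in self.pending:
            self.ksn_cache[host] = KSN_CLOUD.get(host, "unknown")
            answered += 1
        self.pending = []
        return answered


if __name__ == "__main__":
    wav = WebAntiVirusLinkCheck()
    print(wav.check("http://malware-drop.example/dl"))       # block:malicious-db
    print(wav.check("http://newly-bad.example/payload"))     # allow (cache miss, request queued)
    wav.deliver_ksn_answers()
    print(wav.check("http://newly-bad.example/payload"))     # block:ksn-cache
```

The practical consequence is that the KSN check protects a computer only against hosts that are already in its local cache or are reached a second time; for a never-seen host the downloaded object still has to be caught by the file scan.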


Actions

You can select the action to be taken against all detected dangerous objects:
— Block download [14]
— Allow download

You should select the Block download action in the policy and lock it so that users are not able to download hazardous objects or visit hazardous websites. When the user attempts to open a black-listed web resource or download an infected object, a notification will be displayed in the browser explaining that the download was blocked by Kaspersky Endpoint Security.

Security level

Web Anti-Virus behavior is regulated by only a few settings:
— Check if links are listed in the database of malicious URLs—we recommend that you do not disable this setting. If a website was added to the list of malicious web addresses by mistake, we recommend that you create an exception for it
— Heuristic analysis for detecting viruses—enables heuristic analysis. This is the same analysis as in the File Anti-Virus: executable files are started in the virtual environment and their operations are supervised. The depth of the analysis defines the monitoring time
— Check if links are listed in the database of phishing URLs—this setting is similar to the first parameter and should also remain enabled
— Heuristic analysis for detecting phishing links—enables the use of heuristics when detecting phishing sites. Analysis depth defines which part of the HTML code is analyzed, and which methods are used. At the Deep scan analysis level, scanning time and thoroughness increase
— Limit web traffic caching time—sets the time limit for complete downloading of the object to be scanned (one second). If an object does not download completely in the specified time, Web Anti-Virus will simulate a slow connection and let out small parts while waiting for the whole object to load. If this setting is disabled, Web Anti-Virus will wait until all objects to be scanned are downloaded. This may cause problems with audio and video streams; those web addresses will require exceptions

Web Anti-Virus settings can be modified using the Security level switch. The table below explains how the settings’ values change depending on the level selected:

Parameter                                   Low          Recommended   High
Heuristic analysis for detecting viruses    Light scan   Medium scan   Deep scan
Limit web traffic caching time              +            +             +
Scan archives                                            +             +

Scan archives is a hidden setting. If the Security level is switched into the Low position, in addition to the visible parameter changes, archive scanning is disabled.

The following three parameters:
— Check if links are listed in the database of malicious URLs
— Check if links are listed in the database of phishing URLs
— Heuristic analysis for detecting phishing links (as well as the depth of the analysis)
do not depend on the Security level and do not change the position of the Security level when modified.

[14] The Select action automatically option works the same as Block download.


Configuring exclusions

Three types of exclusions are available for Web Anti-Virus:
— Trusted URLs—are specified on a separate tab of the Security level settings (this list does not change the Security level). The listed site addresses and the objects downloaded from them are not scanned by Web Anti-Virus. "*" and "?" wildcards can be used in web addresses
— Scan exclusions—are configured in the General Protection Settings the same way as exclusions for Mail Anti-Virus
— Trusted applications—just like scan exclusions, they are specified in the Exclusions and trusted zone section of the General protection settings. An exclusion can apply either to all connections established by a program, or only to the specified IP addresses and ports
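Because a Trusted URLs entry switches Web Anti-Virus off for everything it matches, it is worth checking what a wildcard pattern actually covers before locking it into the policy. The following added example (not code from Kaspersky Endpoint Security; how the product itself anchors patterns and treats letter case is not stated in the guide and is assumed here) compiles "*" / "?" patterns into whole-URL, case-insensitive regular expressions and tests them against constructed URLs, including an over-broad pattern that would also exclude a look-alike host.

```python
import re


def trusted_url_pattern(pattern):
    """Compile one Trusted URLs entry. '*' matches any run of characters, '?'
    exactly one character; everything else is literal, so a '.' in a host name
    is not a regex wildcard. Assumed semantics: whole-URL, case-insensitive."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def is_trusted(url, compiled_patterns):
    """True if any entry covers the URL, i.e. Web Anti-Virus would skip it."""
    return any(p.match(url) for p in compiled_patterns)


# Constructed sample exclusion list (example.com / example.net are reserved
# documentation names, not real update servers).
TRUSTED_URLS = [trusted_url_pattern(p) for p in (
    "http://updates.example.com/*",          # anchored: host must end before '/'
    "*://*.example.net/files/?.zip",         # any scheme, any subdomain, 1-char name
)]

# An entry written without the trailing '/' is far broader than intended.
OVERBROAD = [trusted_url_pattern("*example.com*")]


def check(url, patterns=TRUSTED_URLS):
    """Helper for quick review of a URL against a candidate exclusion list."""
    return is_trusted(url, patterns)
```

Running `check("http://updates.example.com.evil.test/x")` returns False for the anchored entry but True for the over-broad one; the trailing slash after the host is what keeps the exclusion from spilling onto look-alike domains.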


3.4 IM Anti-Virus

IM Anti-Virus performs the same tasks as Mail Anti-Virus for instant messaging applications. Supported programs include ICQ, MSN, AIM, Yahoo! Messenger, Jabber, Google Talk, Mail.Ru Agent, and IRC. Instant message text is scanned for:
— Links to phishing and malicious sites
— Infected code (signature and heuristic analysis are used)

IM Anti-Virus does not scan the files sent via IM clients.

Settings

By default, IM Anti-Virus scans both incoming and outgoing messages. Outgoing messages can be excluded from scanning, but there is nothing gained from it, as message scanning does not decrease computer performance in any perceptible way. Other IM Anti-Virus parameters define message scanning methods:
— Check if links are listed in the database of malicious URLs—allows blocking links to the sites known to spread malware (like in Web Anti-Virus)
— Check if links are listed in the database of phishing URLs—that is, block links to phishing sites
— Heuristic analysis for virus source code in message text—regulates heuristic analysis use and its depth when scanning message text for infected code

If a link to a dangerous site or infected code is detected, IM Anti-Virus replaces the text message with the notification about the action taken (blocked link or deleted code). By default, all IM Anti-Virus settings are required (‘locked’). The administrator may choose to unlock them. Overall security level will not decrease even if IM Anti-Virus is disabled because an attempt to open a link to a potentially dangerous web resource will be blocked by Web Anti-Virus, and File Anti-Virus will not allow saving and running malicious code.

3.5 Network Attack Blocker

The purpose of the Network Attack Blocker component is to block network attacks including port scanning, denial-of-service attacks, buffer-overrun attacks and other remote malicious actions taken against the programs and services running on the computer. Network Attack Blocker uses signatures and blocks all connections that correspond to the descriptions of known network attacks. As we mentioned earlier, malware does not necessarily save executable code in the file system in order to infect a computer. For example, malware using a buffer-overrun attack can modify a process already loaded in the memory and thus execute the malicious code. The Network Attack Blocker is the component able to prevent infections from spreading this way. That is why it must be enabled, and its settings must be locked.


Settings

Network Attack Blocker has a few configurable parameters. If the component is enabled, attacks are blocked automatically. Additionally, Kaspersky Endpoint Security can block all packets from the attacking computer for a specified time. The Add the attacking computer to the list of blocked computers option regulates this behavior; by default, it is enabled and blocks computers for 60 minutes. If necessary, a blocked computer can be unblocked manually, but only in the local interface of Kaspersky Endpoint Security.

Special programs that scan network computers to detect vulnerabilities are used in some companies. Their activity resembles network attacks, and the scanning computers may get blocked. To avoid this, add the addresses of the scanning computers to the list of Network Attack Blocker exclusions. Attacks from these addresses will still be blocked, but connections to these addresses will not be blocked entirely.

3.6 Firewall

The Firewall controls connections at the network and transport levels. The control tools are implemented as packet rules. The Firewall analyzes inbound and outbound packets, compares them with the rules and takes one of the two actions:
— Allow
— Block

From the security point of view, the Firewall performs two functions:
— Block unauthorized network connections to the computer, thus decreasing the infection probability
— Block unauthorized network activity of the programs on the client computer. This decreases the risk of an outbreak, and also limits actions of the user that consciously or unconsciously violates the security policy

Settings

The decision about whether a specific packet is allowed or blocked is made based on three lists:
— The list of packet rules
— The list of applications, each with its own list of packet rules
— The list of networks


The order of packet processing

After a network packet is intercepted, the packet rules are applied in the top-down order. Firewall sequentially compares the packet parameters with the specified rules. The packet is processed according to the first matching rule. If none of the packet rules fit, application rules are applied [15]. The list of networks contains no rules and does not directly influence packet processing. It is an additional list that helps conveniently specify the scope for packet and application rules.

Rules for packets

A default policy contains a list of packet rules that provides reasonable security for computers both on and off the corporate network. The standard settings are described in detail at the end of this chapter. Standard packet rules are not hard-coded. The administrator can edit and delete them, or add custom rules. The rules’ order on the list can also be changed to adjust their priority. The higher the rule on the list, the higher the priority. If a packet (or connection) matches several rules from the list, only the first one is applied.

A packet rule contains the following attributes:
— Action—the action taken on the packet to which the rule applies. Three options are available:
  — Allow
  — Block
  — By application rules—the packet is processed according to the rules specified for the application that sends or receives the packet
— Protocol—the following values are available: TCP, UDP, ICMP, ICMPv6, IGMP, and GRE. For TCP and UDP transport protocols you can additionally specify the Local ports and Remote ports. For ICMP and ICMPv6 protocols, ICMP type (for example, Echo Request) and ICMP code are configurable
— Direction—the following values are available:
  — Inbound—applies to all packets transferred within a connection initiated by a remote computer
  — Inbound (packet)—applies to all inbound packets
  — Inbound/outbound—applies to all packets, inbound and outbound
  — Outbound (packet)—applies to all outbound packets
  — Outbound—applies to all packets transferred within a connection initiated by the local computer
— Network adapters—the list of network adapters to which the rule applies. If a packet is received (or sent) through an adapter that is not specified on the list, the rule will not be applied even if the other packet attributes (address, protocol, port) match the rule conditions. If the list is empty, the rule applies to all adapters. To add a network adapter to the list, specify its type, and (optionally) one or a few IP / MAC addresses. Also, specify a name for the adapter. It will be displayed on the list.

[15] Application rules are made so that a packet always fits a rule.


The following adapter types are available:
— Other
— Loopback
— Wired network (Ethernet)
— Wi-Fi network
— Tunnel
— PPP connection
— PPPoE connection
— VPN connection
— Modem connection

For example, you can easily configure a rule that will block any packets sent through Wi-Fi adapters.
— Maximum packet time to live—the packets’ lifetime. Some attacks, unlike normal applications, use packets with an enormous lifetime. To make a rule apply to packets regardless of their lifetime, type 0
— Remote addresses—the list of remote addresses. Possible values:
  — Any address
  — Subnet address—all networks that belong to one of the following categories: Trusted, Local, Public [16]
  — Addresses from the list—the list of remote DNS addresses, IP addresses and subnets to which the rule applies. Any can be specified either in IPv4 or IPv6 format. Additionally, if the computer has several IP addresses, you can specify the local addresses to which the rule applies
— Local addresses—the list of local addresses. Possible values:
  — Any address
  — Addresses from the list
— Remote ports, Local ports—a rule can be narrowed further by specifying the list or range of ports on the local and/or remote computer

For convenience, the protocol, ports and direction can be specified by templates (for example, Any network activity, Browsing web pages, Remote Desktop network activity, etc.). As we mentioned earlier, a rule applies to a packet whose parameters (protocol, direction, address, etc.) fit the rule conditions. Rule application will be registered in the Firewall log if the Log events check box is selected.

[16] Network statuses are described in detail later in this chapter.


Rules for applications

Rules for applications are similar to the rules for packets, but have an additional attribute: the name of the executable file that sends or receives the packet on the local computer. By default, the Firewall categorizes each program started on the client computer:
— Trusted
— Low Restricted
— High Restricted
— Untrusted

The category is selected based on the KSN information. If KSN servers cannot be contacted or the information about the program is missing in KSN, the category is selected using a special heuristic algorithm [17]. Also, three standard network rules for applications with the following attributes are created for each running program:
— Any network activity in Trusted networks
— Any network activity in Local networks
— Any network activity in Public networks

For programs from the Trusted and Low Restricted groups, all three rules use the Allow action by default, and for programs from the High Restricted and Untrusted groups—the Block action. Standard rules cannot be deleted or modified, except for the Action attribute, which can be changed by the administrator. Regarding the processing of network packets, even if the packet does not match any of the packet rules, there is always an applicable rule for applications. So, regardless of the specified settings, there is always a rule used, where the Firewall can either allow or block the packet.

[17] Application trust categories are described in detail in Unit III together with the Application Privilege Control.


Managing rules for applications in the policy

Rules for applications are managed differently from other policy settings in Kaspersky Endpoint Security. The problem is that the set of programs started on the managed computers eventually changes. That is why it is impossible to list all the necessary programs, specify rules and enforce the settings for them. To best manage this, rules for applications are specified at the trust group level (Trusted, Low Restricted, etc.) within the policy. As a result, the administrator sets rules for groups in the policy, and the Firewall on the client computer defines the program trust group and applies the group’s rules to the program. Rules for groups are the same as rules for applications. That is, the list contains three standard rules Any network activity for Trusted, Local and Public networks, where only the action can be changed, and the administrator can add other rules at their discretion.

If general rules for groups are not enough, the administrator can explicitly specify rules for specific programs in the policy. Click the Add button, then in the window that opens select All Time for the period field and click the Refresh button. The list of programs will show all the programs found on client computers. Kaspersky Endpoint Security gathers this information on all network computers and transfers it to the Administration Server during synchronizations [18]. To find the necessary program, you can filter them by name, manufacturer, trust group or the time when the program was added to the list.

Networks

To be able to conveniently configure rules for packets and applications, you can assign statuses to networks. This allows the administrator to specify a network status instead of specifying all networks explicitly when setting up filtering rules. A network can have the following statuses:
— Trusted
— Local
— Public

If a subnet status is specified instead of an address in a packet rule, it is checked whether the packet is related to at least one subnet having this status. If yes, the rule is applied to the packet.

[18] Unit III explains how the information on the executable files is gathered.


The local list of networks contains the list of all network connections. Kaspersky Endpoint Security receives information about them from the operating system. Kaspersky Security Center automatically detects the status of these networks. If necessary, it can be modified manually, but only in the local interface of Kaspersky Endpoint Security. Also, the list of locally detected networks includes a special Internet network that has address 0.0.0.0/0, which covers all addresses (includes any other network) and has a permanent status of Public network. So, any packet is related to at least one network.

After the policy is enforced on the client computer, the list of networks specified in the policy is matched against the list of networks detected by Kaspersky Endpoint Security locally. If a locally detected network coincides with or is included as a subnet in a network specified in the policy, its locally detected status is ignored when processing packets and the status from the policy applies. For example, the policy might contain a single network entry for 172.16.0.0/16 with the Local network status. And a managed computer might have two interfaces configured to use networks 172.16.55.0/24 and 192.168.5.0/24 respectively. Let’s say Kaspersky Endpoint Security automatically assigned the Public status to both these networks. Now when the local networks are combined with the policy, the status of the 172.16.55.0/24 network effectively becomes Local network, because there is an entry in the policy for network 172.16.0.0/16 that includes 172.16.55.0/24. On the other hand, the 192.168.5.0/24 network retains its Public status because there is no matching entry in the policy.

In the default policy settings, there are three network entries, all of which are assigned the Local network status:
— 172.16.0.0/12
— 192.168.0.0/16
— 10.0.0.0/8

These are reasonable choices for the computers that are inside the perimeter; however, they should be reconsidered for computers outside the perimeter, e.g., those connecting via VPN or laptop computers on a business trip.

Standard filtering rules

A standard policy does not contain rules for applications (except for the standard ones specified for the trust groups). That is why, by default, the ultimate network status and application trust level are defined locally in the Firewall. Packet rules are inherited from the policy, and accordingly, packets are filtered as follows:
1. The first three rules regulate the capability to send DNS requests (over TCP and UDP protocols, external port 53) and e-mail (over TCP protocol, external ports 25, 465, 143, and 993). The By application rules action is selected in these rules, that is, programs from the Trusted and Low Restricted groups will be able to send DNS requests and e-mail, while the others will not
2. Rule number 4 allows any network activity within trusted networks to all programs. So, in trusted networks, any activity is allowed by default, except for DNS and e-mail limitations for Untrusted and High Restricted programs
3. Rule number 5 defines packet processing within the Local networks. Such packets are processed by application rules. According to the default application rules, the programs from the Trusted and Low Restricted groups have no limitations in local networks, while High Restricted and Untrusted have no access
4. The rest of the rules effectively regulate program behavior in the Public networks, since all packets from Trusted and Local networks are processed one way or another by the above rules. First, there is a group that blocks remote desktop connections to the computer from public networks, and also blocks connections to the local DCOM service, NetBIOS packets, access to Windows shared folders, and access to Universal Plug & Play devices
5. The following two rules apply rules for applications to inbound TCP and UDP streams (connections). Again, considering the default application rules, this means Trusted and Low Restricted applications can receive incoming connections from Public networks, whereas High Restricted and Untrusted applications cannot
6. The remaining 5 rules block inbound diagnostic ICMP requests, while allowing ICMP packets to be sent to test connection to remote computers

To sum it up, we can say that in Trusted networks, any activity is allowed for all programs. In Local and Public networks, only Trusted and Low Restricted programs may exchange packets; in public networks, access to some computer services is additionally blocked (see item 4). Most network applications are automatically included in either Trusted or Low Restricted groups, and are allowed to exchange data over the network.
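The decision order described in this section (packet rules top-down with the first match winning, By application rules deferring to the trust group's three standard rules, no matching packet rule also deferring to them, and the network status of an address taken from the policy entry that contains the locally detected network, with the 0.0.0.0/0 Internet entry as a permanent Public fallback) is easier to verify on concrete packets than in prose. The following is an added Python model, not Kaspersky Endpoint Security code: the rule list is a simplified stand-in for the default packet rules summarised above, port 3389 for Remote Desktop and the manually assigned 10.10.0.0/16 Trusted network are assumptions, and the addresses are constructed sample data. It also replays the 172.16.0.0/16 example from the Networks subsection.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

TRUSTED, LOCAL, PUBLIC = "Trusted", "Local", "Public"
ALLOW, BLOCK, BY_APP = "Allow", "Block", "By application rules"
INTERNET = (IPv4Network("0.0.0.0/0"), PUBLIC)  # covers every address, always Public

def merge_networks(local_nets, policy_nets):
    """A locally detected network that coincides with or lies inside a policy
    network takes the policy status; the others keep their local status."""
    merged = []
    for net, status in local_nets:
        for policy_net, policy_status in policy_nets:
            if net.subnet_of(policy_net):
                status = policy_status
                break
        merged.append((net, status))
    return merged + [INTERNET]

def statuses_of(ip, nets):
    """Statuses of every network containing ip; never empty because of INTERNET."""
    return {status for net, status in nets if IPv4Address(ip) in net}

@dataclass
class Packet:
    protocol: str               # "TCP", "UDP" or "ICMP"
    direction: str              # "Inbound" or "Outbound"
    remote_ip: str
    remote_port: int = 0
    local_port: int = 0
    app_group: str = "Trusted"  # trust group of the program sending/receiving it

@dataclass
class PacketRule:
    name: str
    action: str
    protocols: set = None        # None = any protocol
    direction: str = None        # None = inbound and outbound
    remote_status: str = None    # "Subnet address" condition; None = any address
    remote_ports: set = None
    local_ports: set = None

    def matches(self, pkt, nets):
        checks = [
            (self.protocols, pkt.protocol in (self.protocols or ())),
            (self.direction, pkt.direction == self.direction),
            (self.remote_ports, pkt.remote_port in (self.remote_ports or ())),
            (self.local_ports, pkt.local_port in (self.local_ports or ())),
            (self.remote_status, self.remote_status in statuses_of(pkt.remote_ip, nets)),
        ]
        # A condition left empty (None) does not restrict the rule.
        return all(ok for cond, ok in checks if cond)

# Three standard application rules per trust group, checked in this order; only
# the action differs (Allow for Trusted/Low Restricted, Block for the other two).
DEFAULT_GROUP_RULES = {
    group: [(TRUSTED, act), (LOCAL, act), (PUBLIC, act)]
    for group, act in (("Trusted", ALLOW), ("Low Restricted", ALLOW),
                       ("High Restricted", BLOCK), ("Untrusted", BLOCK))
}

def apply_application_rules(pkt, nets, group_rules=DEFAULT_GROUP_RULES):
    present = statuses_of(pkt.remote_ip, nets)
    for status, action in group_rules[pkt.app_group]:
        if status in present:
            return action, f"application rule: any activity in {status} networks"
    raise AssertionError("unreachable: INTERNET guarantees a Public match")

def decide(pkt, packet_rules, nets, group_rules=DEFAULT_GROUP_RULES):
    """Packet rules top-down, first match wins. 'By application rules' and
    'no packet rule matched' both defer to the trust group's rules."""
    for rule in packet_rules:
        if rule.matches(pkt, nets):
            if rule.action != BY_APP:
                return rule.action, rule.name
            return apply_application_rules(pkt, nets, group_rules)
    return apply_application_rules(pkt, nets, group_rules)

# Simplified stand-in for the default packet rules (constructed; port 3389 for
# Remote Desktop is an assumption, the chapter does not name a port).
STANDARD_PACKET_RULES = [
    PacketRule("DNS", BY_APP, {"TCP", "UDP"}, remote_ports={53}),
    PacketRule("E-mail", BY_APP, {"TCP"}, remote_ports={25, 465, 143, 993}),
    PacketRule("Any activity in Trusted networks", ALLOW, remote_status=TRUSTED),
    PacketRule("Any activity in Local networks", BY_APP, remote_status=LOCAL),
    PacketRule("Block inbound Remote Desktop from Public networks", BLOCK, {"TCP"},
               "Inbound", remote_status=PUBLIC, local_ports={3389}),
    PacketRule("Inbound TCP/UDP streams", BY_APP, {"TCP", "UDP"}, "Inbound"),
    PacketRule("Block inbound ICMP Echo Request", BLOCK, {"ICMP"}, "Inbound"),
    PacketRule("Allow outbound ICMP", ALLOW, {"ICMP"}, "Outbound"),
]

# Constructed sample data replaying the chapter's example: the policy lists
# 172.16.0.0/16 as Local; the computer detected 172.16.55.0/24 and 192.168.5.0/24
# as Public. 10.10.0.0/16 Trusted stands for a status set manually on the client.
POLICY_NETWORKS = [(IPv4Network("172.16.0.0/16"), LOCAL)]
LOCAL_NETWORKS = [(IPv4Network("172.16.55.0/24"), PUBLIC),
                  (IPv4Network("192.168.5.0/24"), PUBLIC),
                  (IPv4Network("10.10.0.0/16"), TRUSTED)]
NETS = merge_networks(LOCAL_NETWORKS, POLICY_NETWORKS)
```

With these inputs, an Untrusted program sending DNS to 172.16.55.10 is blocked by the Local-network application rule (the policy entry overrode the locally detected Public status), the same program talking to 192.168.5.7 on port 443 matches no packet rule at all and is blocked by its Public application rule, and an inbound connection to local port 3389 from 203.0.113.5 is blocked by the packet rule regardless of the program's trust group.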


Chapter 4. System Monitoring

4.1 System Watcher

This chapter is devoted to the System Watcher component, which plays the main role in Proactive Defense. Proactive Defense is a general term for the components and technologies that either prevent new infections (those that have yet to be added to the anti-malware databases and Kaspersky Security Network), or minimize the consequences if new malware programs manage to infect a computer. Of the components described in the previous chapters, Proactive Defense incorporates Heuristic Analysis. The Control Components, which also take part in this area of protection, are described in the next Unit of our course.

Purpose and Principles

System Watcher performs several functions:
— Logs application activity for comparison with the behavior signatures database
— Detects malware programs and blocks their actions
— Rolls back actions of the malware detected by other components (File Anti-Virus and scan tasks)

Malware detection is the main task. For this purpose, System Watcher monitors program actions and compares them with dangerous activity patterns: so-called Behavior Stream Signatures (BSS). The BSS database is updatable, but its updates are relatively rare. However, the efficiency of the System Watcher does not depend on frequent database updates. Various components gather data about application activity for the System Watcher:
— The main information source is the klif.sys driver that intercepts file operations (the one used by File Anti-Virus). The driver gathers information about file operations and the changes made to the registry
— Firewall gathers information about network activity of applications
— System Watcher has its own module that reacts to complicated system events: installation of drivers, hooks, etc.


Settings

System Watcher has a few settings which correspond to enabling or disabling the abovementioned task components:
— Enable Exploit Prevention—protects from various attacks (exploits) whose aim is to receive administrative permissions in the system or conceal code execution. Exploits typically use buffer overflow attacks. Incorrect parameters are passed to a vulnerable program or service, which processes them and therefore executes some parameters as code. Specifically, such attacks against system services running under the local system account enable the criminals to receive administrative permissions on the computer. Typically, malware tries to start itself under the administrator account as a result of such an attack. When this option is enabled, start operations are monitored and if a vulnerable program starts another program without the user’s explicit command, the start is blocked.
— Log application activity for the BSS database—this parameter regulates whether the program activity log is saved on the hard drive. Log storing allows improved detection, as activity analysis can consider all the program actions, including those performed before the last system start. The maximum log size is about 200 MB
— Do not monitor the activity of applications that have a digital signature—not to log events of those programs that either have a valid digital signature or have the Trusted status in the KSN
— Roll back malware actions during disinfection—roll back actions taken by the programs deleted by File Anti-Virus or scan tasks or quarantined by System Watcher. Rollback means rolling back the changes made to the file system (creating, relocating, renaming files) and registry keys (the records created by the malicious program are deleted). Also, a backup copy of some files and keys is created at the time of the system start, which allows rolling back to this version, if a virus makes changes to these files and keys. These special objects include hosts and boot.ini files and registry keys responsible for starting programs and services during the system start. This option also recovers the files encrypted by malware (so-called cryptolockers).
— Use behavior stream signatures (BSS)—detect dangerous behavior using updatable patterns of malicious activity and take one of the following actions:
  — Skip—do nothing, only record the detection of malicious activity in the report
  — Terminate the malicious program—stop the malware and unload it from the memory
  — Move file to Quarantine—stop the program and move its executable file into the Quarantine repository
  — Select action automatically—the same as Move file to Quarantine

Exclusions

If dangerous activity is detected in the actions of a known good program, the administrator can configure an exclusion rule for the System Watcher. Exclusions are configured in the Exclusions and trusted zone using two methods:
— Trusted applications—disables detecting malicious activity in the program actions
— Scan exclusions—specifies the type of activity to be allowed for the program. In this case, if dangerous actions of another type are detected, System Watcher will react as usual.

To exclude an application from the System Watcher’s scope, select the following checkboxes:
— Do not monitor application activity—not to react to the actions performed by the application
— Do not monitor child application activity—not to react to the actions performed by the application’s child processes


4.2 BadUSB Attack Prevention

What is a BadUSB attack?

A BadUSB attack is when a device takes some actions without the user’s consent. Criminals replace the firmware of a USB flash drive and the operating system perceives it not only as a flash drive, but also as a keyboard. The operating system connects USB keyboards automatically, and the user is unlikely to notice this. Meanwhile, the malicious drive will be able to send keystrokes and commands to the operating system and thus take malicious actions.

How to enable protection against BadUSB attacks?

BadUSB Attack Prevention is a special component of Kaspersky Endpoint Security 10 SP1 for Windows. To enable protection, install the component. It is not included in the Standard installation of Kaspersky Endpoint Security; you need to select it in the properties of the KES package. Alternatively, you can install BadUSB Attack Prevention using the Change application components task. The BadUSB Attack Prevention settings are located in the Advanced Settings \ Protection settings section of the Kaspersky Endpoint Security policy. There are two of them:
— Prompt for USB keyboard authorization upon connection—the user will need to authorize all the new USB keyboards. Is enabled by default
— Allow use of On-Screen Keyboard for authorization—enables the users to authorize devices via a visual keyboard displayed on the screen. Is disabled by default

What is the user to do?

If the BadUSB Attack Prevention component is installed and the “Prompt for USB keyboard authorization upon connection” option is selected in its settings, it works as follows. If a new USB keyboard is connected to the computer, Kaspersky Endpoint Security prompts the user to authorize it. The user must enter a 4-digit code generated by Kaspersky Endpoint Security from the connected device. If a real keyboard has been connected, the user will easily enter the code and Kaspersky Endpoint Security will not block the keyboard. If the user has connected a malicious device that pretends to be a keyboard, he or she is also prompted to enter a code. But if it is a malicious flash drive, it does not have keys, and the user will not be able to enter the code from it. Kaspersky Endpoint Security will block such a device.

There are also input devices that have a few buttons but no keys from which digits could be entered. For example, presentation clickers that only have left/right buttons. To allow users to authorize such devices, enable the use of the on-screen keyboard. However, the users must behave cautiously and authorize only the devices they are confident of. USB flash drives found on the street must not be authorized. The keyboards that had already been connected before BadUSB Attack Prevention was installed need not be authorized; they are automatically treated as trusted.


Chapter 5. Threat Diagnostics

This chapter describes the tools that help the administrator receive information about infected objects detected on client computers, spot weak points of the protection system and adjust the settings accordingly.

5.1 Event Generation and Transfer

Local detection events

Kaspersky Endpoint Security logs the information about detected infected objects as events. Each detection involves a chain of events concerned with the object processing, for example:
— Threats have been detected
— A backup copy of the object is created
— Disinfection impossible
— Object deleted

The Reports window allows viewing events locally. Events are grouped by components and tasks, for example, File Anti-Virus events are separated from Virus Scan Task or Firewall events.

Events in the Administration Console

In the Administration Console, events can be viewed within the computer properties. Here they are shown as a common list instead of being grouped by components and tasks. However, if necessary, you can filter them and view only the events of the necessary component or task.


A more general list of events that contains events from all computers is available on the Events tab of the Administration Server node. Events are sorted by severity level here. Detection events are Critical, while virus incident processing results may fall into the Warning or Info category. In order to analyze the history of object processing, it is logical to view all types of events in chronological order within the Recent events selection.

5.2 Centralized Processing of Detection Events

The Administration Console provides several tools designed for various purposes in the management of events: reports, selections, and statistics.

Reports

Viruses report

The Viruses report shows statistics of processing the malware detected on the managed computers: how many objects were treated, how many blocked (by Web Anti-Virus), how many deleted and how many still remain unprocessed. It also shows the number of dangerous objects whose processing results are unknown. These statistics are available for each type of malware. The Viruses report can show which malware KES detected using KSN, and which threats were detected using traditional tools (anti-malware databases and heuristics). To be able to see this information, add the By KSN verdict column to the Details table. In order for the administrator to be able to properly use the report, it is vital that the information about all results of the actions taken against malware be sent to the Administration Server. Unit IV Maintenance explains how to set up events, reports and other reporting tools in more detail.

Most infected computers This report shows how many dangerous objects were found on the network computers. Computers most often infected are included in the chart. The others are listed in the Summary table. If some computers got infected considerably more than others, it might be worthwhile to find the reason and take appropriate measures. Computer protection may be weakened because of the absence of security updates; this problem is easily solved by installing the updates. Another possible reason for detecting numerous viruses is the computer’s role. For instance, it could be used as a temporary workstation for visiting employees. In this case it might be worthwhile to tighten the protection parameters.


Users of infected computers
This report provides information about those users whose actions resulted in a great number of malware detections. It is similar to the ‘Most infected computers’ report. If some users get infected considerably more often than others, it might be worthwhile to find the reason and give them some guidance.

Network attack report Another report that shows the network protection status is the Network attack report. It shows which attack types were detected, and more importantly, the IP addresses of the attacking computers. Knowing the address, the administrator can investigate the incidents and better solve the problem. The Network attack report is not created by default, but it can easily be created. New reports are created using a special wizard that can be started from the shortcut menu of the Reports and Notifications node. There you can specify the template name and select the report type, and then, depending on the selected type, the reporting period and the computers to be covered.

Anti-Virus statistics
Statistics pages present charts and tables similar to the reports. Statistics are displayed on the corresponding tab of the Administration Server node. In the upper part of the statistics tab, there are tabs for switching between the statistics pages. Each page consists of several information panes, which show aspects of protection status. The detected threats are displayed on the Anti-Virus Statistics page, which by default contains 4 panes:
— Virus activity history—malware detection time distribution. By default, the last 24 hours are displayed. To modify this period, click the icon in the chart properties
— Most frequent viruses—the chart that shows the viruses that are most frequently detected on client computers
— Computers infected most often—the chart that shows the most often infected network computers (similarly to the Most infected computers report)
— Users causing infection most often—the chart that shows the users with the most virus detections (similarly to the Users of infected computers report)


Anti-Virus Statistics also includes other information panes, which are not displayed by default, but may be added using the page properties. The following are some notable chart panes that are available: — History of network attacks—allows quickly assessing the situation with network attacks over a period of time — Quarantine history—considering the fact that there are no reports about suspicious files, this statistics pane is the only tool that allows studying the situation with suspicious objects detected in the network — Most frequent incurable viruses—shows which types of viruses involve most problems, which is especially handy when the protection system is deployed in an infected network

Virus outbreak In addition to threat detection events on managed computers, Kaspersky Security Center has the server-level event Virus outbreak. This event is registered if many viruses are detected in the network over a short period of time. The Virus outbreak event registration parameters are specified in the Administration Server properties. A virus outbreak means that an epidemic may spread or is already sweeping through the network. To help prevent further virus spread over the network, it might be worthwhile to temporarily tighten protection parameters, for example, allowing network connections only to trusted programs. For this purpose it is necessary to create a policy with strict protection parameters in advance, and designate it in the properties of the Virus outbreak event: open the Administration Server Properties and in the Virus outbreak section, click the Configure policies to activate on “Virus outbreak” event link. In addition to policies, tasks can be started when the Virus outbreak event is registered (they have a special schedule option On virus outbreak for this purpose). For example, a task can update anti-malware databases, and then a chained task can scan system folders, system memory and startup objects on the managed computers.


5.3 Threat Processing Statuses Threat detection and their processing results define the computer status in the Administration Console: OK, Warning or Critical. This allows the administrator to easily notice problematic computers when looking through the groups. The OK status corresponds to a green icon, the Warning icon is yellow, and Critical is red.

Statuses connected with threat processing
There are many criteria for assigning a status to a computer, but only two of them are connected with malware detection:
— There are unprocessed objects
— Many viruses detected

There are unprocessed objects This status is assigned to computers where malware programs were detected and were not cured. The Unprocessed files category can be comprised of widely different objects. It can be a virus in memory, which actively counters the attempts to delete it. Or it can be a malicious file in an old archive detected by an on-demand scan task where automatic processing of objects is disabled. Or it can be an infected object on a network drive where Kaspersky Endpoint Security has no Write permission to disinfect or delete the file. In other words, any dangerous object that was not deleted or disinfected and is still located where it was detected is considered to be unprocessed. Potentially, it can be an active infection that requires attention. That is why an unprocessed object is a potentially more important incident than detected viruses. If all detected objects were automatically deleted, there is typically no problem. To reset this status, neutralize the detected objects. If an object cannot be disinfected, for example, because it cannot be accessed, just delete the corresponding record from the list of unprocessed objects in the local interface of Kaspersky Endpoint Security and the status will change.

Many viruses detected This status is related to the virus counter parameter. Every time malware is detected on the computer, the counter increases its value by 1. The counter value is transferred to the Administration Server during the synchronization. The status is activated if the virus counter value exceeds the specified threshold. By default, the Many viruses detected status is disabled. Since the virus counter can only increase without interference from outside, the only method of changing this status is to manually reset the counter. To do it, on the shortcut menu of the computer, click All tasks, Reset Virus Counter.

Global statuses and selections If at least one of the managed computers receives either There are unprocessed objects, or Many viruses detected status, the global Protection status also changes on the Monitoring tab of the Administration Server node. The cause of the status change is displayed in the same area. If there are computers with both statuses in the network, the Protection area will show the There are unprocessed objects status, which is more critical. The global status description displayed in the Protection area is a link that opens the selection of computers having the respective status.


A selection is a temporary association of computers selected by an attribute. The standard selections There are unprocessed objects and Many viruses detected, just like the other selections, are created automatically when the Administration Server is installed. You can take group actions on the computers joined into a selection, for example, start update and search tasks, reset virus counters, move into a group, etc. So, selections are very useful when dealing with the computers having a problem status.


5.4 Repositories
Local repositories
Backup
Before malicious objects are removed or disinfected, they are copied to the Backup repository. This is done as a precaution in case a removed file needs to be restored, for example, for additional analysis. The copies are stored in the %ProgramData%\Kaspersky Lab\KES10SP1\QB folder of Kaspersky Endpoint Security. Copies of dangerous files are encoded, which is why, when the drive is scanned by Kaspersky Endpoint Security or any other antivirus, the malicious code is not detected in them. The objects can be recovered or deleted from the Backup repository. Also, all objects are automatically deleted from the repository after 30 days by default. You can change the default store time and also set a size limit on the storage in the Reports and Storages section of the policy. For details, see the “Object storage settings” section below.

Quarantine The suspicious objects detected are quarantined. Usually these objects are malicious, but until the corresponding records are added to the signature database, one cannot know that for sure. Quarantine is a repository similar to the Backup repository and resides in the same folder on the hard drive. The object storage time and repository size limit are specified for both repositories together. The administrator can recover or delete an object stored in Quarantine, similarly to the Backup repository. Additionally, the administrator can manually quarantine an object if it seems suspicious. This simplifies watching over the object. It will be scanned again after every update, and if new databases help to detect malicious code in it, the administrator will know it right away.

Unprocessed files The objects that were detected but were not disinfected are called unprocessed. Their hazard levels vary greatly. It can be a virus in the system memory that blocks the attempts to delete its file from the drive, or an infected file detected by on-demand scan task in an old archive, for which the Skip action was selected. The list of unprocessed objects is not a storage similar to the Backup repository or Quarantine. The detected objects remain in their locations and the list displays only the information about them. If you want to try disinfecting or deleting an unprocessed object, click Re-scan on its shortcut menu. This attempt may succeed if the object is regarded to be an unprocessed object because the Skip action was selected for it. But if it is a virus in the memory, chances are that neither disinfection nor removing will succeed. In this case the administrator can open the file’s location using the Open folder where file was initially located command, and try to deal with it using special utilities.


Another available action, Delete, can be taken for the objects that cannot be processed by Kaspersky Endpoint Security for another reason. For example, if the object is located in a network folder for which the antivirus has no write permissions.

Object storage settings The objects’ lifetime is specified in the policy. To change it, open the Reports and storages section, and in the Quarantine and Backup area modify the Store objects not longer than setting. For most computers, it is enough to limit the length of storage time. If the objects in the repository still consume too much drive space, you can additionally enable the Maximum storage size parameter. The default repository size limit is 100 MB.

Centralized repositories
Management model
It would be cumbersome if unprocessed and repository objects were only available locally. On the other hand, if all of the objects were sent to the repository on the Administration Server, it would create extra traffic and set additional requirements for the Administration Server disk space. Kaspersky Security Center uses another approach: only information about local repositories and unprocessed objects is sent to the Administration Server, so that the administrator can see details about these objects in the Kaspersky Administration Console and issue commands for processing them. The commands are sent to the related client computer where they are executed. Sending information about local objects is controlled by the Kaspersky Endpoint Security policy. The Reports and Storages section allows selecting the types of information to be sent to the Administration Server along with the parameters that limit repository size and object storage time. The area is named Inform Administration Server, and the parameters independently enable or disable sending information on every category of objects:
— Files in Quarantine
— Files in Backup
— Unprocessed files
In the standard policy, information sending is enabled for all objects.

Objects’ representation In Kaspersky Administration Console, the information about locally stored objects is represented in the Advanced | Repositories node. Every category of objects has the corresponding repository: Backup, Quarantine and Unprocessed files.


The Administration Console shows more information on the objects than the local interface. With the default settings, the following data is displayed for every object:
— Computer where the object was detected and is stored
— Name of the file
— Status of the object, for example, Infected, Suspicious, Placed by user, or Deleted
— Current action, if the administrator has sent a command to scan, recover or delete the object
— Date of placement of the object to the repository (or to the list, in the case of unprocessed files, which are not moved anywhere)
— Virus name (the column title is Object)
— Size of the object, in bytes
— User logged on to the system when the object was detected
— Restoration folder, that is, the full path to the object’s original location
— Description added by the administrator for this object in Kaspersky Administration Console

The description can be added in the object properties window. Also, this window compactly represents the complete information on the object.

Processing objects The Administration Console allows taking the same actions with objects as the local interface. The command is just transferred to the client computer, and the current action is displayed in the corresponding column until the command results are received. Let us cover the actions that cannot be performed from the console. First, you cannot manually quarantine a file. However, you can do this from the local antivirus interface. Second, you cannot scan an individual quarantined file. You can only scan all quarantined objects on the computer. Actually, the Scan Quarantined Files command runs the system task for scanning the quarantine storage. It is a hidden task that also starts after updates, if the corresponding option is enabled. This task is neither visible in the local interface, nor in Kaspersky Administration Console. Its existence is revealed only in the local reports. Also, you cannot open the folder where an unprocessed file is located. However, some actions are available in the console that may provide additional information on an object moved into the repository. These actions are Go to computer and Computer properties. The former opens the group to which the computer with the corresponding object belongs. The latter opens the properties of this computer without leaving the repository. From the computer properties, you can open the list of latest events on this computer and have an overview of the incident context. It is especially important for unprocessed files. If computer events show that the Skip command was applied to the file, simply initiate the Disinfect command. On the other hand, if the events show that disinfection and deletion have already been attempted in vain, this can likely be an active infection and the incident needs close attention.

Searching for the objects The number of objects in the centralized storages, depending on the network size, may reach tens of thousands, and searching for an object or a group of objects might be challenging. The filtering parameters above the list come in handy here. The administrator can search by object status (suspicious, disinfected, false positive etc.), performed action and a word or a part of word in the object description. For example, you can search by the virus name or a part of the file name or computer name.


Chapter 6. Protection Status Diagnostics
The main tools for monitoring the general protection status are the statuses and their respective selections, reports and statistics. In addition to the statuses related to threat detection, there are other computer statuses that indicate its protection. Computer status is set based on the information transferred during the synchronization with the Administration Server and does not depend on the events.

6.1 Computer Statuses and General Statuses
Possible statuses
The following statuses define the computer protection status:
— Kaspersky Anti-Virus is not installed
— Real-time protection level is different from the level set by the administrator
— Not scanned for a long time
— Protection is disabled
— Kaspersky Anti-Virus is not running

Virus scan status There is a status called Not scanned for a long time. By default, a computer receives the Warning status in 7 days after the last antivirus scanning, and the Critical status in 14 days. The date of the last antivirus scanning is shown in the computer properties, in the Protection section. The scan date is updated by any virus scan task that scans local drives or the entire computer. The default group task created by the Quick start wizard does not do this.

Real-time protection status
There are two conditions connected with real-time protection that may influence the computer status:
— Real-time protection level is different from the level set by the administrator—this condition can be used for assigning the Warning and Critical statuses, but is disabled by default
— Protection is off—this condition is used only for the Critical status and is enabled by default
Let us examine how these two conditions work. Protection is considered to be running in Kaspersky Endpoint Security 10 if at least one protection component works: File Anti-Virus, Firewall, System Watcher, or any other. The protection is considered to be off only if none of the installed protection components is running. Control and Encryption components are not taken into account.


As far as the real-time protection status is concerned, there are two values: Running or Stopped. In old versions of Kaspersky Anti-Virus, there was one real-time protection task instead of a set of protection components; in addition to the two mentioned statuses, it could be paused, and it could have several security levels, including custom. Kaspersky Endpoint Security 10 omitted all those features. The Real-time protection level is different from the level set by the administrator condition is configurable. The administrator can select the statuses to be considered “normal”, and this condition will change the computer status if its real-time protection status differs from the selected values. The settings include three values: Stopped, Paused and Running. The Paused value can be ignored, because it is not used in Kaspersky Endpoint Security 10. All things considered, the only reasonable configuration for this condition is to select the Running status; in this case the Real-time protection level is different from the level set by the administrator condition will work the same as the Protection is off condition. That is why only the Protection is off condition is enabled by default, and the other condition is disabled. If the administrator disables the Protection is off condition and enables the Real-time protection level is different from the level set by the administrator condition, he or she will be able to select the status to be given to the computer when the condition is met: Warning or Critical. Also, the status description provided for the latter condition contains more details. Protection can be disabled for the following reasons:
— Failure—the status description in the Protection section of computer properties is: "Real-time protection status is 'Stopped' though it should be 'Running'." The administrator should employ diagnostic tools to deal with failures.
— The components are stopped by the user—it means that either the computer is not controlled by the policy, or the start of the components is not required in the policy settings (the locks are not closed). To solve this issue, make sure that the policy is correctly configured and applied to the computer.
— The components are stopped by the administrator—it is not a problem if planned.
If the Protection is off condition is used, the same status description will be shown in all three described cases. In contrast, if the Real-time protection level is different from the level set by the administrator condition is used, the status description will specify whether protection is just stopped or does not work as a result of a failure.

Kaspersky Anti-Virus is not running
The Kaspersky Anti-Virus is not running status is one of the most critical protection statuses. To solve this problem, carry out the command for the Network Agent to start Kaspersky Endpoint Security on the Applications tab of the computer properties. Another method of starting KES is the Start or stop application task. This task is an advanced task of Kaspersky Security Center that can be created both for groups and for specific computers.


A group task is convenient if the Virus outbreak event is registered: it can start protection on all network computers in case the protection is stopped somewhere. A task for specific computers can better serve the purpose of rectifying the status. You can create a selection of the computers where Kaspersky Endpoint Security is not running, and then a task for specific computers to start protection.
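The status rules from sections 5.3 and 6.1 (the Not scanned for a long time thresholds, the Protection is off and real-time protection level conditions, unprocessed objects, the virus counter, and the global Protection area with its selections), as an added Python model that is not Kaspersky code; it runs over constructed synchronization snapshots, and the values the guide does not state (the virus counter threshold and the levels of the unprocessed-objects, many-viruses and not-running statuses) are assumptions marked as such.

```python
# Added example, not Kaspersky code: the computer status rules from sections 5.3 and
# 6.1 as a small model over constructed snapshots. Values the guide omits are ASSUMED.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple

OK, WARNING, CRITICAL = "OK", "Warning", "Critical"   # green, yellow, red icons
_RANK = {OK: 0, WARNING: 1, CRITICAL: 2}

# Components that count for the Protection is off condition; Control and
# Encryption components are not taken into account (section 6.1).
PROTECTION_COMPONENTS = frozenset({"File Anti-Virus", "Mail Anti-Virus", "Web Anti-Virus",
                                   "IM Anti-Virus", "Firewall", "Network Attack Blocker",
                                   "System Watcher"})

@dataclass
class Snapshot:
    """What one computer reports during synchronization (constructed data)."""
    name: str
    kes_running: bool = True
    running_components: FrozenSet[str] = frozenset()
    last_scan: Optional[date] = None
    unprocessed_objects: int = 0
    virus_counter: int = 0

@dataclass
class Rules:
    """Condition settings as shown in the console; defaults follow the guide."""
    not_scanned_warning_days: int = 7      # Warning 7 days after the last scan
    not_scanned_critical_days: int = 14    # Critical after 14 days
    protection_off_enabled: bool = True    # Critical only, enabled by default
    rtp_level_enabled: bool = False        # disabled by default; Running is "normal"
    rtp_level_status: str = WARNING        # Warning or Critical, chosen by the admin
    many_viruses_enabled: bool = False     # disabled by default
    many_viruses_threshold: int = 5        # ASSUMED: the guide gives no value
    many_viruses_status: str = WARNING     # ASSUMED: the guide only says "less critical"
    unprocessed_status: str = CRITICAL     # ASSUMED: the guide only says "more critical"

def real_time_protection_status(snap: Snapshot) -> str:
    """Running if at least one protection component works, otherwise Stopped."""
    if not snap.kes_running:
        return "Stopped"
    return "Running" if snap.running_components & PROTECTION_COMPONENTS else "Stopped"

def evaluate(snap: Snapshot, rules: Rules, today: date) -> Tuple[str, List[str]]:
    """Return (overall status, status descriptions); the worst level wins."""
    findings: List[Tuple[str, str]] = []
    if not snap.kes_running:
        findings.append((CRITICAL, "Kaspersky Anti-Virus is not running"))  # level ASSUMED
    rtp = real_time_protection_status(snap)
    if rules.protection_off_enabled and rtp == "Stopped":
        findings.append((CRITICAL, "Protection is disabled"))
    if rules.rtp_level_enabled and rtp != "Running":   # same trigger, more detailed text
        findings.append((rules.rtp_level_status,
                         f"Real-time protection status is '{rtp}' though it should be 'Running'."))
    # A computer that was never scanned is treated as over the Critical threshold (ASSUMED).
    days = (today - snap.last_scan).days if snap.last_scan else rules.not_scanned_critical_days
    if days >= rules.not_scanned_critical_days:
        findings.append((CRITICAL, "Not scanned for a long time"))
    elif days >= rules.not_scanned_warning_days:
        findings.append((WARNING, "Not scanned for a long time"))
    if snap.unprocessed_objects > 0:
        findings.append((rules.unprocessed_status, "There are unprocessed objects"))
    # The counter only grows until Reset Virus Counter is run from the console.
    if rules.many_viruses_enabled and snap.virus_counter > rules.many_viruses_threshold:
        findings.append((rules.many_viruses_status, "Many viruses detected"))
    if not findings:
        return OK, []
    worst = max(findings, key=lambda f: _RANK[f[0]])[0]
    return worst, [desc for _, desc in findings]

def global_protection_area(results: Dict[str, List[str]]) -> Tuple[str, List[str]]:
    """Protection area of the Monitoring tab: the cause shown and the selection it
    links to; results maps computer name -> descriptions returned by evaluate()."""
    for cause in ("There are unprocessed objects", "Many viruses detected"):  # more critical first
        selection = [name for name, descs in results.items() if cause in descs]
        if selection:
            return cause, selection
    return OK, []

TODAY = date(2017, 5, 3)   # fixed "today" so the constructed sample is reproducible

def sample_fleet() -> List[Snapshot]:
    """Constructed snapshots, one per situation the guide discusses."""
    fav = frozenset({"File Anti-Virus"})
    return [
        Snapshot("ws-01", running_components=fav | {"Firewall"}, last_scan=TODAY - timedelta(days=2)),
        Snapshot("ws-02", running_components=fav, last_scan=TODAY - timedelta(days=9)),
        Snapshot("ws-03", running_components=frozenset({"Device Control"}),  # a Control component only
                 last_scan=TODAY - timedelta(days=1)),
        Snapshot("ws-04", running_components=fav, last_scan=TODAY - timedelta(days=1),
                 unprocessed_objects=1, virus_counter=12),
        Snapshot("ws-05", kes_running=False, last_scan=TODAY - timedelta(days=1)),
    ]

def run_sample(rules: Optional[Rules] = None) -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate the sample fleet; returns {computer name: (status, descriptions)}."""
    rules = rules or Rules()
    return {snap.name: evaluate(snap, rules, TODAY) for snap in sample_fleet()}
```

Running `run_sample()` with the default rules shows ws-03 going Critical because a Control component alone does not count as protection, while switching to the real-time protection level condition yields the more detailed description for the same computer.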

6.2 Statistics and Protection Status Report
Statistics charts and the Protection status report are based on computer statuses. The report shows how many network computers have each of the protection statuses. The report considers all computer statuses, not only the most critical. If you click a status name in the Summary table or in the Details table, a browser window will open with the report on all computers having this status. On the Statistics tab of the Administration Server node, the Protection status page displays the following charts:
— Current computer statuses—shows the distribution of all managed computers by their overall status: OK, Warning and Critical
— Real-time protection status—shows the distribution of all computers by the status of real-time protection: Unknown, Stopped, Paused, Starting, Running, and Failure
— History of computer statuses—shows how the numbers of computers with Warning and Critical statuses changed over time
— Distribution of vulnerability levels—not really relevant to the protection components; it is explained in course KL 009.10 Systems Management


III-1 Unit III. Endpoint Control

Unit III. Endpoint Control
Chapter 1. Introduction ..... 4
1.1 Purpose of Control Components ..... 4
1.2 Licenses and Installation Types ..... 4
Changes in the Administration Console interface ..... 6
1.3 Installing Control Components ..... 6
Adding control components ..... 8
Chapter 2. Application Startup Control ..... 9
2.1 Operation Principles ..... 9
2.2 Settings ..... 9
Application categories ..... 10
Configuring conditions manually ..... 16
Category exclusions ..... 22
How to find out which KL-category a file belongs to ..... 22
Inventory task ..... 26
Application startup control rules ..... 28
2.3 Monitoring Startup Control ..... 30
How to find out what a particular user is prohibited from ..... 30
Local notifications and complaints ..... 30
User requests selection ..... 30
Events ..... 32
Report on blocked runs ..... 32
2.4 Default Deny Policy ..... 32
Chapter 3. Application Privilege Control ..... 36
3.1 Operation Principles ..... 36
3.2 Automatic Categorization ..... 36
3.3 Application Control Rules ..... 38
3.4 Protected Resources ..... 40
3.5 Policy Specifics ..... 42
3.6 Configuring Exclusions ..... 44
Chapter 4. Device Control ..... 46
4.1 What Can Be Blocked and How ..... 46
4.2 Advanced Settings ..... 48
4.3 Trusted Devices ..... 50


4.4 Configuring Interaction with User ..... 52
4.5 Temporary Access ..... 54
How to send a request ..... 54
How to create activation code ..... 56
How to activate temporary access ..... 56
4.6 Monitoring Device Control ..... 58
Chapter 5. Web Control ..... 60
5.1 Blocking Criteria ..... 60
5.2 Configuring Exclusions and Trusted Servers ..... 66
5.3 Diagnostics and Testing ..... 66
5.4 Configuring Interaction with User ..... 68
5.5 Web Control Statistics ..... 72
5.6 Web Control Report ..... 72

III-3 Unit III. Endpoint Control

III-4

KASPERSKY LAB™ KL 002.10. Kaspersky Endpoint Security and Management. Fundamentals

Chapter 1. Introduction

1.1 Purpose of Control Components

In addition to anti-malware protection, Kaspersky Endpoint Security 10 contains control components that restrict actions harmful to the computers or to the company in general. The primary one is Application Control, which can be used to prohibit computer games, movies and other activities that have little to do with work. Device Control enables the administrator to bring the use of various devices into conformity with the company policy. In particular, blocking removable drives considerably impedes unauthorized data copying; prohibiting the connection of mobile phones and players helps reduce the temptation to listen to and copy music; Wi-Fi connections and external network adapters can also be blocked. If network connections are allowed, they can be regulated by Web Control, which allows restricting access to social networks and non-corporate web e-mail, communications with recruiting agencies, or browsing job sites.

1.2 Licenses and Installation Types

There are three functional areas in Kaspersky Security Center 10:
— Antivirus protection
— Control components
— Encryption
The control components require a KESB Select license and are installed automatically if the Standard installation type is selected. (The exception is Application Privilege Control, which belongs to the Basic functionality level and requires only a KESB Core license.) Under a KESB Core license, the other control components will not work. Licenses and activation are described in more detail in Unit IV.

Changes in the Administration Console interface

Since control components are not included in the Basic functionality, their settings are not displayed in the Administration Console [1] by default. To be more precise, their settings are not displayed in Kaspersky Endpoint Security 10 policies. To be able to change the settings of the control components within a policy, the corresponding interface elements must be activated in the Administration Console. This is done in the interface settings window: click the Configure functionality displayed in user interface link located in the Administration Server area on the Monitoring tab of the Administration Server node. An alternative way to open this window is to select the Administration Server node in the tree, and then click Configure interface on the View system menu. In the interface settings window, select the Display endpoint control settings check box. To apply these settings, restart the Administration Console.

1.3 Installing Control Components

To install the control components on the computers, the Standard or Custom installation type must be selected in the properties of the Kaspersky Endpoint Security 10 installation package that will be used for deployment.

[1] Except for Application Privilege Control, which is always displayed.

Adding control components

If only Basic components are installed on the computers, the administrator can upgrade the installation type to Standard using the Change application components task of Kaspersky Endpoint Security 10. This task is designed specifically for uninstalling or adding Kaspersky Endpoint Security components without reinstalling the product. The task generates little traffic, as it reuses the .msi package of Kaspersky Endpoint Security that was saved on the client computer during the initial installation [2]. In the task properties, you can select either the installation type or the individual components to be installed, just as in an installation package. However, you cannot select individual components while creating the task in the wizard. To specify the necessary components, complete the task creation wizard and then open the task properties, where the choice of components is not limited.

[2] You can find the package in the %ProgramData%\Kaspersky Lab\KES10SP1\Setup folder on the protected computers.

Chapter 2. Application Startup Control

Application Startup Control allows the administrator to restrict program start on the endpoint. At the same time, Application Startup Control reduces the computer infection risk by decreasing the attack surface.

2.1 Operation Principles

Application Startup Control allows the administrator to restrict program start on the client computer. Program start permissions are specified in special rules. When a program starts, the following conditions are checked:
— The categories to which the program belongs
— The account that starts the program
— The rules regulating the start of programs in categories with regard to the user account
If there are no matching blocking rules, and at least one rule that allows starting the program [3] is met, the start is allowed. If there are no allowing rules, or there are both allowing and blocking rules for this account to start a program of this category, the start is prohibited.

2.2 Settings

Application Startup Control settings are organized as follows:
— Program categories—specified at the Administration Server level in the Advanced | Application management | Application categories container
— The list of rules—specified at the computer group level, in the Kaspersky Endpoint Security policy

[3] By default, there is an 'Allow all' rule that allows any account to start any program.

Application categories

An application category is a list of conditions and exclusions that identifies a program or a group of programs. The list is displayed in the Advanced | Application management | Application categories container and is empty by default. New categories are created using a special wizard. There are three types of categories:
— Filled manually—their conditions are added and changed only manually
— Filled automatically from a folder—the administrator selects only the directory where executable files of programs belonging to this category are located; the Administration Server checks the contents of this directory on schedule, calculates checksums of executable files (MD5) and updates the list of the category criteria
— Filled automatically from computers—the administrator selects one or several managed computers, and the Administration Server automatically includes executable files found on the computers in the category
Categories are created on the KSC Administration Server and are transferred to client computers similarly to policies and tasks. You can monitor the delivery of categories to computers using the chart in the upper-right corner of the Advanced | Application management | Application categories page.

Automatic filling from a folder

The contents of an automatically filled category are updated when the source folder contents change (executable files are deleted or added). You can also make the category update on a schedule. If the specified folder contains archives or installation packages (for example, .msi), the Administration Server automatically unpacks them (into a temporary folder) and includes data about the executable files within the archive or package in the category. So, if you place a program distribution into the folder, the category will include not only the installation file but also the program files.

This method of creating a category is useful if the company has a repository of program distributions to be installed on the corporate computers. Start of these programs must be allowed. The administrator may occasionally add programs to the repository or replace them with newer versions. To avoid manually updating the category rules for the allowed distributions, place them into a folder and have the Administration Server automatically monitor the changes and add the parameters of the detected files to the dedicated category. Afterwards, the administrator only has to create one allowing rule for this category in the policy to allow start of all the programs in use.

You can also select Include dynamic-link libraries (.DLL) in this category. If this check box is selected, Kaspersky Security Center calculates checksums of .dll files and adds them to the category along with executable files. It makes sense to take care of .dll files because Windows allows starting processes from them through the rundll32.exe utility. Generally, some of the processes started from library files may be allowed, while others are blocked. In this regard .dll files are similar to script files (.js or .vbs), which are not executable themselves but are started via the cscript.exe (or wscript.exe) utility, and can be allowed or blocked selectively.

The Calculate SHA-256 for files in this category parameter is not applicable to Kaspersky Endpoint Security 10 Service Pack 1 for Windows. It is designed for the Kaspersky Critical Infrastructure Protection product, which is outside the scope of this course.

Automatic filling from computers

In addition to the repository of allowed program distributions, there may be a reference computer in the organization where all the programs used in the company are installed. Such a reference computer is usually needed for creating images to be deployed on new computers. As a result of such a deployment, the operating system and all programs necessary for work are installed on the computer, and the whole process takes much less time than installing everything from distributions. The administrator periodically upgrades programs on the reference computer and updates the image accordingly. With this approach, it would only be logical to automatically allow all programs installed on the reference computer. For this purpose, it is necessary to scan the computer, add all programs to a category, and then create an allowing rule for it in the policy. This is what a category automatically filled with files from selected computers is designed for.

Sometimes it is necessary to categorize the files found on the reference computer, for example, to separate Windows files from program files. In this case, you can configure a filter based on the folder where a file is located. The category will include only the files located in the specified folder of the reference computer. Unlike folder-based categories, where the changes are monitored by the Administration Server itself, with a computer-based category the Administration Server relies on the detection of executable files by Kaspersky Endpoint Security. That means that a reference computer must be equipped with Kaspersky Endpoint Security for file detection and with Kaspersky Network Agent for sending the data to the Administration Server. There will be more details on how this works later in this chapter. Similar to a category filled from a folder, the administrator can specify the scanning interval. The detected files will be added to the category and later identified by MD5 hash sum.

Configuring conditions manually

For a manually filled category, conditions for the programs are specified in the list; each condition can contain several parameters. If a program matches at least one condition, it is included in the category. Conditions can be set by various methods, but all of them can be boiled down to five general types [4]:
— MD5 hash of the file—the checksum returned by the MD5 hash function, which allows unambiguous identification of the file (the checksums of different files are different)
— Metadata—file name, its version, name of the program and manufacturer. The version does not have to be specified exactly: you can select all files older or newer than the specified version. The various file characteristics constitute a single condition, rather than several individual conditions
— Application folder—the path to the folder that contains program executable files
— Device type—a special parameter that allows the administrator to create a separate category for the files started from a removable medium
— KL category—application category according to the Kaspersky Lab classification, for example, Browsers, Games, Drivers, etc.

Adding from the applications registry

Most of the available condition adding options boil down to a condition based on the MD5 hash sum or metadata. For example, the Add button by default opens a window where you can select a program from the applications registry. This registry contains programs installed on the computers, namely the programs displayed in the Programs and components (Windows Vista / 7 / 8 / 10) or Add or Remove Programs (Windows XP) tool. Network Agents gather the names and attributes of these programs and transfer them to the server. The gathered information about the installed programs does not contain data about the program executable files. But it is the data about executables that is necessary to create a condition. That is why the Administration Server compares data about installed programs with data about executable files detected on the computers, and then creates a condition based on the hash sum of the program executables. It may happen that a program is mistakenly considered installed, or that a program is installed but started extremely rarely and the data about its executable file is missing on the Administration Server. In this case, a condition for this program may fail to be created. On the other hand, if a program has several executable files, the applications registry simplifies rule creation: the Administration Server automatically adds conditions for all executable files associated with the program. If a program is installed but its executable files haven’t been reported to the Administration Server yet, the administrator may consider running an Inventory task to speed up the process.

[4] You can create a condition based on a file certificate in a category. This capability was implemented for the Kaspersky Critical Infrastructure Protection product, which is outside the scope of this course. Kaspersky Endpoint Security 10 Service Pack 1 does not support these conditions and will ignore the categories that include certificate-based conditions.

Adding a file-based condition

If necessary, the administrator can create a condition based on individual files. The files can be selected using several methods:
— From the executable files list—the list of executable files that have ever been started on the client computers or detected by an Inventory task. This list of files is displayed in the Advanced | Application management | Executable files container
— From file properties—you can add a checksum or metadata of a local or network file to the condition list
When selecting a file on the drive, the administrator can specify a simple hash-sum condition for it (MD5 hash), or a more flexible condition based on the attributes.

A hash sum unambiguously identifies a file. This condition should be used when an exact match is important. For example, hash sums are used in the automatically filled categories described earlier, because it is important to allow starting exactly the file versions installed on the reference computer or included in an approved distribution. Any changes made to the file by malware or malevolent users will change the hash sum and block the file start. Hash sums are also convenient if it is necessary to prohibit renamed files from starting. Renaming does not influence the hash sum, so the blocking rule will still work.

At the same time, you may need to include several application versions in a category. In this case you should create a condition based on file attributes, such as name, manufacturer name and version number. The version number may not only coincide with the specified value, but also be greater or less than the specified value, or start with it, etc.; so you will be able to block old program versions, or versions that are too new and have not been approved yet.

Metadata-based conditions implicitly rely on digital signatures. When Kaspersky Endpoint Security checks file metadata to determine if the condition applies, it ignores files without digital signatures (certificates). Unsigned files will never match a metadata-based condition. This applies to many open-source and freeware tools. You may create a condition based on the file name and then be surprised that a file with a matching name is not treated as expected. Most probably, this means that the file has no digital signature. In general, use metadata-based conditions for commercial software that is likely to be digitally signed by the vendor’s certificate. To control open-source and freeware programs, use other condition types.

Conditions for a group of files

You can select not only a file, but also a folder. If a file or several files are located within an MSI package, you can specify this MSI package. The wizard will scan the specified folder or package for executable files and create a condition for each of them. The condition can be based on the hash sum or on the attributes. These capabilities are similar to creating an automatic category based on a folder; but in an automatically filled category, the Administration Server monitors the changes within the folder and updates the conditions correspondingly. An automatically filled category cannot have conditions other than those retrieved from the files located in the folder. If a folder or an MSI package is specified when creating a condition manually, the selected folder or package is scanned once when the category is created and is not rescanned later. The administrator can add any other condition to such a category.

Conditions based on file location

So far, all conditions checked the hash sum or attributes of the files. These conditions were independent of the file location: copying or moving the executable file would not influence the file start regulations based on them. The following two types of conditions consider only the file location:
— Application folder—defines the local path to the file. The administrator can, for example, prohibit starting executable files from the desktop or from the whole user's home directory. Alternatively, the administrator can allow starting executable files from the system folders (c:\Windows, c:\Program Files) and prohibit it from all other locations on the computer. The condition is recursive, meaning that it also applies to the files in subfolders of the specified folder
— Device type—can have only one value: Removable device. Essentially, its purpose is to enable the administrator to prohibit starting programs from removable media

Conditions based on KL categories

The described conditions enable the administrator to allow or prohibit known programs: programs whose hash sum, attributes, location on the drive, etc. are known or can be found out. In practice, it is often necessary to prohibit unknown programs, for example, all games, or all browsers except for one, etc. This task is not easy to solve using the described tools. The solution is to use KL categories. These categories define a program class or type: e-mail programs, web browsers, development tools, electronic payment systems, etc. ‘KL category’ means that the programs are categorized by Kaspersky Lab experts. The program categorization information is a part of the downloadable databases. That is why the Download updates to the repository task must run at least once before you can create conditions based on KL categories. Programs started on each computer are independently checked against the conditions, and if different database versions are used on different computers, Startup Control rules may produce different results. Also, if the use of KSN is enabled on a computer, it will try to receive the latest data about KL categories in real time. Kaspersky Lab experts, of course, cannot process and categorize all executable files that exist in the world. All uncategorized files are automatically associated with the Other Software KL category.

Category exclusions

If it is necessary to prohibit all programs corresponding to the specified conditions except for one, add an exclusion to the category. Exclusions can use the same types of conditions. The programs that meet at least one exclusion condition will be excluded from the category.
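The five condition types, the unsigned-file behaviour of metadata conditions and the exclusion semantics described above, modelled as an added example in Python. This is not Kaspersky Lab code: the class names, the sample files, their bytes and hashes, and the categories are constructed for illustration.

```python
"""Model of how an administrator-defined category decides whether a file belongs to it.
Added example, not Kaspersky Lab code: the condition types and exclusion semantics follow
the course text; the class and function names and sample data are this example's own."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field

@dataclass
class ExeFile:
    path: str                            # local path on the endpoint
    content: bytes                       # constructed file body, only used to derive the MD5
    name: str = ""
    vendor: str = ""
    version: tuple = ()
    signed: bool = False                 # whether the file carries a digital signature
    on_removable: bool = False           # started from a removable medium
    kl_category: str = "Other Software"  # uncategorised files land here

    @property
    def md5(self) -> str:
        return hashlib.md5(self.content).hexdigest()

@dataclass
class Condition:
    kind: str                  # "md5", "metadata", "folder", "device" or "kl"
    md5: str = ""
    name: str = ""
    vendor: str = ""
    version: str = ""
    version_op: str = "=="     # "==", "<", "<=", ">", ">=" or "startswith"
    folder: str = ""
    kl_category: str = ""

    def matches(self, f: ExeFile) -> bool:
        if self.kind == "md5":
            # Exact identity: a modified file loses the match, a renamed copy keeps it.
            return f.md5 == self.md5
        if self.kind == "metadata":
            # Metadata conditions rely on the digital signature: unsigned files never match.
            if not f.signed:
                return False
            if self.name and f.name.lower() != self.name.lower():
                return False
            if self.vendor and f.vendor.lower() != self.vendor.lower():
                return False
            if not self.version:
                return True
            want = tuple(int(p) for p in self.version.split("."))
            if self.version_op == "startswith":
                return f.version[:len(want)] == want
            return {"==": f.version == want, "<": f.version < want, "<=": f.version <= want,
                    ">": f.version > want, ">=": f.version >= want}[self.version_op]
        if self.kind == "folder":
            # Recursive: files in subfolders of the specified folder match as well.
            prefix = self.folder.lower().rstrip("\\") + "\\"
            return f.path.lower().startswith(prefix)
        if self.kind == "device":
            return f.on_removable
        if self.kind == "kl":
            return f.kl_category == self.kl_category
        raise ValueError(f"unknown condition kind: {self.kind}")

@dataclass
class Category:
    name: str
    conditions: list = field(default_factory=list)
    exclusions: list = field(default_factory=list)

    def contains(self, f: ExeFile) -> bool:
        # In the category when at least one condition matches and no exclusion matches.
        included = any(c.matches(f) for c in self.conditions)
        excluded = any(e.matches(f) for e in self.exclusions)
        return included and not excluded

def categorise(categories: list, f: ExeFile) -> set:
    """Names of all categories the file belongs to (a file may be in several at once)."""
    return {c.name for c in categories if c.contains(f)}

# Constructed sample files; the bodies are arbitrary bytes, not real executables.
TOOL_V2 = ExeFile(r"C:\Program Files\Acme\tool.exe", b"acme tool 2.0", "tool.exe", "Acme", (2, 0), signed=True)
TOOL_V1 = ExeFile(r"C:\Program Files\Acme\old\tool.exe", b"acme tool 1.5", "tool.exe", "Acme", (1, 5), signed=True)
OSS_TOOL = ExeFile(r"C:\Users\bob\Desktop\tool.exe", b"unsigned build", "tool.exe", "Acme", (2, 0))  # unsigned
USB_BROWSER = ExeFile(r"E:\portable\browser.exe", b"portable browser", on_removable=True, kl_category="Web browsers")
CORP_BROWSER = ExeFile(r"C:\Program Files\Corp\browser.exe", b"corporate browser", kl_category="Web browsers")

CATEGORIES = [
    # Exact file identity, as an automatically filled category would record it.
    Category("Approved tools", [Condition("md5", md5=TOOL_V2.md5)]),
    # Versions older than the approved 2.0, identified by signed metadata.
    Category("Outdated tools", [Condition("metadata", name="tool.exe", vendor="Acme",
                                          version="2.0", version_op="<")]),
    # Anything started from user profiles or from removable media.
    Category("Untrusted locations", [Condition("folder", folder=r"C:\Users"), Condition("device")]),
    # All browsers except the corporate one, via a KL category plus an MD5 exclusion.
    Category("Unwanted browsers", [Condition("kl", kl_category="Web browsers")],
             exclusions=[Condition("md5", md5=CORP_BROWSER.md5)]),
]
```

Note that OSS_TOOL has the same name, vendor and version as TOOL_V2 but no signature, so the metadata condition ignores it and only the folder condition applies, which is the behaviour the text warns about.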

How to find out which KL category a file belongs to

If the administrator wants to know which KL category includes a specific executable file, they can find this information both locally on the computer and in the Administration Console. The local verdicts (which may vary slightly on different computers because of different database versions) are available in the Application Activity Monitor window. Information in the Administration Console can be used for troubleshooting as well as for planning the rules. The list of executable files is located in the Advanced | Application management | Executable files node. The administrator can view the attributes and KL category of each file. Since there can be a lot of files on the list (reported from all the computers in the network), search and filtering options may help find the necessary one. The administrator can search for a file using a part of its name, or apply a filter and search by the values of various file attributes. You can use the list of executable files not only to view KL categories, file attributes and various statistics, such as when the file was first detected on the computers, but also to add a file to, or exclude it from, an administrator-defined category. There is a button that adds the file to administrator-defined categories. You can add the file to an existing category or create a new one. When modifying an existing category, you can add the file either to the inclusion conditions or to the exclusions. In all cases, the resulting condition will be based on the file’s MD5 hash sum.

Inventory task

This task is not created automatically. Executable files are reported to Kaspersky Security Center by Kaspersky Endpoint Security via the Network Agent. When a file is launched, either Application Startup Control or Application Privilege Control intercepts the file, collects its data and sends it to the Administration Server. However, some files may start very rarely, and it may take a very long time until all executable files are intercepted and reported to the Administration Server. A faster way to detect files is to use an Inventory task. This is a Kaspersky Endpoint Security task, which can be created for both groups and computer selections. With standard settings, the task searches for executable files in the following directories:
— %SystemRoot%
— %ProgramFiles%
— %ProgramFiles(x86)%
The list of folders can be modified. The information about discovered files is sent to the Administration Server and is available in the Advanced | Application management | Executable files container. Unlike the monitoring components, this task can detect executable files within archives and installation packages. In the task settings, in the Properties section, click the Additional button and select the Scan archives and Scan installation packages check boxes.

When executable files are being searched for, their checksums are calculated, which may slow down the computers. To reduce resource consumption, you can use the option to scan only new and changed files. The information about changes is obtained using the iSwift technology and requires almost no calculations. Alternatively, you can schedule the task to run during non-working time, or use the option Suspend scheduled scanning when the screensaver is off and the computer is unlocked.

Kaspersky Endpoint Security can send information about executable files to the Administration Server. There are settings in the Kaspersky Endpoint Security policy that control which types of data are sent and which are not. It is critically important to know that informing the Administration Server about executable files is disabled by default. The settings are located in the Reports and Storages section of the policy. As a result, all lists of executable files will be empty. Even a successful execution of an Inventory task will not change this, unless you enable sending information About started applications in the Kaspersky Endpoint Security policy.

Application startup control rules

Note that Application Startup Control is disabled by default in Kaspersky Endpoint Security 10 Service Pack 1. That is one of the reasons why sending the information about executable files is disabled. The first thing the administrator needs to do before configuring rules is to enable the component. A rule contains the following parameters:
— Category—an application category created on the Administration Server beforehand. A policy may contain only one rule for each category
— Users and/or groups that are granted permission—the list of local or domain users and groups who are allowed to start the programs belonging to the selected category. If more than one entity needs to be specified, separate them with a semicolon (;). There is a related option, Deny for other users. When enabled, it automatically denies permission to all unlisted users. All versions of Kaspersky Endpoint Security earlier than 10 Service Pack 1 acted as if this option were always enabled. In version 10 Service Pack 1 this option is configurable and disabled by default; unlisted users are then granted or denied permission based on the rest of the rules
— Users and/or groups that are denied permission—this parameter explicitly defines the list of users and groups who are prohibited from starting the programs
— Trusted updaters—consider all programs of this category to be trusted updaters [5]
Denial has a higher priority than permission. If a rule is configured to allow program start to all users and prohibit it for the user Tom, this user will not be able to start the program according to this rule.

There are some predefined rules in the list that cannot be deleted, only enabled or disabled:
— Allow all—a rule allowing start of all programs. The rule is enabled by default. Disabling it is dangerous: it can result in program failures on the client computers if alternative allowing rules are not configured
— Trusted updaters—if this rule is enabled, the applications installed by trusted updaters will not be blocked even if there are no allowing rules for them. It is a special KL category [6] that includes programs that download and install module updates, for example, Adobe Updater, Chrome Component Updater, etc. The rule is disabled by default; it is used only in a default deny policy, described later
— Golden Image—this category contains the executable files necessary for the operating system, as well as executable files supplied with the system (various standard utilities and applications); also intended for use in a default deny policy
Each rule can be in the On, Off or Test state. In the Test mode, the rule does not block the program start; when enabled, it only generates Application startup prohibited in test mode or Application startup allowed in test mode events. This mode and these events help the administrator evaluate the policy operation without hampering the users.

[5] This option is described in detail later in this chapter.
[6] This KL category cannot be selected when configuring program category conditions.

To test what would happen if you disable the Allow all rule, select the Generate test verdict for the default rule check box, but don’t disable the Allow all rule just yet. This way, you will get events about the files that would be blocked if the Allow all rule were disabled. The list lacks the up and down buttons, because the order of rules does not matter. When a program starts on a computer, Kaspersky Endpoint Security analyses all enabled rules together. Different rules regulate start of different application categories; but some programs may belong to several categories at once. If there is at least one rule according to which program start must be prohibited, it will be prohibited regardless of what the other rules say. If a program does not belong to any category for which rules are configured and enabled, it will be processed according to the Allow all rule (will be allowed to start). This operation mode is called ‘default allow’ or ‘black list’ mode. The administrator can disable the Allow all rule and thus switch to the ‘default deny’ or ‘white list’ mode. In the default deny mode, if a program is not included in an allowed category for which rules are configured and enabled, it will be prohibited from starting. The recommendations for using the default deny mode are provided later in this chapter.
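The rule evaluation described in 2.1 and in the rule parameters above (denial over permission, Deny for other users, the Allow all rule versus default deny, rules in the Test state, and the test verdict for the default rule), modelled as an added example in Python. This is not Kaspersky Lab code; the rule names, category names and user names are constructed, and the treatment of Test rules as having no effect on the real verdict is this model's reading of the text.

```python
"""Model of Application Startup Control rule evaluation.
Added example, not Kaspersky Lab code: the decision logic follows the course text
(denial beats permission, rule order is irrelevant, Allow all gives default-allow mode,
disabling it gives default-deny mode, Test rules only report); names are this example's own."""
from __future__ import annotations
from dataclasses import dataclass, field

PROHIBITED = "Application startup prohibited"
ALLOWED = "Application startup allowed"
PROHIBITED_TEST = "Application startup prohibited in test mode"
ALLOWED_TEST = "Application startup allowed in test mode"

@dataclass
class Rule:
    category: str                              # category name; "*" marks the predefined Allow all rule
    allowed: set = field(default_factory=set)  # users/groups granted permission
    denied: set = field(default_factory=set)   # users/groups explicitly denied permission
    deny_for_others: bool = False              # the "Deny for other users" option
    state: str = "on"                          # "on", "off" or "test"

    def vote(self, principals: set) -> str | None:
        """This rule's opinion for a user described by their name and group names."""
        if principals & self.denied:
            return "deny"                      # denial has priority inside the rule
        if principals & self.allowed:
            return "allow"
        if self.deny_for_others:
            return "deny"                      # unlisted users are denied by this rule
        return None                            # unlisted users: left to the other rules

@dataclass
class Verdict:
    allowed: bool
    events: list = field(default_factory=list)

def decide(rules: list, categories: set, principals: set) -> bool:
    """Prohibited if any applicable rule denies; allowed only if at least one allows."""
    votes = [r.vote(principals) for r in rules if r.category == "*" or r.category in categories]
    if "deny" in votes:
        return False
    return "allow" in votes

def evaluate(rules: list, categories: set, principals: set,
             allow_all: bool = True, test_default: bool = False) -> Verdict:
    """Evaluate one program start; rules are unordered and all enabled ones count."""
    principals = principals | {"Everyone"}
    active = [r for r in rules if r.state == "on"]
    if allow_all:
        active.append(Rule("*", allowed={"Everyone"}))  # the predefined Allow all rule
    allowed = decide(active, categories, principals)
    events = [ALLOWED if allowed else PROHIBITED]

    # Rules in the Test state never block; they only report what they would have done.
    for r in rules:
        if r.state == "test" and r.category in categories:
            v = r.vote(principals)
            if v == "deny":
                events.append(PROHIBITED_TEST)
            elif v == "allow":
                events.append(ALLOWED_TEST)

    # "Generate test verdict for the default rule": would the start be blocked without Allow all?
    if allow_all and test_default and allowed:
        if not decide([r for r in active if r.category != "*"], categories, principals):
            events.append(PROHIBITED_TEST)
    return Verdict(allowed, events)

# Constructed sample policy in default-allow mode with two category rules.
POLICY = [
    Rule("Games", allowed={"Everyone"}, denied={"tom"}),                    # everyone except Tom
    Rule("Web browsers", allowed={"Domain Admins"}, deny_for_others=True),  # admins only
]

if __name__ == "__main__":
    for cats, who in [({"Games"}, {"alice"}), ({"Games"}, {"tom"}),
                      ({"Web browsers"}, {"bob"}), ({"Other Software"}, {"bob"})]:
        print(sorted(cats), sorted(who), evaluate(POLICY, cats, who, test_default=True))
```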

2.3 Monitoring Startup Control

How to find out what a particular user is prohibited from

There is the Statistical analysis button next to the list of startup control rules in the KES policy. It opens a window where you can select a user or a group; in the right pane, the list of prohibited categories and blocked files will be displayed.

Local notifications and complaints

When a program start is blocked on the client computer, Kaspersky Endpoint Security shows a pop-up message notifying that the program was blocked, so that the user is not confused about the reason for the program's behavior. If the user needs this program for work, the pop-up notification allows sending the administrator a request for program start permission: the user clicks the Complain link in the notification window and then clicks the Send button. The text of the pop-up notification, as well as of the request to allow a program start, can be modified in the Kaspersky Endpoint Security policy. You can use variables there, which provide information about a specific event, for example, the name of the blocked program, the computer where the event was registered, etc.

User requests selection

The standard User requests event selection contains the Application startup blockage message to administrator events registered over the last 7 days. The Application startup blockage message to administrator event is registered when a user sends a request to allow program start, and contains the request text along with the information about the computer, username and the program in question: complete information necessary for the administrator to make a decision. It may happen that a user would need a program urgently. That is why, if the administrator rarely opens the User requests selection, it might be worthwhile to configure e-mail notification for the Application startup blockage message to administrator event. This will enable the administrator to process the requests as soon as possible. It is possible to use the request events to modify application categories. The event contains all the relevant information about the blocked file, including the MD5 hash. The administrator can use the Add file to category link to immediately add the blocked file to an existing or a new category either as an inclusion condition or as an exclusion.

III-31 Unit III. Endpoint Control

III-32

KASPERSKY LAB™ KL 002.10. Kaspersky Endpoint Security and Management. Fundamentals

Events

Application Startup Control generates five types of events:
— Application startup prohibited
— Application startup blockage message to administrator
— Application startup allowed
— Application startup prohibited in test mode
— Application startup allowed in test mode

By default, all the events except for Application startup allowed are transferred to the Administration Server. If the test mode is used for rules, it might be worthwhile to create a selection for the Application startup prohibited in test mode or Application startup allowed in test mode events, because these events are not included in the report about blocked starts.

Report on blocked runs

Based on the Application startup prohibited event, Kaspersky Security Center generates the Report on blocked runs, which shows how the number of blocked starts on the client computers is distributed by application. Click a program name in the Summary table to open another report in the browser, which lists all computers where the start of this program was blocked.

2.4 Default Deny Policy

As we mentioned earlier, the list of Application Startup Control rules includes a rule allowing all users to start all programs. The administrator can add rules prohibiting the specified users from starting the specified application categories. Programs that are not included in any category will be allowed. In most cases, this approach is optimal: it helps prevent unwanted activity without causing serious inconvenience to the users.

However, the security policy may prescribe that all programs are prohibited except those that are absolutely necessary for work. For example, there may be such a policy for computers used as point-of-sale (POS) terminals: only the special programs must be allowed to start on them, and all unknown programs must be prohibited. In this case, it is necessary to configure allowing rules according to the security policy and disable the Allow all rule. After this, all programs that do not meet the allowing rules will be blocked.

The main difficulty when working in the white list mode (when the start of uncategorized programs is prohibited by default) is operating system malfunction, because the system files that are not explicitly allowed will be blocked along with other programs.

Various configurations of allowing rules are possible; it will be necessary to create one or several categories for system executable files and configure allowing rules for them using one of the following methods:
— Use a “reference” computer with the operating system and allowed programs installed for creating an automatically filled category
— Use a directory with distributions of allowed programs for creating an automatically filled category
— Use the Golden Image | Operating Systems & Utilities KL category—this category is used, for example, if you enable the standard Golden Image rule that is available in the list of rules initially, but is disabled by default

Under Windows Vista and later versions, you can allow starting all programs on behalf of the System account, because a non-system application cannot receive system service rights in these operating systems.

To prevent programs for which allowing rules are configured from being blocked after they are updated, use the Trusted updaters standard rule. This rule exists in the list by default and cannot be deleted, but it is disabled by default. When it is enabled, the programs downloaded and installed by the applications included in the Trusted updaters category will not be blocked even if the corresponding allowing rules are not configured. The administrator can also manually assign the Trusted updaters flag to a category in the properties of an allowing rule.

Chapter 3. Application Privilege Control

3.1 Operation Principles

The main purpose of the Application Privilege Control is to regulate the activities of the running programs, namely, access to the file system and registry as well as interaction with other programs. Application Privilege Control separates applications into categories (trust groups) for which limitations are specified. Every program receives one of the four trust levels:
— Trusted
— Low Restricted
— High Restricted
— Untrusted

For each category, standard activity limits are pre-defined. The administrator can change these restrictions within the categories. Additionally, individual limitations can be configured for every program in the policy.

Application Privilege Control can be compared with the Firewall. It uses the same trust groups and similar operation principles. If individual restrictions are specified for a specific program in the policy, they are used. If individual restrictions are not specified, Kaspersky Endpoint Security uses KSN, heuristic algorithms and the administrator’s settings to define the program trust group, and then applies the restrictions specified for this trust group.

It should be noted that Application Privilege Control and Firewall not only use similar operation principles, but are also inseparably connected. If settings are specified for a program in the Firewall policy, this program will also appear as an individual element in the Application Privilege Control policy, and vice versa. The trust groups in Firewall and Application Privilege Control are also the same. General program trust groups are defined in Kaspersky Endpoint Security, and each component applies its own restrictions to the programs comprising these groups.

3.2 Automatic Categorization

Kaspersky Endpoint Security assigns a trust group to a program when it starts for the first time; the start is suspended until the analysis is over. The main categorization tool is Kaspersky Security Network. If it is inaccessible or KSN lacks information about the program, the assigned category depends on the policy settings:
— Use heuristic analysis to define group—if this check box is selected, Kaspersky Endpoint Security defines the program status using a special heuristic algorithm that emulates the program start. Emulation and analysis require time. By default, the time for assigning a trust group is limited to 30 seconds. There is a separate setting named Maximum time to define group for this purpose. After the specified time, the analysis is finished and the program gets placed into a trust group
— Automatically move to group—an alternative to using heuristics. This setting allows assigning one of three trust levels (High Restricted, Low Restricted, or Untrusted) to all unknown programs without the analysis
— Trust applications that have a digital signature—if this parameter is enabled, the programs having a valid digital signature are automatically placed in the Trusted group

The defined trust group is saved and used at each start of the program. The saved data may be revised or deleted depending on the following settings:
— Update control rules for previously unknown applications from KSN databases—the program trust group will be changed automatically if the program appears in KSN
— Delete rules for applications that are not started for more than 60 days—allows wiping out the trust group information for the programs that have not been started for a long time. The lifetime is adjustable

Also note that if the administrator explicitly specifies the trust group for an executable file in the policy, the value from the policy will be used. The trust group is defined locally only for the programs that are not explicitly specified in the policy.

The Application Privilege Control component, when installed on server operating systems, is responsible only for program categorization. Access rules cannot be configured on server systems.

3.3 Application Control Rules

Application Privilege Control allows limiting a program’s interaction with other programs and operating system services depending on its trust group. The limitations can be configured both at the trust group level and for separate programs. Control rules include a wide list of various interactions, for each of which the Allow or Block value is specified. The list of controlled interactions is hard-coded.

Generally, the default restrictions for trust categories are as follows:
— Trusted—no limitations and no logging
— Low Restricted—everything is allowed except for building into operating system modules
— High Restricted—interaction with operating system modules and other programs is prohibited. A program is allowed to work only with its own segment of system memory
— Untrusted—a program is prohibited even from starting

Note: Application Privilege Control, just like Application Startup Control, can block an application start. There is no contradiction here: if a program must be blocked according to the settings of one of the components, it is blocked regardless of the other component’s settings.

3.4 Protected Resources

Application Privilege Control helps limit access to files, folders and registry keys on the hard drives. Files and registry keys are organized into groups and subgroups, for which the rights of programs belonging to different trust categories are specified. The restrictions specified for a group of resources can be changed at the subgroup level, or individually for a file or registry key.

Initially, the list of protected resources contains groups of the most important files and registry keys. The administrator can modify and create the categories. Access rights can be specified both in the list of protected resources, and in the program properties within the trust categories. Rights to access a group of resources are defined independently for four operation types:
— Read
— Write
— Delete
— Create

Generally, the default limitations for the trust groups are as follows:
— Trusted—no restrictions
— Low Restricted—everything is allowed except for changing important system files (boot.ini, system.ini, autoexec.bat, executable files within the system directory, etc.)
— High Restricted—only Read access is allowed to the data from the operating system directories and registry branches
— Untrusted—the program is prohibited even from starting

Note: The limitations configured for a program are inherited by all its child processes, even if their executable files are included in the Trusted group. Thus, programs with a lower trust level cannot evade the prohibitions by using the privileges of programs with higher trust levels.

3.5 Policy Specifics

You can see that Application Privilege Control uses the same trust levels as the Firewall. It is not just a similarity; these components actually use the same trust levels. A program trusted by Firewall is trusted by Application Privilege Control, too, and vice versa.

Similar to the Firewall, Application Privilege Control defines access rights for the trust groups in the policy. On the client computer, Kaspersky Endpoint Security assigns a trust group to every specific application. Meanwhile, the administrator can also manually assign a trust level to a particular program in the policy. If necessary, individual restrictions different from those set for the trust group can be specified for a particular program. New programs are added to the list the same way as in the Firewall: the executable file of an application is selected from the list of files ever started on the client computers. The policy has a higher priority than the locally assigned trust group.

3.6 Configuring Exclusions

If the limitations set by the Application Privilege Control still block a necessary program, you can configure the corresponding exclusion. There are two types of exclusions in Application Privilege Control:
— Exclusions for resources—allow any program to perform any operation with the specified group of resources
— Exclusions for programs—allow the specified program to perform any operation

Exclusions for resources are configured in the properties of the Application Privilege Control, on the Protected resources tab. You can configure exclusions for folders, files and registry keys.

Exclusions for programs are configured in the General protection settings section (Exclusions and trusted zone), and provide several additional capabilities:
— Do not monitor application activity—disable all restrictions for the specified program
— Do not inherit restrictions of the parent process (application)—disable the limitations inherited from the process that started the program and from the parent processes of higher levels
— Do not monitor child application activity—disable the restrictions for the processes started by the program for which the exclusion is created

Chapter 4. Device Control

The main purpose of the Device Control is clear from its name. It enables the administrator to monitor various devices in the corporate network and, if necessary, prohibit using some of them. The most popular use case for this component is blocking USB flash drives. The users can bring infected files on them or, for example, their children’s homework and end up devoting a workday to it. Accidentally or deliberately, the user can take away files that are of commercial value for the company on a USB drive. Various restrictions help prevent such problems.

The Device Control component in Kaspersky Endpoint Security allows the administrator to enforce the corporate security standards by specifying who can use which devices on the computers, and when. The rules may be applied to removable drives, printers, CD/DVD, non-corporate network connections, Wi-Fi, Bluetooth, etc. Device Control can be installed only under non-server operating systems.

4.1 What Can Be Blocked and How

Almost all peripheral devices can be blocked. They can be blocked by type (removable drives, CD/DVD, Wi-Fi, portable devices (MTP), etc.), or by bus: for example, you can entirely disable all USB devices. Some devices can be allowed, but with limitations: you can explicitly specify the prohibition schedule, restrict only writing operations or make exclusions for some users but not others. You can do that for:
— Hard drives
— Removable drives
— Floppy disks

All other device types you can only disable completely:
— Printers
— CD/DVD drives
— Modems
— Tape devices
— Multifunctional devices
— Smart card readers
— Windows CE USB ActiveSync devices
— Wi-Fi
— Cameras and scanners
— Portable devices (MTP)
— Bluetooth

Mobile phones, tablets, players and other portable devices may be treated either as portable devices (MTP) or as removable drives, if connected as external data carriers.

The list omits image-processing devices (in particular, scanners). These can also be prohibited, but only by blocking their connection buses. Kaspersky Endpoint Security allows blocking connected devices by interface type (bus):
— USB
— FireWire
— Infra Red
— Serial Port
— Parallel Port
— PCMCIA

The administrator can totally block, for example, all USB devices.

Note: Keyboard and mouse cannot be blocked; they are not subject to Device Control rules.

Rules for device types have a higher priority than rules for buses. If the USB bus is prohibited, but removable drives are allowed, a USB flash drive will work correctly. By default, all devices work in the “Depends on bus” mode, and all buses are allowed.

4.2 Advanced Settings

Kaspersky Endpoint Security allows blocking only those types of devices that are included in the list. This list cannot be edited to add new devices. You can partially restrict the use of removable drives, hard drives, and floppy disks by specifying:
— The list of accounts that are allowed to use the device type. You can select accounts from the domain to which the computer where the Administration Console is started belongs, or among local users if there is no domain. The rule will work on any computer where the policy is enforced. The Everyone universal account is always available
— Operation types and access schedule. You can manage Read and Write permissions separately. The schedule is specified by hours and days of the week. For example, you can allow Read operations for removable drives to Everyone each working day from 8:00 to 21:00, and Write operations only to the Administrators and only during business hours

If several rules fit a user, the most restrictive of them will be applied. If a device is “allowed”, it means “always allow everyone to perform any operation.”

You can combine the rules. For example, prohibit USB devices and removable drives, but make an exclusion for the administrators: allow them to use USB flash drives during business hours.

The changed policy comes into operation as soon as it is enforced. If, for example, removable data carriers are blocked while the user has plugged in a USB flash drive and has copied something there, it will become unavailable as soon as the policy is enforced, and the next operation will be blocked.

4.3 Trusted Devices

If there are removable drives in the company that must be allowed always and everywhere, it might be worthwhile to make them trusted. Trusted devices are specified in the Kaspersky Endpoint Security policy, in the Device Control | Trusted devices section. Devices can be made trusted by their ID, by an ID mask or by model. When you click the Add button above the list of trusted devices, it expands into a list of three options:
— Devices by ID
— Devices by model
— Devices by ID mask

The first two options allow you to select the device that you want to make trusted, and its ID or model will be added to the list. ‘Select’ means that the Administration Server must have the device in its database. If the Administration Server is unaware of this particular device, you can’t make it trusted.

The Devices by ID mask option allows you to type the device ID or a part of it. This doesn’t rely on the Administration Server’s knowledge of the device, only on the administrator’s knowledge of the device ID. The device ID can be found in the Windows Device Manager, in the device properties on the Details tab. Look for the value of the Device Instance Path property. It looks somewhat like USBSTOR\DISK&VEN_&PROD_USB_FLASH_DRIVE&REV_1.01\574B17001160&0

When adding a mask, you can replace a part of the ID with ‘*’ or ‘?’ to make it applicable to multiple devices, e.g., ‘NEC*CDR??’. This helps when a company has a lot of devices with similar IDs that should be trusted. Adding a device by model can also help in this case, if all devices are from the same vendor and of the same type. There is also a Comment field when adding a trusted device, which the administrator can fill in to describe why this trusted device (or group of devices) is added.

To add a device by model or by ID without typing it, connect the device to a managed computer with Kaspersky Endpoint Security installed. The Device Control component must be installed too. Then you need to wait for some time until the information about the device makes it to the Administration Server. To simplify the search for the necessary device, you can choose the device type and also specify the name of the computer where it is or was connected. Then click the Refresh button to display the filtered results.

Before adding the device, you can also restrict the list of users that will have access to it. You may want to have trusted devices, but you may not necessarily want everybody to have access to them. Perhaps only administrators should be able to use them.
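The ID, ID-mask and model options above, worked through as an added Python example that is not the product's code or the guide's: a small audit that checks which of a set of observed device instance paths a proposed Trusted devices list would actually trust, so an over-broad mask is caught before the policy is deployed. The device IDs other than the one quoted above are constructed; the guide does not say how a model is derived or whether a mask covers the whole ID, so this code assumes the model is the VEN_/PROD_ part of the path and that masks match the whole ID case-insensitively (which is why the guide's 'NEC*CDR??' appears as '*NEC*CDR??*').

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample data, not taken from any real Administration Server database.
# The first ID is the example instance path quoted in the guide; the others are
# made up to show how masks and models behave across a fleet of similar devices.
OBSERVED_DEVICE_IDS = [
    r"USBSTOR\DISK&VEN_&PROD_USB_FLASH_DRIVE&REV_1.01\574B17001160&0",
    r"USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_3.0&REV_PMAP\0019E06B1234&0",
    r"USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_3.0&REV_PMAP\0019E06B5678&0",
    r"USBSTOR\CDROM&VEN_NEC&PROD_DVD_RW_ND-3550A&REV_1.05\NECCDR01&0",
    r"USBSTOR\CDROM&VEN_NEC&PROD_DVD_RW_ND-3550A&REV_1.05\NECCDR02&0",
    r"USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\AA04012700007590&0",
]


@dataclass(frozen=True)
class TrustedEntry:
    """One row of the Trusted devices list: the three options behind the Add button."""
    kind: str           # "id", "mask" or "model"
    value: str
    comment: str = ""   # the Comment field the guide mentions


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """Translate a Device Control mask into an anchored regular expression.
    '*' stands for any run of characters, '?' for exactly one; everything else
    is literal (backslashes and '&' in instance paths included).
    Assumptions: the mask must cover the whole ID, and matching ignores case."""
    pattern = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in mask
    )
    return re.compile("^" + pattern + "$", re.IGNORECASE)


def matches_mask(device_id: str, mask: str) -> bool:
    return mask_to_regex(mask).match(device_id) is not None


_MODEL_RE = re.compile(r"VEN_([^&\\]*)&PROD_([^&\\]*)", re.IGNORECASE)


def model_of(device_id: str) -> str:
    """Vendor and product part of an instance path, e.g. 'KINGSTON DATATRAVELER_3.0'.
    Assumption: 'Devices by model' compares this part; the guide does not define it."""
    found = _MODEL_RE.search(device_id)
    if not found:
        return ""
    return f"{found.group(1)} {found.group(2)}".strip().upper()


def entry_trusts(entry: TrustedEntry, device_id: str) -> bool:
    if entry.kind == "id":
        return entry.value.upper() == device_id.upper()
    if entry.kind == "mask":
        return matches_mask(device_id, entry.value)
    if entry.kind == "model":
        return model_of(device_id) == entry.value.upper()
    raise ValueError(f"unknown trusted-device entry kind: {entry.kind}")


def audit(observed: List[str], entries: List[TrustedEntry]) -> Dict[str, List[str]]:
    """For every observed device ID, list the trusted entries that would make it
    trusted. An empty list means the device stays subject to the normal rules."""
    return {
        dev: [e.value for e in entries if entry_trusts(e, dev)] for dev in observed
    }


def entry_hits(observed: List[str], entries: List[TrustedEntry]) -> Dict[str, int]:
    """How many observed devices each entry trusts. Review entries with unexpectedly
    high counts before deploying the policy: a mask such as 'USBSTOR\\*' trusts
    every USB storage device the Administration Server has ever seen."""
    return {e.value: sum(entry_trusts(e, dev) for dev in observed) for e in entries}


# Constructed Trusted devices list illustrating the three options.
# The guide's mask 'NEC*CDR??' is wrapped in '*' because this code matches whole IDs.
TRUSTED = [
    TrustedEntry("id", OBSERVED_DEVICE_IDS[0], "Finance dept. backup stick"),
    TrustedEntry("mask", "*NEC*CDR??*", "Burner drives in the media room"),
    TrustedEntry("model", "KINGSTON DATATRAVELER_3.0", "Standard issue flash drives"),
]

if __name__ == "__main__":
    for dev, trusted_by in audit(OBSERVED_DEVICE_IDS, TRUSTED).items():
        print("trusted   " if trusted_by else "controlled", dev, trusted_by)
    print(entry_hits(OBSERVED_DEVICE_IDS, TRUSTED + [TrustedEntry("mask", r"USBSTOR\*")]))
```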

4.4 Configuring Interaction with User

When the user attempts to connect a blocked device, a pop-up notification is displayed. If notifications are disabled, the user might think that there is a hardware problem, contact technical support, or even worse, try to “fix” it without assistance. The administrator can modify the notification text, for example, add the contact information of the person responsible for device access. To open the notification template, click the Templates button in the Device Control section of the Kaspersky Endpoint Security policy. You can use variables in the notification text, for example, the name of the device or the blocked operation.

If the pop-up notification about blocking is enabled, it contains the Complain link, which can be neither disabled nor hidden. If the user sends a complaint, it is sent to the server as an event with the Warning severity level. Similar to the other control components, complaints are displayed in a special selection named User requests. The administrator does not have to react to a complaint; but if they want to, they can, for example, configure the corresponding e-mail notifications in the Kaspersky Endpoint Security policy.

4.5 Temporary Access

Kaspersky Endpoint Security enables users to request temporary access to blocked devices. The procedure is as follows:
1. The user finds out that the necessary device is blocked
2. Generates a request key for it in the Kaspersky Endpoint Security local interface
3. E-mails the key to the administrator
4. The administrator examines the request, and in the case of an affirmative answer, creates and sends the user a special access code
5. The user activates the received code. After this, the selected device (and only that device) becomes accessible for the time span specified by the administrator. The user cannot pause temporary access to use it later; and the administrator cannot remotely revoke temporary access

It goes without saying that many users may believe that their devices are blocked by mistake, and will ask the administrator for temporary access. To avoid numerous requests, you can disable this capability: in the Kaspersky Endpoint Security policy, on the Device Control tab, clear the Allow request for temporary access check box.

How to send a request

The user opens the Kaspersky Endpoint Security interface on the Protection and Control tab, and on the shortcut menu of Device Control clicks Access to device. A window opens with the list of devices ever connected to the computer, including the blocked ones. Find the device for which access is necessary, select it and click Get access code. So as not to make a mistake when selecting the device, switch the device representation mode from For the entire runtime to Currently.

Note: If the administrator prohibits requesting temporary access, the button appears dimmed.

The only configurable parameter is the desired access duration (24 hours by default). The value entered by the user is only a wish. The administrator can either use the offered value or change it when generating the access code. The user is to send the generated .akey file to the administrator.

How to create an activation code

Temporary access is granted to a specific user for the specified device on the specified computer. That is why the code is generated from the client computer’s shortcut menu, not in the policy or in the group properties. A client computer can be conveniently found in the Administration Console with the Search utility. Then the administrator should open its shortcut menu and select the Grant access to devices and data in offline mode command. In the window that opens, switch to the Device Control tab and click the Browse button to select the received .akey file. The Administration Server checks the file integrity and whether it belongs to the selected computer, and then displays the request.

If necessary, the administrator can change the access duration and activation window. Neither period can be less than an hour or more than 999 hours. The default value for both is 24 hours. Then the administrator is to save the generated code into an .acode file and send it back to the user.

So, the code is generated for the exact device and the computer where the user generated the key. Any other devices will still be blocked; also, the device for which the access was granted will be blocked on other computers. The code is also bound to the username. Another user will not be able to access the same device on the same computer using this access code. If temporary access is activated by the user who requested it and another user logs on to the computer during the allowed period, they will not be able to use the device.

How to activate temporary access

In the same window where the request key was generated, the user clicks the Activate access code button and specifies the received .acode file. The device can be used immediately. Neither a restart nor synchronization with the Administration Server is necessary. The code must be activated before the specified activation window expires, and the access duration countdown starts at the moment of activation. The device may be connected at any time (or even several times) during this period, or not connected at all. The access countdown cannot be paused. When temporary access is activated, a notification is sent to the Administration Server, but it is not included either in the selection of user requests or in the report on Device Control events.

4.6 Monitoring Device Control

Every time a user attempts to connect a blocked device, an event is sent to the Administration Server. It contains the time, the name of the computer where the attempt was registered, the bus or type of the device, its ID, the operation and the account that initiated it. The event is named Operation with the device prohibited; it is Critical and is displayed in the selection of Critical events. If necessary, the administrator can make a separate selection for blocked device access attempts.

The Operation with the device allowed event, which has the Info severity, is sent if a non-prohibited device is connected. The number of such events shows the use frequency of USB flash drives, local printers, scanners, removable drives, etc. All events, including complaints, are stored on the server for 30 days by default.

The Report on Device Control events provides the general view of the Device Control work. It displays a chart with the distribution of its responses by user names. By default, the report includes all actions—device connecting, disconnecting and blocking. To generate a report about device blocking only, leave only the Connection is blocked check box selected in the Settings section of the report properties.

If necessary, the administrator can configure receiving daily e-mail statistics about who tried to connect, for example, USB flash drives, and when. The Deliver reports task serves this purpose; it is described in Unit IV, Maintenance.

Chapter 5. Web Control

The task of web control is to filter Internet access according to the internal policy of the organization. Usually it is used to block social networks, music, video, non-corporate web e-mail, etc. during business hours. If a user tries to open such a site, either a notification that the access is blocked or a warning about an unwelcome site can be displayed, depending on the settings in the policy.

Web Control operates similarly to firewalls. The administrator creates a set of blocking and allowing rules. The rule properties include the user accounts, schedule, connection and content-specific conditions, and the action. The rules are applied in the order specified by the administrator, and a page is processed according to the first applicable rule. The Default rule that allows everything to everyone takes the last place on the list and acts as a ‘catch all’ rule. Only HTTP and HTTPS traffic is scanned.

5.1 Blocking Criteria

First, access can be denied or allowed by site address. The administrator can explicitly specify the URLs to be blocked, or use the * wildcard to block sites by address masks—for example, *.fm or *shop*. Kaspersky Endpoint Security can also analyze webpage content (over HTTP) and classify pages into the following categories:
— Adult content
— Software, audio, video
— Alcohol, tobacco, narcotics
— Violence
— Profanity, obscenity
— Weapons, explosives, pyrotechnics
— Gambling, lotteries, sweepstakes
— Internet communication media
— Electronic commerce
— Job search
— HTTP query redirection
— Computer games
— Religions, religious associations
— News media
— Banners

The content can also be categorized by data types:
— Video
— Sound
— Office files
— Executable files
— Archives
— Graphic files

As far as secure connections (HTTPS) are concerned, Kaspersky Endpoint Security has no access to the traffic contents. Therefore, HTTPS traffic is filtered only by addresses; for example, if social networks are blocked, https://facebook.com will also be blocked, as this address is included in the signature databases as pertaining to social networks.

The administrator can restrict access to any category or data type, but cannot edit or add the lists of categories and data types. Filtering by category and data type can be combined within a rule: for example, you can block office files and archives received by web mail. Sites are categorized using the database of known addresses (pc*.dat files in the updates folder), and heuristic analysis of page content (for non-secure connections only). URL reputation can also be requested from Kaspersky Security Network.

Data types are hard-coded in Kaspersky Endpoint Security and include the following file types:

Executable files:
— Win32 PE—exe, dll, ocx, scr, drv, vdx, and other extensions of Win32 PE files
— Visual Basic Script—vbs, vb
— Executable files (not PE) MS-DOS, Win-16, OS/2—exe, dll, com
— Command Line Script—cmd, bat
— Microsoft Installer Archive—msi

Video:
— Adobe Flash Video—flv, f4v
— Audio/Video Interleave—avi
— MPEG4 ISO format—3gp, 3g2, 3gp2, 3p2
— MPEG4—divx, mp4, m4a
— Matroska—mkv
— Apple Quicktime—mov, qt
— Microsoft Container—asf, wma, wmv
— RealMedia CB/VB—rm, rmvb
— MPEG2 (DVD) format—vob
— VCD (MPEG 1)—dat, mpg
— Bink Video—bik

Sound:
— MPEG-1 Layer 3—mp3
— Lossless Audio—flac, ape
— OGG Vorbis Audio—ogg
— Advanced Audio Coding—aac
— Windows Media Audio—wma
— AC3 multichannel audio—ac3
— Microsoft Wave—wav
— Matroska Audio—mka
— RealAudio—rm, ra, ravb
— MIDI—mid, midi
— CD digital Audio—cdr, cda

Office files:
— Open XML documents—docx, xlsx, pptx, dotx, potx, and others
— Office 2007 macro enabled docs—docm, xlsm, pptm, dotm
— MS Office documents—doc, xls, ppt, dot, pot
— Adobe Acrobat—pdf

Archives:
— ZIP archive—zip, g-zip
— 7-zip archive—7z, 7-z
— RAR archive—rar
— ISO-9660 CD Disk—iso
— Windows Cabinet—cab
— Java (ZIP) archive—jar
— BZIP2 archive—bzip2, bz

Graphic files:
— JPEG/JFIF—jpg, jpe, jpeg, jff
— GIF—gif
— Portable Graphics—png
— Windows Bitmap (DIB)—bmp
— Targa Image File Format—tif, tiff
— Windows Meta-File—emf, wmf
— Post-Script Format—eps
— Adobe Photoshop—psd
— Corel Draw—cdr


Let’s mention some specifics of Kaspersky Endpoint Security types and categories:
— The type is defined by file format. Therefore, this does not work for secure connections; but it is possible to use the address filter to block files by extensions. For example, to block .key files, specify the *.key mask
— Data types inside archives are not checked—if executable files are prohibited while archives are not, archived executable files will be allowed
— PDF documents are included in the Office files category. Therefore, if this category is blocked, some sites that use pdf may display incorrectly
— In old versions of Kaspersky Anti-Virus (6.0.x), Anti-Banner was implemented as a separate component. In Kaspersky Endpoint Security, you can block banners with the corresponding content category in Web Control
— Flash videos in SWF format can be blocked only by extension mask—usually it is *.swf

The rules may be applied depending on the account and access time.


5.2 Configuring Exclusions and Trusted Servers

Sometimes a site can be blocked by mistake. For example, a corporate portal can be recognized as a social network, or online training can be blocked because of video files. In this case, it is easier to create an allowing rule than to create a separate group with a special policy. You can configure an allow rule that gives access to some categories or data types located on the specified servers. For such a rule to be applied before the blocking rules, place it higher on the list.

In extreme cases, the organization policy can prohibit the Internet during business hours and allow only the corporate site, with an exclusion made only for the IT department. In this case, the administrator creates the general rule (during business hours, deny everything to everybody) and then adds two allowing rules above it: the first allowing any content to the accounts of IT department employees, and the second allowing everybody to access the corporate site.

By default, in addition to the universal rule allowing everything to everybody, there is another rule in Web Control, Scripts and Stylesheets, which explicitly allows files with .css, .js, and .vbs extensions. Usually these files contain style sheets, JavaScript and Visual Basic scripts saved as separate files. This rule is necessary because such files are sometimes located on separate servers and their URLs differ from the main site address. If a site is allowed while its scripts and style sheets are blocked, it will be displayed incorrectly. To avoid this, keep the rule allowing .css, .js, and .vbs higher than the prohibiting rules.

5.3 Diagnostics and Testing

When there are many rules, it is sometimes difficult to monitor which of them were applied and why. For this purpose, Kaspersky Endpoint Security has an offline diagnostics tool for Web Control. To use it, first enforce the policy on a workstation, and then open the local Kaspersky Endpoint Security interface on that workstation. Then switch to the Settings tab, select Web Control, and click the Diagnostics button. It opens a window where you can specify the conditions of a presumed request:
— Select categories
— Select data types
— Specify day and time
— Select accounts
— Type site address (the * wildcard is allowed)

and get the Web Control verdict with the list of rules applicable to these conditions. For example, the administrator can check whether access to an employee’s personal home mail server is blocked by the rule that blocks web mail. Conversely, if users complain that they cannot access an allowed site, you can find out which rule causes the problem.
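The following model is an added example, not Kaspersky’s code or the product’s rule engine: it reproduces the behaviour described in 5.1 to 5.3 (HTTPS requests matched by address only, data types recognized by file format rather than extension, archive contents not inspected, rules evaluated top-down with allowing rules placed above blocking ones) so that a rule list can be reasoned about offline the way the Diagnostics window does. The address database, magic-byte table, rule names, user names and hosts are all constructed for the demo.

```python
"""Toy model of Web Control rule evaluation (added example, not Kaspersky code)."""
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatch
from typing import List, Optional, Set, Tuple
from urllib.parse import urlparse

# Constructed stand-in for the pc*.dat address database: host -> categories.
URL_CATEGORIES = {"facebook.com": {"Social networks"}, "mail.example.com": {"Web mail"}}

# Constructed magic-byte table: data types are recognized by format, not extension.
MAGIC = [(b"MZ", "Executable files"), (b"%PDF", "Office files"),
         (b"PK\x03\x04", "Archives"), (b"\xff\xd8\xff", "Graphic files")]


@dataclass
class Request:
    url: str
    user: str
    when: datetime
    content: Optional[bytes] = None   # None for HTTPS: the body is not visible

    @property
    def categories(self) -> Set[str]:
        host = urlparse(self.url).hostname or ""
        for known, cats in URL_CATEGORIES.items():
            if host == known or host.endswith("." + known):
                return cats
        return set()

    @property
    def data_type(self) -> Optional[str]:
        """Only the outer container is inspected: a zip holding an exe is an archive."""
        if self.content is None:
            return None
        return next((t for sig, t in MAGIC if self.content.startswith(sig)), None)


@dataclass
class Rule:
    name: str
    action: str                                          # "allow", "warn" or "block"
    categories: Set[str] = field(default_factory=set)
    data_types: Set[str] = field(default_factory=set)
    url_masks: List[str] = field(default_factory=list)   # e.g. "*.key"
    users: Set[str] = field(default_factory=set)         # empty = everybody
    hours: range = range(0, 24)

    def matches(self, req: Request) -> bool:
        """Every condition that is set must hold; categories and data types combine."""
        if self.users and req.user not in self.users:
            return False
        if req.when.hour not in self.hours:
            return False
        if self.categories and not (self.categories & req.categories):
            return False
        if self.data_types and req.data_type not in self.data_types:
            return False
        if self.url_masks and not any(fnmatch(req.url, m) for m in self.url_masks):
            return False
        return True


def diagnose(rules: List[Rule], req: Request) -> Tuple[str, List[str]]:
    """Verdict of the first matching rule plus every rule applicable to the conditions."""
    applicable = [r.name for r in rules if r.matches(req)]
    verdict = next((r.action for r in rules if r.matches(req)), "allow")
    return verdict, applicable


# Rule list as an administrator would arrange it: allowing rules above blocking ones.
RULES = [
    Rule("Scripts and Stylesheets", "allow", url_masks=["*.css", "*.js", "*.vbs"]),
    Rule("IT department", "allow", users={"it-admin"}),
    Rule("Corporate portal", "allow", url_masks=["*://portal.example.com/*"]),
    Rule("Office files and archives via web mail", "block",
         categories={"Web mail"}, data_types={"Office files", "Archives"}),
    Rule("Social networks", "block", categories={"Social networks"}),
    Rule("Key files by extension", "block", url_masks=["*.key"]),
    Rule("Business hours lockdown", "block", hours=range(9, 18)),
    Rule("Everything", "allow"),
]

# Rule list that blocks executables but not archives (the archive caveat above).
EXE_ONLY_RULES = [Rule("Executables", "block", data_types={"Executable files"}),
                  Rule("Everything", "allow")]


def _presumed(url: str, user: str, hour: int, content: Optional[bytes]) -> Request:
    return Request(url, user, datetime(2017, 5, 3, hour, 0), content)


def verdict_for(url: str, user: str, hour: int, content: Optional[bytes] = None,
                rules: Optional[List[Rule]] = None) -> str:
    """Verdict for a presumed request on 3 May 2017 at the given hour."""
    return diagnose(RULES if rules is None else rules, _presumed(url, user, hour, content))[0]


def rules_for(url: str, user: str, hour: int, content: Optional[bytes] = None) -> List[str]:
    """Names of the RULES entries that apply to the presumed request, in list order."""
    return diagnose(RULES, _presumed(url, user, hour, content))[1]
```

Run `verdict_for("https://mail.example.com/report.pdf", "alice", 20)` and the same URL over plain `http://` with the body `b"%PDF-1.7"`: the HTTPS request is allowed because no data type can be detected, the HTTP one is blocked by the web-mail rule. `verdict_for("http://dl.example.com/tool.zip", "alice", 20, b"PK\x03\x04MZ", rules=EXE_ONLY_RULES)` is allowed because only the outer archive format is inspected.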


5.4 Configuring Interaction with User

If Web Control blocks a part of the page contents, the user may overlook it. If the page is completely forbidden, a replacement page with the Web Control message is displayed: either a warning that access is undesired, or a message about blocking.

If the site is just undesirable (a Warning rule has been triggered), the user can proceed to the page by clicking one of the links in the warning message: the link to the specific page that was requested, the link that enables access to all pages on the web site, or the link for all pages on the web site and its subsites (e.g. access to *.amazon.com/* as opposed to www.amazon.com/*). If the site is blocked, there are no links to proceed; access is completely denied.


Note: Notifications are displayed only for non-secure connections. If the HTTPS protocol is used to open a web site, the user will see only the browser message about the inability to display the page in both cases.

There is also a Complain link in all types of messages, which lets the user disagree with the policy and request a policy change to be able to access the blocked web site freely. Complaints are sent to the Administration Server as events and fall into the User requests selection.

You can edit both warning and blocking notifications, as well as the complaint template: in the Kaspersky Endpoint Security policy, switch to the Web Console section and click the Templates button.


5.5 Web Control Statistics

When Web Control blocks access or warns that the access is unwanted, it simultaneously sends the corresponding event to the Administration Server: Access blocked with Critical severity, or Warning about unwanted content with Warning severity, respectively. In both cases, the event contains the access time, site URL, applied rule, computer name, user account and Web Control verdict. If the rule was created for a category or data type, they are also specified.

Note: Web Control independently processes each object of which the site consists. That is why, for example, when graphic files are prohibited, blocking of each little image generates a separate event. Therefore, an attempt to access a forbidden site can result in sending hundreds of events, which does not necessarily mean that the user browses the Internet day and night. That is why these events are not transferred to the Administration Server by default.

If a user ignores the warning about undesired access and opens the site, the Access to unwanted content successfully attempted after warning event, having the Warning severity, is sent to the server.

5.6 Web Control Report

For regular control and general information, a report can be used. It provides aggregate statistics on the number of warnings and blockages for each rule. Allowing rules are not included.
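As an added example (not Kaspersky’s code and not the product’s report), the following script shows how an analyst who has exported Web Control events could deal with the two points made in 5.5 and 5.6: the per-object event noise (one event per blocked image) is folded back into site visits, the per-rule warning and blockage totals of the report are rebuilt, and the users who clicked through a warning are listed. The event records are constructed with the fields the text names; the user, computer and host names are placeholders.

```python
"""Aggregating Web Control events (added example, not Kaspersky code)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple
from urllib.parse import urlparse

WARN = "Warning about unwanted content"
BLOCK = "Access blocked"
IGNORED = "Access to unwanted content successfully attempted after warning"


def _image_events(n: int) -> List[dict]:
    """Constructed: one visit to a picture site with graphic files prohibited
    produces one Critical event per image, a second apart."""
    start = datetime(2017, 5, 3, 10, 15, 0)
    return [{"time": start + timedelta(seconds=i), "severity": "Critical", "event": BLOCK,
             "url": f"http://pics.example.net/img{i}.jpg", "rule": "Graphic files",
             "computer": "WS-017", "user": "CORP\\alice", "verdict": "block",
             "data_type": "Graphic files"} for i in range(n)]


# Constructed sample export: 120 image blocks, a warning the user clicked through,
# and one web-mail attachment block on another computer.
EVENTS = _image_events(120) + [
    {"time": datetime(2017, 5, 3, 11, 2, 0), "severity": "Warning", "event": WARN,
     "url": "https://www.example-social.com/", "rule": "Social networks",
     "computer": "WS-017", "user": "CORP\\alice", "verdict": "warn",
     "category": "Social networks"},
    {"time": datetime(2017, 5, 3, 11, 2, 9), "severity": "Warning", "event": IGNORED,
     "url": "https://www.example-social.com/", "rule": "Social networks",
     "computer": "WS-017", "user": "CORP\\alice", "verdict": "warn",
     "category": "Social networks"},
    {"time": datetime(2017, 5, 3, 14, 40, 0), "severity": "Critical", "event": BLOCK,
     "url": "http://mail.example.com/report.pdf", "rule": "Office files via web mail",
     "computer": "WS-042", "user": "CORP\\bob", "verdict": "block",
     "category": "Web mail", "data_type": "Office files"},
]


def collapse_visits(events: List[dict], window: timedelta = timedelta(minutes=5)
                    ) -> Dict[Tuple[str, str, str, str], Tuple[int, int]]:
    """Fold per-object events into (user, computer, host, rule) -> (visits, objects).
    Events within `window` of the first event of a visit belong to that visit."""
    state = defaultdict(lambda: [0, 0, None])          # visits, objects, visit start
    for e in sorted(events, key=lambda e: e["time"]):
        key = (e["user"], e["computer"], urlparse(e["url"]).hostname, e["rule"])
        s = state[key]
        if s[2] is None or e["time"] - s[2] > window:
            s[0] += 1
            s[2] = e["time"]
        s[1] += 1
    return {k: (s[0], s[1]) for k, s in state.items()}


def rule_report(events: List[dict]) -> Dict[str, Dict[str, int]]:
    """Per-rule warnings and blockages, like the Web Control report. Allowing
    rules generate neither event type, so they never appear here."""
    report = defaultdict(lambda: {"warnings": 0, "blockages": 0})
    for e in events:
        if e["event"] == BLOCK:
            report[e["rule"]]["blockages"] += 1
        elif e["event"] == WARN:
            report[e["rule"]]["warnings"] += 1
    return dict(report)


def warnings_ignored(events: List[dict]) -> Counter:
    """How often each user proceeded past a warning page."""
    return Counter(e["user"] for e in events if e["event"] == IGNORED)
```

On the constructed export, `collapse_visits` turns the 120 image events into a single visit, which is the view a SOC analyst wants before deciding whether a user really "browses the Internet day and night"; `rule_report` gives the per-rule totals the built-in report shows.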


Unit IV. Maintenance

Introduction ..... 4
Chapter 1. License Management ..... 5
  1.1 What Is This Chapter About ..... 5
  1.2 Licensing Basics ..... 6
    License concept ..... 6
    License prolongation ..... 6
    Licensing of Kaspersky Endpoint Security for Business (KESB) ..... 8
    Kaspersky Endpoint Security 10 licensing ..... 8
    Kaspersky Security Center 10 licensing ..... 10
  1.3 Activation ..... 10
    General ..... 10
    Activation key ..... 12
    Activation code ..... 12
    Activation proxy ..... 12
  1.4 License Expiration ..... 14
    Key expiration ..... 14
    Additional keys ..... 16
  1.5 Activation of Kaspersky Security Center 10 and Kaspersky Endpoint Security 10 ..... 16
    Kaspersky Security Center 10 activation ..... 16
    Activation of Kaspersky Endpoint Security 10 via Kaspersky Security Center 10 ..... 18
    Key installation task ..... 20
    Activating Kaspersky Endpoint Security 10 ..... 20
  1.6 Information About Licenses ..... 22
    Licenses in the Administration Console ..... 22
    Functionality limitation data ..... 22
    Key usage report ..... 24
    Computer statuses ..... 24
    Kaspersky Endpoint Security 10 events ..... 26
    Kaspersky Security Center 10 events ..... 26
  1.7 Subscription Licenses ..... 28
Chapter 2. Updates ..... 30
  2.1 Overview ..... 30
    Update types ..... 30
    Update management ..... 32
  2.2 Updating Server Repository ..... 34
    Schedule ..... 34
    Sources ..... 34
    Connection parameters ..... 34
    Updates list ..... 36
    Network Agent module updates ..... 36
  2.3 Updating Client Computers ..... 38
    Group tasks ..... 38
    Schedule ..... 40
    Sources ..... 40
    Module updates ..... 42
    Kaspersky Seamless Update Service ..... 42
  2.4 Monitoring Updates ..... 44
    Updates repository ..... 44
    Computer statuses ..... 44
    Global status ..... 46
    Statistics and reports ..... 46
  2.5 Rollback ..... 48
Chapter 3. Interaction with the User ..... 48
  3.1 Password Protection ..... 48
    Password protection in Kaspersky Endpoint Security ..... 50
    Configuring password protection for Network Agent ..... 52
  3.2 Local and Group Task Management via KES Interface ..... 52
  3.3 Local Notifications ..... 56
  3.4 Technical Support Information ..... 58
  3.5 Concealing Kaspersky Endpoint Security ..... 58
Chapter 4. Out-Of-Office Computer Management ..... 60
  4.1 Out-of-Office Policy Settings ..... 62
  4.2 Conditions of Switching into Out-of-office Mode ..... 62
  4.3 Update Settings in Mobile Mode ..... 64
Chapter 5. Backup and Restore ..... 66
  5.1 Backup Considerations ..... 66
  5.2 Creating a Backup Copy ..... 68
    How backup works in Kaspersky Security Center ..... 68
    Backup task settings ..... 68
  5.3 Restoring Data from Backup Copy ..... 70
Chapter 6. Statistics and Reports ..... 72
  6.1 Introduction ..... 72
    Overview ..... 72
    Interconnection of monitoring tools ..... 72
  6.2 Computer Statuses and Selections ..... 73
    Computer statuses ..... 73
    Searching for computers ..... 74
    Standard selections ..... 76
    Custom selections ..... 76
  6.3 Events and Event Selections ..... 78
    Local events ..... 78
    Events on the Administration Server ..... 80
    Database maintenance ..... 82
    Event notifications ..... 84
    E-mail notification settings ..... 84
    SMS notification settings ..... 86
    Executable file start ..... 86
    Notification limits ..... 86
    SNMP notification ..... 88
    Event selections ..... 88
  6.4 Reports and Statistics ..... 90
    Reports ..... 90
    Statistics ..... 94


Introduction

This unit covers the following aspects of Kaspersky Security Center 10 and Kaspersky Endpoint Security 10 operation:
— Licensing and license management—most functions of the products in question are inaccessible without a license; that is why license installation is an important part of deployment. Since a license expires sooner or later, if the company decides to prolong the license, the administrator should quickly and efficiently distribute the new license to the computers
— Updates—the products can operate without updates, but protection efficiency declines quickly. That is why regular updating is an important part of endpoint protection maintenance
— Interaction with user—users don’t interact with Kaspersky Security Center (or even with the Network Agent); they only interact with Kaspersky Endpoint Security. Or rather, Kaspersky Endpoint Security may interact with the user. How much of Kaspersky Endpoint Security is exposed depends on the administrator-defined settings. There can be too much exposure, when users are overwhelmed with messages they don’t understand, or too little interaction, when users are confused about hidden actions taken by Kaspersky Endpoint Security. That’s why the various options, their values and trade-offs are worth discussing
— Out-of-office mode—when computers are outside the network, some of the protection settings need to be changed. E.g., none of the networks can be trusted; the users cannot rely upon the administrator and must depend on themselves if security incidents occur; the update settings that are optimal within the network are not optimal outside, etc. Automation of the configuration change depending on the computer location is an important aspect of protection management
— Backup and recovery—we need not explain what backup copying is necessary for and why it is important. Deployment and setup of the protection management system is a time-consuming process. The built-in backup copying tools of Kaspersky Security Center protect your time and effort
— Customizing monitoring tools—usually, the administrator cannot afford to look through events and reports in the Administration Console all day long. In practice, the administrator opens the console occasionally and for a short time. They need to quickly evaluate the network protection status and whether they need to take some actions. Customizing the presentation of the monitoring tools may increase the efficiency of the administrator’s work


Chapter 1. License Management

1.1 What Is This Chapter About

This chapter covers various aspects of product licensing:
— What is a license, and what are the attributes it has
— In which cases does a company have to purchase or update a license
— Licensing schema for Kaspersky Lab products—Kaspersky Security for Business (KES4B)
— Specifics of Kaspersky Security Center 10 and Kaspersky Endpoint Security 10 licensing
— Product activation concept, activation methods of Kaspersky Lab products, keys and activation codes
— Work with the keys and activation codes in Kaspersky Security Center 10 and Kaspersky Endpoint Security 10
— Gathering information about license use
— Events and statuses concerning the license use


1.2 Licensing Basics

License concept

A license is the limited right of the user (buyer, customer) to use the product. The limitations may include:
— Licensing period—1 year usually, but may be a month, 6 months, 3 years, etc. Subscription licenses may not have a definite licensing period and assume continuous prolongation until the subscription is cancelled by either party
— The number of computers—or, more precisely, the number of licensed objects, which are computers for Kaspersky Endpoint Security 10, but could also be mailboxes, megabytes of traffic, or non-computer devices for other products and license types
— Types of licensed objects—for example, servers, workstations, mobile devices (smartphones, tablets); a license may allow using the product on workstations, but not on servers
— Functionality—for example, anti-malware protection, encryption, mobile devices management; Kaspersky Endpoint Security 10 and Kaspersky Security Center 10 include various functions, and a license may allow using some functions and prohibit others

License prolongation

Initially, a license is purchased together with the product to entitle its use. Later, another license can be purchased to overcome one of the following license limitations:
— Prolong—the most typical situation, when the company is satisfied with the product and it is necessary to renew the license to keep using it
— Increase the number of computers—if the company grows and the number of computers is about to exceed the license limit
— Extend functionality—if the necessity to use additional product functions has appeared in the company, for example, Encryption or automatic installation of Windows updates


Licensing of Kaspersky Endpoint Security for Business (KESB)

Simultaneously with the release of Kaspersky Endpoint Security 10 and Kaspersky Security Center 10, Kaspersky Lab adopted a licensing schema called Kaspersky Endpoint Security for Business (or KESB for short). This licensing schema is designed to organize and structure licensing options depending on the customer’s needs. KESB supports the following license bundles:
— KESB Core
— KESB Select
— KESB Advanced
— Kaspersky Total Security for Business

A license bundle can be used on several different products, e.g., Kaspersky Endpoint Security 10 and Kaspersky Security Center 10, and allows a customer to use a specific set of functions within each product. In addition to license bundles, licenses for individual products or functional areas (such as Mobile Devices Management) can be purchased according to the Kaspersky Targeted Security licensing schema.

Kaspersky Endpoint Security 10 licensing

KESB license bundles allow using Kaspersky Endpoint Security 10 features as follows.
— Core—the right to use the following functionality of Kaspersky Endpoint Security 10 only on workstations:
  — Virus Scan
  — File Anti-Virus
  — Mail Anti-Virus
  — Web Anti-Virus
  — IM Anti-Virus
  — System Watcher
  — Firewall
  — Network Attack Blocker
  — Vulnerability Scan
  — Vulnerability Monitor
  — Application Privilege Control
  — BadUSB Attack Prevention
— Select—the right to use the following functionality of Kaspersky Endpoint Security 10 on servers and workstations (considering system requirements):
  — Core functionality
  — Application Startup Control
  — Device Control
  — Web Control
— Advanced—the right to use all functions of Kaspersky Endpoint Security 10 (including encryption) on servers and workstations

The Kaspersky Total Security license bundle allows a customer to use the same functions of Kaspersky Endpoint Security 10 for Windows as KESB Advanced. Kaspersky Endpoint Security 10 for Windows is licensed by the number of protected devices.


Kaspersky Security Center 10 licensing

With regard to Kaspersky Security Center 10, the bundles include:
— Core—the right to use typical protection and computer management functionality. The complete list of functions provided by the Core license is too large; we would rather list the capabilities that need wider licenses
— Select—the right to use mobile device management functionality of Kaspersky Security Center 10, including Kaspersky Endpoint Security 10 for Mobile management and creation of mobile device management servers based on Exchange ActiveSync and Apple MDM
— Advanced—the right to use Systems Management functionality, such as:
  — Vulnerability assessment and patch management (reduced functionality is available in the Core license)
  — Creation and deployment of operating system images
  — Hardware and software inventory (reduced functionality is available in the Core license)
  — Network access control
  — License monitoring for applications by other manufacturers

In the context of Kaspersky Security Center 10, the Kaspersky Total Security license bundle does not add anything to the KESB Advanced functionality. Kaspersky Total Security additionally allows customers to use Kaspersky Lab products for perimeter protection and collaboration products.

The Core functionality is available in Kaspersky Security Center without an activation. Using the Select or Advanced features requires activating the Administration Server with a key or a code. Kaspersky Security Center 10 is licensed by the number of managed devices.

1.3 Activation

General

A license formally allows a customer to use the product, but to actually start using it, you need to confirm this in the product interface. This procedure is called activation. When selling a license, the manufacturer passes a unique object to the customer: a special file or code, which technically confirms the right to use the product. The Kaspersky Lab products described in our course can be activated either with a file (so-called key) or with an activation code to the same result: the product will start performing the functions covered by the license. There are some differences in practical use of keys and codes.

IV-11 Unit IV. Maintenance

IV–12

KASPERSKY LAB™ KL 002.10. Kaspersky Endpoint Security and Management. Fundamentals

Activation key
A key file is almost self-sufficient from the activation point of view. License functionality limitations are specified in the key file itself. The key file is digitally signed, so any attempt to modify the license parameters will be detected. Key activation works on computers that rarely (or never) connect to the Internet. On the other hand, changing the license parameters (renewal, extending the number of nodes, expanding functionality) requires a new key that has to be redeployed to all computers. When Kaspersky Lab suspects that a license key is used improperly (it is found publicly available on the Internet, or product instances connecting to the update server are widely geographically distributed), the key is blacklisted. The black list is distributed with regular signature updates. If the product finds its activation key in the black list, it deletes the key and requires re-activation with another key (or code).
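The two checks just described, a signed key file whose parameters cannot be edited undetected and a black list that arrives with signature updates and causes a listed key to be deleted, modelled in Python. This is an added example, not Kaspersky Lab code: the vendor's key-file format and signature scheme are not described on the page, so an HMAC over a canonical JSON encoding stands in for the vendor signature (an assumption), and the signing secret, serial and license values are constructed.

```python
"""Model of the two checks described for activation keys: a key file carries its
own license limits under a digital signature, and a key that appears in the black
list shipped with signature updates is deleted, forcing re-activation.
Added example, not Kaspersky Lab code. The vendor's key-file format and signature
scheme are not on the page, so an HMAC over a canonical JSON encoding stands in
for the vendor signature (assumption), with a constructed signing secret."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional, Set

# Assumption: stands in for the vendor's private signing key.
SIGNING_SECRET = b"constructed-vendor-secret"


def sign_key_file(license_params: dict) -> dict:
    """Produce a key file: license limits plus a signature over them."""
    body = json.dumps(license_params, sort_keys=True).encode()
    sig = hmac.new(SIGNING_SECRET, body, hashlib.sha256).hexdigest()
    return {"license": license_params, "signature": sig}


def key_file_is_authentic(key_file: dict) -> bool:
    """Any edit to the license parameters changes the body and breaks the signature."""
    body = json.dumps(key_file["license"], sort_keys=True).encode()
    expected = hmac.new(SIGNING_SECRET, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, key_file["signature"])


@dataclass
class Endpoint:
    """A product instance activated with a key file; no Internet needed."""
    key_file: Optional[dict] = None
    blacklist: Set[str] = field(default_factory=set)  # refreshed with every update

    def install_key(self, key_file: dict) -> str:
        if not key_file_is_authentic(key_file):
            return "rejected: signature mismatch"
        if key_file["license"]["serial"] in self.blacklist:
            return "rejected: key is blacklisted"
        self.key_file = key_file
        return "activated"

    def apply_signature_update(self, blacklisted_serials) -> str:
        """Signature updates carry the black list; a listed key is removed."""
        self.blacklist.update(blacklisted_serials)
        if self.key_file and self.key_file["license"]["serial"] in self.blacklist:
            self.key_file = None
            return "key deleted, re-activation required"
        return "ok"

    def activated(self) -> bool:
        return self.key_file is not None
```

The point of the model is the order of events: the key keeps working offline because its limits travel with it, and the only way the vendor can revoke it is through data the endpoint fetches anyway (the updates), which is why a blacklisted key only disappears once updates are being received.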

Activation code
A code does not contain any information about the license limitations. Kaspersky Endpoint Security activated with a code sends the code to Kaspersky Lab activation servers, where the code is matched to the issued licenses. The activation server finds the license restrictions for the code, forms a so-called ‘ticket’ and sends this ticket back to Kaspersky Endpoint Security. A ‘ticket’ contains information about the license and allows Kaspersky Endpoint Security to function within the license limitations. Kaspersky Endpoint Security renews its ticket once every 24 hours. Activation servers keep track of the number of issued tickets and, when the license limit is reached, stop issuing new tickets¹. This way, Kaspersky Lab ensures that keys are used properly. Any instance of Kaspersky Endpoint Security that tries to get a ticket over quota will not get it and will not protect the computer.
Starting with Kaspersky Endpoint Security 10 Service Pack 1, subscription licenses are supported. More details about that will be given later in this chapter. With regard to keys and codes, subscription licensing is exclusively based on codes, but not every activation code is designed for subscription licensing. The difference between ordinary and subscription licenses is in how Kaspersky Endpoint Security and the activation servers treat the code.

Activation proxy
To support activation with codes, the activation proxy service is implemented in Kaspersky Security Center. This service redirects activation requests from the client computers running Kaspersky Endpoint Security 10 for Windows to the Kaspersky Lab activation servers. So, if Kaspersky Security Center 10 is used for managing protection, only the Administration Server requires access to the Internet.

¹ In fact, the threshold slightly exceeds the number of purchased licenses. This is done on purpose, to prevent maintenance issues.


By default, Kaspersky Endpoint Security 10 for Windows tries to connect to the activation servers directly. However, if KSC Network Agent 10 is installed on the computer, the behavior of Kaspersky Endpoint Security 10 for Windows changes: Kaspersky Endpoint Security 10 first tries to send activation requests to the Administration Server, and only if the Administration Server is inaccessible, contacts the activation servers directly. The activation proxy server accepts Kaspersky Endpoint Security 10 for Windows connections on port 17000. The port can be modified in the Administration Server properties.
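A simulation of the activation-code mechanics described in the last three sections (ticket issuance with a per-code quota, 24-hour renewal, and the proxy-first, direct-second path taken by a managed instance). It is an added example, not Kaspersky Lab code or protocol: the margin by which the threshold exceeds the purchased count is an assumption, since the page gives no figure, and the code value, license contents and host names are constructed.

```python
"""Simulation of activation-code licensing as described above: the code carries
no limits itself, the activation server matches it to a license and issues one
'ticket' per instance, stops issuing once the issued count reaches a threshold a
little above the purchased node count, and instances renew their ticket every
24 hours. An instance with Network Agent sends the request to the Administration
Server's activation proxy first and contacts the activation servers directly
only if the Administration Server is unreachable.
Added example, not Kaspersky Lab code; the over-quota margin, the code value and
the host names are constructed (the page gives no figure for the margin)."""
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

TICKET_LIFETIME = timedelta(hours=24)
OVER_QUOTA_MARGIN = 2  # assumption: "slightly exceeds" the purchased count


class ActivationServer:
    """Kaspersky Lab side: knows the licenses, counts tickets per code."""

    def __init__(self, licenses: Dict[str, dict]):
        self.licenses = licenses  # code -> {"nodes": ..., "functionality": ...}
        self.tickets: Dict[Tuple[str, str], datetime] = {}  # (code, host) -> expiry

    def request_ticket(self, code: str, host: str, now: datetime) -> Optional[dict]:
        lic = self.licenses.get(code)
        if lic is None:
            return None
        # Tickets that were not renewed lapse and free their slot.
        self.tickets = {k: exp for k, exp in self.tickets.items() if exp > now}
        slot = (code, host)
        issued = sum(1 for (c, _h) in self.tickets if c == code)
        if slot not in self.tickets and issued >= lic["nodes"] + OVER_QUOTA_MARGIN:
            return None  # over quota: no ticket, the instance will not protect
        self.tickets[slot] = now + TICKET_LIFETIME
        return {**lic, "expires": self.tickets[slot]}


class ActivationProxy:
    """Administration Server side: forwards requests, so only it needs Internet."""

    def __init__(self, upstream: ActivationServer, reachable: bool = True):
        self.upstream, self.reachable = upstream, reachable

    def forward(self, code: str, host: str, now: datetime) -> Optional[dict]:
        if not self.reachable:
            raise ConnectionError("Administration Server inaccessible")
        return self.upstream.request_ticket(code, host, now)


class Endpoint:
    """Kaspersky Endpoint Security instance activated with a code."""

    def __init__(self, host: str, code: str, network_agent_installed: bool):
        self.host, self.code, self.managed = host, code, network_agent_installed
        self.ticket: Optional[dict] = None

    def activate(self, now: datetime, proxy: ActivationProxy,
                 activation_server: ActivationServer) -> str:
        """Returns which path served the request: 'proxy' or 'direct'."""
        if self.managed:
            try:
                self.ticket = proxy.forward(self.code, self.host, now)
                return "proxy"
            except ConnectionError:
                pass  # fall back, e.g. the laptop is out of the office
        self.ticket = activation_server.request_ticket(self.code, self.host, now)
        return "direct"

    def protected(self, now: datetime) -> bool:
        return self.ticket is not None and self.ticket["expires"] > now
```

Two consequences worth noticing in the simulation: a machine that stops renewing frees its slot only after its last ticket lapses, and an instance refused a ticket still reports the path it used, so reaching the proxy is no evidence that the license limit was respected.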

1.4 License Expiration

Key expiration
How does the product behave after the license expires? The answer depends on how it was activated. If a commercial key expires, updates and KSN stop working. As a result, Kaspersky Endpoint Security keeps working as before, but its databases gradually become obsolete and protection efficiency decreases considerably. The control components also suffer, because categorization data for programs and web sites is also loaded together with the updates or from KSN. License expiration does not influence Device control. This way there is no abrupt change in the protection level even if the new license is deployed several hours or days after the old one expires.
If a trial key expires, all Kaspersky Endpoint Security functions stop working. Also, a trial key can be used only for the first activation of the product. If the product was activated previously (regardless of the key type, commercial or trial), it will not allow trial activation any more.
Before the first product activation, File Anti-Virus and Firewall work. The product can update once without activation. Afterwards, the databases will gradually become obsolete.


Additional keys
When a license is soon to expire, the company can purchase a new license. The problem is how to switch from one license to another without a time gap and without reducing the effective license period of either license. You would rather not replace the old license when there are still several days left of the licensing period. However, you want to activate the new license before the old one expires. Adding the new license as an additional one solves the problem. Additional keys and codes can be added in almost all products by Kaspersky Lab. Once the active key expires, the product is automatically activated with the additional key or code. This approach guarantees a smooth transition from the old key to the new one. An alternative to installing keys or codes as additional is using the automatic license distribution feature, which will be described later in this chapter.

1.5 Activation of Kaspersky Security Center 10 and Kaspersky Endpoint Security 10

Kaspersky Security Center 10 activation
Only the extended functions of Kaspersky Security Center Administration Server 10 available in the KESB Select and KESB Advanced licenses require activation. The Administration Server functions supported by the KESB Core license do not need activation; it is sufficient to activate the managed products.
The Administration Server can be activated in the Quick Start wizard. If you specify a code or key intended for the Administration Server (for example, a KESB Select license), it will automatically activate the corresponding server functionality. If you specify a KESB Core license, the server will not be activated, because the server does not need activation to use the functionality available within the framework of this license.
While the Quick Start wizard can be started again at any time, it is not the preferred method for adding a new license. To activate the Administration Server, you can use the Keys section in the server properties window. You can specify the active and additional license in this section. You can also replace or delete licenses as necessary. The license for server activation via its properties can be selected among the licenses registered on the server. The list of registered licenses is always available in the Advanced | Application management | Kaspersky Lab licenses node. Licenses can be added to this list both by key and by code.
When looking through the list of registered licenses, you may wonder which one is intended for the Administration Server. To find out, read the key’s Application attribute to the end. There is usually a descriptor there, Security Center or Kaspersky Endpoint Security, that indicates the key’s purpose.


Activation of Kaspersky Endpoint Security 10 via Kaspersky Security Center 10
Kaspersky Endpoint Security 10 can be activated automatically via Kaspersky Security Center. If there is an appropriate code or key with automatic distribution enabled in the Advanced | Application management | Kaspersky Lab licenses node, and the activation number limit has not been exceeded, the Administration Server will automatically transfer this code or key to all managed computers where Kaspersky Endpoint Security 10 is not activated. An unmanaged Kaspersky Endpoint Security 10 would prompt the user if not activated. Managed instances will suppress local prompts and send activation information via Network Agents to the Administration Server.
The key or code to be distributed can be added in the Quick Start wizard. To add keys later, in the Advanced | Application management | Kaspersky Lab licenses node, click the Add key button. The key adding wizard prompts the administrator whether to add a code or a key.
Licenses can be automatically distributed to the client computers where Kaspersky Endpoint Security 10 is not activated. Newly added licenses have this option disabled by default. When several registered licenses are marked for automatic installation, the earliest added license will be distributed first, and so on up to the latest. Note that this refers to the time when the license was added to the repository, and has nothing to do with the license expiration date. Automatically deployed keys are sent to all computers. If a computer does not have an active license, the automatically distributed key will be activated on it. If an active license is already available, the automatically distributed key will be deployed as an additional one. If a computer has both an active and a backup license, the automatically distributed key will not be installed.
When you specify a code in the wizard, the wizard tries to connect to Kaspersky Lab activation servers to verify the code and download the license information. Depending on the license parameters on the Activation Servers, the Administration Server may automatically download the license keys associated with the license. As a result, the repository will contain the code item and possibly one or several key items, all linked to the same license. The administrator can then choose whether to use the code or a key for Kaspersky Endpoint Security activation. If the administrator chooses to use the code for client computer activation, then each instance of Kaspersky Endpoint Security will need to connect to the Activation Servers to receive a ‘ticket’. Kaspersky Endpoint Security will try to use the Activation proxy on the Administration Server, or connect to the Activation Servers directly if the proxy is unavailable (if the computer is out of the office).
Note that when a code is registered in the repository and verified via Kaspersky Lab Activation Servers, tickets are not yet issued. They are handed out only when the code is used for activating either Kaspersky Endpoint Security or the Kaspersky Security Center Administration Server. Also note that the Administration Server has no information from the Activation Servers about the number of issued tickets. The Administration Server tracks license use by the license information received from the managed computers. There can be a mismatch in the license use data if the same code is also used on unmanaged computers.
Registered keys and codes can be exported from the storage as key files or text files with the code. These can be used for local activation, if necessary, or for backup purposes.
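The additional-key rollover from section 1.4 and the automatic distribution rules just described (earliest-added key first, active slot if empty, otherwise additional slot, otherwise skipped), modelled together in Python as an added example. This is not Kaspersky Lab code; the serials, dates and host names are constructed, and the "last valid day" semantics of the expiry date is an assumption.

```python
"""Model of the two behaviours described above. Additional keys: an endpoint
holds one active and at most one additional key and switches to the additional
key when the active one expires. Automatic distribution: the Administration
Server sends every key marked for automatic deployment to all managed computers
in the order the keys were added to the repository (not by expiry date); the key
becomes the active key where none exists, the additional key where an active key
exists, and is not installed where both slots are taken.
Added example, not Kaspersky Lab code; serials, dates and host names are
constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Key:
    serial: str
    expires: date               # assumption: last day the key is valid
    added_to_repository: date   # decides distribution order
    auto_deploy: bool = False   # "Automatically deploy key to managed computers"


@dataclass
class ManagedComputer:
    host: str
    active: Optional[Key] = None
    additional: Optional[Key] = None

    def expire_keys(self, today: date) -> None:
        """Once the active key expires, the additional key takes its place."""
        if self.active is not None and self.active.expires < today:
            self.active, self.additional = self.additional, None
        if self.active is not None and self.active.expires < today:
            self.active = None  # the promoted key may already be expired too

    def has_key(self, key: Key) -> bool:
        return key in (self.active, self.additional)

    def receive(self, key: Key) -> str:
        if self.active is None:
            self.active = key
            return "active"
        if self.additional is None:
            self.additional = key
            return "additional"
        return "skipped"


def distribute_automatically(repository: List[Key], computers: List[ManagedComputer],
                             today: date) -> Dict[Tuple[str, str], str]:
    """Server side: auto-deploy keys, earliest added first, to every computer."""
    outcome: Dict[Tuple[str, str], str] = {}
    queue = sorted((k for k in repository if k.auto_deploy and k.expires >= today),
                   key=lambda k: k.added_to_repository)
    for key in queue:
        for pc in computers:
            if pc.has_key(key):
                continue  # already on this computer, nothing to do
            outcome[(key.serial, pc.host)] = pc.receive(key)
    return outcome
```

The ordering rule is the part administrators most often get wrong: with two auto-deploy keys, the one added to the repository first lands in the active slot and the newer one becomes the additional key, whatever their expiry dates, which is why the text recommends deploying the renewal as an additional key rather than relying on the order of registration.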


Key installation task
Sometimes it is necessary to install a specific key on a specific computer or a group of computers. Automatic distribution would not serve this purpose. Instead, you can create an Add key task. This task can be created using the typical task creation wizard in a group or in the Tasks node. You can also click the Deploy key to managed computers button in the Advanced | Application management | Kaspersky Lab licenses node—in this case, the wizard displays fewer steps.
If two products require different Console plugins to be managed, they require different Add key tasks as well. For example, Kaspersky Endpoint Security 10 Service Pack 1 and Kaspersky Endpoint Security 10 Maintenance Pack 1 have independent plugins. Therefore, a task to add a key to Kaspersky Endpoint Security 10 SP1 wouldn’t run on Kaspersky Endpoint Security 10 MR1 and vice versa.
In the task creation wizard or later in the task properties, you can select a license either from the list of registered keys and codes (in the Advanced | Application management | Kaspersky Lab licenses node) or from a file. There is an option in the task that allows installing the selected key or code as an additional key. This option is enabled by default, because the main license is supposed to be installed through the automatic installation feature (an option in the key or code properties).

Activating Kaspersky Endpoint Security 10
Kaspersky Endpoint Security 10 automatically prompts the user for a license after an interactive installation. If this step is postponed, the license can be added or replaced later via the Kaspersky Endpoint Security 10 interface—in the lower part of the program main window, there is the License link, which opens the window for managing keys and codes. The use of interactive installation and the local Kaspersky Endpoint Security 10 interface is not a common scenario within a corporate network. The administrator is supposed to use the Kaspersky Security Center 10 management system tools both for the installation of Kaspersky Endpoint Security 10 and for its activation.


1.6 Information About Licenses

Licenses in the Administration Console
All keys used on the network computers are displayed in the Advanced | Application management | Kaspersky Lab licenses storage. Select a key or code to view its characteristics in the lower-right pane:
— License type: commercial, not for resale, trial, for beta-testing, etc.
— The products covered by the license
— Licensing period
— Node limitation
— Expiration date
— The number of computers where the license is used as the main
— The number of computers where the license is used as the reserve

In the properties of each key, you can find the names of the hosts where the key is installed. The key icon indicates the following:
— (gray icon, no stripes)—this key is used on client computers, but is not registered on the Administration Server, i.e. this key cannot be installed from the Administration Server onto other network computers or exported into a file
— (colored icon, no stripes)—this key is registered on the Administration Server and can be installed on other client computers, but is not marked for automatic installation
— (colored icon, three green stripes)—this key is registered on the Administration Server and marked for automatic installation on client computers

The information about used keys and codes represented in Kaspersky Security Center is calculated based on the data received from the Network Agents. If a license is used on a computer that is not connected to the server, this information will not be available in the Administration Console.

Functionality limitation data
Since the release of Kaspersky Security Center 10 and Kaspersky Endpoint Security 10, the functionality that the license activates in the product became an important parameter. Previously, product functionality was not limited by licenses. The key for Kaspersky Endpoint Security 8 for Windows typically activates all functions of Kaspersky Endpoint Security 8 for Windows. Core, Select and Advanced licenses activate different sets of functions in Kaspersky Endpoint Security 10 and Kaspersky Security Center 10. Also, targeted licenses are available that may activate a specific set of functions in a product. You can view the license’s functionality limitations in the properties of the corresponding key or code in the Advanced | Application management | Kaspersky Lab licenses node of the Administration Console, or in the Keys section of the application properties (Administration Server or Kaspersky Endpoint Security).


Key usage report
Most of the information about the keys that the administrator would ever need is available in the Advanced | Application management | Kaspersky Lab licenses node. However, sometimes this information should be presented to the managers in a readable report. Such a report can be found on the Reports tab of the Administration Server node. Alternatively, you can click the Additional actions button in the Advanced | Application management | Kaspersky Lab licenses node. The Key usage report contains structured data on the number of used keys and the complete list of computers with detailed information on each key (their installation and expiration dates). The report template can be modified to limit the report scope to any group of computers or simply to remove irrelevant or less important details from the tables.

Computer statuses
If the license is about to expire or has expired on a computer, the administrator should pay attention. The computer statuses configured in the administration group properties are designed to attract the administrator’s attention. Two status conditions relate to licenses:
— License term expired—sets the computer status to Critical. By default, the condition is triggered in 0 days, meaning right after the license expires. It can be configured to trigger several days after the license expiration so that the license can be updated automatically without wasting the administrator’s time
— License term expires soon—sets the computer status to Warning. By default, it is displayed 7 days before the expiration, but this parameter is adjustable
When the license that activates the Administration Server is about to expire, a pop-up message is displayed to the administrator every time the Administration Console starts. Upcoming expiration is also indicated in the Deployment area of the Monitoring tab of the Administration Server node.


Kaspersky Endpoint Security 10 events
In addition to statuses, there are licensing events, which you can see in the client computer properties or in the event selections. The events are generated by client computers and the Administration Server. Storage and notification settings of client computer events are configured in the Kaspersky Endpoint Security policy. The following events relate to licenses:
— License agreement violated—a critical event that means that the current key is blacklisted and blocked
— License has almost expired—a critical event generated shortly before the license expiration
— Black list of keys corrupted or not found—a functional failure (error) event that means that the product cannot validate the license because the black list of keys is absent, and all functions except for updates are temporarily inoperative
— License expires soon—a warning event

Kaspersky Security Center 10 events
Administration Server events inform about exceeding the node limitation:
— License restriction has been exceeded—there are two events with this name, critical and warning. The critical event is generated when the number of installations reaches 110% of the license limit. The warning informs of reaching the limit (100%)
— Over 90% of this key is used up—an information message
In an informal sense, all of these events are informational, since the Administration Server does not take any measures if the license limit reaches either 100% or 110%. If keys are used for activation, the administrator can distribute them with a key installation task to any number of computers. However, if the Automatically deploy key to managed computers check box is selected in the key properties, the Administration Server will not only distribute the key to computers, but also remove it from the excess computers if the license limit is surpassed.
If activation codes are used, the activation server will stop issuing tickets for the product after the license limit is reached. The administrator cannot find out how many tickets have been issued by the activation server, but he or she can view how many of the managed computers use the code. This code can potentially be used on unmanaged computers too, and if 90% of the key is used up, it means that at least 90% of the tickets have been issued. The event informing about reaching the 100% limit on the managed computers means that some computers having this code have already failed to receive the ticket to use Kaspersky Endpoint Security 10.
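An evaluator for the two license-related computer statuses (Computer statuses, above) and the node-limit events of this section, run over constructed data, as an added example. It is not Kaspersky Lab code: the thresholds are the defaults the text states (7 days before expiry for Warning, 0 days after for Critical; 90%, 100% and 110% of the node limit), the host names, dates and counts are constructed, and treating the expiry date as the last valid day and emitting only the most severe usage event are assumptions.

```python
"""Evaluator for the license-related computer statuses and the Administration
Server node-limit events described above, over constructed data.
Defaults from the text: 'License term expires soon' 7 days before expiry ->
Warning; 'License term expired' 0 days after expiry -> Critical; node use at
90% -> information, 100% -> warning, 110% -> critical.
Added example, not Kaspersky Lab code; hosts, dates and counts are constructed."""
from datetime import date, timedelta
from typing import Dict, List, Tuple


def computer_status(license_expires: date, today: date,
                    expires_soon_days: int = 7, expired_after_days: int = 0) -> str:
    """Status of one computer; license_expires is the last valid day (assumption).
    expired_after_days delays the Critical status so that an automatically
    delivered renewal does not trip it."""
    if today > license_expires + timedelta(days=expired_after_days):
        return "Critical"
    if today >= license_expires - timedelta(days=expires_soon_days):
        return "Warning"
    return "OK"


def license_use_events(used_on_managed: int, node_limit: int) -> List[Tuple[str, str]]:
    """Events the Administration Server raises from managed-computer counts only;
    it cannot see the activation server's own ticket count, so codes used on
    unmanaged computers are invisible here. Only the most severe event is
    emitted (assumption)."""
    ratio = used_on_managed / node_limit
    if ratio >= 1.10:
        return [("License restriction has been exceeded", "critical")]
    if ratio >= 1.0:
        return [("License restriction has been exceeded", "warning")]
    if ratio >= 0.9:
        return [("Over 90% of this key is used up", "information")]
    return []


def summarize(hosts: Dict[str, date], today: date,
              node_limit: int) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Per-computer statuses plus the server-side usage events for one key."""
    statuses = {host: computer_status(expires, today) for host, expires in hosts.items()}
    return statuses, license_use_events(len(hosts), node_limit)
```

Because the server counts only what Network Agents report, the usage ratio here is a lower bound: a 100% warning on managed computers means tickets have already been refused somewhere, exactly as the text says.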


1.7 Subscription Licenses
Starting with Service Pack 1 of Kaspersky Endpoint Security 10 and Kaspersky Security Center 10, subscription licenses are supported. The key idea is that license parameters can be changed without reinstalling the license: there is no effective license expiration, and the number of nodes as well as the supported functionality can be changed in the license properties on the Activation Server side. Another important aspect of subscription licensing is reduced payment intervals. With traditional licenses, payments are typically made once a year to renew the license. With subscription licenses, there is no effective end date for the license², it remains active as long as the customer pays and until either of the parties (the customer, the partner who sold the subscription license, or Kaspersky Lab) decides to cancel the subscription. The payment period can be as short as a month or a quarter.
The background mechanics of subscription licensing are essentially the same as described for activation codes. The difference is in the license properties on the Activation Servers. With traditional licensing, the properties are fixed, whereas with subscription licensing they are flexible. The customer can request changing the subscription parameters as necessary:
— Increase or reduce the number of nodes
— Increase or reduce the functionality level
— Suspend or renew the subscription
These changes are reflected in the license properties on the Activation Servers, and the next time Kaspersky Endpoint Security renews its ticket it will receive the new license restrictions. This can result in additional components becoming active or inactive. In the Administration Console, information about subscription licenses is displayed the same way as for traditional ones. If the subscription is unlimited, there will be no expiration date.
License limitations (nodes and functionality) are automatically synchronized with the Activation Servers once every 24 hours. There is also a link in the Advanced | Application management | Kaspersky Lab licenses node that allows synchronizing this information manually (click the Additional actions button and then follow the corresponding link).
A subscription can have a grace period. This is a period officially allowed for payment during which the product keeps functioning after the previous paid period is over. For example, the customer pays monthly and the last paid month is July. If there is a grace period of, say, 14 days, Kaspersky Endpoint Security will work with full (licensed) functionality until the 14th of August. After the grace period expires (and if there is still no payment for August), Kaspersky Endpoint Security stops updating and disables the control components, but keeps the protection components running.
Subscription licenses presume that there is a 3rd party between the customer and Kaspersky Lab. This can be a Service Provider who manages the customer’s network, an Internet Service Provider who additionally delivers anti-malware services to their customers, or even a supermarket chain that sells licenses along with boxed products. Let us call all of them Service Providers. The customer is supposed to negotiate all subscription-related questions with the Service Provider, who will be able to update the subscription’s parameters on the Activation Servers (indirectly, though the exact details are not important here).
It is possible to switch from traditional licensing to subscription and back, if necessary. Switching to subscription licensing is a matter of installing the corresponding activation codes. To switch back to normal licenses, install an ordinary code or key as an additional license. Once the grace period of the subscription license expires, the computers will switch to the new license.

² To be more precise, there can be one, but not necessarily. Subscriptions may have a time limit.
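A small model of the subscription behaviour described in section 1.7, as an added example that is not Kaspersky Lab code: the license properties live on the Activation Server side and can change between ticket renewals, a paid period is followed by a grace period with full functionality, and after the grace period updates and the control components stop while protection components keep running. The 14-day grace period and the July/August dates follow the worked example in the text; the node count, functionality level and the component names in the returned dictionary are constructed, and "suspend" being treated like non-payment is an assumption.

```python
"""Model of subscription licensing as described above: license properties are
held on the Activation Servers and may change between ticket renewals; a paid
period is followed by a grace period; after the grace period the product stops
updating and disables control components but keeps protection running.
Added example, not Kaspersky Lab code; the grace-period length and dates follow
the text's worked example, the remaining values are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Subscription:
    """License record as kept on the Activation Servers."""
    nodes: int
    functionality: str      # e.g. "Core", "Select", "Advanced"
    paid_through: date      # last day of the last paid period
    grace_days: int = 14    # from the text's example
    suspended: bool = False

    def change(self, **params) -> None:
        """Parameter change requested through the Service Provider.
        It becomes visible to endpoints at their next ticket renewal."""
        for name, value in params.items():
            if not hasattr(self, name):
                raise AttributeError(f"unknown subscription parameter: {name}")
            setattr(self, name, value)

    def state(self, today: date) -> str:
        """'paid', 'grace' or 'unpaid'; a suspended subscription counts as unpaid (assumption)."""
        if self.suspended:
            return "unpaid"
        if today <= self.paid_through:
            return "paid"
        if today <= self.paid_through + timedelta(days=self.grace_days):
            return "grace"
        return "unpaid"


def components_after_renewal(sub: Subscription, today: date) -> dict:
    """What an endpoint enables after renewing its ticket on `today`.
    Within the paid or grace period everything licensed runs; afterwards
    updates and control components stop, protection components continue."""
    state = sub.state(today)
    licensed = state in ("paid", "grace")
    return {
        "state": state,
        "updates": licensed,
        "control": licensed,
        "protection": True,
        "functionality": sub.functionality,
        "nodes": sub.nodes,
    }
```

Run against the text's example (last paid month July, 14-day grace period), the endpoint keeps full functionality through 14 August and drops updates and control on the 15th; a payment or parameter change recorded on the server is picked up at the next daily renewal without touching the code installed on the computers.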


Chapter 2. Updates

2.1 Overview
Version 10 of Kaspersky Security Center and Kaspersky Endpoint Security constitutes a multifunctional program complex that solves numerous distinct types of tasks. During its operation, much data is transferred from the Administration Server to the client computers, a large part of which can be considered updates. These include traditional malware signature updates, KL categories for application startup control, module updates of Kaspersky Security Center and Kaspersky Endpoint Security, Windows updates, updates for 3rd-party applications, and the latest information from the KSN database. This chapter considers only some of these update types: signature updates of Kaspersky Endpoint Security, and module updates of Kaspersky Endpoint Security and Kaspersky Security Center. Windows updates and updates of 3rd-party programs are described in course KL 009.10 Systems Management, and KSN in Unit II of this course. In other words, this chapter is devoted to two tasks:
— Download updates to the repository—Kaspersky Security Center
— Update—Kaspersky Endpoint Security
In this chapter, the term “update” means updates downloaded and distributed by these two tasks.

Update types
Kaspersky Endpoint Security, which uses the majority of updates, requires two types of updates:
— Signature database updates, which include malware signatures, network attack descriptions, databases of suspicious and phishing web addresses, the banner database, Anti-Spam databases, etc., are issued regularly, hourly on average, and their installation does not require a restart. Crucial for protection, they must always be up to date. The major part of the database is downloaded during the first update or if updates have not been downloaded for a long time: for example, if an employee was on vacation for a month and the computer was powered off. Later, only the changes will be downloaded. The typical volume of an hourly update can be from several hundred kilobytes to a couple of megabytes. Usually, the computer does not need to be restarted to be able to use new signature databases. If a restart is needed, the Restart required to complete the task event will be sent to the Server, and the user will see the corresponding notification in the local interface. This event is not critical, which is why the computer is not restarted automatically; Kaspersky Endpoint Security just waits for the restart.


— Module updates are updates to program modules meant to improve performance and fix the problems discovered in the product. These updates are released less frequently. In other words, these are fixes for Kaspersky Endpoint Security, Network Agent, and Administration Server program modules. Sometimes module updates can introduce changes to components’ behavior and even new functionality
A module update is a riskier intervention than a signature update. In some companies, any update that involves executable code requires testing and approval. Kaspersky Endpoint Security 10 SP1 and Kaspersky Security Center 10 SP1 support this practice by allowing the administrator to mark updates as Approved (the options include Approved, Declined and, by default, Undefined) and to configure update tasks to deploy only the approved updates. Older versions of Kaspersky Endpoint Security and Kaspersky Security Center don’t support this mechanism. To test module updates prior to installation on older versions, the administrator can make separate tasks for signature updates and module updates, and run the module update task manually only after the updates have been tested and approved.
Kaspersky Endpoint Security 10 Service Pack 1 module updates can be either critical or non-critical. This classification is applied at Kaspersky Lab and reflects the update’s importance for computer protection. Updates that fix severe bugs or help protect against new threats are critical.

Update management
In a centralized protection system, updates are distributed centrally. This helps to decrease external traffic, since updates are downloaded into the network only once. Also, administrators have more control over the update process. The simplest scenario is where updates are downloaded to the repository on the Administration Server and then distributed to client computers. More complex scenarios, with intermediate distribution sources, are described in course KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills. Centralized updates in Kaspersky Security Center 10 and Kaspersky Endpoint Security 10 are based on two tasks, one of which downloads updates to the repository, and the other distributes them to the endpoints:
— Download updates to the repository—a task of the Kaspersky Security Center Administration Server; only one task of this type can be configured on the server
— Install update—a task of Kaspersky Endpoint Security; there may exist any number of such tasks, but usually one or two tasks per group are configured


2.2 Updating Server Repository
The task that updates the Administration Server repository is named Download updates to the repository. The Quick Start wizard automatically creates this task. It can be found in the Administration Console in the Tasks node. You can have only one task of this type. If it is present already, the task creation wizard doesn’t allow creating another one. However, it is possible to delete the automatically created Download updates to the repository task and create a new one for troubleshooting. The settings of that task include the schedule, the update sources, connection parameters, the list of updates to be downloaded and a few additional options.

Schedule
Since there can only be one such task, it is recommended to schedule it to run regularly at small intervals ranging from 15-20 minutes to several hours. The default value is 1 hour.

Sources
The following update sources are possible:
— Kaspersky Lab update servers—a list of FTP and HTTP servers officially maintained by Kaspersky Lab. These servers are located in various countries worldwide to help ensure a high reliability of the updating procedure. If the task cannot connect to a server, it will try contacting the next one in the list. The list of servers is downloaded together with the other updates
— Master Administration Server—this option is used if there are several Administration Servers and they are connected in a hierarchy (described in detail in course KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills)
— Local or network folder—an update source created by administrators. You may specify not only a network folder, but also an FTP or HTTP address
The task can have several different sources organized in a list. If the first source turns out to be inaccessible³, the task will attempt to download updates from the next.

Connection parameters You may need to specify the proxy server parameters for the update sources. All sources would share the same proxy server. If some sources are accessed without it, enable the Do not use proxy server option in their properties.

³ The Kaspersky Lab update servers source is considered inaccessible if none of the known servers are available.


The proxy server address, port and authentication parameters (user name and password) can be specified in the Administration Server properties, in the Advanced | Configuring Internet access section. These settings are used both for downloading updates and for KSN requests.

Updates list Administrators can choose the types of updates to be downloaded in the Updates content window. By default, Kaspersky Security Center detects the required updates automatically, depending on the products installed on the client computers, and the products for which it has installation packages. This behavior is determined by the Autodetect updates list option. Alternatively, administrators can manually select the updates for downloading. This may be necessary if the server updates folder functions as an update source for both managed computers and, for example, Kaspersky Anti-Spam for Linux Mail Servers. In this case, enable the Force downloading of the following types of updates option and select the corresponding update types. Some update types available in this list relate to obsolete products and are not currently used.

Network Agent module updates
Before we proceed to the tasks that distribute Kaspersky Endpoint Security updates to the client computers, let’s complete the overview of the Download updates to the repository task settings, specifically the Network Agent update download parameters, which are located in the Settings section, Other settings area.
The Update Network Agent modules parameter controls updating of Network Agents up to version 10 SP1 inclusive. Unlike Kaspersky Endpoint Security updates, which are distributed by special tasks, Network Agent updates are distributed automatically as soon as the Agents connect to the Server. If automatic installation of module updates is unwanted (for example, on servers) for Network Agents up to version 10 SP1 inclusive, disable the corresponding parameter in the properties of the Download updates to the repository task. Since only one task of this type exists, module updates of Network Agents up to version 10 SP1 inclusive are either installed in the whole network or not at all: you cannot enable installation of these updates in some groups and disable it in others.
Other settings in that category pertain to the organization of updates in the hierarchy; they are described in course KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills.
Update settings for Network Agents version 10 SP2 and later are located in the Settings section of the Network Agent policy. The parameter is named Install applicable updates with Undefined approval. If this check box is selected, the Administration Server automatically distributes updates to Network Agents. If cleared, the Administration Server distributes only the updates approved by the administrator. The check box is selected by default. To approve an update, find it in the Advanced | Application management | Software updates node, open it, and in the Update approval drop-down list select Approved.
The administrator can always prohibit installing an update even if automatic updates are configured in the policy. Open the update properties and set the Update approval parameter to Declined.


2.3 Updating Client Computers
Group tasks
Updates from the Administration Server repository are distributed to the client computers by group update tasks. To ensure coverage of all managed computers, an update task must be a group task created within the Managed computers node. The Quick Start wizard creates this type of task: Install update. If computers are combined into groups and the optimal updating procedure is different for various groups, you can create a customized update task for each group⁴.
Keep in mind that if both parent and child groups have tasks of the same type, the computers of the child group will run both tasks. This will most likely result in errors, since if an update task is already running, another one cannot start. To avoid that, either delete the task in the parent group, or disable its scheduled start, or exclude the subgroups that have their own tasks from the parent group task scope.
Note: If earlier or other Kaspersky Endpoint Security versions (for example, Kaspersky Endpoint Security for Mac or Kaspersky Endpoint Security 8 for Windows) are used in your network, they need separate update tasks.
Each product update task has a specific schedule and settings, including:
— The list of update sources
— The list of updates
— The settings used to copy updates to a specified folder
— The list of subgroups on whose computers the task will not run

⁴ The simplest method is to copy a task and then modify its settings.
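The parent/child task overlap described above can be checked before it produces errors. The following is an added example, not part of the course or of Kaspersky Security Center: it models a group hierarchy with Install update tasks (the UpdateTask and Group classes, the group names and the task names are constructed) and reports which groups would inherit more than one update task, then shows the effect of excluding the subgroup from the parent task's scope.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class UpdateTask:
    """Model of an 'Install update' group task (a constructed model, not the KSC API)."""
    name: str
    scheduled_start: bool = True                 # False = scheduled start disabled
    excluded_subgroups: Set[str] = field(default_factory=set)  # removed from task scope


@dataclass
class Group:
    """An administration group; parent is None for Managed computers."""
    name: str
    parent: Optional[str] = None
    tasks: List[UpdateTask] = field(default_factory=list)


def effective_update_tasks(groups: Dict[str, Group], group_name: str) -> List[Tuple[str, str]]:
    """Return (owning group, task name) for every update task that will run on the
    computers of group_name: its own tasks plus those inherited from parent groups,
    unless the parent task has its scheduled start disabled or excludes this group
    (or a group between the two) from its scope."""
    path: List[str] = []                     # group_name first, root last
    node: Optional[str] = group_name
    while node is not None:
        path.append(node)
        node = groups[node].parent

    result: List[Tuple[str, str]] = []
    for depth, owner in enumerate(path):
        for task in groups[owner].tasks:
            if not task.scheduled_start:
                continue
            # Excluding a subgroup removes it and everything below it from the scope.
            if any(sub in task.excluded_subgroups for sub in path[:depth]):
                continue
            result.append((owner, task.name))
    return result


def find_task_conflicts(groups: Dict[str, Group]) -> Dict[str, List[Tuple[str, str]]]:
    """Groups whose computers would run two or more update tasks. A second update
    task cannot start while the first is running, so it ends with an error."""
    conflicts: Dict[str, List[Tuple[str, str]]] = {}
    for name in groups:
        tasks = effective_update_tasks(groups, name)
        if len(tasks) > 1:
            conflicts[name] = tasks
    return conflicts


def sample_hierarchy(fixed: bool) -> Dict[str, Group]:
    """Constructed hierarchy: Managed computers -> Workstations, Servers -> SQL.
    The root keeps the Quick Start wizard's Install update task; the administrator
    added a separate task for Servers. With fixed=True the Servers subgroup is
    excluded from the root task's scope (the third remedy named in the text)."""
    root_task = UpdateTask("Install update",
                           excluded_subgroups={"Servers"} if fixed else set())
    return {
        "Managed computers": Group("Managed computers", None, [root_task]),
        "Workstations": Group("Workstations", "Managed computers"),
        "Servers": Group("Servers", "Managed computers",
                         [UpdateTask("Install update (servers, nightly)")]),
        "SQL": Group("SQL", "Servers"),
    }


if __name__ == "__main__":
    for label, fixed in (("before", False), ("after excluding Servers", True)):
        print(label, find_task_conflicts(sample_hierarchy(fixed)))
```

Disabling the scheduled start of the root task also removes the conflict, but then Workstations, which has no task of its own, receives no updates at all; the exclusion keeps the root task for the groups that need it.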


Schedule
The standard schedule for the Kaspersky Endpoint Security update tasks is When new updates are downloaded to the repository. Unlike a periodical schedule, where Kaspersky Endpoint Security defines the start time and starts the task regardless of whether the Administration Server can be reached, the When new updates are downloaded to the repository schedule means that the task is always started by an Administration Server command.
The Administration Server sends a ‘wake up’ call to UDP port 15000 of all affected client computers, telling them that there are new settings for them. The port is listened to by the Network Agents, and upon receiving the call the Agents connect to the Administration Server and download whatever new settings are available. In this particular example, the Agents receive the update task start command and pass it to Kaspersky Endpoint Security. If the ‘wake up’ call doesn’t reach some computers, they receive the command during the planned synchronization performed every 15 minutes (the period is defined in the Network Agent policy). The When new updates are downloaded to the repository schedule guarantees that the client computers receive updates as soon as possible without polling the server every now and then.
Alternatively, a simple periodical schedule can be used (for example, once an hour). To prevent serious peak loads on the update source and the network at the moment of task start, the task launch is randomized within a certain interval. For example, if a 5-minute interval is selected, the computer begins the next scheduled update after a random delay ranging from 0 to 5 minutes. By default, the Administration Server automatically defines the randomization interval depending on the number of computers in the group. The administrator can also specify it manually.

Sources
To specify the list of sources, open the Properties section of the task properties and click the Settings button. Updates can be retrieved from the following sources:
— Kaspersky Security Center—the recommended source for all managed computers, and the most natural source for the When new updates are downloaded to the repository schedule
— Kaspersky Lab update servers—the recommended source for computers outside the corporate perimeter, or a backup source if the specified Administration Server is not accessible. However, administrators often prefer the computers to wait for the Administration Server connection rather than create extra Internet traffic
— Local or network update folder—another option for backup update sources. An HTTP or FTP address may be specified instead of a network folder. For example, if there are several Administration Servers in the network (which is described in course KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills), HTTP addresses of update folders located on other servers can be used as backup sources
Updates are retrieved from the Administration Server by the Network Agents. With the Kaspersky Lab update servers or other FTP or HTTP locations, updates are downloaded over standard network protocols. If a proxy server is required for accessing the source, its parameters are specified in the Kaspersky Endpoint Security policy (in the Advanced Settings | Application Settings section). By default, an automatically detected proxy server is used.
In the update task properties you can configure copying updates into a separate folder. This mode can be used for creating an update source in small networks or subnets without their own Administration Server. In larger networks, update agents are used to create intermediate update sources. Update agents are created automatically for every group that contains more than 100 computers (for more details, refer to course KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills).


Module updates
Signature updates are always downloaded by an update task. There is no way to disable this, as there is little sense in doing so. Module updates are more configurable. Kaspersky Endpoint Security can do without module updates: unless there is a critical issue that needs to be fixed, you can keep using Kaspersky Endpoint Security without updating its modules until a new major version comes out. Still, module updates can be useful. They can improve computer performance, increase protection efficiency and add new functionality to the product. Often the benefits outweigh the risks, and the risks can be mitigated by testing the updates and installing only approved ones.
The possible choices regarding module updates include:
— Download updates of application modules—enabled by default. Can be disabled in the groups where computers are extremely sensitive to changes, e.g., groups with important servers
— Install critical and approved updates—installs the updates marked as approved by the administrator and the updates marked as critical by Kaspersky Lab without the administrator’s approval. Installing unapproved updates may be risky because unforeseen issues might arise
— Install only approved updates (the default choice)
How does the administrator approve an update? All available updates can be found in the Advanced | Application management | Software updates node. It contains a lot of updates, including Windows updates and updates to 3rd-party applications. Use filters to find Kaspersky Lab application module updates. To approve an update, select it in the list and scroll down the description on the right until you see the Actions area. There is the Update approved parameter there, which can be set to Undefined (default), Approved or Declined. You can find it in the update’s properties too. Also, you can select several updates in the list and approve them all at once.
Now, why would the administrator decide to approve an update? Generally, there should be a process of installing an update on a small number of computers (representative of the entire network) and monitoring these computers for some time. If no problems are detected, the update gets approved and is automatically installed on the other computers.

Kaspersky Seamless Update Service Starting with Service Pack 1, a non-restart update mechanism is implemented in Kaspersky Endpoint Security 10 for Windows. Kaspersky Seamless Update Service is a part of it. This service watches Kaspersky Endpoint Security operation and recovers protection after failures.


2.4 Monitoring Updates
Updates repository
When being downloaded, updates are first placed into a temporary folder located in the data directory of the Administration Server. When the download completes, all files are moved into a subfolder of the Administration Server shared folder. The folder is accessible over the network via SMB, though SMB is not used for distributing updates to the managed computers: the Network Agent receives the data from the server on port 13000.
In Kaspersky Security Center Administration Console, the available updates are displayed in the Advanced | Repositories | Updates node. The Updates repository displays, in a table, all the databases and lists of threat signatures stored on the Server. Each object has the following attributes:
— Name indicates the type of update and hints which component or product this update is intended for, say, Anti-phishing databases or Autorun objects scanner
— Description specifies for which version of which product the database is intended or, if a component uses a few different bases, the types of threats described in this particular database
— Created—the date when the update was published on Kaspersky Lab’s official servers
— Received—the date when the database was downloaded into the Server repository
— Size—the complete database size. If updated regularly, client computers download just the difference between their current database version and the version available in the repository, so the actual traffic is considerably smaller than the specified size
Note: When the repository is updated, the following information is downloaded in addition to the databases: vulnerability data and KL category conditions for Application Control.
The data in the repository tells you the age of the updates distributed to the client computers. Updates on the computers can’t be newer than in the repository, so if the updates in the repository are several days old, it is a problem to be solved. You have to be careful not to jump to wrong conclusions, though. Some updates are OK to be several days old; not every update type is released hourly. For a reliable indicator of how recent the updates are overall, look at the date of the Anti-virus databases.
You can open update properties to find out the location of the relevant files. All update files end up in the Updates subfolder of the Administration Server’s shared folder. Thus, updates can be accessed through a Windows share if necessary. Using the links within the Repositories | Updates node, you can view the database version report, modify the repository update settings, or start the task that downloads updates to the repository.

Computer statuses If for some reason a computer uses old databases, the risk of infection increases. Moreover, if the latest databases are missing, a virus can remain unnoticed and, for example, steal valuable data. That is why computers with old databases receive a Warning or Critical status depending on how old their databases are. The status criteria are configured in the group properties. By default, the Warning status is given to the computers whose databases are 7 or more days old, and Critical is assigned after 14 days.


You can identify that the computer status changed from OK due to outdated databases by the status description in the Protection section of computer properties, or in the panel displaying computer characteristics in the lower-right part of the Administration Console. To view detailed information about the databases and, specifically, the last update date, open the properties of the Kaspersky Endpoint Security program in the Applications section of computer properties.

Global status
The Monitoring page also provides information about the databases in use. If everything is fine, the Update area displays the time when the latest updates were downloaded to the server repository. If there is a problem, the light turns yellow or red and a problem description appears, which also acts as a link to remediation (run a task) or troubleshooting (check a computer selection) tools. The Databases in the repository not updated for a long time link opens the properties of the Download updates to the repository task. The Databases are out of date: N computers link opens the selection of hosts that have the Databases are outdated status. The Go to Updates folder link in the Update area of the Monitoring page opens the Advanced | Repositories | Updates node, which contains links to the settings of the default update tasks and the database version report.

Statistics and reports More detailed information about the databases in use and computers with problems is available on the statistics screen and also within the appropriate reports. In addition to the report on the databases being used, you may be interested in the report on versions of the program module updates of the Kaspersky Lab applications. It is not available by default, but can be created manually. This data is also available on the Statistics tab of the Administration Server node. The charts concerning updates are displayed on the Update page. Unlike reports, statistic charts are updated in real time.


If the databases became obsolete on the computer not because it was off, but because of update task errors, the administrator would need to view update task events to find out the reason. The events sent to the Administration Server are often insufficient for thorough analysis of the situation. The local update report of Kaspersky Endpoint Security usually contains more events.
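The status thresholds from the Computer statuses section (Warning at 7 days, Critical at 14) and the reasoning above about where to look next can be applied to an exported host list. This is an added example, not part of the course or of Kaspersky Security Center: the Host records, the host names and dates, and the one-day "offline" heuristic are constructed assumptions, and the hints only say which of the page's own checks to run.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Default status thresholds from the group properties described in the text.
WARNING_DAYS = 7
CRITICAL_DAYS = 14
# Heuristic (assumption): if a host last connected within a day of its database
# date, it went offline right after its last successful update.
OFFLINE_GRACE = timedelta(days=1)


@dataclass
class Host:
    """Constructed inventory record, not an export format of the product."""
    name: str
    db_date: datetime    # date of the Anti-virus databases on the host
    last_seen: datetime  # last Network Agent connection to the Administration Server


def db_status(db_date: datetime, now: datetime,
              warning_days: int = WARNING_DAYS, critical_days: int = CRITICAL_DAYS) -> str:
    """Status the databases alone earn a computer: OK, Warning or Critical."""
    age_days = (now - db_date).days
    if age_days >= critical_days:
        return "Critical"
    if age_days >= warning_days:
        return "Warning"
    return "OK"


def triage(hosts: List[Host], repository_db_date: datetime,
           now: datetime) -> Dict[str, Tuple[str, str]]:
    """Map host name -> (status, where to look next), following the text's reasoning:
    updates on a computer are never newer than the repository, so a stale repository
    is the first suspect; otherwise a host that stopped connecting while its databases
    were still fresh was probably switched off, while a host that keeps connecting
    with stale databases points to update task errors on that computer."""
    repository_stale = db_status(repository_db_date, now) != "OK"
    results: Dict[str, Tuple[str, str]] = {}
    for host in hosts:
        status = db_status(host.db_date, now)
        if status == "OK":
            hint = ""
        elif repository_stale:
            hint = "repository: check the Download updates to the repository task"
        elif host.last_seen - host.db_date <= OFFLINE_GRACE:
            hint = "offline: computer was off, nothing to fix on the server"
        else:
            hint = "update task errors: read the local update report on the host"
        results[host.name] = (status, hint)
    return results


def count_out_of_date(results: Dict[str, Tuple[str, str]]) -> int:
    """The N in 'Databases are out of date: N computers' on the Monitoring page."""
    return sum(1 for status, _ in results.values() if status != "OK")


# Constructed sample; 'now' is fixed so the example is reproducible.
SAMPLE_NOW = datetime(2017, 5, 3, 12, 0)
SAMPLE_REPOSITORY_DB_DATE = SAMPLE_NOW - timedelta(hours=2)
SAMPLE_HOSTS = [
    Host("ws-01", SAMPLE_NOW - timedelta(hours=3), SAMPLE_NOW - timedelta(minutes=10)),
    Host("ws-02", SAMPLE_NOW - timedelta(days=9), SAMPLE_NOW - timedelta(days=8, hours=22)),
    Host("srv-03", SAMPLE_NOW - timedelta(days=15), SAMPLE_NOW - timedelta(minutes=12)),
]

if __name__ == "__main__":
    report = triage(SAMPLE_HOSTS, SAMPLE_REPOSITORY_DB_DATE, SAMPLE_NOW)
    for name, (status, hint) in report.items():
        print(f"{name:8} {status:9} {hint}")
    print("Databases are out of date:", count_out_of_date(report), "computers")
```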

2.5 Rollback
Although rare, the latest updates may sometimes result in false positives. The Rollback task is designed to deal with this. It is not created by default, but the administrator can easily create it using the task creation wizard. The update rollback task has no settings except for the schedule. It makes little sense to roll back updates periodically: the rollback is typically performed when the administrator needs it, and the best schedule for such a task is Manually.
During the rollback, new database files are replaced with their previous version. For this purpose, the database files of the previous version are stored in a special folder locally on every computer where Kaspersky Endpoint Security is installed. When new databases are downloaded, the old copy for rollback is deleted and a new one is created. Only one copy of the databases is ever stored for rollback: the previous one.
KSN plays an important role in decreasing the risk of false positives. Even if a file seems to be infected according to the databases, KSN’s verdict has a higher priority. If according to KSN the file is trusted, Kaspersky Endpoint Security ignores the false positive. Thus the introduction of Kaspersky Security Network has considerably reduced the need for running the rollback task.

Chapter 3. Interaction with the User In this chapter we will describe the local interface of Kaspersky Endpoint Security: what the users see on their workstations. Using Kaspersky Endpoint Security policy, the administrator can configure the local interface of Kaspersky Endpoint Security, set a password for removing or editing protection settings, enable or disable pop-up notifications for various actions and incidents.

3.1 Password Protection
The default settings provide the users with at least two methods to disable the protection. The first method is to click Exit on the shortcut menu of the Kaspersky Endpoint Security icon in the notification area. This action doesn’t even ask for elevated permissions; any user can do this. The second method is to uninstall Kaspersky Endpoint Security, and this requires the user to have administrator rights. But some users may have them, especially on laptops.


To prevent the users from weakening or stopping Kaspersky Endpoint Security, the administrator can configure password protection for the mentioned actions in the policy and make these settings required (‘locked’). Though a user with administrator rights has enough power to disrupt the operation of Kaspersky Endpoint Security one way or another, the most direct attempts to do so are blocked by Kaspersky Endpoint Security self-defense, which doesn’t allow deleting or modifying Kaspersky Endpoint Security files and registry entries and protects its service and processes in memory. Together, password protection and self-defense are mostly able to prevent any damage a user might try to inflict on Kaspersky Endpoint Security. However, self-defense is enabled by default, whereas password protection is not.
Another, less evident way of disabling the protection is to uninstall the Network Agent. Some 10 to 20 minutes after the Network Agent is removed, Kaspersky Endpoint Security is no longer controlled by the policy and the user is able to change any settings. There is password protection for the Network Agent too, and it is not enabled by default either.

Password protection in Kaspersky Endpoint Security
Password protection can be enabled for most of the user actions that affect Kaspersky Endpoint Security: editing its settings, exiting, uninstalling, changing the license, etc. To enable password protection, open the policy in the Advanced settings | Interface section and select the Enable password protection checkbox. Then click the Settings button next to the option and enter the password. By default, the password protects all possible actions, but the administrator can switch to protecting only some of them and select from the list:
— Configure application settings—protects against any attempts to modify the settings, including the options that enable and disable the components (e.g. Enable File Anti-Virus); the user still has the option to disable components via a shortcut menu command
— Exit the application—protects the Exit command on the shortcut menu of the product's icon. Meanwhile, self-defense of Kaspersky Endpoint Security prevents attempts to terminate its processes or delete its files
— Disable protection components and stop scan tasks—the user can start protection components and local tasks (if they are displayed); the password window appears only if the user attempts to stop them. The update tasks lack this protection
— Disable control components—the password is necessary to disable Device Control, Application Startup Control, or Web Control
— Disable Kaspersky Security Center policy—adds the option to temporarily disable the policy via the shortcut menu of the Kaspersky Endpoint Security icon after entering the password. The option is only available when password protection is enabled. This capability is useful for local troubleshooting. When a policy is active, the administrator can’t change Kaspersky Endpoint Security parameters to see which component or which particular setting is causing trouble for the user. Moving a problem computer to a special group for diagnostics and then returning it after the problem is solved is an awkward solution, especially if different IT units are responsible for centralized protection management and local diagnostics. The capability to temporarily disable a policy using a special password on a computer allows carrying out diagnostics without changing the settings on the Administration Server
— Remove key—the user cannot stop protection by deleting the key unless the password is entered
— Remove/Modify/Restore the application—the password prompt is added in the uninstall wizard of Kaspersky Endpoint Security⁵
— Restore access to data on encrypted drives—prevents the user from starting the data recovery tool. It is the administrator’s job to recover data, not the user’s
— View reports—prompts for a password prior to displaying events in the local KES interface
The advantage of password protection is that it remains active even when the policy is disabled. Once the password protection settings are applied to Kaspersky Endpoint Security, the users are unable to manage the product without a valid password even if the administrator disables the policy.

⁵ To uninstall the product from the command line, the password will also be necessary.


Configuring password protection for Network Agent The Network Agent is less likely to be noticed by the local user than Kaspersky Endpoint Security. The list of installed programs is one of the few places where it can be found. “Kaspersky” in the product name may be sufficient for some users to attempt uninstalling the Network Agent. If a user has administrator privileges, the attempt will succeed. Administrators can set a password for uninstallation within the Network Agent policy. The Quick Start wizard creates the policy automatically in the Managed computers node. The password required for Network Agent uninstallation is set in the Settings section. By default, it is not specified. Enable the Use uninstall password option, click the Modify button to enter the password and don’t forget to lock that group of settings. It’s not locked by default and setting the password while leaving the option ‘unlocked’ has zero effect on the local Network Agent settings. Once the policy is applied, the password prompt is added in the Network Agent uninstallation wizard. An attempt to uninstall the Network Agent using the command line without the password will also fail.

3.2 Local and Group Task Management via KES Interface
By default, when the settings are controlled by a policy, the local interface provides access to only one local task: Custom Scan. It can be started from the Kaspersky Endpoint Security window or via the shortcut menu of any file or folder. Also, the user can see the group tasks, two by default: Quick Virus Scan and Install update. These are created on the Administration Server by the Quick Start wizard and are displayed in the local interface by default. The user can do nothing with them: neither edit their settings, nor run, nor stop them. The user can only view their reports.
These limitations are true only if the client computer is under a Kaspersky Security Center policy. If no such policy is present or enforced, the local user is able to configure and manage local versions of update and scan tasks. But as soon as a policy is enforced, the local tasks Full scan, Critical Areas Scan, Update, and Integrity check are disabled and hidden. They are supposed to be replaced with similar group tasks, which can only be managed from the Administration Server. When local tasks are concealed, they keep their settings but cannot be started either manually or on schedule. Otherwise, local tasks would interfere with group tasks: if a local update task were running, the start of the group update task would fail, and although a running local virus scan task would not obstruct starting the group task, it would waste computer resources.
The custom scan task and the names of the group tasks displayed within the interface are typically enough for the user to feel protected. However, some users may need more control. They may need to postpone scheduled starts or initiate updates and scans manually. This can be achieved by configuring the Kaspersky Endpoint Security policy.
There are two relevant options in the Advanced Settings | Application settings section:
— Allow management of group tasks—this gives the user the power to stop group tasks when they are running and start them manually. If a task is stopped by the user, the result in Kaspersky Security Center will be Completed, but the preceding event will be a warning that the task was stopped while running. The user still can’t modify the group task settings
— Allow local tasks to be displayed and managed (except custom scan)⁶—this makes the local tasks visible and their settings and control commands available to the user. Moreover, local tasks will start running on schedule, which most of them have by default. Typically, you wouldn’t want users tinkering with the task settings, but if they need to, this option gives them this power
There is no way to allow managing group task settings via the local interface. If display of local tasks is enabled, they will start on the specified schedule with all the negative consequences described earlier. You cannot make local tasks displayed but started only manually. That is why local tasks should be used only in very special cases, e.g., on roaming computers while they cannot connect to the management system.

⁶ The Custom scan is never hidden; what you allow to be displayed are all the other local tasks in addition to the Custom scan.


Below you can find the default settings and schedules of the local tasks:

Update
  Settings: Sources: Kaspersky Lab update servers, Kaspersky Security Center; Download updates of application modules; Install critical and approved updates
  Schedule: Automatically (translates to every two hours)

Full scan
  Settings: Security level: Recommended⁷; Select action automatically; Scan scope: System memory, Startup objects, Disk boot sectors, System Backup Storage, All hard drives, All removable drives
  Schedule: On Mondays at 7:00 PM

Critical areas scan
  Settings: Security level: High⁸; Select action automatically; Scan scope: System memory, Startup objects, Disk boot sectors
  Schedule: Every day at 6:00 PM

Custom scan
  Settings: Security level: Recommended; Select action automatically; Scan scope: Not defined
  Schedule: Manually

Integrity check
  Settings: Checks integrity of Kaspersky Endpoint Security files
  Schedule: Manually

Vulnerability scan
  Settings: Vulnerability types: Microsoft, Other vendors; Scan scope: %SystemRoot%, %ProgramFiles%, %ProgramFiles(x86)%
  Schedule: Manually

There are also two tasks that are never visible in the local interface but can still run and can be controlled by a policy (see the Advanced Settings | Protection Settings section):
— Idle Scan—a special task that starts when the screensaver is on or the computer is locked and scans startup objects, system memory and the system partition of the hard drive. Scanning is performed at the Recommended security level. In the policy, it is controlled by the Perform idle scan check box
— Scan removable drives on connection—another special scan task. It starts when a removable drive is connected to the computer. The scan scope includes boot sectors and the files located on the removable drive. Two scanning variants are available: Full—the scanning is performed with the same settings as in the local Full Scan task; Quick—the scanning is performed with the same settings as the local Critical Areas Scan task (in particular, archives and installation packages are not scanned). Scanning large drives may take a long time. To avoid lengthy delays, you can select to scan only small removable drives. In the policy, the task is controlled by the Action on removable drive connection option, which is set to Do not scan by default but can be changed to either Full scan or Quick scan. When scanning is enabled, you can also adjust the Maximum removable drive size option

⁷ Scan all files, including archives, installation packages and OLE objects; heuristics level: medium scan
⁸ Scan all files, including OLE objects and mail formats, excluding archives and packages; heuristics level: deep scan


3.3 Local Notifications

It is the administrator who is supposed to react to Kaspersky Endpoint Security events. That is why the events are transferred to the Administration Server and displayed in the Console. The corresponding settings can be found in the Event notification section of the Kaspersky Endpoint Security protection policy. Note that many events are not sent to the Administration Server to avoid creating unnecessary traffic. This mostly concerns informational events, and their sending can be easily enabled if necessary. These same events can be displayed to computer users as pop-up messages. Local users do not need to see the majority of events, for example, the events pertaining to Kaspersky Endpoint Security maintenance: outdated databases, required restart, upcoming license expiration, etc. Maintenance tasks are performed by the administrators, who receive this information from the Console. However, it does make sense to inform the users about blocked operations. When a user attempts to open a phishing web site or download a malware program, it is recommended not only to block the action, but also to explain the reason it was blocked. Otherwise, the user may suppose that the computer is not working properly and contact the administrators with wrong assumptions. Besides, in a large organization where different departments are responsible for security and maintenance, a lot of time may pass before the blocking reason becomes clear. By default, only the notifications about blocked access or dangerous content are enabled.
The user will see a pop-up window in the following cases only:
— Application startup prohibited—Application Startup Control blocked the program start
— Operation with the device prohibited—a restriction has been imposed by the Device Control or BadUSB Attack Prevention component
— Temporary access to the device activated—Device Control temporarily allows access
— Previously opened phishing link detected—Web Anti-Virus considers the link to be phishing
— Previously opened malicious link detected—Web Anti-Virus considers the link to be infected
— File access blocked—refers to encryption of files and folders (see course KL 008.10 Encryption)

When the user attempts to access an infected object (open, copy, receive by e-mail or download using a web browser), a notification is displayed—either a system warning about inability to open the file (because Kaspersky Endpoint Security blocked it), or the message which Kaspersky Endpoint Security displays, for example, instead of an infected web page. Such notifications cannot be disabled via the Kaspersky Security Center policy. Also, when a threat is detected, the Kaspersky Endpoint Security icon changes its appearance for a couple of seconds while the problem is being solved, and then the user will be able to learn about the incident from the statistics shown in the main window of the program (if the policy allows the local interface to be displayed) or from the report (unless it is password-protected).


If the administrator believes that more or fewer notifications should be displayed to the users, they can be configured in the protection policy. In the Advanced settings | Interface section, in the Notifications area, there is the Settings button that opens the list of events and local notification methods9. For example, you can enable pop-up notification for malware detection by File Anti-Virus. Here you can also configure sending e-mail notifications from the client computer. Typically, it is not required, because events are sent to the server and the server sends e-mail notification when necessary. But it makes sense for computers out of office that can’t connect to the Administration Server.

9

In the lower-left corner of the Notifications window, a drop-down list is located that enables the administrator to quickly revert to the default settings.


3.4 Technical Support Information

If users will be working with the Kaspersky Endpoint Security interface, the administrators can change the standard text and links displayed in the Support window of the local interface. By default, they contain the links that enable and disable system tracing, and open the Technical Support web site of Kaspersky Lab (http://www.kaspersky.com/support), the knowledge base, and the user forum of Kaspersky Lab, where answers to many questions can be found. The administrator can replace the three links to Kaspersky Lab web resources with other text, for example, the contact details of the local or internal support department, so that all user questions go to the internal support, for example, to the appropriate e-mail address. The text and links are specified in the protection policy, in the Advanced settings | Interface section. Click the Settings button in the User support area. Once the administrator fills in at least one new field, all three default links to the Kaspersky Lab site will be hidden. Note: By default, this setting is not enforced. To apply it, close the lock and enforce the policy.

3.5 Concealing Kaspersky Endpoint Security

The majority of users' attempts to disable protection can be prevented if the product is hidden. The hiding of notifications is described above. The Kaspersky Endpoint Security icon in the notification area and the shortcuts in the Start menu also reveal the product's presence.


These features can be hidden using the options in the Advanced settings | Interface section:
— Display Kaspersky Endpoint Security 10 for Windows interface—when deselected, removes the icon from the notification area, all shortcuts from the Start menu, and the entry for Kaspersky Endpoint Security from the list of installed applications in the Control Panel. At a cursory glance it may appear that Kaspersky Endpoint Security is not installed. However, a more attentive user will notice Kaspersky-related entries on the shortcut menu of files and folders, the folder in Program Files, and the service in the list of services. A user with local administrator rights will find even more traces. But still there is self-defense and password protection to safeguard Kaspersky Endpoint Security against the user
— Display "Protected by Kaspersky Lab" on Microsoft Windows logon screen—when this option is disabled, the sign is not displayed in the upper right corner of the logon screen in Windows XP/2003. In other versions of Windows, this sign is never displayed.

The presence of Kaspersky Network Agent is less apparent, but it will be listed among other installed applications in the Control Panel. There is no way to hide this.

Chapter 4. Out-Of-Office Computer Management

The risk of computer infection is lower within a corporate network than outside of one. Thus, applying different settings once computers move out of office seems reasonable. If the Administration Server is accessible from outside the network, and out-of-office computers can connect to it, they usually can be distinguished by their IP addresses. Therefore, you can create a rule to relocate such computers to a separate group with a special policy assigned to it. Ensuring connection to the Administration Server from outside is a complex task, though (explained in course KL 302.10). And some out-of-office computers may fail to connect anyway. They could be behind a restrictive firewall that blocks connections to port 13000. Or they can be disconnected from any network but still vulnerable to infections from USB drives. In such cases, you have to rely on Kaspersky Endpoint Security and the user.


4.1 Out-of-Office Policy Settings

A policy for out-of-office computers must take into account the fact that the host is outside the corporate network and that Kaspersky Endpoint Security maintenance tasks have to be performed by the user. Consequently, the policy must allow the user access to the information about the protection status and to the product management tools. The user should at least be allowed to scan suspicious files/drives and start updates. For this purpose, it is necessary to allow the user to manage group or local tasks, or both. See the previous chapter for details. To help the user make rational decisions about protection, it is necessary to provide them with more information about incidents. The user should be warned about detected threats, the need for advanced disinfection and about outdated databases. The default policy assumes that 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8 are local networks, which need fewer restrictions. This may not be a safe assumption out of office. These can be networks in hotels, cafes or other public places which cannot be trusted. The out-of-office policy should treat the abovementioned addresses as public. On the other hand, Device Control and Web Control settings could be less strict than in the office. The user on a business trip might need to connect removable devices to exchange data with colleagues, etc. And it is only reasonable to allow the user to browse the Internet more or less freely, at least during non-working hours.

4.2 Conditions of Switching into Out-of-office Mode

For those situations when a client computer cannot contact the Administration Server, Kaspersky Security Center supports special out-of-office policies and also mobile mode in the update task settings. Out-of-office is the third possible policy status, in addition to the Active and Inactive statuses. The policy for out-of-office computers and the mobile mode in update tasks are applied simultaneously if at least one of the following conditions is met:

1. Network Agent cannot synchronize with the Administration Server three times in a row. In practice, this means that the computer is disconnected from the corporate network. By default, the synchronization period is 15 minutes; therefore, the client will switch into mobile mode in 30-45 minutes. In large networks or networks with unstable connections, three consecutive failures may be considered normal and switching into mobile mode may be undesirable. In this case, it makes sense to disable automatic switching and configure connection profiles instead. This can be done in the Network | Connection section of the Network Agent policy. Connection profiles are described in detail in course KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills.

2. All network adapters are disabled or disconnected on the client computer. In this case, synchronization is impossible, and Kaspersky Endpoint Security immediately switches to out-of-office settings.

3. According to connection profiles (see course KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills).


An out-of-office policy may be created for any group. A group may have only one policy for out-of-office computers. That policy is propagated in exactly the same manner as an active policy. However, while an active policy is enforced immediately, a policy for out-of-office computers starts working only when the computer meets the specified conditions (see above). If a child group has no out-of-office policy, it will use the out-of-office policy of its parent group. However, if an out-of-office policy exists in both parent and child groups, they are not related in any way: mandatory (locked) settings in the parent group's policy do not restrict the policy of the child group. In other words, individual settings of an out-of-office policy are not inherited, unlike those of an active policy, where the required settings are inherited by the policies of child groups. Out-of-office policies are inherited only as a whole, and only by those subgroups where no out-of-office policy is configured. You can switch a policy into the Out-of-office policy status in its properties window, in the General section, Policy status area. Note: The Out-of-office policy status only exists in the policies of Kaspersky Endpoint Security for Windows and Kaspersky Anti-Virus for Windows Workstations. Policies of the Network Agent or, for example, Kaspersky Anti-Virus for Windows Servers Enterprise Edition do not have such an option.

4.3 Update Settings in Mobile Mode

The default update source and schedule settings are intended for computers connected to the corporate network. If a computer is outside the corporate perimeter, it cannot receive a signal from the Administration Server informing that new updates are downloaded in the repository, and it may not be able to connect to the Administration Server to download the updates. That is why the parameters of the update task include a separate set of settings for the mobile mode. The mobile mode settings include the list of sources, module update settings and parameters for copying updates into a folder. The default update source is the update servers of Kaspersky Lab, which makes the most sense for out-of-office conditions. Since proxy server parameters are specified in the policy, it is reasonable to configure the out-of-office policy to automatically determine proxy server settings. The mobile mode does not explicitly include schedule parameters. Meanwhile, the usual schedule of the group update tasks, 'When new updates are downloaded into the repository', makes little sense for out-of-office computers. There is no cause for concern, though, because in the mobile mode the update tasks start every two hours regardless of their schedule parameters.


Chapter 5. Backup and Restore

5.1 Backup Considerations

Creating backup copies is a good practice that can save you a lot of trouble should anything happen to the Administration Server or its database server. The administrator will be able to restore the entire management system from a backup copy within about an hour. To ensure a quick recovery, it is important to store backups in a reliable location. A backup copy of the Kaspersky Security Center data includes all visible and invisible configuration settings. This includes the event database (which contains more than just the events), administration group structure, tasks and policies, report templates, installation packages 10, selections of computers and events, the Administration Server certificate, and more. Updates are not included, because they quickly become outdated, and there is no reason to keep an old copy. Since the Encryption functionality has appeared in Kaspersky Endpoint Security, backups have become even more important. The Administration Server configuration now includes the encryption key store that contains master keys for all computers where encryption is used. These keys are necessary for recovering access to encrypted data in case of failures. If the master keys stored on the Administration Server are lost, encrypted data may also be lost irretrievably. Encryption and the risks involved are described in course KL 008.10 Encryption. But even if we leave encryption out of consideration, losing Administration Server data can result in many hours or days or even weeks spent on system recovery. In a large network, even creating a structure of groups can be difficult and may consume much time and effort. If the server is reinstalled, its certificate changes, and it means that Network Agents, even if they use the correct address, will not be able to establish a connection to the new Administration Server.
Generally, to recover connection to the computers, all Network Agents will have to be reinstalled. A backup copy relieves the administrators from these issues, because a copy includes the server certificate, all the settings, and the encryption key store. Backup copies can be used as an alternative method of upgrading the Kaspersky Security Center version. A standard upgrade procedure implies installing a new version over the old one. In this case, the installer detects a previous version and upgrades its components, saving old settings if possible. Using the backup mechanism, you can create a backup copy of your old system, uninstall it, then install the new version of the Administration Server, and restore its configuration from the backup. You can use this method when it is necessary to upgrade not only the software components of the Administration Server, but also its hardware configuration. In a similar manner, you can use backups to move the Administration Server to a different computer. First create a backup copy, and then install the Administration Server on another system. Restore the Administration Server settings from the backup copy. In this case, it is important to ensure that the same type of SQL server (Microsoft SQL or MySQL) is used by both new and old instances of the Administration Server. If you move the Administration Server to another system and want to change the Server's name or address, you must make this change before the migration. Refer to course KL 302.10 Kaspersky Endpoint Security and Management: Advanced Skills for more information about changing the Administration Server name or address.

10

Including standalone, but excluding operating system image packages (these packages are described in detail in course KL 009.10 Systems Management).


5.2 Creating a Backup Copy

How backup works in Kaspersky Security Center

To create backup copies, Kaspersky Security Center has a special task called Backup of Administration Server data. Only one instance of this task can exist on the Administration Server, and the default one is created by the Quick Start wizard. If necessary, you can delete and recreate it as a troubleshooting measure. The actual job of creating backup copies is performed by klbackup.exe, a utility for backup and recovery of the Administration Server. The task launches the utility with the specified options, which then creates a backup copy. To create a backup copy, the klbackup.exe utility stops the Administration Server service (and the Network Agent service) and copies the Server settings and data. When the Administration Server service is stopped, all instances of the Administration Console receive a message that the connection with the Administration Server is lost. Then, the utility commands the SQL server to create a backup copy of the event database. After the backup copy is created, the utility starts the Administration Server and Network Agent services. It is important to realize that backup copies of the Administration Server data are created under the Administration Server account, whereas backups of the database are created under the database server account. If you specify a network path as the target location for backup copies, both the Administration Server and SQL server must have access to this folder. Also, the specified drive must have enough free space.

Backup task settings

Only one parameter is required for the backup task: the location of backup copies. This folder will contain subfolders for each backup copy. The names of the subfolders consist of the date and time of creation. The default location of backup copies is the SC_Backup folder in the Administration Server data directory (%ProgramData%\KasperskySC\SC_Backup).


However, it is risky to store backup copies on the same disk with the Administration Server, because in the event of a hardware failure, both the current system and its backup copy might be corrupted. So, it is strongly recommended that you store backup copies separately. The administrator can either specify a network location or use an additional process to move backup copies to a safer place for storage. Since a backup copy can be up to several gigabytes in size (depending on the network and the amount of stored data), it makes sense to limit the number of stored backup copies. By default, the maximum number of backup copies is three. The Administration Server certificate is stored in an encrypted form for security reasons. This security measure prevents intruders from using the certificate to gain control over the client systems. To enable certificate encryption, you need to provide a password. By default, the password is empty. The backup task is scheduled by default to start daily at 2 a.m.; therefore, only the three backup copies of the last three days are stored. No matter how often it is explained that creating a backup copy causes the Administration Server to restart and all connected consoles to disconnect, somebody will still be confused and ask why the Console they leave connected every night is found disconnected the next morning. The answer is that the default backup task runs every night at 2:00 AM.

5.3 Restoring Data from Backup Copy

There is no task in Kaspersky Security Center for restoring data from a backup copy. This is done by design, because an accidental launch of such a task would result in the loss of newly added settings and data. In order to restore the Administration Server data, the klbackup.exe utility is used again, which can be run from the Start menu. When started without command line options, this utility works as a wizard, which prompts you to choose the restore option, enter the path to the backup copy and the password to decrypt the Administration Server certificate. You need to specify the full path to the subfolder that contains the backup copy. For example, if you specified the c:\backups path for the backup task, to restore the system, you need to enter something similar to c:\backups\klbackup2011-12-27#02-00-02. The backup utility can not only restore the data from backup copies, but it can also create backup copies. To do so, at the Choose Action step, select Perform backup of Administration Server data. Also, you can enable the mode for only backing up or restoring the Administration Server certificate. This mode can be used, for example, when you only need to restore the connection between the Network Agents and the Server, but want to create the structure and settings from scratch. This limited backup is not available in the backup task. The klbackup.exe utility can be launched with the following command line options:
— -path—backup copy destination folder, or the source folder during a recovery
— -restore—instructs the utility to restore data; without it, the utility creates a backup copy
— -use_ts—creates a subfolder with a name consisting of the time and date of creation; without it, the utility creates the backup copy right in the folder specified by the -path option
— -password—specifies the password for encrypting the Administration Server certificate
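The command line options above can be driven from a script that also moves the copy off the Server's disk, as section 5.2 advises. The following PowerShell wrapper is an added example, not a script from the course or from Kaspersky Lab; the klbackup.exe install path, the \\backup-srv\ksc$ share and the cert-password.xml file are assumptions for your own environment.

```powershell
<#
Added example (not part of the course): create a timestamped Administration
Server backup with klbackup.exe, copy it to separate storage, verify the copy
by SHA-256 and keep only the newest copies.
Assumptions: klbackup.exe path, the share name and the password file are
placeholders. Like the backup task, this restarts the Administration Server
service, so run it outside working hours.
#>
param(
    [string]$KlBackup   = "${env:ProgramFiles(x86)}\Kaspersky Lab\Kaspersky Security Center\klbackup.exe",
    [string]$LocalRoot  = 'C:\backups',         # folder handed to -path
    [string]$RemoteRoot = '\\backup-srv\ksc$',   # placeholder: storage off the Server's disk
    [int]$Keep          = 3                      # same retention as the default task
)
$ErrorActionPreference = 'Stop'

# The certificate password is stored once, by the account that will run this script:
#   Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content C:\backups\cert-password.xml
# ConvertFrom-SecureString is DPAPI-bound, so only that account on this host can read it back.
$secure = Get-Content (Join-Path $LocalRoot 'cert-password.xml') | ConvertTo-SecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# 1. Create the backup. -use_ts makes klbackup create a klbackup<date>#<time>
#    subfolder under -path; -password encrypts the Administration Server certificate.
$proc = Start-Process -FilePath $KlBackup -Wait -PassThru -NoNewWindow `
    -ArgumentList @('-path', "`"$LocalRoot`"", '-use_ts', '-password', $password)
$password = $null
if ($proc.ExitCode -ne 0) { throw "klbackup.exe failed with exit code $($proc.ExitCode)" }

$newest = Get-ChildItem -Path $LocalRoot -Directory -Filter 'klbackup*' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $newest) { throw "No klbackup* subfolder found under $LocalRoot" }

# 2. Copy the new subfolder to the separate location. Robocopy exit codes below 8
#    mean success (the low bits only report what was copied or skipped).
$dest = Join-Path $RemoteRoot $newest.Name
& robocopy.exe $newest.FullName $dest /E /R:2 /W:5 /NP /NFL /NDL | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# 3. Verify every file arrived intact before trusting the remote copy.
foreach ($file in Get-ChildItem -Path $newest.FullName -Recurse -File) {
    $relative = $file.FullName.Substring($newest.FullName.Length).TrimStart('\')
    $copy     = Join-Path $dest $relative
    $srcHash  = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    $dstHash  = (Get-FileHash -Path $copy -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) { throw "Hash mismatch for $relative" }
}

# 4. Keep only the newest $Keep copies in both locations, as the task does for one.
foreach ($root in @($LocalRoot, $RemoteRoot)) {
    Get-ChildItem -Path $root -Directory -Filter 'klbackup*' |
        Sort-Object LastWriteTime -Descending | Select-Object -Skip $Keep |
        Remove-Item -Recurse -Force
}
Write-Output "Backup $($newest.Name) created and verified at $dest"
```

To restore from a copy made this way, point the klbackup.exe wizard (or the -restore option) at the klbackup<date>#<time> subfolder on the share and supply the same certificate password.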


Chapter 6. Statistics and Reports

6.1 Introduction

Overview

Almost all monitoring tools available in Kaspersky Security Center: events, statuses, reports, selections, etc., were already mentioned when we described deployment, protection and endpoint control. In the previous chapters, we placed emphasis on which events, statuses, reports, etc. help to monitor components. This chapter is different in that it describes the customizations available in these instruments. For example, Chapter 4 of Unit III of this course describes the events generated by the Device Control component and reports generated from these events. The current chapter, on the contrary, describes the storage settings of all events, notification settings for all events, all report generating settings, etc.

Interconnection of monitoring tools

Statistics and reports are created based on the statuses and events sent to the Administration Server, which are generated by all components: Kaspersky Endpoint Security, Network Agents, and the Administration Server itself. By default, the events sent to the Administration Server are stored there for:
— One month—Kaspersky Endpoint Security and Network Agent events, as well as information events of the Administration Server
— Three months—warning events of the Administration Server
— Six months—errors and critical events of the Administration Server

The administrator can view the events sent to the Administration Server via the Administration Console—within the component properties. For example, to view Kaspersky Endpoint Security events, find the necessary computer in the Managed Computers node, open its properties, in the Applications section select Kaspersky Endpoint Security and click Events. Aggregate data on all events is available on the Events tab of the Administration Server node. Here they can be grouped, filtered (for example, by registration time), exported into a file, or deleted. The information necessary for defining the computer status is sent from the client computers to the Administration Server separately from the events. For example, even if you disable transfer of all events concerning updates, the Databases are out of date computer status will be displayed nevertheless. To disable sending status information, you need to disable using statuses in the group settings. To view all computers having some status, open the corresponding selection in the Computer selections node. Events and statuses stored in the database serve as a basis for creating reports and statistics panes. E-mail notification can be configured for events and reports.


6.2 Computer Statuses and Selections

Computer statuses

Computer statuses help the administrator to quickly understand on which computers issues are encountered. A glance at a list of computers within a group allows identifying such computers by icon color. In practice, many administrators do not pay attention to computer statuses. In a large network, a great part of computers occasionally gets the Warning or Critical status. The administrators usually just have no time to deal with each case. Sometimes, the administrators do pay attention to statuses, but only within a comparatively small category of computers, for example, servers. At the same time, statuses may reflect critical information about computers' protection. For example, absence of protection tools on a computer is a major security threat.


To make statuses useful for diagnostics, the administrator can modify their settings to disable less important statuses and the statuses that are not used. For example, the Windows update search has not been performed for a long time status can be disabled if Windows updates are managed by a different department. Generally, which statuses to disable and which to use would depend on the components installed on the computers, and what the administrator believes to be important for network protection. The administrator can also change the status settings. For example, the period after which databases are considered to be obsolete can be changed. For some other statuses, their criteria can be modified. For example, the Restart is required status has seven different conditions in its properties and the administrator can choose which reasons for restart should trigger the status change and which can wait till the computer is restarted in due course. The administrator can even configure different status criteria for different groups if computers in these groups serve different purposes, encounter different threats, or have different components installed. For example, groups with servers can use more statuses than groups with desktop computers. By default, all groups inherit status parameters from the settings of the Managed computers node. The administrator can disable inheritance in any group and adjust the settings. Each status relates to a component or function of Kaspersky Endpoint Security or Kaspersky Security Center. The status settings are described in detail in the respective course sections: deployment statuses in Unit I, protection statuses in Unit II, control statuses in Unit III and some of the rest in this unit. Some statuses related to encryption and other advanced topics are described in the respective courses.

Searching for computers

Computer search is a tool that enables the administrator to specify conditions and get the corresponding list of computers. The search window can be opened using the shortcut menu of the following nodes in the Administration Console (notice that the selected node defines the search scope):
— Administration Server—the computers will be searched for everywhere, among managed and unassigned computers
— Managed computers—the computers will be searched for among the managed computers
— Any other group—the computers will be searched for within the group (including the subgroups)
— Unassigned devices—the computers will be searched for among the unassigned computers

Aside from that, search parameters do not depend on the invocation point and provide vast capabilities:
— By network characteristics—computer name, domain name, IP address, location in Active Directory, etc.
— By software—operating system, service pack, installed Kaspersky Lab programs, installed programs by other manufacturers, software vulnerabilities, etc.
— By protection status—the number of detected viruses, update date, status description (for example, Protection is off)
— By equipment—the amount of memory, peripheral devices, virtual platform type, etc.
— By role in Kaspersky Security Center—new computers, computers with non-standard connection profiles, Update Agents, etc.
— By users
— And more


Some of the search settings are described in more detail in the sections devoted to the respective components and functions. One of the most frequent search use cases is searching for a computer by its name or IP address to understand in which group it is located and which policy is enforced there. The search results are clickable; for example, you can see computer properties, protection status or events on its shortcut menu. You can also delete the computer from its group or move it into a different group, run a task on the computer, send a message to the active user and more, all in the search window.


Standard selections

For many statuses, standard computer selections are available that display computers having this status. For example, the There are unprocessed objects computer selection displays the computers where the There are unprocessed objects status condition is met. When computer statuses change, the contents of computer selections are updated. Computer selections are not limited to statuses, though. They allow viewing computers that meet any specified conditions. Standard selections are hard-coded selections that are initially available in the interface and can be neither modified, nor deleted. If the administrator feels that standard selections are not enough, they can create custom selections of their choice.

Custom selections

If you often search for computers with the same parameters, you should consider creating a selection with similar search conditions. Selections are located in the respective node of the console tree. In addition to standard selections, the administrator can create various custom selections using the shortcut menu of the Computer selections node or the Advanced button on the node's page. The selection scope is specified in the General section and may include all computers, managed or unassigned. Search parameters are specified in the Conditions section. The parameters are the same as in the Search window; however, while in the Search window you can specify only one set of parameters, in a selection you can create several conditions with different search parameters. For example, in the Search window you cannot specify two IP address ranges to search for computers in any of them. Whereas in a selection, you can create two conditions for this purpose and specify different ranges in each of them. If several conditions are specified, a selection displays the computers that meet any of them. Search parameters within a condition (or in the Search window), on the contrary, are combined, and all of them must be met: if both an IP range and a name of an installed program are specified in a condition, only those computers will be displayed where both the program is installed and the IP address belongs to the specified range.

IV-77 Unit IV. Maintenance

IV–78

KASPERSKY LAB™ KL 002.10. Kaspersky Endpoint Security and Management. Fundamentals

6.3 Events and Event Selections

Local events With Kaspersky Endpoint Security, events are registered by the instance installed on the client computer, transferred to the Network Agent on the same computer and then are sent to the Administration Server. A situation may arise when events may fail to reach the Administration Server because of some failures or configuration errors. In this case, it is especially important that Kaspersky Endpoint Security events be saved somewhere in addition to the central database. The administrator can control the local processing of Kaspersky Endpoint Security events using the policy. These parameters are located in the Interface section: click the Settings button in the Notifications area. There are four event processing methods:
— Save in local Kaspersky Endpoint Security log
— Save in local Windows log
— Notify on screen
— Notify by e-mail

All four capabilities may come in handy. Saving in the local Kaspersky Endpoint Security log does not increase the load on the network, the Administration Server or the database. That is why you can safely select to save absolutely all events in the local log, which is actually configured by default. If the complete log of events can always be found on the client computer, the administrator may select to send only the most important events to the Administration Server. Also, in the local Kaspersky Endpoint Security interface events are grouped by components. The Kaspersky Security Center console also allows filtering events by the task name, but the filter has to be set up every time, while the local interface provides this filtering out of the box. Saving events to the local Windows log has the same advantages as saving to the Kaspersky Endpoint Security log, and one more: Windows log accessibility is independent of Kaspersky Endpoint Security. If Kaspersky Endpoint Security becomes inaccessible as a result of a failure, the administrator can try to understand the failure cause by studying the events stored in the Windows log. On-screen notifications may be handy for out-of-office users. Also, they may be of use for the administrators who study Kaspersky Endpoint Security capabilities, or while testing a new policy. Lastly, e-mail notification allows the administrator to learn about the most important events taking place on out-of-office computers. Usually, notifications are sent by the Administration Server based on the events received from the managed computers. Out-of-office computers may send events irregularly, or not send them at all. To remain aware of what is happening on such a computer, the administrator can configure e-mail notifications to be sent by Kaspersky Endpoint Security. For this purpose, open the Kaspersky Endpoint Security policy and in the notification settings window, click the Email notification settings button.
In the opened window you can specify all the parameters, including sender address, SMTP server address, name and password for the authentication, and, certainly, the recipient’s address. If we are talking about out-of-office computers, the mail server must be accessible outside the corporate network. It can be a mail gateway located in DMZ, or even (as a last resort) a public mail service, such as Google Mail, Yahoo! Mail, Microsoft Hotmail, etc.


Events on the Administration Server The events available in the Administration Console are not as well-organized as in the local interface, but have two major advantages:
— In the console, the administrator works with events from all computers rather than from one of them
— The administrator has the Kaspersky Security Center console at hand, while the local interface of a client computer is usually not easy to access
The administrator is supposed to occasionally open the console to evaluate the situation in the network and pay attention to statuses and reports. He or she can be interested in events of a problem computer. All this can be done in the Administration Console. Only if the problem seems to be significant, and information in the console is scarce, may the administrator need to view events in the local log or collect traces. The events available in the Console, meaning the events stored in the Server database, serve two purposes:
— Enable generation of regular informative reports
— In case of an issue, help the administrator to evaluate it and understand whether any further investigation is necessary
Also, events may help to test new policy settings. For example, special events allow studying the effect of Application Startup Control rules without actually restricting applications' start. For an event to become available in the console, it needs to be sent from the computer to the Administration Server and then further to the database. In other words, each event increases network traffic and load on the Administration Server and the database server. Also, the more events are stored in the database, the longer it takes to create a report or show a selection. If the administrator feels that the available information is insufficient or encounters performance issues, it's time to review the event storing parameters.
Event storing parameters are specified in the policies of Kaspersky Endpoint Security and Network Agent, and also in the Administration Server properties, in the Event notification section. The events are grouped by four severity levels: Critical event, Functional failure, Warning, and Info. The severity level is a permanent attribute of an event; it cannot be modified. Each program has its own events with their default settings. An event has three storage settings:
— On the Administration Server, meaning in the server database. This storing method is enabled for most critical and error events, as well as for many warning and some info events. The default lifetime of Kaspersky Endpoint Security and Network Agent events is 30 days for all events (naturally, except for the events whose storage is disabled). The Administration Server events' default lifetime depends on their severity levels. For Information events, it is 30 days; for Warning, 90; and for Critical and Error, 180.
— In the operating system event log on the Administration Server, similarly to local Kaspersky Endpoint Security events. If the Administration Server becomes inaccessible, the administrator will be able to find information in the Windows log.
— In the operating system event log on the client computer. This makes sense only for the Network Agent events; Kaspersky Endpoint Security already has this capability in the settings of local event processing.
When the specified lifetime is over, events are automatically deleted from the Administration Server database (but not from Windows logs, which have their own settings). The longer the lifetime, the more events are stored in the database on average at each specific moment, and the longer event processing operations take. On the other hand, when the administrator decreases event lifetime, the maximum reporting period also decreases.


The global event storage parameters are located in the Administration Server properties, in the Events storage section. There are two parameters: — Maximum number of events stored in the database—the default value is 400,000 (four hundred thousand) and the maximum configurable value is 100,000,000 (a hundred million). The optimal value depends on the number of managed computers and the resources available to the SQL server. Too low a limit might lead to a rapid event turnover with new events pushing out older events before the administrator has a chance to see them. Too high a limit might lead to performance issues with the SQL server. You can learn that the limit is reached and events are not saved any more from the Windows event log. — Store events after removal of computers, supplemented with the Maximum storage time (days) option—this parameter was introduced in Kaspersky Security Center 10 MR1. In previous versions of Kaspersky Security Center, if a computer was removed from the Administration Server database, all events associated with this computer were promptly removed too. This is not always a good thing, and now the administrator can keep the events for some time after computer removal. This parameter is disabled by default, which corresponds to the old Kaspersky Security Center behavior.

Database maintenance With time, the Administration Server database may slow down. In particular, the reports may be generated slowly, and lists of events or computers may be displayed only after a noticeable pause. To speed up the console's work with the events stored in the database, the database is to be optimized. Before Kaspersky Security Center 10 SP2, it could have been done only using the database server tools. Kaspersky Security Center 10 SP2 features a special task named Database maintenance, which can optimize a Microsoft SQL database of the Administration Server. The task does not support MySQL databases. If you use MySQL, optimize the database using the database server tools. To speed up the Administration Server database, the Database maintenance task performs the following:
— Looks for errors in the database and fixes them
— Rebuilds indexes
— Updates the database statistics
— Optionally shrinks the database

The task has few parameters. In addition to the schedule, there is only the Shrink database option, which decreases the database size. The database is recommended to be optimized once a week. You can have only one task of this type. It is created by the Quick Start wizard. By default, the task starts every Saturday, at 1 a.m.


Event notifications In addition to saving events to the database, you can set up event notification. This is configured in the properties of every particular event type that you want to be notified about. Kaspersky Security Center 10 supports four notification channels:
— E-mail
— SMS
— Start of an executable file
— SNMP

Notifications help to draw the administrator’s attention to the most important events. By default, notifications are not sent. To receive notifications, the administrator finds the necessary events and selects the necessary delivery options in their properties. All events are delivered using the general delivery parameters unless the administrator edits the delivery settings of an individual event, for example, specifies another delivery address.

E-mail notification settings At first, e-mail notification delivery parameters are specified in the Quick Start wizard. Later, they can be modified on the Events tab of the Administration Server node. Expand the General settings of selections drop-down list and click Configure notifications. E-mail notification delivery parameters include:
— Recipient's address
— SMTP server address
— SMTP server port
— Message text

These are the main parameters that are configured in the window that opens when you click the Configure notifications link on the Events page. They are sufficient if the selected SMTP server does not require authorization. The recipient address will also be used for the sender address, and the subject of the sent notifications will be made from the event severity level and its type, for example, Critical event: Threats have been detected. To view additional e-mail notification settings, click the Settings link. Then you will be able to modify:
— Message subject
— Authorization username and password
— Sender's address
When configuring the notification subject and text, you can use macros, which will be replaced by the corresponding event attributes in the notifications:
— %SEVERITY%—event severity level
— %COMPUTER%—sender computer
— %DOMAIN%—domain
— %EVENT%—event
— %DESCR%—event description
— %RISE_TIME%—event time
— %KLCSAK_EVENT_TASK_DISPLAY_NAME%—task name
— %KL_PRODUCT%—program
— %KL_VERSION%—version number
— %HOST_IP%—IP address
— %HOST_CONN_IP%—connection IP address


The macros can be added using the special buttons located next to the fields where notification text and subject are edited.


SMS notification settings SMS notification tends to draw the administrator's attention the best, and should be used for the most important events only. SMS delivery parameters are configured in the same window as the global notification parameters. To open SMS settings, in the Notification section, select the SMS tab. Kaspersky Security Center can send SMS messages through:
— Mail gateway
— A special Android application by Kaspersky Lab installed on one or several corporate phones
SMS sending via a mail gateway works as follows. The notification is sent to a special mail server as a typical e-mail message. The recipient's phone number is a part of the recipient's e-mail address on this server. Special software installed on the mail server obtains the phone number from the e-mail address and sends an SMS there. Such mail gateways are sometimes provided by mobile operators and by other organizations. They may be paid or free. There are commercial solutions that allow a company to organize their own mail gateway for SMS. Kaspersky Lab does not offer such a mail gateway. Instead, Kaspersky Lab offers an Android application named Kaspersky SMS Broadcaster. This application is a part of the Kaspersky Security 10 for Mobile distribution and can be installed on any Android phone. To use Kaspersky SMS Broadcaster, the 'Mobile devices support' component must be installed on the Administration Server and the port for interaction with mobile devices (13292 by default) must be open. In the SMS Broadcaster settings on the phone, specify the Administration Server address, connection port and the synchronization interval. After that, the phone can be selected in the SMS delivery settings on the Administration Server, in the corresponding section of the global notification parameters. Interaction of the Kaspersky Security Center with mobile devices is described in detail in course 010.10.

Executable file start Executable file start parameters consist of the path to the file and optional command line parameters. Event details can be passed to the launched application via the command line parameters using the abovementioned macros. This notification method may come in handy in various situations. The administrator can write a script that will automatically react to an event. For example, the Administration Console does not allow configuring settings’ modification or task start in response to an event. Such a capability is available only for the virus outbreak event. However, the administrator can use Kaspersky Security Center automation interface (not covered in this course) to create a script that will activate a policy or start a task and bind execution of this script to an event. In the above example, you should configure the script start in the properties of a particular event instead of general notification parameters. However, a script can receive event type as a parameter and react differently to different events. This can be configured in the general settings. In any case, the script or executable file configured for an event will start on the Administration Server. Don’t expect the file to start on the computer which generated the event. Starting a file on the computer can also be configured, but it is not straightforward.

Notification limits Some events (including important ones) may occur too frequently to send a notification for each of them. For example, the Threats have been detected event during a virus outbreak may invoke tens and hundreds of notifications. To avoid this, the administrator can limit the number of notifications: follow the General settings of selections | Configure notifications link on the Events page, and in the Notification section, click the Configure numeric notification limit link. The limit is set up as the maximum number of notifications over a time span. As soon as the limit is reached, notifications are suppressed until the specified period is over. If new events are received afterwards, the limit is counted anew. The same limit is used for all notification types, but applies individually to each event type. E.g., if notifications for the Threats have been detected event hit the limit, notifications for other event types will not be affected.
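The numeric notification limit just described, as an added example that is not part of the course or of Kaspersky Security Center's own code; the event stream is constructed, and the assumption that the time span is counted from the first notification of an event type is the author's own reading of the rule.

```python
"""Constructed model of the numeric notification limit.

Added example, not part of the course text or of Kaspersky Security Center's
own code. The limit is a maximum number of notifications per event type over a
time span; once reached, further notifications of that type are suppressed
until the span is over, after which counting starts anew. Other event types
keep their own counters. Assumption: the span is counted from the first
notification of a type.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class NotificationLimit:
    max_count: int
    period: timedelta
    # event type -> (start of the current span, notifications sent in it)
    _spans: Dict[str, Tuple[datetime, int]] = field(default_factory=dict)

    def allow(self, event_type: str, at: datetime) -> bool:
        """True if a notification for this event type may be sent now."""
        span = self._spans.get(event_type)
        if span is None or at - span[0] >= self.period:
            # first notification of this type, or the span is over: count anew
            self._spans[event_type] = (at, 1)
            return True
        start, sent = span
        if sent < self.max_count:
            self._spans[event_type] = (start, sent + 1)
            return True
        return False  # limit reached: suppressed until the span ends


def deliver(limit: NotificationLimit,
            events: List[Tuple[int, str]]) -> Dict[str, Dict[str, int]]:
    """Apply the limit to (minute offset, event type) pairs in time order
    and count sent/suppressed notifications per event type."""
    t0 = datetime(2017, 5, 3, 9, 0)
    result: Dict[str, Dict[str, int]] = {}
    for minute, event_type in sorted(events):
        stats = result.setdefault(event_type, {"sent": 0, "suppressed": 0})
        if limit.allow(event_type, t0 + timedelta(minutes=minute)):
            stats["sent"] += 1
        else:
            stats["suppressed"] += 1
    return result


# Constructed event stream: an outbreak-like burst of detections plus one
# unrelated warning (constructed name) that the detections' limit must not affect.
EVENTS = [
    (0, "Threats have been detected"),
    (1, "Threats have been detected"),
    (2, "Threats have been detected"),
    (3, "Threats have been detected"),
    (3, "License expires soon"),
    (4, "Threats have been detected"),
    (11, "Threats have been detected"),
    (12, "Threats have been detected"),
]


def demo() -> Dict[str, Dict[str, int]]:
    # At most 3 notifications per event type within 10 minutes.
    return deliver(NotificationLimit(max_count=3, period=timedelta(minutes=10)), EVENTS)


if __name__ == "__main__":
    for event_type, stats in demo().items():
        print(f"{event_type}: {stats}")
```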


SNMP notification SNMP, or Simple Network Management Protocol, is a protocol that allows receiving standardized information about various network devices. This protocol is used in numerous industry systems management solutions, such as HP OpenView (HP BTO). The SNMP information can be delivered as notifications (so-called SNMP traps) or retrieved on demand. The Kaspersky Security Center Administration Server can also be regarded as a device about which information can be received over SNMP. The following requirements must be met for this purpose. First, the Windows component named 'SNMP service' must be installed on the computer with the Administration Server. Second, the Kaspersky Security Center component named 'SNMP agent' must be installed among other Administration Server components. The SNMP agent interacts with the SNMP service to provide the Administration Server statistics on demand and to send notifications (SNMP traps). SNMP-specific parameters are configured in the properties of the SNMP service. The settings are standard for the SNMP protocol and should not be difficult for an administrator acquainted with the protocol. Statistics and notifications are standardized in SNMP. Special files in MIB (Management Information Base) format are used for their interpretation. MIB files for interpreting the Administration Server notifications become available in the SNMP subfolder of the Administration Server program files after the SNMP agent component is installed. The administrator should take these files and import them into the SNMP console they use.

Event selections The events stored in the Administration Server database can be viewed in the Administration Console as event selections located on the Events tab of the Administration Server node. By default, there are seven predefined event selections:
— Recent events
— Critical events
— Functional failures
— Warnings
— Audit events
— Informational events
— User requests

The name of the current selection is displayed next to the Selection events text. To view another selection, click the name of the current selection or the arrow beside it. The drop-down list of all available selections will open. Predefined selections support some limited configuration, such as time period, but mostly their filtering parameters are fixed. To see events with some other properties, for example, events related to license use, the administrator should create a custom event selection. There is no special search tool for events (similar to the computer search window), which you could use for a quick lookup.


In the selection properties, the administrator can also restrict the number of displayed events or the number of records to search. Both options affect the time it takes the Console to display the events. The larger the database is, the more time-consuming the process can be. In custom selections, the administrator can filter events by the properties of the computers they originated from (computer names, IP ranges, and management groups), by the event types and severity levels, by the product and component name and by the time period. It is also possible to include task results in the search scope. Alternatively (or in addition to filtering by computer or event attributes), there is a simple search field where a word or several words can be typed. All events that contain any of the typed words [11] anywhere in their attributes (event name, description, component name, etc.) will be displayed. For example, if Web Control warns that visiting social networks during business hours is undesirable, but a user opens such a site nevertheless, the corresponding notification is sent to the Administration Server. The administrator can create a selection of such events and filter it, for example, by twitter.com.

6.4 Reports and Statistics Notifications provide urgency, events provide the details, and if the administrator needs a summary of some activity, they have reports and statistics. Both are located on the respective tabs of the Administration Server node.

Reports Select the Reports tab of the Administration Server node to view the list of all available report templates. They contain report generating parameters. To generate a report to the template, either double-click it, or select it and click the Show report link. The report will open in a new window. When the Administration Server is installed, there are more than 20 pre-created templates in the console, all for different report types. All in all, Kaspersky Security Center 10 supports 42 report types and the administrator can have multiple templates for the same report type if they want to. These templates can give reports for different time periods or different parts of the network. Pre-created templates are not hard-coded and can be modified or removed as necessary.

[11] To search for the whole phrase, enclose it in quotation marks.


A report consists of a header (which contains a phrase, Kaspersky Security Center by default, and a picture, the Kaspersky Lab logo by default), report name and description, then a chart, a summary table, some statistics and a details table. The chart usually represents the contents of the summary table. If the summary table contains the Number of computers column (for example, the number of computers having the Protection is off status), the figure displayed in the column is a link that takes you to the list of these computers. Click the link to open the window where you will be able to manage these computers similarly to a selection or search results. Everything in the report can be configured to various extents via the template properties or global report parameters. Template settings include the reporting period, computers or groups whose information is included in the report, and also the list of information fields that comprise the summary and details tables. Some fields contain insignificant information and can be deleted not to overload the report. For example, the Virtual server field makes little sense in a report if virtual Administration Servers are not used in the network [12]. The administrator can use information field settings in a report template to create complex filters for the events to be included in the report. Allowed values can be specified in the field properties. For example, for the Detected object field, you can specify the malware name. As a result, you will get a report based on the events related to the specified malware only. Similarly, the administrator can view protection status or virus activity on the computers with the specified version of the protection software, even if these computers belong to different groups. In addition to filtering by field value, you can change sort order: ascending, descending, or unsorted.
Starting with version 10 Service Pack 1, you can do it in the generated report too, by clicking the column titles in the tables. Click again to reverse the sort order. The report header can also be modified. By default, Kaspersky Lab logo is displayed in the upper-right corner of the report, and on the left, Kaspersky Security Center is written. If necessary, the administrator can replace the text and the logo, for example, with the logo and name of their company. These settings are general for all reports and are specified using the Edit report presentation settings link on the Reports page. Reports can be saved in the following formats: HTML, XML and PDF. You can use the XML format to import the summary or details table of a report into a spreadsheet application, for example, Microsoft Excel. Alternatively, you can schedule the automatic generation of reports, their e-mailing destinations or which directory they will be stored in. The 'Deliver reports' task serves this purpose. The easiest way to create it is to carry out the Deliver reports command from the context menu of the selected report.

[12] The 'Virtual Administration Server' or 'Virtual server' terms that may be encountered in the reports should not be confused with Administration Servers running inside a virtual machine. These two usages of the word "virtual" have almost nothing in common. If your Administration Server runs in a virtual machine, it is still just a normal Administration Server, not a virtual server. And virtual servers in the reports and other parts of the Console are something else entirely. Virtual Administration Servers are described in course 302.10.


You can choose the report format (html, xml or pdf) in the task parameters. You can create several tasks to send different reports to different administrators or managers. A task can send any reports configured in the Administration Console. Note: The Quick Start wizard automatically creates a deliver reports task for the Protection status report, if the administrator fills in the e-mail notification parameters. Later, you can edit this task or create more of them.

Statistics To get a general idea of the overall protection status, open the Monitoring page of the Administration Console. Indicators are colored icons and short descriptions which provide general information: how many computers are protected, when the updates were last downloaded, how many clients have the Critical status. Detailed statistics are available on the Statistics tab of the Administration Server node, on the statistics pages and panes. Usually, a pane contains a chart with a legend or a table. By default, they represent events from all managed computers over the last 24 hours. The administrator can narrow the scope or change the period in the Properties window, which opens with the button. A statistics page consists of several panes. By default, Statistics includes 6 pages devoted to various network status aspects: Protection status, Deployment, Update, Anti-virus statistics, General information, Updates for applications. Each page contains 3 to 4 information panes. All this can be customized. The administrator can re-arrange the panes on a page at their wish, add more panes or more statistics pages, or remove some. Statistics are configurable at three levels. The administrator can add, delete and move statistics pages, add, delete and move panes on a page, and can also modify settings and representation of the panes. Overall, there are 50 types of panes grouped into six categories for the administrator to choose from. To rearrange the pages, click the Customize view button to the right of the page tabs. The administrator can add as many pages as they wish and name them as they wish. They can also delete the default pages, or re-order them. The tabs are always lined up in a single row. To modify page contents, click the button to the right of the page name in its tab. This button is displayed only for the active page.
In the page properties, you can draw up the list of the panes to be displayed and their layout on the page: one column, two columns (the default choice), three columns, etc. In the pane settings, depending on its type, you can modify the time interval for the displayed data and select the computers whose data will be shown. There are only two options for the computers: either all computers, or computers from a specified selection. You cannot specify a group of computers or draw up an arbitrary list of computers, as in reports. As far as the pane layout settings are concerned, you can modify the height of the panes to better fit the console window. You can also modify chart type, axis orientation, and chart appearance (gradient, transparency). Depending on the pane type, the following chart types can be available: Pie chart, Column chart (the columns can be displayed either vertically or horizontally), Table, and Graph. The information panes' capability to display the history of parameter changes over the specified period can be useful. For example, you can view how many viruses were detected during each hour of the last day. This data may help to select the threshold for the Virus outbreak event. Reports lack this capability.


v1.0.1
