Kaspersky Endpoint Agent

Limitations of Kaspersky Endpoint Agent 3.16

November 17, 2023

ID 232133

Kaspersky Endpoint Agent 3.16 has the following known limitations:

Installation limitations:

  • Kaspersky Endpoint Agent requires SHA-2 support in Windows in order to run properly. If you try to install Kaspersky Endpoint Agent on an operating system that does not support SHA-2, a warning about it will be displayed and further installation will be impossible.
  • When creating an installation package using Kaspersky Security Center 12 and later in order to install Kaspersky Endpoint Agent on devices running Windows XP, use the installation startup file (setup.exe) from the installation package created using Kaspersky Security Center 10.5.
  • To install Kaspersky Endpoint Agent on computers running Windows XP by means of Kaspersky Security Center 13.2 and later, use the standard Kaspersky Endpoint Agent 3.16 distribution package, rather than the installation package created in Kaspersky Security Center.
  • The installer cannot stop the soyuz service until the service is initialized. For example, the installer returns the "Invalid password" error when trying to remove or modify the configuration of the application immediately after installation is completed, since initialization of the soyuz service is not completed and the service cannot be stopped.
  • Kaspersky Endpoint Agent cannot be restored or uninstalled from the device if the integrity of the agent.exe module (Kaspersky Endpoint Agent command line utility) is violated.
  • The Kaspersky Endpoint Agent installer cannot be launched on a device whose operating system has an active CodeIntegrity policy applied.
  • After installing, restoring, or uninstalling Kaspersky Endpoint Agent, it is recommended to reboot the operating system as soon as possible. This is necessary because configuration of some application settings can be completed only when the operating system starts.
  • When trying to launch Kaspersky Endpoint Agent installer with the permissions of a user whose account contains Chinese characters, the installer fails. It is recommended to install the application with the Local System account permissions, for example, start installation using Kaspersky Security Center.
  • The Kaspersky Endpoint Agent service (soyuz.exe) can run with the PPL (Protected Process Light) flag. This functionality is provided by the klelaml.sys driver. If the integrity of the klelaml.sys driver is violated, the operating system fails to load. In this case, it is recommended to use Windows system recovery utilities. If the klelaml.sys driver is absent while the PPL flag is enabled for the soyuz.exe process, the operating system does not fail, but Kaspersky Endpoint Agent crashes. In this case, it is recommended to run the application installer and perform recovery in the quiet mode with the REINSTALL=Drivers.klelam key.
  • In Kaspersky Endpoint Agent properties, in the General section of the Administration Console, data about the application installation status is displayed incorrectly.
  • If the operating system is activated under a commercial license (Volume License), then after installation of Kaspersky Endpoint Agent it may be necessary to reactivate the operating system due to installation of the application's network drivers.
  • When removing or updating Kaspersky Endpoint Agent with the L2 sniffer driver installed, network connections may be interrupted.

Functional limitations:

  • The component that prohibits opening of documents does not prevent a document that meets the applicable rule criteria from opening, if the document is opened using OLE Automation.
  • If more than one application is specified as the value of the Application criterion when configuring the settings of network isolation exclusions, Kaspersky Endpoint Agent allows connection only for the first application in the list. Network connections for other applications specified in the list will be ignored. This limitation is reproduced when isolating devices with Windows 7 or Windows Server 2008 R2 operating systems.
  • Objects quarantined by Kaspersky Endpoint Agent cannot be sent from Kaspersky Security Center quarantine to Kaspersky for analysis.
  • The check boxes corresponding to the "Read" and "Perform operations with device selections" permissions that are displayed in the group of settings for role-based access control (RBAC) in the Administration Console, in the section with permissions for managing Kaspersky Endpoint Agent plug-in, do not apply to the group of settings in Kaspersky Security Center. If you select these check boxes, the "Read" and "Perform operations with device selections" permissions will not be restricted for the specified users.
  • When generating event selections, the filters are not applied to some of Kaspersky Endpoint Agent events published in Kaspersky Security Center Administration Console.
  • The name of the workgroup, not the name of the user, is displayed in the User field in the properties of an object quarantined to the Administration Server repository.
  • If the start schedule for a group task is set to On application launch, the task execution status is updated with a delay in the task execution history. For this reason, in some cases, the task execution history will not display the task execution statuses.
  • The Security Audit task can only be run if you have an active license key for Kaspersky Industrial CyberSecurity for Nodes with a licensed ICS Audit object.

Telemetry limitations:

  • Before sending telemetry events to KATA Central Node, Kaspersky Endpoint Agent saves data to the event queue. Kaspersky Endpoint Agent stops placing events in the queue if the size of the pending event queue reaches 1 GB.
  • If Kaspersky Endpoint Agent is running on devices with the Windows 7 operating system, the application excludes data about network connections related to processes with PID=4 and PID=0 from telemetry.
  • If Kaspersky Endpoint Agent is used on the same device as Kaspersky Endpoint Security and the file system level encryption (FLE) component is installed in Kaspersky Endpoint Security, Kaspersky Endpoint Agent does not register telemetry events about loading modules (LoadImage) and does not send these events to KATA Central Node.
  • On the Windows XP and Windows Vista operating systems, telemetry events sent to a telemetry collection server may be missing some file information. This is because the ability to get certain file information appeared in later versions of Windows operating systems.
  • In Windows 11 22H2 and later operating systems, the Virtualization-based Security feature is enabled by default, which may prevent console input telemetry from being sent to the Kaspersky Anti Targeted Attack Platform server.

IOC scan limitations:

  • If the search for indicators of compromise involves parsing text strings, the "is" condition takes spaces into account, and the indicator description in the IOC file must be wrapped in a CDATA section. For example, to detect an object with the copyright "Copyright (C) 1998-2017 John Smith" by the "is" condition, the indicator description must be specified in the following format: <Content type="string"><![CDATA[Copyright (C) 1998-2017 John Smith]]></Content>. To simplify the description of indicators, the "contains" condition can also be used.
  • Kaspersky Endpoint Agent may display data about a triggered object twice when displaying the results of the IOC Scan task.
  • When scanning objects using the FileItem IOC document, Kaspersky Endpoint Agent skips objects with restricted access, for example, files that are used by other applications at the time of scanning. Kaspersky Endpoint Agent returns a false negative scan result for such objects.
  • When searching for indicators in the modules loaded into the address space, Kaspersky Endpoint Agent skips cases when the system loads x64 modules into x32 processes. For example, the following cases will not be detected: loading wowcpu64.dll into system32 or loading ntdll into system32. This limitation is reproduced in Windows Server 2008 R2 and Windows 7 x64 operating systems.
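
A pre-deployment check for the CDATA requirement on "is" conditions described in the first item of this list. This is an added example, not Kaspersky code. It assumes OpenIOC-style IndicatorItem elements with a condition attribute; the sample IOC fragment, its Context search term, and the spacing heuristic are constructed for illustration.

```python
import re

# Constructed sample (not a real feed). Element and attribute names follow the
# OpenIOC layout; the Context search term is illustrative only.
_CTX = '<Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/LegalCopyright"/>'
SAMPLE_IOC = f"""<Indicator operator="OR">
  <IndicatorItem id="item-1" condition="is">{_CTX}
    <Content type="string"><![CDATA[Copyright (C) 1998-2017 John Smith]]></Content>
  </IndicatorItem>
  <IndicatorItem id="item-2" condition="is">{_CTX}
    <Content type="string">Copyright (C) 1998-2017 John Smith</Content>
  </IndicatorItem>
  <IndicatorItem id="item-3" condition="contains">{_CTX}
    <Content type="string">John Smith</Content>
  </IndicatorItem>
  <IndicatorItem id="item-4" condition="is">{_CTX}
    <Content type="string"><![CDATA[Copyright (C)  1998-2017 John Smith ]]></Content>
  </IndicatorItem>
</Indicator>"""

# Regexes work on the raw text on purpose: an XML parser returns the same
# string for CDATA and plain text, so it cannot tell the two forms apart.
ITEM_RE = re.compile(r"<IndicatorItem\b([^>]*)>(.*?)</IndicatorItem>", re.S)
CONTENT_RE = re.compile(r"<Content\b([^>]*)>(.*?)</Content>", re.S)
CDATA_RE = re.compile(r"\s*<!\[CDATA\[(.*?)\]\]>\s*", re.S)
ATTR_RE = re.compile(r'([\w-]+)="([^"]*)"')


def lint_ioc(xml_text):
    """Return (item id, finding) pairs for string indicators using "is"."""
    findings = []
    for item_attrs, body in ITEM_RE.findall(xml_text):
        item = dict(ATTR_RE.findall(item_attrs))
        content = CONTENT_RE.search(body)
        if item.get("condition") != "is" or content is None:
            continue
        if dict(ATTR_RE.findall(content.group(1))).get("type") != "string":
            continue
        cdata = CDATA_RE.fullmatch(content.group(2))
        if cdata is None:
            findings.append((item.get("id"), "value not wrapped in CDATA"))
        elif cdata.group(1) != " ".join(cdata.group(1).split()):
            # Heuristic: leading, trailing or doubled spaces are compared too.
            findings.append((item.get("id"), "check spacing: 'is' compares spaces"))
    return findings


if __name__ == "__main__":
    for item_id, finding in lint_ioc(SAMPLE_IOC):
        print(f"{item_id}: {finding}")
```

Running the check over IOC files before they are assigned to an IOC Scan task catches indicators that would otherwise fail to match without any error.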

Localization limitations:

  • If localization of Kaspersky Endpoint Agent differs from localization of Kaspersky Endpoint Agent management plug-in for Kaspersky Security Center, some settings may not be displayed correctly in the outputs of the "show" commands in the command console.
  • The agent.exe command line utility does not support operation with Cyrillic characters. For example, if a node whose address contains Cyrillic characters is specified in the list of Kaspersky Sandbox nodes in Kaspersky Endpoint Agent settings, the output of the --sandbox=show command may contain errors.
  • The installer of Kaspersky Endpoint Agent and Kaspersky Endpoint Agent management plug-in automatically selects the application localization based on the operating system regional settings on the device where the application or management plug-in is installed:
    • If the operating system uses the RU-RU locale, the Russian version of Kaspersky Endpoint Agent and Kaspersky Endpoint Agent management plug-in is installed.
    • If the operating system uses any locale other than RU-RU, the English version of Kaspersky Endpoint Agent and Kaspersky Endpoint Agent management plug-in is installed.

    Application localization affects the language of texts used to describe application modules in the system and when publishing application events to the Windows Event Log, as well as texts of Kaspersky Security Center reports. Kaspersky Endpoint Agent management plug-in localization affects the language of texts used in the application interface of Administration Console (interface of policies, group tasks, and application properties). The application localization cannot be configured manually.

    Please note that if regional settings on managed devices and on the device with Kaspersky Endpoint Agent management plug-in do not match, localization of Kaspersky Endpoint Agent interface in the Administration Console and localization of events published by the application to Kaspersky Security Center reports may not match. Also, the localization of the application interface in the Administration Console and the localization of events published by the application to Kaspersky Security Center reports may differ from the localization of Administration Console interface and the compatible EPP interface in the Administration Console.

  • In the interface of Kaspersky Security Center Administration Console and Kaspersky Security Center Web Console, the text for some control elements may be truncated in the sections related to management of Kaspersky Endpoint Agent.
