To prevent the users from weakening or stopping protection, configure the policy and make the crucial settings required (that is, close the padlock). Kaspersky Endpoint Security self-defense will block attempts to stop its processes or delete its files from the disk.
Please note, the default settings allow users at least two methods to disable the protection. The first method is to click the Exit command on the shortcut menu of the Kaspersky Endpoint Security 8.0 icon in the notification area. The second method is to uninstall Kaspersky Endpoint Security 8.0.
Another, a less evident way of disabling the protection is to uninstall the Network Agent. Once the Network Agent is removed, Kaspersky Endpoint Security 8.0 will no longer be controlled by the policy and the user will be able to change any settings.
Password protection prevents destructive user activity.
Password protection for Kaspersky Endpoint Security
Password protection can be enabled for most of the user actions that affect Kaspersky Endpoint Security: editing its settings, exiting, and uninstalling.
To enable password protection, open the policy in the Advanced settings / Interface section and select the Enable password protection checkbox. Then click the Settings button next to the option, enter the password and specify the operations to be protected:
Configure application settings—all Kaspersky Endpoint Security settings are protected, including selection of the components to run; the opportunity to stop components via their shortcut menu still remains
Exit the application—the password window is displayed whenever the Exit command is selected. Meanwhile, self-protection of Kaspersky Endpoint Security will prevent attempts to terminate its processes or files
Disable protection components and stop scan tasks—the user can start protection components and local tasks (if they are displayed); the password window appears only if the user attempts to stop them. The update tasks lack this protection
Disable control components—the password is necessary to disable the Device Control, Application Startup Control, or Web Control
Disable Kaspersky Security Center policy—the option to temporarily disable the policy is added in the shortcut menu of Kaspersky Endpoint Security icon which will prompt for the password
Delete the license—the user cannot stop protection by deleting the license unless the password is entered
Remove the application—the password prompt is added in the uninstall wizard of Kaspersky Endpoint Security
The advantage of password protection is that it remains active even when the policy is disabled. Once the password protection settings are applied to Kaspersky Endpoint Security, the users will be unable to manage the product without a valid password even if the administrator disables the policy
By default, the password protection is not enforced—the corresponding lock is opened. To put password protection into effect, close the lock first, and then enforce the policy.
Password protection settings for Network Agent
The Network Agent is less noticeable within a host system as compared to Kaspersky Endpoint Security. The list of installed programs is one of the few places where it can be found. “Kaspersky” in the product name may be sufficient for some users to attempt uninstalling the Network Agent. If a user has administrator privileges, their attempt will succeed.
Administrators can set a password for uninstallation within the Network Agent policy. The Quick Start wizard creates the policy automatically when you select the network size larger than 1000 hosts while installing the Kaspersky Security Center. If you selected a smaller network size, you can create the Network Agent policy manually.
There is a special wizard that creates policies. To start it, click Create a new policy on the task pane of the Policies tab in the desired group.
The wizard will prompt you for the name of the policy being created, the product that the policy will control, and the initial status of the policy (active or inactive). Then you may configure the settings of the selected product.
The password required for Network Agent uninstallation is set in the Settings section. By default, it is not specified. Enable the Use uninstall password option, click the Modify button to enter the password and lock that group of settings.
Once the policy is applied, the password prompt is added in the Network Agent uninstallation wizard. An attempt to uninstall the Network Agent using the command line without the password will also fail.