If the Central Node component is installed on a virtual server, before you upgrade the application, make sure that BIOS boot mode is selected for the virtual machine. If EFI boot mode is selected for the virtual machine, an error will occur if you try to install the upgrade.
Restrictions that apply when deploying the Central Node component:
Restrictions that apply when deploying the Central Node component as a cluster:
A Central Node cluster must include at least 4 servers: 2 storage servers and 2 processing servers. You can scale the cluster to increase the amount of traffic handled or the number of connected hosts in accordance with the Sizing Guide.
It is recommended to add servers with the same hardware configuration to the cluster. Otherwise, a proportional increase in performance is not guaranteed.
Adding an extra server to the cluster does not speed up the processing of objects that are already in the scan queue.
The web interface of the program can be unavailable for some time if the server on which it is located fails.
If the processing server fails, you may lose ICAP, POP3, and SMTP traffic data as well as the copies of emails that are waiting to be processed and the detections associated with them.
If one of the cluster servers fails or the connection between the server and the Kaspersky Endpoint Agent program is temporarily lost, temporary data synchronization in the event database is still possible.
If the configuration of the cluster servers is changed, traffic and events from hosts with Kaspersky Endpoint Agent may be temporarily slowed down.
Restrictions that apply to the Sandbox component:
If the set of operating systems installed on the Sandbox server does not match the set selected on the Central Node server, Kaspersky Anti Targeted Attack Platform does not send objects to be scanned by the Sandbox server. If multiple Sandbox servers are connected to the Central Node server, the program sends objects to those Sandbox servers whose installed operating systems match the set selected on Central Node.
Limitations that apply when integrating with the Kaspersky Endpoint Agent for Windows:
The task of scanning hosts using YARA rules can only be assigned to hosts with Kaspersky Endpoint Agent for Windows versions 3.12 or later. If you simultaneously assign a task to hosts with Kaspersky Endpoint Agent version 3.12 or later, and to hosts with earlier versions of the program, the task is executed only on hosts with Kaspersky Endpoint Agent 3.12 or later.
If autorun points are selected as the scan scope, the task is run only on hosts with Kaspersky Endpoint Agent 3.13 or later.
Limitations that apply when integrating with Kaspersky Endpoint Agent 3.12 for Linux:
Hosts with the Kaspersky Endpoint Agent for Linux program cannot use the following functions:
No notifications are created about the unsuccessful application of a prevention rule on hosts with the Kaspersky Endpoint Agent for Linux program.
Finding indicators of compromise on hosts using IOC files.
No notifications are created about the unsuccessful search of indicators of compromise on hosts with the Kaspersky Endpoint Agent for Linux program.
Searching the event database using the OSVersion criterion displays only hosts with the Kaspersky Endpoint Agent for Linux program. Hosts with the Kaspersky Endpoint Agent for Windows program are not displayed in search results.
The OS name field in the event information is only filled in for events that are logged in the event database by Kaspersky Endpoint Agent for Linux. Event information logged in the event database by Kaspersky Endpoint Agent for Windows does not have this field filled in.
The list of events that Kaspersky Endpoint Agent for Linux logs in the event database is limited to the following types:
When you create the task, the program does not attempt to verify the path to the executable file or the file that you want to receive.
In information about events registered in the event database by Kaspersky Endpoint Agent for Linux, the Time created field displays file modification time.
Kaspersky Endpoint Agent 3.14 for Windows has the following known limitations:
When creating an installation package in Kaspersky Security Center version 12 or later to install Kaspersky Endpoint Agent on Windows XP devices, you must use the installer file (setup.exe) from the installation package created in Kaspersky Security Center version 10.5.
In Kaspersky Security Center 13.2 or later, to install Kaspersky Endpoint Agent on Windows XP devices, you must use the standard Kaspersky Endpoint Agent 3.14 distribution kit instead of the installation package created in Kaspersky Security Center.
The installer cannot stop the soyuz service until the service is initialized. For example, the installer returns the Invalid password error when trying to remove or modify the configuration of the application immediately after installation is completed, since initialization of the soyuz service is not completed and the service cannot be stopped.
Kaspersky Endpoint Agent cannot be restored or uninstalled from the device if the integrity of the agent.exe module (Kaspersky Endpoint Agent command line utility) is violated.
The Kaspersky Endpoint Agent service (soyuz.exe) can be run with the PPL flag. This feature is provided by the klelaml.sys driver. If the integrity of the klelaml.sys driver is violated, the operating system fails to load. In this case, it is recommended to use Windows system recovery utilities. If the klelaml.sys driver is absent while the PPL flag is enabled for the soyuz.exe process, the operating system does not fail, but Kaspersky Endpoint Agent crashes. In this case, it is recommended to run the program installer and perform recovery in quiet mode with the REINSTALL=Drivers.klelam key.
After installing, restoring, changing the set of components, or removing Kaspersky Endpoint Agent, it is recommended to restart the operating system as soon as possible because changes to some program settings can only be finalized at system startup.
The Kaspersky Endpoint Agent installer cannot be launched on a device whose operating system has an active CodeIntegrity policy applied.
The component that prohibits opening documents has the following limitation: document blocking rules are not applied to objects that are opened using OLE automation.
Before sending telemetry events to the KATA Central Node server, Kaspersky Endpoint Agent saves data in the event queue. If the event queue exceeds 10,000 unprocessed events, Kaspersky Endpoint Agent does not queue the events until free slots appear in the queue.
If Kaspersky Endpoint Agent is running on devices with the Windows 7 operating system, the program excludes data about network connections related to processes with PID=4 and PID=0 from telemetry.
If Kaspersky Endpoint Agent is used on the same device as Kaspersky Endpoint Security, and the file system level encryption (FLE) component is installed in Kaspersky Endpoint Security, Kaspersky Endpoint Agent does not register telemetry events about loading modules (LoadImage) and does not send these events to the KATA Central Node component.
If more than one application is specified as the value of the Application criterion when configuring the settings of network isolation exclusions, Kaspersky Endpoint Agent allows connection only for the first application in the list. Network connections for other applications specified in the list will be ignored. This limitation is reproduced when isolating devices with Windows 7 or Windows Server 2008 R2 operating systems.
When scanning for indicators of compromise, if the search involves parsing text strings, the "is" condition takes whitespace into account, and the indicator description in the IOC file must be escaped with CDATA characters. For example, to detect an object with the copyright Copyright (C) 1998-2017 John Smith by the "is" condition, the indicator description must be specified in the following format: <Content type="string"><![CDATA[Copyright (C) 1998-2017 John Smith]]></Content>. To simplify the description of indicators, the "contains" condition can also be used.
Objects quarantined by Kaspersky Endpoint Agent cannot be sent from Kaspersky Security Center quarantine to Kaspersky for analysis.
The check boxes corresponding to the "Read" and "Perform operations with device selections" permissions that are displayed in the group of settings for role-based access control (RBAC) in the Administration Console, in the section with permissions for managing Kaspersky Endpoint Agent plug-in, do not apply to the group of settings in Kaspersky Security Center. If you select these check boxes, the Read and Perform operations with device selections permissions will not be restricted for the specified users.
When generating event selections, the filters are not applied to some of Kaspersky Endpoint Agent events published in Kaspersky Security Center Administration Console.
The installer of Kaspersky Endpoint Agent and Kaspersky Endpoint Agent management plug-in automatically selects the program localization based on the operating system regional settings on the device where the program or management plug-in is installed:
If the operating system uses the RU-RU locale, the Russian version of Kaspersky Endpoint Agent and Kaspersky Endpoint Agent administration plug-in is installed.
If the operating system uses any locale other than RU-RU, the English version of Kaspersky Endpoint Agent and Kaspersky Endpoint Agent administration plug-in is installed.
Program localization affects the language of texts used to describe program modules in the system and when publishing program events to the Windows Event Log, as well as texts of Kaspersky Security Center reports. Kaspersky Endpoint Agent management plug-in localization affects the language of texts used in the program interface of Administration Console (interface of policies, group tasks, and program properties). Configuring the localization of the program manually is not supported.
Please note that if regional settings on managed devices and on the device with Kaspersky Endpoint Agent administration plug-in do not match, localization of Kaspersky Endpoint Agent interface in the Administration Console and localization of events published by the program in Kaspersky Security Center reports may not be the same. Also, the localization of the program interface in the Administration Console and the localization of events published by the program in Kaspersky Security Center reports may differ from the localization of Administration Console interface and the compatible EPP interface in the Administration Console.
If the start schedule for a group task is set to On application launch, the task execution status is updated with a delay in the task execution history. For this reason, in some cases, the task execution history will not display the task execution statuses.
If the operating system is activated under a Volume License, you may need to reactivate the operating system after Kaspersky Endpoint Agent is installed due to the installation of the program network drivers.
In the Windows XP and Windows Vista operating systems, some information about files in telemetry events sent to the Telemetry collection server may be missing. This is because the ability to obtain some information about files appeared only in later versions of MS Windows operating systems.
Kaspersky Endpoint Agent 3.12 for Linux has the following known limitations:
Kaspersky Endpoint Agent for Linux does not support AppArmor and SELinux mandatory access control systems in their enforcing modes. For the program to work correctly, these systems must be switched to permissive mode.
Kaspersky Endpoint Agent for Linux requires installing Linux Audit Daemon 2.8 or later on the device.
Kaspersky Endpoint Agent for Linux connects to Kaspersky Endpoint Security for Linux through the rsyslog service with the imuxsock module loaded. To check whether the module is loaded in the rsyslog service configuration, run the following command: grep -r imuxsock /etc/rsyslog*. If the module loading line is commented out, remove the # comment sign at the start of the line and restart the rsyslog service to apply the changes.
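The rsyslog check above as a script, added here as an example and not part of the vendor documentation: a plain grep for imuxsock also matches commented lines, so the function below separates an active load directive from a commented one. The function name imuxsock_state and the sample files are constructed for illustration; it assumes the two standard rsyslog load forms, $ModLoad imuxsock and module(load="imuxsock").

```shell
#!/bin/sh
# Added example, not vendor code. Reports how rsyslog's imuxsock module is
# configured: "active", "commented" or "absent".
# Usage: imuxsock_state [path ...]   (default: /etc/rsyslog*, as in the page's grep)
imuxsock_state() {
    [ "$#" -gt 0 ] || set -- /etc/rsyslog*
    # Collect load directives in either rsyslog syntax:
    #   legacy:       $ModLoad imuxsock
    #   RainerScript: module(load="imuxsock")
    hits=$(grep -rhiE '\$ModLoad[[:space:]]+imuxsock|module\(.*load="imuxsock"' \
               "$@" 2>/dev/null || true)
    if [ -z "$hits" ]; then
        echo absent
    elif printf '%s\n' "$hits" | grep -qvE '^[[:space:]]*#'; then
        echo active        # at least one directive is not commented out
    else
        echo commented     # every directive found starts with '#'
    fi
}

# Constructed sample tree (not a real host): the load line is commented out.
demo=$(mktemp -d)
printf '%s\n' '#$ModLoad imuxsock' '*.info /var/log/messages' > "$demo/rsyslog.conf"
echo "before edit: $(imuxsock_state "$demo")"

# Remove the leading '#' as the procedure describes, then re-check.
sed 's/^#\(\$ModLoad[[:space:]]*imuxsock\)/\1/' "$demo/rsyslog.conf" > "$demo/new" \
    && mv "$demo/new" "$demo/rsyslog.conf"
echo "after edit:  $(imuxsock_state "$demo")"
rm -rf "$demo"
```

On a real host, call imuxsock_state with no arguments and restart the rsyslog service after any change to the configuration.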