Installation and recovery settings, and Windows Installer command-line options

This section describes the settings for installing Kaspersky Embedded Systems Security for Windows, the settings for uninstalling Kaspersky Embedded Systems Security for Windows, and the default options. The section also contains the keys for changing the installation settings and possible key values. These keys can be used in conjunction with standard keys for the Windows Installer service's msiexec command when installing Kaspersky Embedded Systems Security for Windows from the command line.

Installation settings and command line options in Windows Installer

• Acceptance of the terms of the End User License Agreement.

  The possible values for EULA=<value> command line option are as follows:

  • 0 – you reject the terms of the End User License Agreement (default value).
  • 1 – you accept the terms of the End User License Agreement.
• Acceptance of the terms of the Privacy Policy.

  The possible values for PRIVACYPOLICY=<value> command line option are as follows:

  • 0 – you reject the terms of the Privacy Policy (default value).
  • 1 – you accept the terms of the Privacy Policy.
• Consent to the provisions of the Disclaimer: you must accept the terms to install Kaspersky Embedded Systems Security for Windows patches if included in the distribution kit.

  DISCLAIMER=<values> can take the following values.

  • 0: you reject the terms of the Disclaimer (default).
  • 1: you accept the provisions of the Kaspersky Embedded Systems Security for Windows patching Disclaimer.
• Allow installation of Kaspersky Embedded Systems Security for Windows if the KB4528760 update not installed. For detailed information about the KB4528760 update please visit Microsoft website.

  The possible values for SKIPCVEWINDOWS10=<value> command line option are as follows:

  • 0 – cancel the installation of Kaspersky Embedded Systems Security for Windows if the KB4528760 update is not installed (default value).
  • 1 – allow the installation of Kaspersky Embedded Systems Security for Windows if the KB4528760 update is not installed.

  The KB4528760 update fixes the CVE-2020-0601 security vulnerability. For detailed information about the CVE-2020-0601 security vulnerability please visit the Microsoft website.

• Installation of Kaspersky Embedded Systems Security for Windows with preservation of the settings of the previous version during the upgrade.

  The possible values for RESTOREDEFSETTINGS=<value> command line option are as follows:

  • 0 – All data from the previous version is migrated to the new version during the upgrade (default value).
  • 1 – Only the file with activation data and private keys is migrated to the new version during the upgrade ([drive]:\ProgramData\Kaspersky Lab\<product>\<version>\Data\product.dat). All other data from the previous version, such as settings, anti-virus databases, reports, quarantine and backup objects, are deleted.
• Installation of Kaspersky Embedded Systems Security for Windows with preservation of the reports from previous versions during the upgrade.

  The possible values for KEEP_REPORTS=<value> command line option are as follows:

  • 0 – all data from the previous version, except for reports ([drive]:\ProgramData\Kaspersky Lab\<product>\<version>\Reports), is migrated to the new version during the upgrade. The reports are deleted.
  • 1 – all data from the previous version, such as settings, anti-virus databases, reports, quarantine and backup objects, are migrated to the new version during the upgrade (default value).
• Installation of Kaspersky Embedded Systems Security for Windows with a preliminary scan of active processes and the boot sectors of local disks.

  The possible values for PRESCAN=<value> command line option are as follows:

  • 0 – do not perform a preliminary scan of active processes and the boot sectors of local disks during the installation (default value).
  • 1 – perform a preliminary scan of active processes and the boot sectors of local disks during the installation.
• Destination folder where Kaspersky Embedded Systems Security for Windows files will be saved during installation. A different folder can be specified.

  The default values for INSTALLDIR=<full path to the folder> command line option are as follows:

  • Kaspersky Embedded Systems Security for Windows: %ProgramFiles%\Kaspersky Lab\Kaspersky Embedded Systems Security
  • Administration tools: %ProgramFiles%\Kaspersky Lab\Kaspersky Embedded Systems Security Admins Tools
  • On the x64-bit version of Microsoft Windows: %ProgramFiles(x86)%
• Start of the Real-Time File Protection task immediately after Kaspersky Embedded Systems Security for Windows starts.

  The possible values for the RUNRTP=<value> command line option are:

  • 1 – start (default value).
  • 0 – do not start.
• Run mode for the Real-Time File Protection task.

  The possible values for the RUNRTP=<value> command line option are:

  • 1 – Recommended (default value).
  • 0 – Notify only.
• Objects excluded from the protection scope according to Microsoft Corporation recommendations. In the Real-Time File Protection task exclude from the protection scope objects on the device that Microsoft Corporation recommends to exclude. Some applications on the protected device may become unstable when an anti-virus application intercepts or modifies the files they use. For example, Microsoft Corporation includes some domain controller applications in the list of such objects.

  The possible values for ADDMSEXCLUSION=<value> command line option are as follows:

  • 1 – exclude (default value).
  • 0 – do not exclude.
• Objects excluded from the protection scope according to Kaspersky recommendations. In the Real-Time File Protection task exclude from the protection scope objects on the device that Kaspersky recommends to exclude.

  The possible values for ADDKLEXCLUSION=<value> command line option are as follows:

  • 1 – exclude (default value).
  • 0 – do not exclude.
• Connect to the Application Console remotely. By default, you cannot connect remotely to an Application Console installed on the protected device. During the installation, you can allow connection. Kaspersky Embedded Systems Security for Windows creates allowing rules for the process kavfsgt.exe using the TCP protocol for all ports.

  The possible values for ALLOWREMOTECON=<value> command line option are as follows:

  • 1 – allow.
  • 0 – deny (default value).
• Path to the key file (LICENSEKEYPATH). By default, the Windows Installer attempts to find the file with .key extension in the \exec folder of the distribution kit. If the \exec folder contains several key files, the Windows Installer will select the key file whose expiration date is the farthest into the future. A key file can be saved beforehand in the \exec folder or at another path that you can specify in the LICENSEKEYPATH parameter.

  LICENSEKEYPATH can take the following values.

  • Full path to the key file and key name.
  • Path to the folder where key files are stored.

  You can add a key after Kaspersky Embedded Systems Security for Windows is installed using an administrative tool of your choice: for example, the Application Console. If you do not add a key during installation of the application, Kaspersky Embedded Systems Security for Windows will not function.

• Path to the configuration file. Kaspersky Embedded Systems Security for Windows imports settings from the specified configuration file created in the application. Kaspersky Embedded Systems Security for Windows does not import passwords from the configuration file, for example, account passwords for starting tasks, or passwords for connecting to a proxy server. Once the settings are imported, you will have to enter all passwords manually. If the configuration file is not specified, the application will start to work with the default settings after setup.

  The default value for CONFIGPATH=<configuration file name> is not specified.

• Scan at Operating System Startup mode (SCANSTARTUP_BLOCKING) If you install Kaspersky Embedded Systems Security for Windows in the install mode without the SCANSTARTUP_BLOCKING key, the Scan at Operating System Startup task has the following parameters assigned to the Scan scope setting:
  • Action to perform on infected and other objects: Notify only
  • Action to perform on probably infected objects: Notify only

  If you install Kaspersky Embedded Systems Security for Windows in the install mode using the SCANSTARTUP_BLOCKING key, the Scan at Operating System Startup task has the following parameters assigned to the Scan scope setting:

  • Action to perform on infected and other objects: Perform recommended action
  • Action to perform on probably infected objects: Perform recommended action

  A Scan at Operating System Startup task is created automatically. By default, the Notify only mode is applied. In this case, after you deploy Kaspersky Embedded Systems Security for Windows on the devices, you can enable the Scan at Operating System Startup task if no issues with system services were discovered during scan. If the application detects critical system services as infected or probably infected objects, the Notify only mode gives you time to figure out the reason and solve the issue. If the application is running in Perform Recommended Action mode, a Disinfect action is performed. Remove, if disinfection fails action. Disinfection or removal of the system files may result in critical issues with operating system startup.

• Enables network connections to manage Kaspersky Embedded Systems Security for Windows remotely from another device where the Application Console is installed. Port 135 (TCP) is opened in Microsoft Windows Firewall, network connections are allowed for the executable file kavfsrcn.exe for remote management of Kaspersky Embedded Systems Security for Windows, and access is granted to DCOM applications. When installation is complete, add users to the ESS Administrators group to let them remotely manage the application, and allow network connections to the Kaspersky Security Management Service (kavfsgt.exe file) on the protected device. You can read more about additional configuration when the Kaspersky Embedded Systems Security for Windows Console is installed on another device.

  The possible values for ADDWFEXCLUSION=<value> command line option are as follows:

  • 1 – allow.
  • 0 – deny (default value).
• Disabling the check for incompatible software. Use this setting to enable or disable the check for incompatible software during background installation of the application on the protected device. Regardless of the value of this setting, during installation of Kaspersky Embedded Systems Security for Windows, the application always warns about other versions of the application installed on the protected device.

  The possible values for SKIPINCOMPATIBLESW=<value> command line option are as follows:

  • 0 – The check for incompatible software is performed (default value).
  • 1 – The check for incompatible software is not performed.
• Set up individual application components: ADDLOCAL=<semicolon-delimited application component codes>.
• Register Kaspersky Security as a protected process using the ELAM driver.

  The NOPPL=<value> command-line option can take the following values.

  • 0: Kaspersky Security service is registered in the operating system as a protected process.
  • 1: Kaspersky Security service is not registered in the operating system as a protected process.
• Enables/disables Kaspersky Security Center Network Agent (klnagent) power saving mode.

  SKIP_KLNAG_FLAG_TEST_VM_PERF=<value> can take the following values.

  • 0: after the Kaspersky Embedded Systems Security for Windows setup is complete, Kaspersky Security Center Network Agent (klnagent) will run in power saving mode—no information about local users will be sent to the Kaspersky Security Center server. You will be able to specify local users in the Kaspersky Embedded Systems Security for Windows policies and tasks settings only manually, and you will not be able to use the Kaspersky Security Center Administration Server list for this.
  • 1: after Kaspersky Embedded Systems Security for Windows installation is complete, Kaspersky Security Center Network Agent (klnagent) will send information about local users to the Kaspersky Security Center server. You will be able to specify local users in the Kaspersky Embedded Systems Security for Windows policies and tasks settings manually or with the help of the Kaspersky Security Center Administration Server list.

  A SKIP_KLNAG_FLAG_TEST_VM_PERF=<value> command-line option is not specified, which corresponds to a SKIP_KLNAG_FLAG_TEST_VM_PERF=0 command-line option.

Recovery settings and Windows Installer command-line options

• Restoring quarantined objects.

  The possible values for RESTOREQTN=<value> command line option are as follows:

  • 0 – Remove quarantined content (default value).
  • 1 – Restore quarantined content to the folder specified by the RESTOREPATH parameter into the \Quarantine subfolder.
• Restoring the content of backup.

  The possible values for RESTOREBCK=<value> command line option are as follows:

  • 0 – Remove backup content (default value).
  • 1 – Restore backup contents to the folder specified by the RESTOREPATH parameter into the \Backup subfolder.
• Enter the current password to confirm the uninstallation (if password protection is enabled).

  The default value for UNLOCK_PASSWORD=<specified password> is not specified.

• Folder for restored objects. Restored objects will be saved to the specified folder.

  The default value for the RESTOREPATH=<full path to the folder> command line option is %ALLUSERSPROFILE%\Application Data\Kaspersky Lab\Kaspersky Embedded Systems Security\3.4\Restored

• Remove individual application components: ADDLOCAL=<semicolon-delimited application component codes>.

See also Kaspersky Embedded Systems Security for Windows software components Registering Kaspersky Security as a protected service

Page top