[Topic 147896]

About Kaspersky Embedded Systems Security for Windows

Kaspersky Embedded Systems Security for Windows protects computers and other embedded systems under Microsoft Windows (hereinafter also referred to as protected devices) against viruses and other computer threats. Kaspersky Embedded Systems Security for Windows users are corporate network administrators and specialists responsible for anti-virus protection of the corporate network.

The application is not intended to be used in technological processes that involve automated control systems. To protect devices in such systems, it is recommended to use Kaspersky Industrial CyberSecurity for Nodes application.

You can install Kaspersky Embedded Systems Security for Windows on a variety embedded systems under Windows, including the following devices types:

• ATM (automated tellers machines).
• POS (points of sales).

Kaspersky Embedded Systems Security for Windows can be managed in the following ways:

• Via the Application Console installed on the same protected device as Kaspersky Embedded Systems Security for Windows, or on a different device
• Using commands in the command line
• Via the Kaspersky Security Center Administration Console

The Kaspersky Security Center application can also be used for centralized administration of multiple protected devices running Kaspersky Embedded Systems Security for Windows.

It is possible to review Kaspersky Embedded Systems Security for Windows performance counters for the "System Monitor" application, as well as SNMP counters and traps.

Kaspersky Embedded Systems Security for Windows components and functions

The application includes the following components:

• Real-Time File Protection. Kaspersky Embedded Systems Security for Windows scans objects when they are accessed. Kaspersky Embedded Systems Security for Windows scans the following objects:
  • Files.
  • Alternate file system streams (NTFS streams)
  • Master boot records and boot sectors on local hard and removable drives
• On-Demand Scan. Kaspersky Embedded Systems Security for Windows runs a single scan of the specified area for viruses and other computer security threats. The application scans files, RAM, and autorun objects on a protected device.
• Applications Launch Control. The component monitors user attempts to start applications and regulates application launches on the protected device.
• Device Control. The component controls registration and usage of external devices in order to protect the device against computer security threats that may arise while exchanging files with USB-connected flash drives or other types of external device.
• Firewall Management. This component provides the ability to manage the Windows Firewall: configure settings and operating system firewall rules and block any possibility of external firewall configuration.
• File Integrity Monitor. Kaspersky Embedded Systems Security for Windows detects changes in files within the monitoring scopes specified in the task settings. These changes may indicate a security breach on the protected device.
• Log Inspection. This component monitors the integrity of the protected environment based on the results of an inspection of Windows event logs.

The following functions are implemented in the application:

• Database Update and Software Modules Update. Kaspersky Embedded Systems Security for Windows downloads updates of application databases and modules from Kaspersky's FTP or HTTP update servers, Kaspersky Security Center Administration Server, or other update sources.
• Quarantine. Kaspersky Embedded Systems Security for Windows quarantines probably infected objects by moving such objects from their original location to the Quarantine folder. For security purposes, objects in the Quarantine folder are stored in encrypted form.
• Backup. Kaspersky Embedded Systems Security for Windows stores encrypted copies of objects classified as Infected in Backup before disinfecting or deleting them.
• Administrator and user notifications. You can configure the application to notify the administrator and users who access the protected device about the events related to the operation of Kaspersky Embedded Systems Security and the anti-virus protection status of the device.
• Importing and exporting settings. You can export Kaspersky Embedded Systems Security for Windows settings to an XML configuration file and import settings into Kaspersky Embedded Systems Security for Windows from the configuration file. You can save all application settings or only settings for individual components to a configuration file.
• Applying templates. You can manually configure the security settings of a node in the tree or in a list of the protected device's file resources, and save the configured setting values as a template. This template can then be used to specify the security settings of other nodes in Kaspersky Embedded Systems Security for Windows protection and scan tasks.
• Managing access permissions for Kaspersky Embedded Systems Security for Windows functions. You can configure the rights to manage Kaspersky Embedded Systems Security for Windows and the Windows services registered by the application, for users and groups of users.
• Writing events to the Windows Event Log. Kaspersky Embedded Systems Security for Windows logs information about software component settings, the current status of tasks, events that occur while tasks run, events associated with Kaspersky Embedded Systems Security for Windows management, and information required to diagnose errors in Kaspersky Embedded Systems Security for Windows.
• Trusted Zone. You can generate a list of exclusions from the protection or scan scope, that Kaspersky Embedded Systems Security for Windows will apply in the On-Demand and Real-Time Computer Protection tasks.
• Exploit Prevention. You can protect process memory from exploits using a Protection Agent injected into the process.

Updates functionality (including providing anti-virus signature updates and codebase updates), as well as KSN functionality may not be available in the program in the U.S.

[Topic 239673]

What's new

The new version of Kaspersky Embedded Systems Security for Windows introduces the following new features and improvements:

• The Device Control task has the following new expanded capabilities:
  • More types of devices can now be monitored. Added USB keyboards and USB mice, Bluetooth devices, SD card readers connected via USB or to the PCI bus.
  • Added the capability to specify multiple users or user groups with different levels of access to removable drives and SD card readers connected via USB or to the PCI bus.
• Added the Certificate Monitor component, which implements the functionality of notifications about untrusted signatures of applications and scripts being launched, as well as notifications about the approaching expiration date of signature certificates for applications and scripts.
• Implemented the capability to update password-protected Kaspersky Embedded Systems Security for Windows using the remote installation task of Kaspersky Security Center.
• A setting has been added to the Installation Wizard of application so that you can choose automatic installation of patches (if any) during installation or upgrade of the application.
• Added support for desktop operating systems: Windows 11 24H2 Home / Pro / Education / Enterprise.
• Added support for embedded operating systems: Windows 11 24H2 IoT Enterprise.
• Added support for server operating systems: Windows Server 2003 SP2 Standard / Enterprise, Windows Server 2003 R2 SP2 Standard / Enterprise, Windows Server 2008 SP2 Standard / Enterprise, Windows Server 2008 R2 SP1 Standard / Enterprise.
• It is forbidden to use certain characters to specify paths and file names when creating or editing Firewall rules.
• Expanded the list of application status parameters on the host, returned via the WMI API, with the following information: whether the logging of debug information is enabled and the name of the folder for saving trace files, whether the generation of memory dumps is enabled and the name of the folder for saving dump files.
• Added the display of information about integrated patches within the name of the installed application.
• When installing the application, you can exclude the Applications Launch Control component from the list of installation components.
• Issues from the previous versions are resolved: this application version includes fixes from earlier versions.

[Topic 147892]

Sources of information about Kaspersky Embedded Systems Security for Windows

This section lists sources of information about the application.

You can select the most suitable information source, depending on the importance level and urgency of the issue.

[Topic 147893]

Sources for independent retrieval of information

You can use the following sources to find information about Kaspersky Embedded Systems Security for Windows:

• Kaspersky Embedded Systems Security for Windows page on the Kaspersky website.
• Kaspersky Embedded Systems Security for Windows page on the Technical Support website (Knowledge Base).
• Manuals.

If you did not find a solution to your problem, contact Kaspersky Technical Support.

An Internet connection is required to use online information sources.

Kaspersky Embedded Systems Security for Windows page on the Kaspersky website

On the Kaspersky Embedded Systems Security for Windows page, you can review general information about the application and its functions and features.

The Kaspersky Embedded Systems Security for Windows page contains a link to the online store. There you can purchase the application or renew your license.

Kaspersky Embedded Systems Security for Windows page in the Knowledge Base

The Knowledge Base is a section of the Technical Support website.

On the Kaspersky Embedded Systems Security for Windows page in the Knowledge Base, you can find articles that provide useful information, recommendations, and answers to frequently asked questions about how to purchase, install, and use the application.

Knowledge Base articles can answer questions relating to not only Kaspersky Embedded Systems Security for Windows but also other Kaspersky applications. Knowledge Base articles can also include Technical Support news.

Kaspersky Embedded Systems Security for Windows documentation

The Kaspersky Embedded Systems Security for Windows Administrator's Guide contains information about installing, uninstalling, configuring, and using the application.

[Topic 147894]

Discussing Kaspersky applications on the Forum

You can discuss questions related to Kaspersky applications with other users and Kaspersky experts on our Forum.

On the Forum, you can view existing topics, leave comments, and create new discussion topics.

[Topic 147895]

Kaspersky Embedded Systems Security for Windows

This section describes the functions, components, and distribution kit of Kaspersky Embedded Systems Security for Windows, and provides a list of hardware and software requirements of Kaspersky Embedded Systems Security for Windows.

[Topic 147898]

Distribution kit

The distribution kit includes the welcome application that lets you do the following:

• Start the Kaspersky Embedded Systems Security for Windows application Installation Wizard.
• Start the Kaspersky Embedded Systems Security for Windows Console Installation Wizard.
• Start the Installation Wizard, which will install Kaspersky Embedded Systems Security for Windows Administration Plug-in for managing the application via Kaspersky Security Center.
• Go to Kaspersky Embedded Systems Security for Windows page on the Kaspersky website.
• Visit the Technical Support website.
• Read information about the current version of Kaspersky Embedded Systems Security for Windows.

The distribution kit files are stored in the different folders depending on their intended use (see table below).

Kaspersky Embedded Systems Security for Windows distribution kit files

Page top

[Topic 239674]

Software and hardware requirements

Before installing Kaspersky Embedded Systems Security for Windows, you must uninstall other anti-virus applications from the device.

Software requirements for the protected device

You can install Kaspersky Embedded Systems Security for Windows on a device running a 32-bit or 64-bit Microsoft Windows operating system.

Windows Installer 3.1 is required for proper installation and operation of the application on a protected device running Microsoft Windows XP.

To install and use Kaspersky Embedded Systems Security for Windows on protected devices with embedded operating systems, the Filter Manager component is required.

For correct operation of Kaspersky Embedded Systems Security for Windows, SHA-2 support is required in Windows. For detailed information, see: https://support.kaspersky.com/15728.

You can install Kaspersky Embedded Systems Security for Windows on a device running one of the following 32-bit or 64-bit Microsoft Windows operating systems:

• Workstations:
  • Windows XP Professional SP2 32-bit / 64-bit
  • Windows XP Professional SP3 32-bit
  • Windows 7 Home/Professional/Enterprise/Ultimate SP1 32-bit / 64-bit
  • Windows 8 Pro/Enterprise 32-bit / 64-bit
  • Windows 8.1 Pro/Enterprise 32-bit / 64-bit
  • Windows 10 version 1507 Home / Pro / Education / Enterprise 32-bit / 64-bit
  • Windows 10 LTSC 2015 version 1507 32-bit / 64-bit
  • Windows 10 RS1 version 1607 Home / Pro / Education / Enterprise 32-bit / 64-bit
  • Windows 10 LTSC 2016 version 1607 32-bit / 64-bit
  • Windows 10 RS2 version 1703 Home / Pro / Education / Enterprise 32-bit / 64-bit
  • Windows 10 RS3 version 1709 Home / Pro / Education / Enterprise 32-bit / 64-bit
  • Windows 10 RS4 version 1803 Home / Pro / Education / Enterprise 32-bit / 64-bit
  • Windows 10 RS5 version 1809 Home / Pro / Education / Enterprise 32-bit / 64-bit
  • Windows 10 LTSC 2019 version 1809 32-bit / 64-bit
  • Windows 10 19H2 version 1909 Home / Pro / Education / Enterprise 32-bit / 64-bit
  • Windows 10 21H2 version 21H2 Home / Pro / Education / Enterprise 32-bit / 64-bit
  • Windows 10 LTSC 2021 version 21H2 32-bit / 64-bit
  • Windows 10 22H2 version 22H2 Home / Pro / Education / Enterprise 32-bit / 64-bit
  • Windows 11 21H2 version 21H2 Home / Pro / Education / Enterprise 64-bit
  • Windows 11 22H2 version 2H2 Home / Pro / Education / Enterprise 64-bit
  • Windows 11 23H2 version 23H2 Home / Pro / Education / Enterprise 64-bit
  • Windows 11 24H2 version 24H2 Home / Pro / Education / Enterprise 64-bit
• Servers:
  • Windows Server 2003 SP2 Standard / Enterprise 32-bit / 64-bit
  • Windows Server 2003 R2 SP2 Standard / Enterprise 32-bit / 64-bit
  • Windows Server 2008 SP2 Standard / Enterprise 32-bit / 64-bit
  • Windows Server 2008 R2 SP1 Standard / Enterprise 64-bit
• Embedded systems:
  • Windows XP Embedded SP2 (WEPOS) 32-bit / 64-bit
  • Windows XP Embedded SP3 (POS Ready 2009) 32-bit
  • Windows 7 Embedded SP1 (POSReady 7) 32-bit / 64-bit
  • Windows 8.0 Embedded Industry Pro 32-bit / 64-bit
  • Windows 8.1 Embedded Industry Pro 32-bit / 64-bit
  • Windows 10 version 1507 IoT Enterprise 32-bit / 64-bit
  • Windows 10 version 1607 IoT Enterprise 32-bit / 64-bit
  • Windows 10 version 1703 IoT Enterprise 32-bit / 64-bit
  • Windows 10 version 1709 IoT Enterprise 32-bit / 64-bit
  • Windows 10 version 1803 IoT Enterprise 32-bit / 64-bit
  • Windows 10 version 1809 IoT Enterprise 32-bit / 64-bit
  • Windows 10 version 1909 IoT Enterprise 32-bit / 64-bit
  • Windows 10 version 21H2 IoT Enterprise 32-bit / 64-bit
  • Windows 10 version 22H2 IoT Enterprise 32-bit / 64-bit
  • Windows 11 version 21H2 IoT Enterprise 64-bit
  • Windows 11 version 22H2 IoT Enterprise 64-bit
  • Windows 11 version 23H2 IoT Enterprise 64-bit
  • Windows 11 version 24H2 IoT Enterprise 64-bit.

Supported versions of Kaspersky Security Center

Kaspersky Embedded Systems Security for Windows is compatible with the following versions of Kaspersky Security Center:

• Kaspersky Security Center Windows versions 10.5, 11. Management of Kaspersky Embedded Systems Security for Windows installed on computers running the Microsoft Windows XP SP2 operating system is supported via Administration Console using the Administration Plug-in and via Web Console using the Web Plug-in.
• Kaspersky Security Center Windows versions 13.2, 14.2. Management of Kaspersky Embedded Systems Security for Windows is supported via Administration Console using the Administration plug-in and via Web Console using the Web Plug-in.
• Kaspersky Security Center Linux versions 15, 15.1. Management of Kaspersky Embedded Systems Security for Windows via Web Console is supported using the Web Plug-in.

To manage Kaspersky Embedded Systems Security for Windows via Kaspersky Security Center, Kaspersky Security Center Network Agent is required.

Kaspersky Security Center Network Agent is not included in the Kaspersky Embedded Systems Security for Windows distribution kit. You can download it on the applications download page in the Kaspersky Security Center section.

Hardware requirements for the protected device

Hardware requirements for the protected device

Limiting functionality on outdated Windows versions

• When creating an installation package in Kaspersky Security Center version 12 and later, to install Kaspersky Embedded Systems Security for Windows on devices running Windows XP or Windows Server 2003, you must use the setup.exe executable file from the installation package created in Kaspersky Security Center version 10.5.
• To manage Kaspersky Embedded Systems Security for Windows via Kaspersky Security Center:
  • on a computer running Windows XP SP2 Professional (32-bit/64-bit), Windows Server 2003 or Windows Server 2003 R2, you must use Kaspersky Security Center Network Agent (klnagent) version 10.5.1781.
  • on a computer running Windows XP SP3 Professional (32-bit) and Windows XP Embedded SP3 (32-bit), you must use Kaspersky Security Center Network Agent (klnagent) version 14.0.0.20023.

[Topic 161707]

Functional requirements and limitations

This section describes additional functional requirements and existing limitations for Kaspersky Embedded Systems Security for Windows components.

[Topic 161813]

Installation and uninstallation

Following is the list of installation and uninstallation limitations:

• For correct operation of Kaspersky Embedded Systems Security for Windows, SHA-2 support is required in Windows.
• When you install the application, a warning may appear on the screen If the specified path to the Kaspersky Embedded Systems Security for Windows installation folder contains more than 150 characters. The warning does not affect the installation process: you can install and run Kaspersky Embedded Systems Security for Windows.
• If you want to install the SNMP protocol support component, make sure to restart the SNMP service if the SNMP service is running.
• If you want to install and run Kaspersky Embedded Systems Security for Windows on a device running on an embedded operating system, make sure to install the Filter Manager component.
• You cannot install Kaspersky Embedded Systems Security for Windows Administration Tools via Microsoft Active Directory group policies.
• If you exclude the Anti-virus Protection node from the list of installed application components, this node disappears from the list of available components after the installation is completed. To install the components of the Anti-virus Protection node, start the Installation Wizard from the installation package since the installation package contains a full list of components.
• If Kaspersky Embedded Systems Security for Windows Administration Console is installed, the Installation Wizard may prompt to restart the computer. In this case, reboot is not mandatory. It is sufficient to end the session of the user who installed the Administration Console and log in to the system again.
• If you install the application on the protected devices running on older operating systems unable to receive regular updates, ensure that the following root certificates are installed:
  • DigiCert Assured ID Root CA
  • DigiCert_High_Assurance_EV_Root_CA
  • DigiCertAssuredIDRootCA

  If the specified root certificates are not installed, the application may function improperly. We recommend that you install the certificates as soon as possible.

Page top

[Topic 161815]

File Integrity Monitor

By default, the File Integrity Monitor does not monitor changes in the system folders or the file system's housekeeping files to not clutter task reports with information about routine file changes performed constantly by the operating system. You cannot include such folders in the monitoring scope.

The following folders and files are excluded from the monitoring scope:

• NTFS housekeeping files with file id from 0 to 33
• %SystemRoot%\Prefetch\
• %SystemRoot%\ServiceProfiles\LocalService\AppData\Local\
• %SystemRoot%\System32\LogFiles\Scm\
• %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\
• %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\
• %SystemRoot%\Microsoft.NET\
• %SystemRoot%\System32\config\
• %SystemRoot%\Temp\
• %SystemRoot%\ServiceProfiles\LocalService\
• %SystemRoot%\System32\winevt\Logs\
• %SystemRoot%\System32\wbem\repository\
• %SystemRoot%\System32\wbem\Logs\
• %ProgramData%\Microsoft\Windows\WER\ReportQueue\
• %SystemRoot%\SoftwareDistribution\DataStore\
• %SystemRoot%\SoftwareDistribution\DataStore\Logs\
• %ProgramData%\Microsoft\\Windows\AppRepository\
• %ProgramData%\Microsoft\Search\\Data\Applications\Windows\
• %SystemRoot%\Logs\SystemRestore\
• %SystemRoot%\System32\Tasks\Microsoft\\Windows\TaskScheduler\

The application excludes top-level folders.

The component does not monitor files changes that bypass the ReFS/NTFS file system (file changes made through BIOS, LiveCD, and more).

[Topic 161825]

Firewall Management

Following is the list of limitations for Firewall Management:

• You should specify more than one address. Otherwise, working with IPv6 is unavailable.
• Preset Firewall policy rules support basic scenarios of interaction between protected devices and Administration Server. To make full use of Kaspersky Security Center functions, you need to configure port rules. You can find information about port numbers, protocols and their functions in the Kaspersky Security Center Knowledge Base.
• After the application is installed and rules for the task are configured, the application monitors changes to Windows Firewall rules and rule groups when the Firewall Management task is started. To update the status and add the required rules, make sure to restart the Firewall management task.
• When the Firewall Management task is started, denying rules and rules monitoring outgoing traffic are automatically removed from the operating system firewall settings.
• Characters "*" and "?" can not be used in the application path and in firewall rule name for application.

[Topic 161823]

Other limitations

Limitations of On-Demand Scan and Real-Time File Protection:

• Scanning of connected MTP-devices is not available.
• Archive scanning is unavailable without SFX-archive scanning: if archive scanning is enabled in the protection settings of Kaspersky Embedded Systems Security for Windows, the application automatically scans objects in both archives and SFX-archives. SFX-archive scanning is available without archive scanning.
• If Deeper analysis of launching processes (process launch is blocked until the analysis ends) checkbox and KSN Usage are enabled simultaneously, any launched process that receives URL web-address as an argument will be blocked, even if Statistics only mode was chosen. To avoid blocking the process, please choose one of the options:
  • Disable KSN Usage.
  • Disable Deeper analysis of launching processes (process launch is blocked until the analysis ends) checkbox

  Recommended option: Disable Deeper analysis of launching processes checkbox

• When an attempt is made to run the On-Demand Scan task on a host without the On-Demand Scan component installed, the application displays a message about task execution internal error, rather than an explicit indication of the absence of the On-Demand Scan component.

Licensing:

• You cannot activate the application with a key via the Setup wizard if the key was created using the SUBST command, or if the path to the key file is a network path.
• If you plan to use a Kaspersky Security Center proxy server to activate the product on a client device, disable VDI optimization on that device when installing Kaspersky Security Center Network Agent.

Updates:

• By default, the application icon is hidden after Kaspersky Embedded Systems Security for Windows critical modules updates are installed.
• KLRAMDISK is not supported on protected devices running the Windows XP or Windows Server 2003 operating system.

Interface:

• In the Application Console, filtering in the Quarantine, Backup, System audit log or Task log is case sensitive.
• When configuring a protection or scan scope in the Application Console, you can use only one mask and only at the end of the path. Following are the examples of correct masks: "C:\Temp\Temp*", or "C:\Temp\Temp???.doc", and "C:\Temp\Temp*.doc". This limitation does not affect configuration of the Trusted Zone.

Security:

• If the operating system’s User Account Control feature is enabled, a user account must be part of the ESS Administrators group to be able to open the Application Console by double-clicking the application icon in the tray notification area. Otherwise, it will be necessary to login as a user who is allowed to open the Compact Diagnostic Interface or Microsoft Management Console snap-in.
• If User Account Control is enabled, you cannot uninstall the application via the Microsoft Windows Programs and Features window.

Integration with Kaspersky Security Center:

• When update packages are received, Administration Server verifies database updates before sending the updates to protected devices on the network. Administration Server does not verify software module updates.
• Make sure that the required check boxes are selected in the Interaction with the Administration Server settings when you use the components that transmit dynamic data to Kaspersky Security Center using network lists (Quarantine, Backup).

Exploit prevention:

• Exploit Prevention is unavailable if the apphelp.dll libraries are not loaded in the current environment configuration.
• The Exploit Prevention component is incompatible with the EMET utility from Microsoft on protected devices running the Microsoft Windows 10 operating system. Kaspersky Embedded Systems Security for Windows blocks EMET if the Exploit Prevention component is installed on a protected device with the EMET utility installed.
• The Exploit Prevention component is incompatible with the SQL Server 2012 Database Engine. If you install Kaspersky Embedded Systems Security for Windows on the computer with installed MS SQL Server 2012, you must add the sqlos.dll library of the database server to the list of exclusions in the Exploit Prevention task.

[Topic 147900]

Installing and removing the application

This section provides step-by-step instructions for installing and removing Kaspersky Embedded Systems Security for Windows.

[Topic 256204]

About Kaspersky Embedded Systems Security for Windows update

An upgrade to Kaspersky Embedded Systems Security for Windows version 3.4 is available for application versions 2.3, 3.1, 3.2 and 3.3. To update from another version, remove the installed version and install version 3.4.

The update is performed by installing the new version of the application over the installed version of the application and does not require a computer restart.

By default, the application creates a new installation folder with the name of the new application version based on the path to the existing application installation folder. You can manually specify a new path for the application installation folder.

When upgrading Kaspersky Embedded Systems Security for Windows to version 3.4, the previously installed version of the application is automatically deleted.

If your version of Kaspersky Embedded Systems Security for Windows is earlier than 2.3, you must first uninstall the installed application before installing the new version.

When updating a password-protected installation of Kaspersky Embedded Systems Security for Windows version 2.3 or later, pass the password to the installer in one of the following ways:

• If installing locally via the Installation Wizard interface or in interactive CLI mode, specify the password when requested.
• If installing locally in non-interactive CLI mode, specify the password in the UNLOCK_PASSWORD key.
• If installing remotely via Kaspersky Security Center, pass the current password in the installation package settings.
• When installing application via Active Directory group policies, specify the value of UNLOCK PASSWORD key in the install_props.json configuration file.

When updating the application, the current license is automatically applied to Kaspersky Embedded Systems Security for Windows version 3.4, and the use of the new application components and tasks is fully available. The license term remains unchanged.

If an application is updated with an expired license, the new version of the application runs in limited functionality mode after installation (for example, application database updates are not available).

[Topic 256650]

Migrating settings values of the updated application version

The following settings remain unchanged during application update:

• application and task settings
• task logs and system audit logs
• contents of Quarantine and Backup
• accounts under which tasks are started
• user access permissions for application management
• settings for notifications about the operation of tasks
• KAVFS service continues execution with PPL attribute if the attribute was assigned to it in the previous version of the application

The following settings are reset or changed to the default values for the new version of the application during application upgrade:

• all counters, including anti-virus database statuses
• data about installed updates of application modules and anti-virus databases
• task statuses
• application and task settings configured through the registry
• application and task settings that were changed during the installation of critical fixes.

Migrating the list of blocked network sessions

The list of blocked network sessions of client computers is not migrated during an application update.

The settings for automatically unblocking access to blocked network file resources remain unchanged during an application update.

Migrating Applications Launch Control settings and rules

During an application upgrade, Applications Launch Control rules are migrated without changes.

When updating the application, we recommend that you stop the Applications Launch Control task if it is running in active mode, or change the task to Statistics only mode.

After completing an update of the application, we recommend checking the migrated Applications Launch Control rules and their operation in Statistics only mode.

Migrating values of Firewall Management settings and rules

During an application upgrade, the rules for the Firewall Management task are migrated without changes.

If the Firewall Management component was not installed in a previous version of the application, after the application upgrade, the Firewall Management task runs in Monitor Windows Firewall status mode.

If the Firewall Management component was installed in a previous version of the application, the Firewall Management task runs in Control Windows Firewall mode after the application upgrade.

Updating the application with configuration modification

When you install the "Protect computer with Anti-Virus Bases" configuration of application from /exec folder over an application version that does not use signature analysis and anti-virus databases to protect your computer ("Protect computer with Default Deny technology"), the set of application components will be automatically expanded by adding the following components:

• Real-Time File Protection
• On-Demand Scan
• Network Threat Protection

The archive containing the anti-virus databases is unpacked automatically.

If you do not want to use these components and tasks to protect your device, restart the application installation from the /product_long_term folder.

When you install the "Protect computer with Default Deny technology" configuration of application from /product_long_term folder over an application version that uses signature analysis and anti-virus databases to protect your computer ("Protect computer with Anti-Virus Bases" configuration), the set of application components will be automatically reduced by removing the following components:

• Real-Time File Protection
• On-Demand Scan
• the components enabling updates

This configuration is recommended for protecting devices with limited resources. In this case, you can activate the application for a long term, and the Applications Launch Control component provides computer protection.

Kaspersky Security Network Statement and Kaspersky Managed Protection Statement

After application update to version 3.4, the KSN usage task is stopped. To continue usage of KSN cloud infrastructure and KMP Service after application update, you must read and accept the terms of Kaspersky Security Network Statement and Kaspersky Managed Protection Statement.

[Topic 256690]

About Kaspersky Embedded Systems Security for Windows Administration Tools update

Any version of Application Console can be updated to Kaspersky Embedded Systems Security Console for Windows version 3.4.

Additionally:

• Settings values of the updated Application Console remain unchanged.
• Аny previous version of Kaspersky Embedded Systems Security for Windows can be managed by Application Console version 3.4.
• Kaspersky Embedded Systems Security for Windows version 3.4 can be managed by Application Console of any previous version.

The following Administration Plug-in versions can be updated to version 3.4:

• 2.3.0.xxx;
• 3.1.0.xxx;
• 3.2.0.xxx.
• 3.3.0.xxx.

Additionally:

• The values of the Administration Plug-in settings of any afore mentioned versions remain unchanged after an upgrade to version 3.4.
• The following versions of Kaspersky Embedded Systems Security for Windows can be managed by Administration Plug-in version 3.4: 2.3.0.754, 3.1.0.461, 3.2.0.200, 3.3.0.87.
• Kaspersky Embedded Systems Security for Windows version 3.4 can be managed by Administration Plug-in of any of the afore mentioned versions.

During the update a new version of the Administration Plug-in or Application Console is installed over the previously installed version and does not require a computer restart.

[Topic 147609]

Kaspersky Embedded Systems Security for Windows software component codes for the Windows Installer service

Expand all | Collapse all

The \product_long_term\ess_x86.msi and \product_long_term\ess_x64.msi files are designed to install the Protect computer with Default Deny technology configuration of Kaspersky Embedded Systems Security for Windows, and the \product\ess_x86.msi and \product\ess_x64.msi files are designed to install the Protect computer with Anti-Virus Bases configuration of Kaspersky Embedded Systems Security for Windows.

The \console\esstools_x86.msi and \console\esstools_x64.msi files install all software components that are part of the Administration Tools.

The following sections list the Kaspersky Embedded Systems Security for Windows component codes for the Windows Installer service. These codes can be used to define a list of components to be installed when installing Kaspersky Embedded Systems Security for Windows from the command line.

[Topic 147610]

Kaspersky Embedded Systems Security for Windows software components

The following table contains codes and descriptions of Kaspersky Embedded Systems Security for Windows software components.

Description of Kaspersky Embedded Systems Security for Windows software components

Page top

[Topic 147611]

"Administration tools" software component

The following table contains the code and the description of the "Administration tools" software component.

Description of the "Administration tools" software component

Page top

[Topic 147612]

System changes after Kaspersky Embedded Systems Security for Windows installation

When Kaspersky Embedded Systems Security for Windows and the set of "Administration Tools" (including the Application Console) are installed together, the Windows Installer service will make the following modifications on the protected device:

• Kaspersky Embedded Systems Security for Windows folders are created on the protected device and on the device where the Application Console is installed.
• Kaspersky Embedded Systems Security for Windows services are registered.
• Kaspersky Embedded Systems Security for Windows user group is created.
• Kaspersky Embedded Systems Security for Windows keys are registered in the system registry.
• Kaspersky Embedded Systems Security OS Upgrade Detect system task that is displayed in the Windows Task Scheduler is created.

These changes are described below.

Kaspersky Embedded Systems Security for Windows folders on a protected device

When Kaspersky Embedded Systems Security for Windows is installed, the following folders are created on a protected device:

• Kaspersky Embedded Systems Security for Windows default installation folder containing the Kaspersky Embedded Systems Security for Windows executable files depend on the operating system bit set. Therefore, the default installation folders are as follows:
  • For the 32-bit version of Microsoft Windows: %ProgramFiles%\Kaspersky Lab\Kaspersky Embedded Systems Security
  • On the 64-bit version of Microsoft Windows: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Embedded Systems Security
• Management Information Base (MIB) files containing a description of the counters and hooks published by Kaspersky Embedded Systems Security for Windows via the SNMP protocol:
  • %Kaspersky Embedded Systems Security%\mibs
• 64-bit versions of Kaspersky Embedded Systems Security for Windows executable files (this folder will be created only during installation of Kaspersky Embedded Systems Security for Windows on the 64-bit version of Microsoft Windows):
  • %Kaspersky Embedded Systems Security%\x64
• Kaspersky Embedded Systems Security for Windows service files:
  • %ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.4\Data
  • %ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.4\Settings
  • %ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.4\Dskm

  For Windows XP the path to the Kaspersky Lab folder is %ALLUSERSPROFILE%\Application Data

• Files with settings for update sources:

  %ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.4\Update

  %ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.4\Update

• Updates of databases and software modules downloaded using the Copying Updates task (the folder will be created the first time updates are downloaded using the Copying Updates task).

  %ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.4\Update\Distribution

• Task logs and system audit log.

  %ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.4\Reports

• Set of databases currently in use.

  %ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.4\Bases\Current

• Backup copies of databases; they are overwritten each time the databases are updated.

  %ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.4\Bases\Backup

• Temporary files created during execution of update tasks.

  %ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.4\Bases\Temp

• Quarantined objects (default folder).

  %ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.4\Quarantine

• Objects in backup (default folder).

  %ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.4\Backup

• Objects restored from backup and quarantine (default folder for restored objects).

  %ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.4\Restored

Folder created during installation of Application Console

The Application Console default installation folders containing the "Administration Tools" files depend on the operating system bit set. Therefore, the default installation folders are as follows:

• For the 32-bit version of Microsoft Windows: %ProgramFiles%\Kaspersky Lab\Kaspersky Embedded Systems Security Admins Tools
• For the 64-bit version of Microsoft Windows: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Embedded Systems Security Admins Tools

Kaspersky Embedded Systems Security for Windows services

The following Kaspersky Embedded Systems Security for Windows services start using the local system (SYSTEM) account:

• Kaspersky Security Service (KAVFS) – essential Kaspersky Embedded Systems Security for Windows service that manages Kaspersky Embedded Systems Security for Windows tasks and workflows.
• Kaspersky Security Management Service (KAVFSGT) – this service is intended for Kaspersky Embedded Systems Security for Windows application management through the Application Console.
• Kaspersky Security Exploit Prevention Service (KAVFSSLP) – this service acts as an intermediary to communicate security settings to external security agents, and to receive data about security events.

Kaspersky Embedded Systems Security for Windows group

ESS Administrators is a group on the protected device whose users have full access to the Kaspersky Security Management Service and all Kaspersky Embedded Systems Security functions.

System registry keys

When Kaspersky Embedded Systems Security for Windows is installed, the following system registry keys are created:

• Properties of the Kaspersky Embedded Systems Security for Windows: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KAVFS]
• Kaspersky Embedded Systems Security for Windows event log settings (Kaspersky Event Log): [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Kaspersky Security]
• Properties of the Kaspersky Embedded Systems Security for Windows management service: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KAVFSGT]
• Performance counter settings:
  • For the 32-bit version of Microsoft Windows: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kaspersky Security\Performance]
  • For the 64-bit version of Microsoft Windows: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kaspersky Security x64\Performance]
• SNMP Protocol Support component settings:
  • For the 32-bit version of Microsoft Windows: [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\ESS\3.4\SnmpAgent]
  • For the 64-bit version of Microsoft Windows: [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\ESS\3.4\SnmpAgent]
• Dump file settings:
  • For the 32-bit version of Microsoft Windows: [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\ESS\3.4\CrashDump]
  • For the 64-bit version of Microsoft Windows: [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\ESS\3.4\CrashDump]
• Trace file settings:
  • For the 32-bit version of Microsoft Windows: [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\ESS\3.4\Trace]
  • For the 64-bit version of Microsoft Windows: [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\ESS\3.4\Trace]
• Settings for application tasks and functions: [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\ESS\3.4\Environment]

Kaspersky Embedded Systems Security OS Upgrade Detect system task

The Windows Installer service creates a Kaspersky Embedded Systems Security OS Upgrade Detect task during application installation. The task is started immediately after it is created and later at every OS startup. The task checks the version of the drivers used by the application: if an operating system version is updated, the application updates the drivers for the corresponding version of the operating system.

The task does not affect the application and can be deleted. We recommend to keep operating system upgrade scenario in mind.

Page top

[Topic 147901]

Kaspersky Embedded Systems Security for Windows processes

Kaspersky Embedded Systems Security for Windows starts processes described in the table below.

Kaspersky Embedded Systems Security for Windows processes

Page top

[Topic 147618]

Installation and recovery settings, and Windows Installer command-line options

This section describes the settings for installing Kaspersky Embedded Systems Security for Windows, the settings for uninstalling Kaspersky Embedded Systems Security for Windows, and the default options. The section also contains the keys for changing the installation settings and possible key values. These keys can be used in conjunction with standard keys for the Windows Installer service's msiexec command when installing Kaspersky Embedded Systems Security for Windows from the command line.

Installation settings and command line options in Windows Installer

• Acceptance of the terms of the End User License Agreement.

  The possible values for EULA=<value> command line option are as follows:

  • 0 – you reject the terms of the End User License Agreement (default value).
  • 1 – you accept the terms of the End User License Agreement.
• Acceptance of the terms of the Privacy Policy.

  The possible values for PRIVACYPOLICY=<value> command line option are as follows:

  • 0 – you reject the terms of the Privacy Policy (default value).
  • 1 – you accept the terms of the Privacy Policy.
• Consent to the provisions of the Disclaimer: you must accept the terms to install Kaspersky Embedded Systems Security for Windows patches if included in the distribution kit.

  DISCLAIMER=<values> can take the following values.

  • 0: you reject the terms of the Disclaimer (default).
  • 1: you accept the provisions of the Kaspersky Embedded Systems Security for Windows patching Disclaimer.
• Allow installation of Kaspersky Embedded Systems Security for Windows if the KB4528760 update not installed. For detailed information about the KB4528760 update please visit Microsoft website.

  The possible values for SKIPCVEWINDOWS10=<value> command line option are as follows:

  • 0 – cancel the installation of Kaspersky Embedded Systems Security for Windows if the KB4528760 update is not installed (default value).
  • 1 – allow the installation of Kaspersky Embedded Systems Security for Windows if the KB4528760 update is not installed.

  The KB4528760 update fixes the CVE-2020-0601 security vulnerability. For detailed information about the CVE-2020-0601 security vulnerability please visit the Microsoft website.

• Installation of Kaspersky Embedded Systems Security for Windows with preservation of the settings of the previous version during the upgrade.

  The possible values for RESTOREDEFSETTINGS=<value> command line option are as follows:

  • 0 – All data from the previous version is migrated to the new version during the upgrade (default value).
  • 1 – Only the file with activation data and private keys is migrated to the new version during the upgrade ([drive]:\ProgramData\Kaspersky Lab\<product>\<version>\Data\product.dat). All other data from the previous version, such as settings, anti-virus databases, reports, quarantine and backup objects, are deleted.
• Installation of Kaspersky Embedded Systems Security for Windows with preservation of the reports from previous versions during the upgrade.

  The possible values for KEEP_REPORTS=<value> command line option are as follows:

  • 0 – all data from the previous version, except for reports ([drive]:\ProgramData\Kaspersky Lab\<product>\<version>\Reports), is migrated to the new version during the upgrade. The reports are deleted.
  • 1 – all data from the previous version, such as settings, anti-virus databases, reports, quarantine and backup objects, are migrated to the new version during the upgrade (default value).
• Installation of Kaspersky Embedded Systems Security for Windows with a preliminary scan of active processes and the boot sectors of local disks.

  The possible values for PRESCAN=<value> command line option are as follows:

  • 0 – do not perform a preliminary scan of active processes and the boot sectors of local disks during the installation (default value).
  • 1 – perform a preliminary scan of active processes and the boot sectors of local disks during the installation.
• Destination folder where Kaspersky Embedded Systems Security for Windows files will be saved during installation. A different folder can be specified.

  The default values for INSTALLDIR=<full path to the folder> command line option are as follows:

  • Kaspersky Embedded Systems Security for Windows: %ProgramFiles%\Kaspersky Lab\Kaspersky Embedded Systems Security
  • Administration tools: %ProgramFiles%\Kaspersky Lab\Kaspersky Embedded Systems Security Admins Tools
  • On the x64-bit version of Microsoft Windows: %ProgramFiles(x86)%
• Start of the Real-Time File Protection task immediately after Kaspersky Embedded Systems Security for Windows starts.

  The possible values for the RUNRTP=<value> command line option are:

  • 1 – start (default value).
  • 0 – do not start.
• Run mode for the Real-Time File Protection task.

  The possible values for the RUNRTP=<value> command line option are:

  • 1 – Recommended (default value).
  • 0 – Notify only.
• Objects excluded from the protection scope according to Microsoft Corporation recommendations. In the Real-Time File Protection task exclude from the protection scope objects on the device that Microsoft Corporation recommends to exclude. Some applications on the protected device may become unstable when an anti-virus application intercepts or modifies the files they use. For example, Microsoft Corporation includes some domain controller applications in the list of such objects.

  The possible values for ADDMSEXCLUSION=<value> command line option are as follows:

  • 1 – exclude (default value).
  • 0 – do not exclude.
• Objects excluded from the protection scope according to Kaspersky recommendations. In the Real-Time File Protection task exclude from the protection scope objects on the device that Kaspersky recommends to exclude.

  The possible values for ADDKLEXCLUSION=<value> command line option are as follows:

  • 1 – exclude (default value).
  • 0 – do not exclude.
• Connect to the Application Console remotely. By default, you cannot connect remotely to an Application Console installed on the protected device. During the installation, you can allow connection. Kaspersky Embedded Systems Security for Windows creates allowing rules for the process kavfsgt.exe using the TCP protocol for all ports.

  The possible values for ALLOWREMOTECON=<value> command line option are as follows:

  • 1 – allow.
  • 0 – deny (default value).
• Path to the key file (LICENSEKEYPATH). By default, the Windows Installer attempts to find the file with .key extension in the \exec folder of the distribution kit. If the \exec folder contains several key files, the Windows Installer will select the key file whose expiration date is the farthest into the future. A key file can be saved beforehand in the \exec folder or at another path that you can specify in the LICENSEKEYPATH parameter.

  LICENSEKEYPATH can take the following values.

  • Full path to the key file and key name.
  • Path to the folder where key files are stored.

  You can add a key after Kaspersky Embedded Systems Security for Windows is installed using an administrative tool of your choice: for example, the Application Console. If you do not add a key during installation of the application, Kaspersky Embedded Systems Security for Windows will not function.

• Path to the configuration file. Kaspersky Embedded Systems Security for Windows imports settings from the specified configuration file created in the application. Kaspersky Embedded Systems Security for Windows does not import passwords from the configuration file, for example, account passwords for starting tasks, or passwords for connecting to a proxy server. Once the settings are imported, you will have to enter all passwords manually. If the configuration file is not specified, the application will start to work with the default settings after setup.

  The default value for CONFIGPATH=<configuration file name> is not specified.

• Scan at Operating System Startup mode (SCANSTARTUP_BLOCKING) If you install Kaspersky Embedded Systems Security for Windows in the install mode without the SCANSTARTUP_BLOCKING key, the Scan at Operating System Startup task has the following parameters assigned to the Scan scope setting:
  • Action to perform on infected and other objects: Notify only
  • Action to perform on probably infected objects: Notify only

  If you install Kaspersky Embedded Systems Security for Windows in the install mode using the SCANSTARTUP_BLOCKING key, the Scan at Operating System Startup task has the following parameters assigned to the Scan scope setting:

  • Action to perform on infected and other objects: Perform recommended action
  • Action to perform on probably infected objects: Perform recommended action

  A Scan at Operating System Startup task is created automatically. By default, the Notify only mode is applied. In this case, after you deploy Kaspersky Embedded Systems Security for Windows on the devices, you can enable the Scan at Operating System Startup task if no issues with system services were discovered during scan. If the application detects critical system services as infected or probably infected objects, the Notify only mode gives you time to figure out the reason and solve the issue. If the application is running in Perform Recommended Action mode, a Disinfect action is performed. Remove, if disinfection fails action. Disinfection or removal of the system files may result in critical issues with operating system startup.

• Enables network connections to manage Kaspersky Embedded Systems Security for Windows remotely from another device where the Application Console is installed. Port 135 (TCP) is opened in Microsoft Windows Firewall, network connections are allowed for the executable file kavfsrcn.exe for remote management of Kaspersky Embedded Systems Security for Windows, and access is granted to DCOM applications. When installation is complete, add users to the ESS Administrators group to let them remotely manage the application, and allow network connections to the Kaspersky Security Management Service (kavfsgt.exe file) on the protected device. You can read more about additional configuration when the Kaspersky Embedded Systems Security for Windows Console is installed on another device.

  The possible values for ADDWFEXCLUSION=<value> command line option are as follows:

  • 1 – allow.
  • 0 – deny (default value).
• Disabling the check for incompatible software. Use this setting to enable or disable the check for incompatible software during background installation of the application on the protected device. Regardless of the value of this setting, during installation of Kaspersky Embedded Systems Security for Windows, the application always warns about other versions of the application installed on the protected device.

  The possible values for SKIPINCOMPATIBLESW=<value> command line option are as follows:

  • 0 – The check for incompatible software is performed (default value).
  • 1 – The check for incompatible software is not performed.
• Set up individual application components: ADDLOCAL=<semicolon-delimited application component codes>.
• Register Kaspersky Security as a protected process using the ELAM driver.

  The NOPPL=<value> command-line option can take the following values.

  • 0: Kaspersky Security service is registered in the operating system as a protected process.
  • 1: Kaspersky Security service is not registered in the operating system as a protected process.
• Enables/disables Kaspersky Security Center Network Agent (klnagent) power saving mode.

  SKIP_KLNAG_FLAG_TEST_VM_PERF=<value> can take the following values.

  • 0: after the Kaspersky Embedded Systems Security for Windows setup is complete, Kaspersky Security Center Network Agent (klnagent) will run in power saving mode—no information about local users will be sent to the Kaspersky Security Center server. You will be able to specify local users in the Kaspersky Embedded Systems Security for Windows policies and tasks settings only manually, and you will not be able to use the Kaspersky Security Center Administration Server list for this.
  • 1: after Kaspersky Embedded Systems Security for Windows installation is complete, Kaspersky Security Center Network Agent (klnagent) will send information about local users to the Kaspersky Security Center server. You will be able to specify local users in the Kaspersky Embedded Systems Security for Windows policies and tasks settings manually or with the help of the Kaspersky Security Center Administration Server list.

  A SKIP_KLNAG_FLAG_TEST_VM_PERF=<value> command-line option is not specified, which corresponds to a SKIP_KLNAG_FLAG_TEST_VM_PERF=0 command-line option.

Recovery settings and Windows Installer command-line options

• Restoring quarantined objects.

  The possible values for RESTOREQTN=<value> command line option are as follows:

  • 0 – Remove quarantined content (default value).
  • 1 – Restore quarantined content to the folder specified by the RESTOREPATH parameter into the \Quarantine subfolder.
• Restoring the content of backup.

  The possible values for RESTOREBCK=<value> command line option are as follows:

  • 0 – Remove backup content (default value).
  • 1 – Restore backup contents to the folder specified by the RESTOREPATH parameter into the \Backup subfolder.
• Enter the current password to confirm the uninstallation (if password protection is enabled).

  The default value for UNLOCK_PASSWORD=<specified password> is not specified.

• Folder for restored objects. Restored objects will be saved to the specified folder.

  The default value for the RESTOREPATH=<full path to the folder> command line option is %ALLUSERSPROFILE%\Application Data\Kaspersky Lab\Kaspersky Embedded Systems Security\3.4\Restored

• Remove individual application components: ADDLOCAL=<semicolon-delimited application component codes>.

[Topic 147902]

Kaspersky Embedded Systems Security for Windows install and uninstall logs

If Kaspersky Embedded Systems Security for Windows is installed or uninstalled using the Installation (Uninstallation) Wizard, the Windows Installer service creates an install (uninstall) log. A log file named ess_v3.4_install_<uid>.log (where <uid> is a unique 8-character log identifier) will be saved in the %temp% folder for the user whose account was used to start the setup.exe file.

If you run the Modify or Remove option for the Application Console or Kaspersky Embedded Systems Security for Windows from the Start menu, a log file named ess_v3.4_install_<uid> is automatically created in the %temp% folder.

If Kaspersky Embedded Systems Security for Windows is installed or uninstalled from the command line, the install log file will not be created by default.

To install Kaspersky Embedded Systems Security for Windows and create a log file on disk C:\:

• msiexec /i ess_x86.msi /l*v C:\ess.log /qn EULA=1 PRIVACYPOLICY=1
• msiexec /i ess_x64.msi /l*v C:\ess.log /qn EULA=1 PRIVACYPOLICY=1

[Topic 147622]

Installation planning

This section describes the set of Kaspersky Embedded Systems Security for Windows administration tools, and special aspects of installing and uninstalling Kaspersky Embedded Systems Security for Windows using a wizard, command line, using Kaspersky Security Center and via an Active Directory group policy.

Before starting installation of Kaspersky Embedded Systems Security for Windows, plan the main stages of the installation.

1. Determine which administration tools will be used to manage and configure Kaspersky Embedded Systems Security for Windows.
2. Select the necessary application components for installation.
3. Select the installation method.

[Topic 147623]

Selecting administration tools

Determine the administration tools that will be used to configure Kaspersky Embedded Systems Security for Windows settings and to manage the application. Kaspersky Embedded Systems Security for Windows can be managed using the Application Console, command-line utility, and Kaspersky Security Center Administration Console.

Kaspersky Embedded Systems Security for Windows Console

Kaspersky Embedded Systems Security for Windows Console is a standalone snap-in added to the Microsoft Management Console. Kaspersky Embedded Systems Security for Windows can be managed via the Application Console installed on the protected device or on another device on the corporate network.

Multiple Kaspersky Embedded Systems Security for Windows snap-ins can be added to one Microsoft Management Console opened in author mode to use it to manage the protection of multiple device with Kaspersky Embedded Systems Security for Windows installed.

The Application Console is included in the set of "Administration Tools" application components.

Command line utility

You can manage Kaspersky Embedded Systems Security for Windows from the command line of a protected device.

The command line utility is included in the Kaspersky Embedded Systems Security for Windows software components group.

Kaspersky Security Center

If Kaspersky Security Center is used for centralized management of anti-virus protection of devices at your company, you can manage Kaspersky Embedded Systems Security for Windows via the Kaspersky Security Center Administration Console.

The following components must be installed:

• Module for integration with Kaspersky Security Center Network Agent. This component is included in the Kaspersky Embedded Systems Security for Windows software components group. It allows Kaspersky Embedded Systems Security for Windows to communicate with the Network Agent. Install the module for integration with Kaspersky Security Center Network Agent on the protected device.
• Kaspersky Security Center Network Agent. Install this component on each protected device. This component supports interaction between Kaspersky Embedded Systems Security for Windows installed on the protected device and Kaspersky Security Center Administration Console. The Network Agent installation file is included in the Kaspersky Security Center distribution kit folder.
• Kaspersky Embedded Systems Security 3.4 for Windows Administration Plug-in. Additionally, install the Administration Plug-in for managing Kaspersky Embedded Systems Security for Windows via the Administration Console on the protected device where the Kaspersky Security Center Administration Server is installed. This provides the interface for application management via Kaspersky Security Center. The Administration Plug-in installation file, \exec\klcfginst.exe, is included in the Kaspersky Embedded Systems Security for Windows distribution kit.

[Topic 147624]

Selecting the installation type

After specifying the software components for installation of Kaspersky Embedded Systems Security for Windows, you need to select the application installation method.

Select the installation method depending on the network architecture and the following conditions:

• Whether you need special Kaspersky Embedded Systems Security for Windows installation settings, or the recommended installation settings.
• Whether the installation settings will be the same for all protected devices or specific to each protected device.

Kaspersky Embedded Systems Security for Windows can be installed interactively using the Setup Wizard or in silent mode without user involvement, and can be invoked by running the installation package file with installation settings from the command line. A centralized remote installation of Kaspersky Embedded Systems Security for Windows can be performed using Active Directory group policies or using the Kaspersky Security Center remote installation task.

Kaspersky Embedded Systems Security for Windows can be installed and configured on a single protected device with its settings saved to a configuration file; the file can then be used to install Kaspersky Embedded Systems Security for Windows on other protected devices. Note that this ability does not exist when the application is installed using Active Directory group policies.

Starting the Setup Wizard

The Setup Wizard can install the following:

• Kaspersky Embedded Systems Security for Windows components on the protected device, by clicking the link in the welcome application, which can be started by opening setupui.exe or directly using \exec\setup.exe file in the distribution kit.
• Kaspersky Embedded Systems Security for Windows Console on the protected device or other device on the LAN, by clicking the link in the welcome application, which can be started by opening setupui.exe or directly using \console\setup.exe file in the distribution kit.

Running the installation package file from the command line with the necessary installation settings

If the installation package file is started without command-line options, Kaspersky Embedded Systems Security for Windows will be installed with the default settings. Kaspersky Embedded Systems Security for Windows options can be used to modify the installation settings.

The Application Console can be installed on the protected device and / or administrator's workstation.

You can also use sample commands for the installation of Kaspersky Embedded Systems Security for Windows and the Application Console.

Centralized installation via Kaspersky Security Center

If Kaspersky Security Center is used in your network for managing networked devices' anti-virus protection, Kaspersky Embedded Systems Security for Windows can be installed on multiple devices by using the remote installation task.

The protected devices on which you want to install Kaspersky Embedded Systems Security for Windows using Kaspersky Security Center may be in the same domain as Kaspersky Security Center in a different domain, or in no domain at all.

Centralized installation using Active Directory group policies

Active Directory group policies can be used to install Kaspersky Embedded Systems Security for Windows on the protected device. The Application Console can be installed on the protected device or administrator's workstation.

Kaspersky Embedded Systems Security for Windows can be installed using just the recommended installation settings.

The protected devices on which Kaspersky Embedded Systems Security for Windows is installed using Active Directory group policies must be located in the same domain and the same organizational unit. Installation is performed at protected device start before logging in to Microsoft Windows.

[Topic 147629]

Installing and uninstalling the application using a wizard

This section describes the installation and uninstallation of Kaspersky Embedded Systems Security for Windows and the Application Console by means of the Setup Wizard, and contains information about additional configuration of Kaspersky Embedded Systems Security for Windows and actions to be performed upon installation.

[Topic 147630]

Installing using the Setup Wizard

The following sections contain information about installation of Kaspersky Embedded Systems Security for Windows and the Application Console.

To install and proceed to use Kaspersky Embedded Systems Security for Windows:

1. Install Kaspersky Embedded Systems Security for Windows on the protected device.
2. Install the Application Console on the devices from which you intend to manage Kaspersky Embedded Systems Security for Windows.
3. If the Application Console has been installed on any device in the network other than the protected device, perform additional configuration to allow Application Console users to manage Kaspersky Embedded Systems Security for Windows remotely.
4. Perform actions after installation of Kaspersky Embedded Systems Security for Windows.

[Topic 147631]

Kaspersky Embedded Systems Security for Windows installation

Expand all | Collapse all

Before installing Kaspersky Embedded Systems Security for Windows, do the following:

1. Make sure no other anti-virus programs are installed on the protected device.
2. Make sure that the account you use to run the Setup Wizard belongs to the administrators group on the protected device.

After completing the actions described above, proceed with the installation procedure. Following the Setup Wizard instructions, specify the installation settings for Kaspersky Embedded Systems Security for Windows. The Kaspersky Embedded Systems Security for Windows installation process can be stopped at any step of the Setup Wizard. To do so, click the Cancel button in the Setup Wizard window.

You can read more about the installation (uninstallation) settings.

To install Kaspersky Embedded Systems Security for Windows using the Setup Wizard:

1. Run the setupui.exe file on the protected device.
2. In the window that opens, in the Installation section, click the Protect computer with Default Deny technology link or Protect computer with Anti-Virus Bases link.

   If the "Protect computer with Anti-Virus Bases" configuration is selected, all Kaspersky Embedded Systems Security for Windows components are included by default except the Firewall Management and Performance Counters components.

   When you install the "Protect computer with Anti-Virus Bases" configuration of application over an application version that does not use signature analysis and anti-virus databases to protect your computer, the set of application components will be automatically expanded by adding the following components:

   • Real-Time File Protection
   • On-Demand Scan
   • Network Threat Protection

   The components enabling updates are not included in the Protect computer with Default Deny technology configuration.

   If the Protect computer with Default Deny technology configuration is selected, the following components are included by default:

   • Core
   • Exploit Prevention
   • Applications Launch Control
   • System Tray Icon

   When you install the "Protect computer with Default Deny technology" configuration of application over an application version that uses signature analysis and anti-virus databases to protect your computer, the set of application components will be automatically reduced by removing the following components:

   • Real-Time File Protection
   • On-Demand Scan
   • the components enabling updates

   This configuration is recommended for protecting devices with limited resources. In this case, you can activate the application for a long term, and the Applications Launch Control component provides computer protection.

3. In the welcome screen of the Kaspersky Embedded Systems Security for Windows Setup Wizard, click the Next button.

   The End User License Agreement and Privacy Policy window opens.

4. Review the terms of the License Agreement and Privacy Policy.
5. If you agree to the terms and conditions of End User License Agreement and Privacy Policy, select the I confirm that I have fully read, understood, and accept the terms and conditions of this End User License Agreement and I am aware and agree that my data will be handled and transmitted (including to third countries) as described in the Privacy Policy. I confirm that I have fully read and understand the Privacy Policy check boxes in order to proceed with the installation.

   If you do not accept the End User License Agreement and/or Privacy Policy the installation will be aborted.

6. Click the Next button.

   If the distribution kit contains patches, a Limited warranty Statement window opens.

7. Please read the Disclaimer. This is a requirement for subsequent patching.
8. If you accept the terms of the Disclaimer, select I confirm that I have fully read, understand, and accept the terms and conditions of this Limited warranty Statement check box.
9. Click the Next button.

   The Custom installation window opens.

10. Select the components to be installed.

    The SNMP Protocol Support component of Kaspersky Embedded Systems Security for Windows will only appear in the list of components suggested for installation if the Microsoft Windows SNMP service is installed on the protected device.

11. To cancel all changes, click the Custom installation button in the Reset window.
12. Click the Next button.
13. In the Select a destination folder window:
    • If required, specify a folder to which Kaspersky Embedded Systems Security for Windows files will be copied.
    • If required, review the information about available space on local drives by clicking the Disk button.

    Click the Next button.

14. In the Advanced installation settings window, configure Real-Time File Protection.
15. Click the Next button.
16. To import Kaspersky Embedded Systems Security for Windows settings from an existing configuration file created in a compatible earlier version of the application, specify the path to the configuration file in the Import settings from configuration file window.
17. Click the Next button.
18. In the Activation of the application window, do one of the following:
    • If you want to activate the application, specify a Kaspersky Embedded Systems Security for Windows key file for application activation.
    • If you want to activate the application later, click the Next button.
    • If a key file was previously saved in the \exec folder of the distribution kit, the name of this file will be displayed in the Key field.

      To add a key using a key file stored in another folder, specify the key file.

      Once the key file is added, license information will be shown in the window. Kaspersky Embedded Systems Security for Windows displays the license's calculated expiration date. The license term runs from the time when you add a key and expires no later than the expiration date of the key file.

19. Click the Next button to apply the key file in the application.
20. In the Ready to install window, click the Install button.

    The wizard will start the installation of Kaspersky Embedded Systems Security for Windows components.

21. The Installation complete window opens when installation is complete.
22. Click the Finish button.

The Setup Wizard closes. Once installation is complete, Kaspersky Embedded Systems Security for Windows is ready to use if you have added an activation key.

[Topic 147647]

Kaspersky Embedded Systems Security for Windows Console installation

Follow the instructions of the Setup Wizard to configure installation settings for the Application Console. The installation process can be stopped at any step of the wizard. To do so, click the Cancel button in the Setup Wizard window.

To install the Application Console:

1. Make sure that the account you use to run the Setup Wizard belongs to the administrators group on the device.
2. Run the setupui.exe file on the protected device.

   The welcome window opens.

3. Click on the Install Kaspersky Embedded Systems Security for Windows Console link.

   The Setup Wizard's welcome window opens.

4. Click the Next button.
5. In the window that opens, review the terms of the End User License Agreement and Privacy Policy, and select the check boxes under the I confirm that I have fully read, understood, and accept the terms and conditions of this End User License Agreement caption in order to proceed with the installation.
6. Click the Next button.

   The Advanced installation settings window opens.

7. In the Advanced installation settings window:
   • If you intend to use the Application Console to manage Kaspersky Embedded Systems Security for Windows installed on a remote device, select the Allow remote access check box.
   • To open the Custom installation window and select components:
     1. Click the Advanced button.

        The Custom installation window opens.

     2. Select the "Administration Tools" components from the list.

        By default, all the components are installed.

     3. Click the Next button.

   You can find more detailed information about Kaspersky Embedded Systems Security for Windows components.

8. In the Select a destination folder window:
   1. If required, specify a different folder to which the files being installed should be saved.
   2. Click the Next button.
9. In the Ready to install window, click the Install button.

   The wizard will begin installing the selected components.

10. Click the Finish button.

The Setup Wizard closes. The Application Console will be installed on the protected device.

If Administration Tools has been installed on any device in the network other than protected device, configure the advanced settings.

[Topic 147650]

Advanced settings after installation of the Application Console on another device

If the Application Console has been installed on any device in the network, other than a protected device, perform the following actions to allow users to manage Kaspersky Embedded Systems Security for Windows remotely:

• Add Kaspersky Embedded Systems Security for Windows users to the ESS Administrators group on the protected device.
• Allow network connections for the Kaspersky Security Management Service (kavfsgt.exe), if the protected device uses Windows Firewall or a third-party firewall.
• If the Allow remote access check box is not selected during installation of the Application Console on a device running Microsoft Windows, manually allow network connections for the Application Console via the device's firewall.

The Application Console on the remote device uses the DCOM protocol to receive information about Kaspersky Embedded Systems Security for Windows events (such as objects scanned, tasks completed, etc.) from the Kaspersky Security Management Service on the protected device. You need to allow network connections for the Application Console in the Windows Firewall settings in order to establish connections between the Application Console and the Kaspersky Security Management Service.

On the remote device, where the Application Console is installed, do the following:

• Make sure that anonymous remote access to COM applications is allowed (but not remote start and activation of COM applications).
• In Windows Firewall, open TCP port 135 and allow network connections for kavfsrcn.exe, the executable file of the Kaspersky Embedded Systems Security for Windows remote management process.

  The device where the Application Console is installed uses TCP port 135 to access the protected device and to receive a response.

• Configure an outbound rule for Windows Firewall to allow the connection.

  Unlike the traditional TCP/IP and UDP/IP services where a single protocol has a fixed port, DCOM dynamically assigns ports to remote COM objects. If a firewall exists between the client (where the Application Console is installed) and the DCOM endpoint (the protected device), a large range of ports must be opened.

The same steps should be applied to configure any other software or hardware firewall.

If the Application Console is open while you configure the connection between the protected device and the device on which the Application Console is installed:

1. Close the Application Console.
2. Wait until the Kaspersky Embedded Systems Security for Windows remote management process kavfsrcn.exe is finished.
3. Restart the Application Console.

   The new connection settings will be applied.

[Topic 181675]

Allowing anonymous remote access to COM applications

The names of settings may vary depending on the installed Windows operating system.

To allow anonymous remote access to COM applications:

1. On the remote device with the Kaspersky Embedded Systems Security for Windows Console installed, open the Component Services console.
2. Select Start → Run.
3. Enter the command dcomcnfg.
4. Click the OK button.
5. Expand the Computers node in the Component Services console on your protected device.
6. Open the context menu on the My Computer node.
7. Select Properties.
8. On the COM Security tab of the Properties window, click the Edit Limits button in the Access permissions settings group.
9. Make sure that the Allow Remote Access check box is selected for the ANONYMOUS LOGON user in the Allow Remote Access window.
10. Click the OK button.

[Topic 181676]

Allowing network connections for the Kaspersky Embedded Systems Security for Windows remote management process

The names of settings may vary depending on the installed Windows operating system.

To open TCP port 135 in Windows Firewall and to allow network connections for the Kaspersky Embedded Systems Security for Windows remote management process:

1. Close the Kaspersky Embedded Systems Security for Windows Console on the remote device.
2. Do one of the following:
   • On Microsoft Windows XP SP2 or later:
     1. Select Start > Windows Firewall.
     2. In the Windows Firewall window (or Windows Firewall settings), click the Add port button on the Exclusions tab.
     3. In the Name field, specify the port name RPC (TCP/135) or enter another name, for example Kaspersky Embedded Systems Security for Windows DCOM, and specify the port number (135) in the Port name field.
     4. Select the TCP protocol.
     5. Click the OK button.
     6. Click the Add button on the Exclusions tab.
   • On Microsoft Windows 7 or later:
     1. Select Start > Control Panel > Windows Firewall.
     2. In the Windows Firewall window, select Allow a program or feature through Windows Firewall.
     3. In the Allow programs to communicate through Windows Firewall window click the Allow another program button.
3. Specify the kavfsrcn.exe file in the Add Program window. It is located in the destination folder specified during installation of Kaspersky Embedded Systems Security for Windows Console using Microsoft Management Console.
4. Click the OK button.
5. Click the OK button in the Windows Firewall (Windows Firewall settings) window.

[Topic 181677]

Adding outbound rule for Windows Firewall

The names of settings may vary depending on the installed Windows operating system.

To add the outbound rule for Windows Firewall:

1. Select Start > Control Panel > Windows Firewall.
2. In the Windows Firewall window, click the Advanced settings link.

   The Windows Firewall with Advanced Security window opens.

3. Select the Outbound Rules child node.
4. Click the New Rule option in the Actions pane.
5. In the New Outbound Rule Wizard window that opens, select the Port option and click Next.
6. Select the TCP protocol.
7. In the Specific remote ports field specify the following ports range for allowing outgoing connections: 1024-65535.
8. In the Action window, select the Allow the connection option.
9. Save the new rule and close the Windows Firewall with Advanced Security window.

The Windows Firewall will now allow network connections between the Application Console and Kaspersky Security Management Service.

[Topic 148295]

Actions to perform after Kaspersky Embedded Systems Security for Windows installation

Kaspersky Embedded Systems Security for Windows starts protection and scan tasks immediately after installation if you have activated the application. If Enable Real-Time File Protection after installation of application (recommended) (default option) is selected during installation of Kaspersky Embedded Systems Security for Windows, the application scans the device's file system objects when they are accessed. Kaspersky Embedded Systems Security for Windows will run the Critical Areas Scan task every Friday at 8:00 P.M.

We recommend that you take the following steps after installing Kaspersky Embedded Systems Security for Windows:

• Start the application database update task. After installation Kaspersky Embedded Systems Security for Windows will scan objects using the database included in the application distribution kit.

  We recommend updating Kaspersky Embedded Systems Security for Windows databases immediately since they may be out of date.

  The application will then update the databases every hour according to the default schedule configured in the task.

• Run a Critical Areas Scan of the device if no anti-virus software with real-time file protection was installed on the device before installation of Kaspersky Embedded Systems Security for Windows.
• Configure administrator notifications about Kaspersky Embedded Systems Security for Windows events.

[Topic 148032]

Starting and configuring Kaspersky Embedded Systems Security for Windows Database Update task

To update the application database after installation:

1. In the Database Update task settings, configure a connection to an update source – Kaspersky HTTP or FTP update servers.
2. Start the Database Update task.

Web Proxy Auto-Discovery Protocol (WPAD) may not be configured on your network to detect proxy server settings automatically in the LAN. At that, your network may require authentication when accessing the proxy server.

To specify the optional proxy server settings and authentication settings for accessing the proxy server:

1. Open the context menu of the Kaspersky Embedded Systems Security for Windows node.
2. Select Properties.

   The Application settings window is displayed.

3. Select the Connection settings tab.
4. In the Proxy server settings section, select the Use the specified proxy server check box.
5. Enter the proxy server address in the Address field, and enter the port number for the proxy server in the Port field.
6. In the Proxy server authentication settings section, select the necessary authentication method in the drop-down list:
   • Use NTLM authentication, if the proxy server supports the built-in Microsoft Windows NTLM authentication. Kaspersky Embedded Systems Security for Windows will use the account specified in the task settings to access the proxy server. By default, the task is started under the Local System (SYSTEM) account.
   • Use NTLM authentication with user name and password, if the proxy server supports the built-in Microsoft Windows NTLM authentication. Kaspersky Embedded Systems Security for Windows will use the specified account to access the proxy server. Enter a user name and password or select a user from the list.
   • Apply user name and password, to select basic authentication. Enter a user name and password or select a user from the list.
7. Click the OK button in the Application settings window.

To configure the connection to Kaspersky's update servers, in the Database Update task:

1. Start Application Console in one of the following ways:
   • Open the Application Console on the protected device. To do this, select Start > All Programs > Kaspersky Embedded Systems Security for Windows > Administration Tools > Kaspersky Embedded Systems Security 3.4 for Windows Console.
   • If the Application Console has been started on a device other than the protected one, connect to the device:
     1. Open the context menu of the Kaspersky Embedded Systems Security for Windows node in the Application Console tree.
     2. Select the Connect to another computer item.
     3. In the Select protected device dialog, select Another device and in the text field indicate the network name of the protected device.

     If the account you used to sign in to Microsoft Windows does not have access permissions for the Kaspersky Security Management Service, indicate an account with the required permissions.

   The Application Console window opens.

2. In the Application Console tree, expand the Update node.
3. Select the Database Update child node.
4. Click the Properties link in the results pane.
5. In the Task settings window that opens, open the Connection settings tab.
6. Select Use proxy server settings to connect to Kaspersky update servers.
7. Click the OK button in the Task settings window.

The settings for connecting to the update source in the Database Update task will be saved.

To run the Database Update task:

1. In the Application Console tree, expand the Update node.
2. In the context menu on the Database Update child node, select the Start item.

The Database Update task starts.

After the task has successfully completed, you can view the release date of the latest database updates installed in the results pane of the Kaspersky Embedded Systems Security for Windows node.

[Topic 148053]

Critical Areas Scan

After you have updated the Kaspersky Embedded Systems Security for Windows databases, scan the protected device for malware using the Critical Areas Scan task.

To run the Critical Areas Scan task:

1. Expand the On-Demand Scan node in the Application Console tree.
2. In the context menu of the Critical Areas Scan child node, select the Start command.

The task starts; the Running task status is displayed in the results pane.

To view the task log,

in the results pane of the Critical Areas Scan node, click the Open task log link.

[Topic 147680]

Modifying the set of components and repairing Kaspersky Embedded Systems Security for Windows

Kaspersky Embedded Systems Security for Windows components can be added or removed. You need to stop the Real-Time File Protection task before you can remove the Real-Time File Protection component. In other circumstances there is no need to stop the Real-Time File Protection task or Kaspersky Security Service.

If application management is password protected, Kaspersky Embedded Systems Security for Windows requests the password when you attempt to remove components or modify the set of components in the Setup Wizard.

To modify the set of Kaspersky Embedded Systems Security for Windows components:

1. In the Start menu, select All programs > Kaspersky Embedded Systems Security for Windows > Modify or Remove Kaspersky Embedded Systems Security for Windows.

   The Setup Wizard's Modify, repair or remove installation window opens.

2. Select Modify components set. Click the Next button.

   The Custom installation window opens.

3. In the Custom installation window, in the list of available components, select the components that you want to add or remove from Kaspersky Embedded Systems Security for Windows. To do this, perform the following actions:
   • To change the set of components, click the button next to the name of the selected component. Then in the context menu, select:
     • Component will be installed on local hard drive, if you want to install one component;
     • Component and its subcomponents will be installed on local hard drive, if you want to install a group of components.
   • To remove previously installed components, click the button next to the name of the selected component. Then in the context menu, select Component will be unavailable.

   Click the Next button.

4. In the Ready to install window, confirm the change to the set of software components by clicking the Install button.
5. In the window that opens when installation is complete, click the OK button.

The set of Kaspersky Embedded Systems Security for Windows components will be modified based on the specified settings.

If problems occur during the operation of Kaspersky Embedded Systems Security for Windows (Kaspersky Embedded Systems Security for Windows crashes; tasks crash or do not start), you can perform a repair for Kaspersky Embedded Systems Security for Windows. You can perform a repair while saving the current Kaspersky Embedded Systems Security for Windows settings, or you can select an option to reset all Kaspersky Embedded Systems Security for Windows settings to their default values.

To repair Kaspersky Embedded Systems Security for Windows after the application or a task crashes:

1. In the Start menu, select All programs.
2. Select Kaspersky Embedded Systems Security for Windows.
3. Select Modify or Remove Kaspersky Embedded Systems Security for Windows.

   The Setup Wizard's Modify, repair or remove installation window opens.

4. Select Repair installed components. Click the Next button.

   This opens the Repair installed components window.

5. In the Repair installed components window, select the Restore recommended application settings check box if you want to reset the application settings and restore Kaspersky Embedded Systems Security for Windows with its default settings. Click the Next button.
6. In the Ready to repair window, confirm the repair operation by clicking the Install button.
7. In the window that opens when the repair operation is complete, click the OK button.

Kaspersky Embedded Systems Security for Windows will be repaired using the specified settings.

[Topic 147685]

Uninstalling using the Setup Wizard

This section contains instructions on removing Kaspersky Embedded Systems Security for Windows and the Application Console from a protected device using the Setup / Uninstallation Wizard.

[Topic 147686]

Kaspersky Embedded Systems Security for Windows uninstallation

Dump and trace files are not deleted on uninstalling Kaspersky Embedded Systems Security for Windows. You can manually delete dump and trace files from the folder specified during the configuration of dump and trace files writing.

The names of settings may vary depending on the installed Windows operating system.

Kaspersky Embedded Systems Security for Windows can be uninstalled from the protected device using the Setup / Uninstallation Wizard.

After uninstalling Kaspersky Embedded Systems Security for Windows from a protected device a restart may be required. The restart can be postponed.

Uninstallation, repair and installation of the application is not available via the Windows Control Panel if the operating system uses the UAC feature (User Account Control) or access to the application is password protected.

If application management is password protected, Kaspersky Embedded Systems Security for Windows requests the password when you attempt to remove components or modify the set of components in the Setup Wizard.

To uninstall Kaspersky Embedded Systems Security for Windows:

1. In the Start menu, select All programs.
2. Select Kaspersky Embedded Systems Security for Windows.
3. Select Modify or Remove Kaspersky Embedded Systems Security for Windows.

   The Setup Wizard's Modify, repair or remove installation window opens.

4. Select Remove software components. Click the Next button.

   The Advanced application uninstallation settings window opens.

5. If necessary, in the Advanced application uninstallation settings window:
   1. Select the Export quarantine objects check box to make Kaspersky Embedded Systems Security for Windows export objects that have been quarantined. By default, the check box is cleared.
   2. Check the Export Backup objects check box to export objects from Kaspersky Embedded Systems Security for Windows Backup. By default, the check box is cleared.
   3. Click the Save to button and select the folder to which you want to export the objects. By default, the objects will be exported to %ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\Uninstall.

      Click the Next button.

6. In the Ready to uninstall window, confirm the uninstallation by clicking the Uninstall button.
7. In the window that opens when the uninstallation is complete, click the OK button.

Kaspersky Embedded Systems Security for Windows will be uninstalled from the protected device.

[Topic 147690]

Kaspersky Embedded Systems Security for Windows Console uninstallation

The names of settings may vary depending on the installed Windows operating system.

You can uninstall the Application Console from the protected device using the Setup / Uninstallation Wizard.

After uninstalling the Application Console, you do not need to restart the protected device.

To uninstall the Application Console:

1. In the Start menu, select All programs.
2. Select Kaspersky Embedded Systems Security for Windows.
3. Select Modify or Remove Kaspersky Embedded Systems Security for Windows.

   The wizard's Repair or remove installation window opens.

4. Select Remove software components and click the Next button.
5. The Ready to uninstall window opens. Click the Uninstall button.

   The Uninstallation complete window opens.

6. Click the OK button.

Uninstallation is now complete, and the Setup Wizard closes.

Page top

[Topic 147691]

Installing and uninstalling the application from the command line

This section describes the particulars of installing and uninstalling Kaspersky Embedded Systems Security for Windows from the command line and contains examples of commands to install and uninstall Kaspersky Embedded Systems Security for Windows from the command line, and examples of commands to add and remove Kaspersky Embedded Systems Security for Windows components from the command line.

[Topic 147692]

About installing and uninstalling Kaspersky Embedded Systems Security for Windows from command line

Dump and trace files are not deleted on uninstalling Kaspersky Embedded Systems Security for Windows. You can manually delete dump and trace files from the folder specified during the configuration of dump and trace files writing.

You can install or uninstall Kaspersky Embedded Systems Security for Windows and add or remove its components by running the \exec\ess_x86.msi or \exec\ess_x64.msi installation package file from the command line after you specify the installation settings using command-line options.

The "Administration Tools" set can be installed on the protected device or on another device on the network to work with the Application Console locally or remotely. To do this, use the \console\esstools.msi installation package.

Perform the installation using an account included in the administrators group on the protected device where the application is installed.

If the \exec\ess_x86.msi or \exec\ess_x64.msi file is run on the protected device without additional command-line options, Kaspersky Embedded Systems Security for Windows will be installed with the default installation settings.

You can assign the set of components to be installed using the ADDLOCAL command-line option and listing the codes for the selected components or sets of components.

[Topic 147693]

Example commands for installing Kaspersky Embedded Systems Security for Windows

This section provides examples of commands used to install Kaspersky Embedded Systems Security for Windows.

On protected devices running a 32-bit version of Microsoft Windows, run the files with the x86 suffix in the distribution kit. On protected devices running a 64-bit version of Microsoft Windows, run the files with the x64 suffix in the distribution kit.

Detailed information about the use of Windows Installer's standard commands and command-line options is provided in the documentation supplied by Microsoft.

If you do not accept the End User License Agreement and Privacy Policy (default values EULA=0 and PRIVACYPOLICY=0) the installation will not be completed.

Examples of installing Kaspersky Embedded Systems Security for Windows from the setup.exe file

To install Kaspersky Embedded Systems Security for Windows with the recommended installation settings and included patches, and without user involvement:

\exec\setup.exe /s /p EULA=1 /p PRIVACYPOLICY=1 DISCLAIMER=1

To install components, such as Device Control:

\exec\setup.exe /p ADDLOCAL=DevCtrl /p RUNRTP=0 /p ADDMSEXCLUSION=0

When installing Kaspersky Embedded Systems Security for Windows on computers with network devices and SCSI devices that cause a system crash after installation of application, the following additional options can be used with this command:

/p SKIP_NETWORK_UPPERFILTERS=<1|0>

Enables (1) or disables (0) interception of connections of network adapters.

/p SKIP_SCSIADAPTER_UPPERFILTERS=<1|0>

Enables (1) or disables (0) interception of connections of SCSI adapters.

List of commands used for installation: running an .msi file

To install Kaspersky Embedded Systems Security for Windows with the recommended installation settings without user involvement:

msiexec /i ess_x64(or x86).msi /qn EULA=1 PRIVACYPOLICY=1

To install Kaspersky Embedded Systems Security for Windows with the recommended installation settings and display the installation interface:

msiexec /i ess_x64(or x86).msi /qn EULA=1 PRIVACYPOLICY=1

To install Kaspersky Embedded Systems Security for Windows with the recommended installation settings and enable trace file rotation when the number of trace files reaches the specified maximum number:

msiexec /i ess_x64(or x86).msi TRACE_FOLDER=C:\Traces TRACE_MAX_ROLL_COUNT=50 /qn EULA=1 PRIVACYPOLICY=1

The TRACE_FOLDER parameter is required.

The following rules apply to the TRACE_MAX_ROLL_COUNT parameter:

• If this parameter is specified, trace file rotation is enabled when the number of trace files reaches the maximum number specified in the parameter. Available range of parameters values: from 1 to 999.
• If the maximum number of trace files is specified as 0, trace file rotation is disabled.
• If a parameter value is specified, but is invalid or outside the range of available values (from 1 to 999), trace file rotation is enabled with the default maximum number of trace files set to 5.
• If the parameter is not specified:
  • If trace file rotation is already configured on the device, its settings are not changed. The application will ignore the entered parameters.
  • If trace file rotation is not configured on the device, the rotation option will be enabled with the default maximum number of trace files set to 5.

To install and activate Kaspersky Embedded Systems Security for Windows using the key file C:\0000000A.key:

msiexec /i ess_x64(or x86).msi LICENSEKEYPATH=C:\0000000A.key /qn EULA=1 PRIVACYPOLICY=1

To install Kaspersky Embedded Systems Security for Windows with a preliminary scan of active processes and the boot sectors of local disks:

msiexec /i ess_x64(or x86).msi PRESCAN=1 /qn EULA=1 PRIVACYPOLICY=1

To install Kaspersky Embedded Systems Security for Windows in the installation folder C:\ESS:

msiexec /i ess_x64(or x86).msi INSTALLDIR=C:\ESS /qn EULA=1 PRIVACYPOLICY=1

To install Kaspersky Embedded Systems Security for Windows and save an installation log file named ess.log in the folder where the Kaspersky Embedded Systems Security for Windows msi file is stored:

msiexec /i ess_x64(or x86).msi /l*v ess.log /qn EULA=1 PRIVACYPOLICY=1

To install Kaspersky Embedded Systems Security for Windows Console:

msiexec /i esstools.msi /qn EULA=1

To install and activate Kaspersky Embedded Systems Security for Windows using the key file C:\0000000A.key and configure Kaspersky Embedded Systems Security for Windows according to the settings in the configuration file C:\settings.xml:

msiexec /i ess_x64(or x86).msi LICENSEKEYPATH=C:\0000000A.key CONFIGPATH=C:\settings.xml /qn EULA=1 PRIVACYPOLICY=1

To install an application patch when Kaspersky Embedded Systems Security for Windows is password-protected:

msiexec /p "<msp file name with path>" UNLOCK_PASSWORD=<password>

[Topic 148298]

Actions to perform after Kaspersky Embedded Systems Security for Windows installation

Kaspersky Embedded Systems Security for Windows starts protection and scan tasks immediately after installation if you have activated the application. If you select the Enable Real-Time File Protection after installation of application (recommended) option during installation of Kaspersky Embedded Systems Security for Windows, the application scans the device's file system objects when they are accessed. Kaspersky Embedded Systems Security for Windows will run the Critical Areas Scan task every Friday at 8:00 P.M.

We recommend that you take the following steps after installing Kaspersky Embedded Systems Security for Windows:

• Start the Kaspersky Embedded Systems Security for Windows Database Update task. After installation Kaspersky Embedded Systems Security for Windows will scan objects using the database included in its distribution kit. We recommend that you update the Kaspersky Embedded Systems Security for Windows database immediately. To do so, you must run the Database Update task. The database will then be updated every hour according to the default schedule.

  For example, you can start the Database Update task by running the following command:

  KAVSHELL UPDATE /KL /PROXY:proxy.company.com:8080 /AUTHTYPE:1 /PROXYUSER:inetuser /PROXYPWD:123456

  In this case, Kaspersky Embedded Systems Security for Windows database updates are downloaded from Kaspersky update servers. Connection to an update source is established via a proxy server (proxy server address: proxy.company.com, port: 8080) using built-in Windows NTLM authentication to access the server under an account (user name: inetuser; password: 123456).

• Run a Critical Areas Scan of the device if no anti-virus software with real-time file protection was installed on the device before installation of Kaspersky Embedded Systems Security for Windows.

To start the Critical Areas Scan task using the command line:

KAVSHELL SCANCRITICAL /W:scancritical.log

This command saves the task log in a file named scancritical.log contained in the current folder.

• Configure administrator notifications about Kaspersky Embedded Systems Security for Windows events.

[Topic 147700]

Adding / removing components. Sample commands

The Applications Launch Control component is installed automatically.

To install the On-Demand Scan component, run the following command:

msiexec /i ess.msi ADDLOCAL=Oas,Ods /qn

or

\exec\setup.exe /s /p ADDLOCAL=Oas,Ods

After you add the components to the list, Kaspersky Embedded Systems Security for Windows reinstalls the existing components and installs the specified components.

To remove installed components run the following command:

msiexec /i ess.msi REMOVE=Firewall,PerfMonCounters EULA=1 PRIVACYPOLICY=1 /qn

To install new components, run the following command:

msiexec /i ess.msi ADDLOCAL=AKIntegration,AVProtection,AntiExploit,AppCtrl,DevCtrl,Fim,Ksn,LogInspector,Oas,Ods,SnmpSupport,TrayApp,IDS,RegMonitor EULA=1 PRIVACYPOLICY=1 /qn

After you list the components that you want to install and remove, Kaspersky Embedded Systems Security for Windows installs and removes the corresponding components.

[Topic 147701]

Kaspersky Embedded Systems Security for Windows uninstallation. Sample commands

To uninstall Kaspersky Embedded Systems Security for Windows from the protected device, run the following command:

• For 32-bit operating systems:

  msiexec /x ess_x86.msi /qn

• For 64-bit operating systems:

  msiexec /x ess_x64.msi /qn

or

• For 32-bit operating systems:

  msiexec /x {A9FCA39D-B6D8-49B2-B65B-5751DDE4B47A} /qn

• For 64-bit operating systems:

  msiexec /x {C73EA50B-F327-4DB0-82C7-FC83035EE66B} /qn

To uninstall Kaspersky Embedded Systems Security for Windows Console, run the following command:

msiexec /x esstools.msi /qn

or

msiexec /x {D9779DB9-91D6-46D0-84D2-ACC3781EC0DB} /qn

To uninstall Kaspersky Embedded Systems Security for Windows from a device on which password protection is enabled, perform the following command:

• For 32-bit operating systems:

  msiexec /x {A9FCA39D-B6D8-49B2-B65B-5751DDE4B47A} UNLOCK_PASSWORD=*** /qn

• For 64-bit operating systems:

  msiexec /x {C73EA50B-F327-4DB0-82C7-FC83035EE66B} UNLOCK_PASSWORD=*** /qn

[Topic 147706]

Return codes

The table below contains a list of command-line return codes.

Return codes

Page top

[Topic 147707]

Installing and uninstalling the application using Kaspersky Security Center

This section contains information about installing Kaspersky Embedded Systems Security for Windows using Kaspersky Security Center, a description of the procedure for installing and uninstalling Kaspersky Embedded Systems Security for Windows through Kaspersky Security Center, and a description of actions to be taken after Kaspersky Embedded Systems Security for Windows is installed.

[Topic 147708]

General information about installing via Kaspersky Security Center

You can install Kaspersky Embedded Systems Security for Windows via Kaspersky Security Center using the remote installation task.

After the remote installation task is complete, Kaspersky Embedded Systems Security for Windows will be installed with identical settings on multiple protected devices.

All protected devices can be combined in a single administration group, and a group task can be created to install Kaspersky Embedded Systems Security for Windows on the protected devices in this group.

You can create a task to remotely install Kaspersky Embedded Systems Security for Windows on a set of protected devices that are not in the same administration group. When creating this task, you must generate the list of individual protected devices that Kaspersky Embedded Systems Security for Windows should be installed on.

Detailed information on the remote installation task is provided in Kaspersky Security Center Help.

[Topic 147709]

Rights to install or uninstall Kaspersky Embedded Systems Security for Windows

The account specified in the remote installation (removal) task must be included in the administrators group on each of the protected devices in all cases except those described below:

• If the Kaspersky Security Center Network Agent is already installed on the protected devices on which Kaspersky Embedded Systems Security for Windows is to be installed (regardless of which domain the protected devices are in or whether they belong to any domain).

  If the Network Agent is not yet installed on the protected devices, you can install it with Kaspersky Embedded Systems Security for Windows using a remote installation task. Before installing the Network Agent, make sure that the account you want to specify in the task is included in the administrators group on each of the protected devices.

• All protected devices on which you want to install Kaspersky Embedded Systems Security for Windows are in the same domain as the Administration Server, and the Administration Server is registered as the Domain Admin account (if this account has local administrator rights on the protected devices within the domain).

By default, when using the Forced installation method, the remote installation task is run from the account running the Administration Server.

When working with group tasks or with tasks for sets of protected devices under forced installation (uninstallation) mode, an account must have the following rights on the protected device:

• Right to execute applications remotely.
• Rights to the Admin$ share.
• Right to Log on as a service.

[Topic 147715]

Installing Kaspersky Embedded Systems Security for Windows via Kaspersky Security Center

Detailed information about generating an installation package and creating a remote installation task is provided in the Kaspersky Security Center Implementation Guide.

If you intend to manage Kaspersky Embedded Systems Security for Windows via Kaspersky Security Center in the future, make sure that the following conditions are met:

• The protected device where the Kaspersky Security Center Administration Server is installed also has the Administration Plug-in installed (\exec\klcfginst.exe file in the Kaspersky Embedded Systems Security for Windows distribution kit).
• Kaspersky Security Center Network Agent is installed on protected devices. If Kaspersky Security Center Network Agent is not installed on protected devices, you can install it together with Kaspersky Embedded Systems Security for Windows using a remote installation task.

Devices can also be combined into an administration group in order to later manage the protection settings using Kaspersky Security Center policies and group tasks.

To install Kaspersky Embedded Systems Security for Windows using a remote installation task via Kaspersky Security Center:

1. In the Kaspersky Security Center Administration Console expand the Advanced node.
2. Expand the Remote installation child node.
3. In the results pane of the Installation packages child node, click the Create installation package button.
4. Select the Create installation package for a Kaspersky application installation package type.
5. Enter the new installation package name.
6. Specify the ess.kud file located in Kaspersky Embedded Systems Security for Windows distribution kit \exec folder as the installation package file.

   The End User License Agreement and Privacy Policy window opens.

7. If you agree to the terms and conditions of End User License Agreement and Privacy Policy, select the I confirm that I have fully read, understood, and accept the terms and conditions of this End User License Agreement and I am aware and agree that my data will be handled and transmitted (including to third countries) as described in the Privacy Policy. I confirm that I have fully read and understand the Privacy Policy check boxes in order to proceed with the installation.

   You must accept the License Agreement and the Privacy Policy to proceed.

8. To change the set of Kaspersky Embedded Systems Security for Windows components to be installed and the default installation settings in the installation package:
   1. In Kaspersky Security Center, expand the Remote installation node.
   2. In the results pane of the Installation packages child node, open the context menu of the created Kaspersky Embedded Systems Security for Windows installation package and select Properties.
   3. In the Properties: <name of installation package> window open the Settings section.
   4. In the Components to install settings group, select the check boxes next to the names of the Kaspersky Embedded Systems Security for Windows components you want to install.
   5. If necessary, change the run mode for Real-Time File Protection:
      1. Click the button to the right of the Real-Time File Protection check box.
      2. In the Selecting security level window, select the required option from the Security level drop-down list.
   6. To automatically install patches if included in the application distribution kit:
      1. Click About limited warranty.

         The Limited warranty Statement window opens.

      2. Please read the Disclaimer.
      3. If you accept the terms of the Disclaimer, select I confirm that I have fully read, understand, and accept the terms and conditions of this Limited warranty Statement check box.
      4. Click the OK button.
      5. In the installation package settings section, select Automatically install patches check box.
   7. In order to indicate a destination folder other than the default one, specify the folder name and path in the Destination folder field.

      The path to the destination folder may contain system environment variables. If the folder does not exist on the protected device, it will be created.

   8. In the Advanced installation settings group, configure the following settings:
      • Scan protected device for viruses before installation

        

        Select the Scan protected device for viruses before installation check box to scan system memory and the boot sectors of the protected device local drives for threats.

        .
      • Enable real-time protection after installation of application.
      • Add Microsoft recommended files to exclusions list.
      • Add Kaspersky recommended files to exclusions list.
      • Make KSC Agent use less resources.
      • Perform the recommended action during the scan at OS startup.
   9. To import Kaspersky Embedded Systems Security for Windows settings from an existing configuration file created in a compatible earlier version of the application, specify the path to the configuration file in the Configuration file field.
   10. In the Properties: <name of installation package> window, click OK.
9. In the Installation packages node create a task to remotely install Kaspersky Embedded Systems Security for Windows on the selected protected devices (administration group).
10. Configure the Kaspersky Embedded Systems Security for Windows remote installation task.

    To learn more about creating and configuring remote installation tasks, see the Kaspersky Security Center Help.

11. Run the Kaspersky Embedded Systems Security for Windows remote installation task.

Kaspersky Embedded Systems Security for Windows will be installed on the protected devices specified in the task.

[Topic 148299]

Actions to perform after Kaspersky Embedded Systems Security for Windows installation

After you install Kaspersky Embedded Systems Security for Windows, we recommend that you update Kaspersky Embedded Systems Security for Windows databases on the devices, and perform a Critical Areas Scan of the devices if no anti-virus applications with enabled real-time protection were installed on the devices before installation of Kaspersky Embedded Systems Security for Windows.

If the protected devices on which Kaspersky Embedded Systems Security for Windows was installed are part of the same administration group in the Kaspersky Security Center, you can perform these tasks using the following methods:

1. Create Database Update tasks for the group of protected devices on which Kaspersky Embedded Systems Security for Windows was installed. Set the Kaspersky Security Center Administration Server as the update source.
2. Create an On-Demand Scan group task with the Critical Areas Scan status. Kaspersky Security Center evaluates the security status of each protected device in the group based on the results of this task, not based on the results of the Critical Areas Scan task.
3. Create a new policy for the group of protected devices. In the policy properties, in the Application settings section, deactivate the scheduled start of local system on-demand scan tasks and the Database Update tasks on the administration group's protected devices in the settings of the Run local system tasks subsection.

You can also configure administrator notifications about Kaspersky Embedded Systems Security for Windows events.

[Topic 147726]

Installing the Application Console via Kaspersky Security Center

Detailed information about creating an installation package and a remote installation task is provided in the Kaspersky Security Center Implementation Guide.

To install the Application Console using a remote installation task:

1. In the Kaspersky Security Center Administration Console expand the Advanced node.
2. Expand the Remote installation child node.
3. Create an installation package:
   1. In the results pane of the Installation packages child node, click the Create installation package button.
   2. In the New Package Wizard window, select Create installation package for specified executable file as a package type.
   3. Enter the new installation package name.
   4. Select the \console\setup.exe file from the Kaspersky Embedded Systems Security for Windows distribution kit folder and select the Copy entire folder to the installation package check box.
   5. In the Executable file launch settings (optional) field, set EULA=1. Otherwise, it is impossible to install components.

      /s /p "EULA=1"

   6. If necessary, in the Executable file launch settings (optional) field, you can specify the ADDLOCAL command-line parameter to change the set of components to be installed, and the INSTALLDIR command-line parameter to specify a destination folder other than the default one. For example, to perform a standalone installation of the Application Console in the C:\KasperskyConsole folder, use the following command-line option:

      /s /p "INSTALLDIR=C:\KasperskyConsole EULA=1"

4. In the Installation packages child node, create a task to remotely install the Application Console on the selected protected devices (administration group).
5. Configure the task settings.

   To learn more about creating and configuring remote installation tasks, see the Kaspersky Security Center Help.

6. Run the remote installation task.

The Application Console is installed on the protected devices specified in the task.

[Topic 147729]

Uninstalling Kaspersky Embedded Systems Security for Windows via Kaspersky Security Center

Dump and trace files are not deleted on uninstalling Kaspersky Embedded Systems Security for Windows. You can manually delete dump and trace files from the folder specified during the configuration of dump and trace files writing.

If management of Kaspersky Embedded Systems Security for Windows on network devices is password protected, enter the password when creating a task to uninstall multiple applications. If the password protection is not managed centrally by a Kaspersky Security Center policy, Kaspersky Embedded Systems Security for Windows will be successfully uninstalled from the devices, on which the entered password matched the set value. Kaspersky Embedded Systems Security for Windows will not be uninstalled from other protected devices.

To uninstall Kaspersky Embedded Systems Security for Windows:

1. In the Kaspersky Security Center Administration Console, create and start an application removal task.
2. In the task, select the uninstallation method (similar to selecting the installation method; see the previous section) and specify the account that Administration Server will use to access the protected devices. You can uninstall Kaspersky Embedded Systems Security for Windows with only the default uninstallation settings.

[Topic 147730]

Installing and uninstalling via Active Directory group policies

This section describes how to install and uninstall Kaspersky Embedded Systems Security for Windows through Active Directory group policies, as well as information on the actions that must be performed after installing Kaspersky Embedded Systems Security for Windows through group policies.

[Topic 147731]

Installing Kaspersky Embedded Systems Security for Windows via Active Directory group policies

You can install Kaspersky Embedded Systems Security for Windows on several protected devices via the Active Directory group policy. You can install the Application Console the same way.

The protected devices on which you want to install Kaspersky Embedded Systems Security for Windows or the Application Console must be in the same domain and a single organizational unit.

The operating systems on the protected devices on which you want to install Kaspersky Embedded Systems Security for Windows using the policy must be of the same bitness (32-bit or 64-bit).

You must have domain administrator rights.

To install Kaspersky Embedded Systems Security for Windows, use the ess_x86.msi or ess_x64.msi installation package. To install the Application Console, use the esstools.msi installation package.

Detailed information about the use of Active Directory group policies is provided in the documentation supplied by Microsoft.

To install Kaspersky Embedded Systems Security for Windows or the Application Console:

1. Save ess_x64(or x86).msi to a shared folder on the domain controller.
2. Save the key file in the same public folder on the domain controller.
3. In the same shared folder on the domain controller, create an install_props.json file that contains the lines below. This signifies that you agree to the terms of the End User License Agreement and Privacy Policy.

   {

   "EULA": "1",

   "PRIVACYPOLICY": "1"

   }

4. On the domain controller create a new policy for the group that the protected devices belong to.
5. Using the Group Policy Object Editor, create a new installation package in the Computer Configuration node. Specify the path to the msi file for Kaspersky Embedded Systems Security for Windows (or Application Console) in UNC (Universal Naming Convention) format.
6. Select the Windows Installer's Always install with elevated privileges check box in both the Computer Configuration node and in the User Configuration node of the selected group.
7. Apply the changes using the gpupdate / force command.

Kaspersky Embedded Systems Security for Windows will be installed on the protected devices of the group after they have been restarted.

[Topic 147666]

Actions to perform after Kaspersky Embedded Systems Security for Windows installation

After installing Kaspersky Embedded Systems Security for Windows on the protected devices, it is recommended that you immediately update the application databases and run a Critical Areas scan. You can perform these actions from the Application Console.

You can also configure administrator notifications about Kaspersky Embedded Systems Security for Windows events.

[Topic 147732]

Uninstalling Kaspersky Embedded Systems Security for Windows via Active Directory group policies

Dump and trace files are not deleted on uninstalling Kaspersky Embedded Systems Security for Windows. You can manually delete dump and trace files from the folder specified during the configuration of dump and trace files writing.

If you used an Active Directory group policy to install Kaspersky Embedded Systems Security for Windows (or the Application Console) on the group of protected devices, you can use this policy to uninstall Kaspersky Embedded Systems Security for Windows (or the Application Console).

You can uninstall the application only with the default uninstallation parameters.

Detailed information about the use of Active Directory group policies is provided in the documentation supplied by Microsoft.

If application management is password protected, you cannot uninstall Kaspersky Embedded Systems Security for Windows using Active Directory group policies.

To uninstall Kaspersky Embedded Systems Security for Windows (or the Application Console):

1. On the domain controller, select the organizational unit from whose protected devices you want to uninstall Kaspersky Embedded Systems Security for Windows or the Application Console.
2. Select the policy created for the installation of Kaspersky Embedded Systems Security for Windows and in the Group Policies Object Editor, in the Software installation node (Computer Configuration > Software Settings > Software installation) open the context menu of the Kaspersky Embedded Systems Security for Windows (or the Application Console) installation package and select the All tasks > Remove command.
3. Select the uninstallation method Immediately uninstall the software from users and computers.
4. Apply the changes using the gpupdate /force command.

Kaspersky Embedded Systems Security for Windows is removed from the protected devices after they are restarted and before logging in to Microsoft Windows.

[Topic 147733]

Checking Kaspersky Embedded Systems Security for Windows functions. Using the EICAR test virus

This section describes the EICAR test virus and how to use the EICAR test virus to check the Real-Time File Protection and On-Demand Scan features of Kaspersky Embedded Systems Security for Windows.

[Topic 147734]

About the EICAR test virus

This test virus is designed to verify the operation of anti-virus applications. It was developed by the European Institute for Computer Antivirus Research (EICAR).

The test virus is not a malicious object and does not contain executable code for your device, but most vendors' anti-virus applications identify it as a threat.

The file containing this test virus is called eicar.com. You can download it from the EICAR website.

Before saving the file in a folder on the device's hard drive, make sure that Real-Time File Protection is disabled on that drive.

The eicar.com file contains a line of text. When scanning the file Kaspersky Embedded Systems Security for Windows detects the test threat in this line of text, assigns the Infected status to the file, and deletes it. Information about the threat detected in the file will appear in the Application Console and in the task log.

You can use the eicar.com file to check how Kaspersky Embedded Systems Security for Windows disinfects the infected objects and how it detects probably infected objects. To do this, open the file using a text editor, add one of the prefixes listed in the table below to the beginning of the line of text in the file, and save the file with a new name, such as eicar_cure.com.

To make sure that Kaspersky Embedded Systems Security for Windows processes the eicar.com file with a prefix, in the Objects protection security settings section, set the All objects value for the Real-Time Computer Protection tasks and Default On-Demand Scan tasks of Kaspersky Embedded Systems Security for Windows.

Prefixes in EICAR files

Page top

[Topic 147735]

Checking the Real-Time File Protection and On-Demand Scan features

After installing Kaspersky Embedded Systems Security for Windows, you can confirm that Kaspersky Embedded Systems Security for Windows detects objects containing malicious code. To do this, use the EICAR test virus.

To check the Real-Time File Protection feature:

1. Download the eicar.com file from the EICAR website. Save it in a shared folder on the local drive of any device on the network.

   Before you save the file to the folder, make sure that Real-Time File Protection is disabled for the folder.

2. If you want to check that network user notifications are working, make sure that the Microsoft Windows Messenger Service is enabled both on the protected device and on the device where you saved the eicar.com file.
3. Open the Application Console on the protected device.
4. Copy the saved eicar.com file to the local drive of the protected device using one of the following methods:
   • To test notifications through a Terminal Services window, copy the eicar.com file to the protected device after connecting to the protected device using the Remote Desktop Connection utility.
   • To test notifications through the Microsoft Windows Messenger Service, use the device's network places to copy the eicar.com file from the device where you saved it.

Real-Time File Protection is working correctly if the following conditions are met:

• The eicar.com file is deleted from the protected device.
• In the Application Console, the task log gets the Critical status. The log has a new line with information about a threat in the eicar.com file.
• The following Microsoft Windows Messenger Service message appears on the device from which you copied the file: Kaspersky Embedded Systems Security for Windows blocked access to <path to file on the device>\eicar.com on computer <network name of the device> at <time that event occurred>. Reason: Threat detected. Virus: EICAR-Test-File. User name: <user name>. Computer name: <network name of the device from which you copied the file>.

  Make sure that the Microsoft Windows Messenger Service is running on the device from which you copied the eicar.com file.

To check the On-Demand Scan feature:

1. Download the eicar.com file from the EICAR website. Save it in a shared folder on the local drive of any device on the network.

   Before you save the file to the folder, make sure that Real-Time File Protection is disabled for the folder.

2. Open the Application Console and expand the On-Demand Scan node in the Application Console tree.
3. Select the Critical Areas Scan child node.
4. On the Scan scope settings tab, open the context menu on the Network node and select Add network file.
5. Enter the network path to the eicar.com file on the remote device in UNC (Universal Naming Convention) format.
6. Select the Path to object check box to include the added network path in the scan scope.
7. Run the Critical Areas Scan task.

The On-Demand Scan is working as it should if the following conditions are met:

• The eicar.com file is deleted from the device's hard drive.
• In the Application Console, the task log gets the Critical status. The Critical Areas Scan task log has a new line with information about a threat in the eicar.com file.

[Topic 147904]

Application interface

You can control Kaspersky Embedded Systems Security for Windows using the following interfaces:

• Local Application Console.
• Kaspersky Security Center Administration Console.
• Kaspersky Security Center Web Console.
• Kaspersky Security Center Cloud Console.

Kaspersky Security Center Administration Console

Kaspersky Security Center lets you remotely install and uninstall, start and stop Kaspersky Embedded Systems Security for Windows, configure application settings, change the set of available application components, add keys, and start and stop tasks.

The application can be managed via Kaspersky Security Center using the Kaspersky Embedded Systems Security for Windows Administration Plug-in. See detailed information about the Kaspersky Security Center interface in the Kaspersky Security Center Help.

Kaspersky Security Center Web Console and Cloud Console

Kaspersky Security Center Web Console (hereinafter also referred to as Web Console) is a web application intended for centrally performing the main tasks to manage and maintain the security system of an organization's network. Web Console is a Kaspersky Security Center component that provides a user interface. For detailed information about Kaspersky Security Center Web Console, please refer to the Kaspersky Security Center Help.

Kaspersky Security Center Cloud Console (hereinafter also referred to as the Cloud Console) is a cloud-based solution for protecting and managing an organization's network. For detailed information about Kaspersky Security Center Cloud Console, please refer to the Kaspersky Security Center Cloud Console Help.

Web Console and Cloud Console let you do the following:

• Monitor the status of your organization's security system.
• Install Kaspersky applications on devices within your network.
• Manage installed applications.
• View reports on the security system status.

[Topic 147905]

Application licensing

This section provides information about the main concepts related to licensing of the application.

[Topic 147752]

About the End User License Agreement

The End User License Agreement is a binding agreement between you and AO Kaspersky Lab, stipulating the terms on which you may use the application.

Carefully review the terms of the End User License Agreement before you start using the application.

You can read the terms of the End User License Agreement and the Privacy Policy, that describes processing and transmission of data, in the following ways:

• During the installation of Kaspersky Embedded Systems Security for Windows Console.
• From the Start menu (All programs > Kaspersky Embedded Systems Security for Windows > EULA and Privacy Policy) after the installation.
• During the installation of Kaspersky Fraud Prevention Cloud.
• By reading the file license.txt document included in the distribution kit.
• On the Kaspersky web site (https://www.kaspersky.ru/business/eula).

By confirming that you agree with the End User License Agreement when installing the application, you signify your acceptance of the terms of the End User License Agreement. If you do not accept the terms of the End User License Agreement, you must abort application installation and must not use the application.

[Topic 147755]

About the license

A license is a time-limited right to use the application, granted under the End User License Agreement.

A valid license entitles you to receive use of the application in accordance with the terms of the End User License Agreement as well as receive technical support when necessary.

The scope of service and the period of application use depend on the type of license used to activate the application.

You can activate the application in two ways:

• Using a key file, which grants you the usage under the commercial license
• Using an activation code to purchase a commercial license.

You can purchase a Kaspersky Embedded Systems Security for Windows standard license or Kaspersky Embedded Systems Security for Windows Compliance Edition extended license, which includes two additional system inspection components: File Integrity Monitor and Log Inspection.

When a commercial license expires, the application continues to run, but the following features become unavailable:

• Integrating with Kaspersky Security Network
• Kaspersky Embedded Systems Security for Windows database update.

If the license key is removed, the application will continue to run. If you remove a license, the application continues to run; the On-Demand Scan and Real-Time File Protection tasks remain available, but all other tasks and Kaspersky Embedded Systems Security for Windows database updates will be unavailable. The same happens if Kaspersky adds your license to the denylist.

To continue using all Kaspersky Embedded Systems Security for Windows features, you must renew your the license.

To ensure maximum protection of your device, we recommend that you renew the license before it expires.

Make sure that the expiration date for the additional key is later than for the active one

[Topic 147760]

About license certificate

A license certificate is a document that you receive along with a key file or an activation code (if applicable).

A license certificate contains the following information about the current license:

• Order number
• Information about the user who has been granted the license
• Information about the application that can be activated under the license provided
• Limit of the number of licensing units (e.g., devices on which the application or individual software components can be used under the license provided)
• License validity start date
• License expiration date or license term
• License type

[Topic 147906]

About the key

A key is a sequence of bits with which you can activate and subsequently use the application in accordance with the terms of the End User License Agreement. A key is generated by Kaspersky.

You can add a key to the application by using a key file. After you add a key to the application, the key is displayed in the application interface as a unique alphanumeric sequence.

Kaspersky can add a key to the denylist due to violations of the License Agreement. If your key is blocked, a different key must be added in order for the application to work.

A key may be an "active key" or an "additional key".

An active key is the key that the application currently uses to function. A key for a commercial or trial license may be added as the active key. The application can have no more than one active key.

An additional key is a key that confirms the right to use the application but is not currently in use. An additional key automatically becomes active when the license associated with the current active key expires. An additional key may be added only if there is an active key.

[Topic 69431]

About the key file

A key file is a file with the .key extension, provided to you by Kaspersky. Key files are designed to add a key that activates the application.

You receive a key file via email after purchasing Kaspersky Embedded Systems Security for Windows or ordering the trial version of Kaspersky Embedded Systems Security for Windows.

You do not need to connect to Kaspersky activation servers in order to activate the application with a key file.

You can restore a key file if it has been accidentally deleted. You may need a key file to register with Kaspersky CompanyAccount.

To recover a key file, you should perform any of the following actions:

• Contact the license vendor.
• Obtain a key file from the Kaspersky website based on the available activation code.

[Topic 176582]

About activation code

An activation code is a unique sequence of 20 letters and numbers. You have to enter an activation code in order to add a key for activating Kaspersky Embedded Systems Security for Windows. You receive the activation code at the email address that you provided when you bought Kaspersky Embedded Systems Security for Windows or ordered the trial version of Kaspersky Embedded Systems Security for Windows.

To activate the application with an activation code, you need Internet access in order to connect to Kaspersky activation servers.

If you have lost your activation code after installing the application, it can be recovered. You may need the activation code to register a Kaspersky CompanyAccount, for example. To recover your activation code, contact the Kaspersky Lab partner from whom you purchased the license.

[Topic 147908]

About data provision

The License Agreement for Kaspersky Embedded Systems Security for Windows, specifically the section entitled "Terms of data processing", specifies the terms, liability, and procedure for sending and processing the data indicated in this Guide. Before accepting the License Agreement, carefully review its terms as well as all documents linked to by the License Agreement.

The data Kaspersky receives from you when you use the application is protected and processed in accordance with the Privacy Policy available at www.kaspersky.com/Products-and-Services-Privacy-Policy.

The terms of the License Agreement and Privacy Policy are available during installation of Kaspersky Embedded Systems Security for Windows as a part of distribution kit and from the Start menu (All programs > Kaspersky Embedded Systems Security for Windows > EULA and Privacy Policy) after the installation.

During the Kaspersky Embedded Systems Security for Windows uninstallation, all the data stored by Kaspersky Embedded Systems Security for Windows on the protected device is deleted.

By accepting the terms of the End User License Agreement, you agree to automatically send the following data to Kaspersky:

• To support the mechanism for receiving updates – information about the installed application and its activation: identifier of the application being installed and its full version, including build number, type, and license identifier, installation identifier, update task identifier.
• To use the ability to navigate to Knowledge Base articles when application errors occur (Redirector service) – information about the application and link type: the name, locale, and full version number of the application, type of redirecting link, and error identifier.
• To manage confirmations for data processing – information about the status of acceptance of license agreements and other documents, that stipulate data transferring terms: identifier and version of the License Agreement or other document, as a part of which the data processing terms are accepted or declined; an attribute, signifying the user’s action (confirmation or recall of the terms acceptance); date and time of status changes of the data processing terms acceptance.

Local data processing

While executing the application's primary functions described in this Guide, Kaspersky Embedded Systems Security for Windows locally processes and stores a set of data on the protected device.

The table below contains information about local processing and storing by Kaspersky Embedded Systems Security for Windows of data contained in reports.

Processing and storing of data contained in reports

Kaspersky Embedded Systems Security for Windows does not delete events in the Windows Event Log including events that occur when uninstalling Kaspersky Embedded Systems Security for Windows.

In order to provide event registration functionality, Kaspersky Embedded Systems Security for Windows processes the following data locally:

• Names, checksums (MD5, SHA-256) and attributes of processed files and full paths to them on the scanned media.
• Actions taken on scanned files by Kaspersky Embedded Systems Security for Windows.
• User actions taken on scanned files on the protected device.
• Information about accounts of users performing any actions on the protected network or protected device.
• Device Instance Path values for devices added to the Device Control rules.
• Information about processes and scripts running on the system: checksums (MD5, SHA-256) and full paths to executable files, information about digital certificates.
• Windows Firewall settings.
• Windows Event Log entries.
• Names of user accounts taking actions on scanned files on the protected device.
• Instances of executable files being started, and the types, names, checksums, and attributes of these files.
• Information about network activity:
  • The IP addresses of blocked external devices.
  • Processed IP addresses.
• Information about the Windows USN Journal status.

The following table contains information about the service data processed by the Kaspersky Embedded Systems Security for Windows. The service data includes: program parameters, quarantined and backup files, information in the program’s service databases, license data.

The table below contains information about local processing and storing by Kaspersky Embedded Systems Security for Windows of data about parameters specified by a user.

Processing and storing of data about parameters specified by a user

For the specified purposes, Kaspersky Embedded Systems Security for Windows processes the following data locally:

• Objects placed in Quarantine or Backup.
• Information about user accounts (usernames and passwords) under which Kaspersky Embedded Systems Security for Windows runs tasks.
• Kaspersky Embedded Systems Security for Windows password.
• IP addresses and identifiers of blocked logon sessions.
• Windows Firewall settings and Windows Firewall rules settings.
• Checksums (MD5, SHA-256) and paths to executable files added to the Application Launch Control task rules.
• Device Instance Path values for devices added to the Device Control rules.
• Information about files and folders included in scopes of Kaspersky Embedded Systems Security for Windows tasks.
• IP addresses included or excluded from the protection scope.
• Information about events in the Windows Event Log.
• Information about detections with the use of iSwift or iChecker technology.
• Checksums (MD5, SHA-256), full paths and masks specified in exclusions settings.
• Information about processes added to the Trusted Zone.
• Information about added license keys.
• Information about digital certificates.
• Files unpacked from an archive or other composite object during the scan.

Kaspersky Embedded Systems Security for Windows processes and stores data as part of the application's basic functionality, including to log application events and receive diagnostic data. Locally processed data is protected in accordance with the configured and applied application settings.

Kaspersky Embedded Systems Security for Windows lets you configure the level of protection for data processed locally (Managing access permissions for Kaspersky Embedded Systems Security for Windows functions, Event registration. Kaspersky Embedded Systems Security for Windows logs). You can change user privileges to access processed data, change data retention periods for such data, entirely or partially disable functionality that involves data logging, and change the path and attributes of the folder on the drive where data is logged.

The data processed by the application locally is not automatically sent to Kaspersky or other third-party systems.

By default, all data locally processed by the application during operation is removed after Kaspersky Embedded Systems Security for Windows is uninstalled from the protected device.

Files with diagnostic information (trace and dump files), application events in the Windows Event Log, and files with exported Kaspersky Embedded Systems Security for Windows settings are an exception. We recommend that you delete these files manually.

You can find the detailed information about working with files containing diagnostic data of the application in the corresponding sections of this Guide.

You can delete Windows Event Log files containing Kaspersky Embedded Systems Security for Windows application events using standard operating system tools.

Local data processing by means of the application auxiliary components

The Kaspersky Embedded Systems Security for Windows installation package comprises the application auxiliary components, which can be installed on your device even if Kaspersky Embedded Systems Security for Windows is not installed on it. Such auxiliary components are:

• The Application Console. This component is included as part of Kaspersky Embedded Systems Security for Windows Administration Tools and is a Microsoft Management Console snap-in.
• The Administration Plug-in. This component provides a full integration with Kaspersky Security Center application.

While performing the main functions of the application described in this Guide, the application auxiliary components locally process and store a set of data on the protected device where they are installed, even if they are installed separately from Kaspersky Embedded Systems Security for Windows.

The application components locally process and store the following data:

• The Application Console: the name of the protected device with Kaspersky Embedded Systems Security for Windows installed (IP address or domain name) to which the Application Console last connected remotely; display parameters configured in the Microsoft Management Console snap-in; data about the last folder in which the user selected objects via the Application Console (using a system dialog opened by clicking the Browse button). The Application Console trace files can also contain the following data: the name of the protected device with Kaspersky Embedded Systems Security for Windows installed to which the remote connection was established, the name of the user account under which the remote connection was established.
• The Administration Plug-in can process and temporarily store data processed by Kaspersky Embedded Systems Security for Windows; for example, configured settings of application tasks and components, settings of Kaspersky Security Center policies, data sent in network lists.

The table below contains information about local processing and storing by Kaspersky Embedded Systems Security for Windows of data written in dump and trace files.

Kaspersky Embedded Systems Security for Windows locally processes and stores the following data written in dump and trace files:

• Information about actions performed by Kaspersky Embedded Systems Security for Windows on the protected device.
• Information about objects processed by Kaspersky Embedded Systems Security for Windows.
• Information about activity on the protected device that is processed by Kaspersky Embedded Systems Security for Windows.
• Information about errors that occurred during the running of Kaspersky Embedded Systems Security for Windows.

The data processed by the auxiliary components is not automatically sent to Kaspersky or other third-party systems.

By default, all data locally processed by the application auxiliary components during the operation is deleted after removal of these components.

The exception is trace files of auxiliary application components. We recommend that you delete these files manually.

Data in trace and dump files

Kaspersky Embedded Systems Security for Windows can, in accordance with the settings, write debug information to trace files for the purposes of technical support during the operation of Kaspersky Embedded Systems Security for Windows.

Kaspersky Embedded Systems Security for Windows dump files are generated by the operating system during application crashes and are overwritten by the next crash.

Trace and dump files can include any personal data of a user or confidential data of your organization.

Do not use Kaspersky Embedded Systems Security for Windows on devices for which data submission is prohibited by the policy of your organization.

By default, Kaspersky Embedded Systems Security for Windows does not record debug information.

Trace and dump files are not automatically submitted beyond the host on which they were generated. The content of trace files can be viewed using standard text file viewers. Trace and dump files are kept indefinitely and are not deleted when uninstalling Kaspersky Embedded Systems Security for Windows.

Debug information can be useful for Technical Support.

No special mechanisms are provided for limiting access to trace and dump files. The administrator can configure this data to be written to a protected folder.

The path to the trace and dump file folder is not configured by default. To use the trace and dump folder, the administrator must specify it.

Data in trace and dump files can contain:

• Information about actions performed by Kaspersky Embedded Systems Security for Windows on the protected device.
• Information about objects processed by Kaspersky Endpoint Agent.
• Errors arising during the operation of Kaspersky Endpoint Agent.

[Topic 147777]

Activating the application with a key file

You can activate Kaspersky Embedded Systems Security for Windows by applying a key file.

If an active key has already been added to Kaspersky Embedded Systems Security for Windows and you add another key as the active key, the new key replaces the previously added key. The previously added key is removed.

If an additional key has already been added to Kaspersky Embedded Systems Security for Windows and you add another key as an additional key, the new key replaces the previously added key. The previously added additional key is removed.

If an active key and an additional key have already been added to Kaspersky Embedded Systems Security for Windows and you add a new key as the active key, the new key replaces the previously added active key; the additional key is not removed.

To activate Kaspersky Embedded Systems Security for Windows using a key file:

1. In the Application Console tree, expand the Licensing node.
2. In the results pane of the Licensing node, click the Add key link.
3. In the window that opens, click the Browse button.
4. Select a key file with the .key extension.

   You can also add a key as an additional key. To add a key as an additional key, select the Use as additional key check box.

5. Click the OK button.

The selected key file will be applied. Information about the added key will be available on the Licensing node.

[Topic 183078]

Activating the application with an activation code

To activate the application using an activation code, the protected device must be connected to the internet.

You can activate Kaspersky Embedded Systems Security for Windows by using an activation code.

When activating the application with this method, Kaspersky Embedded Systems Security for Windows sends data to the activation server to verify the entered code:

• If the activation code verification is successful, the application is activated.
• If the activation code verification fails, the corresponding notification is displayed. In this case, you must contact the software vendor from whom you purchased your Kaspersky Embedded Systems Security for Windows license.
• If the number of activations with the activation code is exceeded, the corresponding notification is displayed. The application activation procedure is interrupted, and the application prompts you to contact Technical Support.

You can activate Kaspersky Embedded Systems Security for Windows with an activation code using the Application Console, or by creating the Activation of the Application group task via the Administration Plug-in or via the Web Plug-in.

To activate Kaspersky Embedded Systems Security for Windows with an activation code using the Application Console:

1. In the Application Console tree, expand the Licensing node.
2. In the results pane of the Licensing node, click the Add activation code link.
3. In the window that opens, enter the activation code in the Activation code field.
   • If you want to use the activation code as an additional key, enable Use as additional key check box.
   • To view information about a license, click the Show license information button. The information will be displayed in the License information block.
4. Click the OK button.

   Kaspersky Embedded Systems Security for Windows sends information about the applied activation code to the activation server.

[Topic 147778]

Viewing information about current license

Viewing licensing information

Information about the status of the current license is displayed in the details pane of the Kaspersky Embedded Systems Security node of the Application Console. A key can have the following statuses:

• Checking the key status – Kaspersky Embedded Systems Security for Windows is checking the applied key file or activation code and waiting for a response about the current key status.
• License expiration date – Kaspersky Embedded Systems Security for Windows has been activated until the specified date and time. The key status is highlighted in yellow in the following cases:
  • The license will expire in 14 days and no additional key has been applied.
  • The added key has been added to the denylist and is about to be blocked.
• License has expired – Kaspersky Embedded Systems Security for Windows is not activated because the license has expired. The status is highlighted in red.
• End User License Agreement has been violated – Kaspersky Embedded Systems Security for Windows is not activated because the terms of the End User License Agreement have been violated. The status is highlighted in red.
• Key is in denylist – The added key has been blocked and added to the denylist by Kaspersky, for example, if the key has been used by third parties to activate the application illegally. The status is highlighted in red.

Viewing information about current license

To view the information about the current license,

in the Application Console tree, expand the Licensing node.

General information about the current license is displayed in the details pane of the Licensing node (see the table below).

General information about the license in the Licensing node

To view the detailed information about license,

on the Licensing node, open the context menu on the line with license data that you want to expand and select Properties.

In the Key properties window, the General tab displays detailed information about the current license, and the Advanced tab displays information about the customer and the contact details of Kaspersky or the retailer from whom you purchased Kaspersky Embedded Systems Security for Windows (see the table below).

Detailed license information in the Properties: <Activation code status or key status> window

Page top

[Topic 158985]

Functional limitations when the license expires

When the current license expires, the following limitations are applied to the functional components:

• All tasks are stopped, except the Real-Time File Protection, On-Demand Scan, Application Integrity Control and Network Threat Protection tasks.
• You cannot start any tasks except for Real-Time File Protection, On-Demand Scan, Application Integrity Control and Network Threat Protection tasks. These tasks continue to run using the old anti-virus databases.
• Exploit Prevention functionality is limited:
  • Processes are protected until they are restarted.
  • New processes cannot be added to the protection scope.

Other functions (repositories, logs, diagnostic information) are still available.

[Topic 147787]

Renewing license

By default, Kaspersky Embedded Systems Security for Windows notifies you when the license has 14 days remaining before expiration. In this case, the License expiration date status is highlighted in yellow in the results pane of the Kaspersky Embedded Systems Security for Windows node.

You can renew the license before the expiration date using an additional key. This ensures that your device remains protected after expiration of the current license and before you activate the application with a new license.

To renew a license:

1. Obtain a new activation code or a key file.
2. In the Application Console tree, select the Licensing node.
3. Perform one of the following actions in the results pane of the Licensing node:
   • If you want to renew a license using a key file:
     1. Click the Add key link.
     2. In the window that opens, click the Browse button.
     3. Select a new key file with the .key extension.
     4. Select the Use as additional key check box.
   • If you want to renew a license using an activation code:
     1. Click the Add activation code link.
     2. Enter the purchased activation code in the window that opens.
     3. Select the Use as additional key check box.

   An Internet connection is required to apply an activation code.

4. Click the OK button.

The additional key will be added and automatically applied upon expiration of the current Kaspersky Embedded Systems Security for Windows license.

[Topic 147797]

Deleting the key

You can remove the added key.

If an additional key has been added to Kaspersky Embedded Systems Security for Windows and you remove the active key, the additional key automatically becomes the active key.

If you delete an added key, you can restore it by re-applying the key file.

To remove a key that has been added:

1. In the Application Console tree, select the Licensing node.
2. In the results pane of the Licensing node in the table containing information on added keys, select the key that you want to remove.
3. In the context menu of the line containing information on the selected key, select Remove.
4. Click the Yes button in the confirmation window to confirm that you want to delete the key.

The selected key will be removed.

[Topic 179987]

Working with the Administration Plug-in

This section provides information about the Kaspersky Embedded Systems Security for Windows Administration Plug-in and describes how to manage the application installed on a protected device or on a group of protected devices.

[Topic 146638]

Managing Kaspersky Embedded Systems Security for Windows from Kaspersky Security Center

You can centrally manage several protected devices that have Kaspersky Embedded Systems Security for Windows installed and are joined to the same administration group via the Kaspersky Embedded Systems Security for Windows Administration Plug-in. Kaspersky Security Center also lets you separately configure the settings of each protected device included in the administration group.

An administration group is created manually via Kaspersky Security Center. The group includes several devices with Kaspersky Embedded Systems Security for Windows installed for which you want to configure the same control and protection settings. For details on using administration groups, see Kaspersky Security Center Help.

Application settings for a single protected device are unavailable if the operation of Kaspersky Embedded Systems Security for Windows on the protected device is controlled by an active Kaspersky Security Center policy.

Kaspersky Embedded Systems Security for Windows can be managed from Kaspersky Security Center in the following ways:

• Using Kaspersky Security Center policies. Kaspersky Security Center policies can be used to remotely configure the same protection settings for a group of devices. Task settings specified in the active policy have priority over task settings configured locally in the Application Console or remotely in the Properties: <Protected device name> window of Kaspersky Security Center.

  Policies can be used to configure general application settings, settings for real-time computer protection tasks, activity control tasks on devices, and settings for starting local system tasks on a schedule.

• Using Kaspersky Security Center group tasks. Kaspersky Security Center group tasks allow remote configuration of common settings of tasks with an expiration period for a group of devices.

  You can use group tasks to activate the application, configure On-Demand Scan task settings, update task settings, and Rule Generator for Applications Launch Control task settings.

• Using tasks for a set of devices. Tasks for a set of devices allow remote configuration of common task settings with a limited execution period for protected devices that do not belong to any administration group.
• Using the properties window of a single device. In the Properties: <Protected device name> window, you can remotely configure the task settings for an individual protected device included in an administration group. You can also configure both general application settings and settings for all Kaspersky Embedded Systems Security for Windows tasks if the selected protected device is not controlled by an active Kaspersky Security Center policy.

Kaspersky Security Center allows you to configure application settings and advanced features, and also work with logs and notifications. You can configure these settings for a group of protected devices and for an individual protected device.

[Topic 146637]

Managing application settings

This section contains information about configuring Kaspersky Embedded Systems Security for Windows general settings in Kaspersky Security Center Web Console.

[Topic 179011]

Navigation

Learn how to navigate to the required task settings via the chosen interface.

[Topic 180111]

Opening general settings via the policy

To open the application settings of the Kaspersky Embedded Systems Security for Windows via the policy:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.
2. Select the administration group for which you want to configure the task.
3. Select the Policies tab.
4. Double-click the policy name you want to configure.
5. In the Properties: <Policy name> window that opens, select the Application settings section.
6. Click the Settings button in the subsection of the setting that you want to configure.

[Topic 180112]

Opening general settings in the application properties window

To open the properties window of the Kaspersky Embedded Systems Security for Windows for a single protected device:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.
2. Select the administration group for which you want to configure the task.
3. Select the Devices tab.
4. Open the Properties: <Protected device name> window in one of the following ways:
   • Double-click the name of the protected device.
   • Open the context menu of the protected device name and select the Properties item.

   The Properties: <Protected device name> window opens.

5. In the Applications section, select Kaspersky Embedded Systems Security 3.4 for Windows.
6. Click the Properties button.

   The Kaspersky Embedded Systems Security 3.4 for Windows Settings window opens.

7. Select the Application settings section.

[Topic 146639]

Configuring general application settings in Kaspersky Security Center

You can configure Kaspersky Embedded Systems Security for Windows general settings from Kaspersky Security Center for a group of protected devices or for one protected device.

[Topic 146640]

Configuring scalability, interface, and scan settings in Kaspersky Security Center

Expand all | Collapse all

To configure scalability, interface, and scan settings:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.
2. Select the administration group for which you want to configure application settings.
3. Perform one of the following actions in the details pane of the selected administration group:
   • To configure application settings for a group of protected devices, select the Policies tab and open the Properties: <Policy name> window.
   • To configure the settings of a task or application for an individual protected device, select the Devices tab and go to local task settings or application settings.
4. In the Application settings section, in the Scalability, interface and scan settings subsection, click the Settings button.
5. In the Advanced application settings window on the General tab, configure the following settings:
   • In the Scalability settings section, configure the settings that define the number of processes used by Kaspersky Embedded Systems Security for Windows:
     • Automatically detect scalability settings

       

       Kaspersky Embedded Systems Security for Windows automatically controls the number of processes used.

       This is the default value.

     • Set the number of working processes manually

       

       Kaspersky Embedded Systems Security for Windows controls the number of active working processes according to the values specified.

       • Number of processes for real-time protection

         

         Maximum number of processes that are used by the Real-Time Computer Protection task components. The entry field is available if the Set the number of working processes manually option is selected.

       • Number of processes for background on-demand scan tasks

         

         Maximum number of processes used by the On-Demand Scan component when running On-Demand Scan tasks in background mode. The entry field is available if the Set the number of working processes manually option is selected.

   • In the Interaction with user section, configure whether the System Tray Icon will be displayed in the notification area by clearing or selecting the Display System Tray Icon in the taskbar check box.
6. On the Scan settings tab, configure the following settings:
   • Restore file attributes after scanning

     

     When Kaspersky Embedded Systems Security for Windows performs On-Demand Scan and Real-Time File Protection tasks, the time when each scanned file was last accessed is updated. After the scan, Kaspersky Embedded Systems Security for Windows resets the time when the file was last accessed to the initial value.

     This behavior can affect the work of backup systems by causing creation of backup copies for files that haven’t been changed. This can also cause false detections in file change tracking applications.

     By default, this function is enabled.

     

     When Kaspersky Embedded Systems Security for Windows performs On-Demand Scan and Real-Time File Protection tasks, the time when each scanned file was last accessed is updated. After the scan, Kaspersky Embedded Systems Security for Windows resets the time when the file was last accessed to the initial value.

     This behavior can affect the work of backup systems by causing creation of backup copies for files that haven’t been changed. This can also cause false detections in file change tracking applications.

     By default, this function is enabled.

     

     When Kaspersky Embedded Systems Security for Windows performs On-Demand Scan and Real-Time File Protection tasks, the time when each scanned file was last accessed is updated. After the scan, Kaspersky Embedded Systems Security for Windows resets the time when the file was last accessed to the initial value.

     This behavior can affect the work of backup systems by causing creation of backup copies for files that haven’t been changed. This can also cause false detections in file change tracking applications.

     By default, this function is enabled.

   • Limit CPU usage for scanning threads

     

     Kaspersky Embedded Systems Security for Windows limits its use of the protected device CPU during on-demand scan tasks to the value specified in the Upper limit (per cent) field.

     Enabling of this option can negatively affect the performance of Kaspersky Embedded Systems Security for Windows.

     By default, this option is disabled.

     

     Kaspersky Embedded Systems Security for Windows limits its use of the protected device CPU during on-demand scan tasks to the value specified in the Upper limit (per cent) field.

     Enabling of this option can negatively affect the performance of Kaspersky Embedded Systems Security for Windows.

     By default, this option is disabled.

     

     Kaspersky Embedded Systems Security for Windows limits its use of the protected device CPU during on-demand scan tasks to the value specified in the Upper limit (per cent) field.

     Enabling of this option can negatively affect the performance of Kaspersky Embedded Systems Security for Windows.

     By default, this option is disabled.

     • Upper limit (per cent)

       

       Maximum allowable value of CPU utilization by Kaspersky Embedded Systems Security for Windows.

       The entry field is available if the Limit CPU usage for scanning threads option is selected.

       

       Maximum allowable value of CPU utilization by Kaspersky Embedded Systems Security for Windows.

       The entry field is available if the Limit CPU usage for scanning threads option is selected.

   • Folder for temporary files created during scanning

     

     Folder into which Kaspersky Embedded Systems Security for Windows needs to unpack archive files during scanning.

     By default, the C:\Windows\Temp folder is used.

     

     Folder into which Kaspersky Embedded Systems Security for Windows needs to unpack archive files during scanning.

     By default, the C:\Windows\Temp folder is used.

     

     Folder into which Kaspersky Embedded Systems Security for Windows needs to unpack archive files during scanning.

     By default, the C:\Windows\Temp folder is used.

7. On the Hierarchical storage tab, select the option for accessing the hierarchical storage.
8. Click the OK button.

The configured application settings are saved.

[Topic 146641]

Configuring security settings in Kaspersky Security Center

To configure security settings manually:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.
2. Select the administration group for which you want to configure application settings.
3. Perform one of the following actions in the details pane of the selected administration group:
   • To configure application settings for a group of protected devices, select the Policies tab and open the Properties: <Policy name> window.
   • To configure the settings of a task or application for an individual protected device, select the Devices tab and go to local task settings or application settings.
4. In the Application settings section, click the Security and reliability button in the Settings subsection.
5. In the Security settings window, configure the following settings:
   • In the Password protection settings section, enable or disable the Protect application processes from external threats option.
   • In the Password protection settings section, set a password to protect access to Kaspersky Embedded Systems Security for Windows functions.
   • In the Self-defense section, configure the settings for recovery of Kaspersky Embedded Systems Security for Windows tasks when the application returns an error or terminates.
     • Perform task recovery

       

       This check box enables or disables the recovery of Kaspersky Embedded Systems Security for Windows tasks when the application returns an error or terminates.

       If the check box is selected, Kaspersky Embedded Systems Security for Windows automatically recovers Kaspersky Embedded Systems Security for Windows tasks when the application returns an error or terminates.

       If the check box is cleared, Kaspersky Embedded Systems Security for Windows does not recover Kaspersky Embedded Systems Security for Windows tasks when the application returns an error or terminates.

       The check box is selected by default.

     • Reliability settings

       

       The number of attempts to recover an On-Demand Scan task after Kaspersky Embedded Systems Security for Windows returns an error. The entry field is available if the Perform task recovery check box is selected.

   • In the Recover on-demand scan tasks no more than (times) section, specify limitations on protected device load created by Kaspersky Embedded Systems Security for Windows after switching to UPS power:
     • Do not start scheduled scan tasks

       

       This check box enables or disables the start of a scheduled scan task after the protected device switches to a UPS source until the standard power supply is restored.

       If the check box is selected, Kaspersky Embedded Systems Security for Windows does not start scheduled scan tasks after the protected device switches to a UPS source until the standard power supply is restored.

       If the check box is cleared, Kaspersky Embedded Systems Security for Windows starts scheduled scan tasks regardless of the power supply.

       The check box is selected by default.

     • Stop current scan tasks

       

       The check box enables or disables running scan tasks after the protected device switches to a UPS source.

       If the check box is selected, Kaspersky Embedded Systems Security for Windows pauses running scan tasks after the protected device switches to a UPS source.

       If the check box is cleared, Kaspersky Embedded Systems Security for Windows continues running scan tasks after the protected device switches to a UPS source.

       The check box is selected by default.

   • In the Password protection settings section, set a password to protect access to Kaspersky Embedded Systems Security for Windows functions.
6. Click the OK button.

The scalability and reliability settings are saved.

[Topic 146642]

Configuring connection settings using Kaspersky Security Center

The configured connection settings are used to connect Kaspersky Embedded Systems Security for Windows to update and activation servers and during integration of applications with KSN services.

To configure the connection settings take the following steps:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.
2. Select the administration group for which you want to configure application settings.
3. Perform one of the following actions in the details pane of the selected administration group:
   • To configure application settings for a group of protected devices, select the Policies tab and open the Properties: <Policy name> window.
   • To configure the settings of a task or application for an individual protected device, select the Devices tab and go to local task settings or application settings.
4. In the Application settings section, click the Connections button in the Settings subsection.

   The Connection settings window opens.

5. In the Connection settings window, configure the following settings:
   • In the Proxy server settings section, select the proxy server usage settings:
     • Do not use proxy server

       

       If this option is selected, Kaspersky Embedded Systems Security for Windows connects to KSN services directly, without using any proxy server.

     • Use the specified proxy server

       

       If this option is selected, Kaspersky Embedded Systems Security for Windows connects to KSN using proxy server settings specified manually.

     • IP address or symbolic name of the proxy server and the port number
     • Do not use proxy server for local addresses

       

       This check box enables or disables the use of a proxy server when accessing devices located in the same network as the protected device with Kaspersky Embedded Systems Security for Windows installed.

       If this check box is selected, devices are accessed directly from the network that hosts the protected device with Kaspersky Embedded Systems Security for Windows installed. No proxy server is used.

       If the check box is cleared, a proxy server is used to connect to local devices.

       The check box is selected by default.

       .
   • In the Proxy server authentication settings section, specify the authentication settings:
     • Select the authentication settings in the drop-down list.
       • Do not use authentication – authentication is not performed. The mode is selected by default.
       • Use NTLM authentication – authentication is performed using the NTLM network authentication protocol developed by Microsoft.
       • Use NTLM authentication with user name and password – authentication is performed with a user name and password using the NTLM network authentication protocol developed by Microsoft.
       • Apply user name and password – authentication is performed using the user name and password.
     • Enter the user name and password, if needed.
   • In the Licensing section, clear or select the Use Kaspersky Security Center as a proxy server when activating the application.
6. Click the OK button.

The configured connection settings are saved.

[Topic 146621]

Configuring scheduled start of local system tasks

You can use policies to allow or block start of the local system On-Demand Scan task and the Update task according to the schedule configured locally on each protected device in the administration group:

• If the scheduled start of a specific type of local system task is prohibited by a policy, these tasks will not be performed on the protected device according to the schedule. You can start local system tasks manually.
• If the scheduled start of a specific type of local system task is allowed by a policy, these tasks will be performed in accordance with the scheduled parameters configured locally for this task.

By default, starting a local system task is prohibited by policy.

We recommend that you do not allow local system tasks to start if updates or on-demand scans are administered by Kaspersky Security Center group tasks.

If you do not use group update or on-demand scan tasks, allow local system tasks to be started in the policy. Kaspersky Embedded Systems Security for Windows will perform application database and module updates, and start all local system on-demand scan tasks in accordance with the default schedule.

You can use policies to allow or block the scheduled start of the following local system tasks:

• On-Demand Scan tasks: Critical Areas Scan, Quarantine Scan, Scan at Operating System Startup, Application Integrity Control, Baseline File Integrity Monitor.
• Update tasks: Database Update, Software Modules Update, Copying Updates.

If the protected device is excluded from the administration group, the local system tasks schedule will be enabled automatically.

To allow or block the scheduled start of Kaspersky Embedded Systems Security for Windows local system tasks in a policy:

1. In the Managed devices node in the Administration Console tree, expand the required group and select the Policies tab.
2. On the Policies tab, in the context menu of the policy for which you want to schedule Kaspersky Embedded Systems Security for Windows local system tasks for the group of protected devices, select Properties.
3. In the Properties: <Policy name> window, open the Application settings section. In the Run local system tasks section, click the Settings button and do one of the following:
   • Select the On-demand scan tasks and Update tasks and Copying Update task check boxes to allow the scheduled launch of the listed tasks.
   • Clear the On-demand scan tasks and Update tasks and Copying Update task check boxes to disable the scheduled launch of the listed tasks.

   Selecting or clearing the check box will not affect the start settings of any local custom tasks of this type.

4. Make certain that the policy you are configuring is active and applied to the selected group of protected devices.
5. Click the OK button.

The configured task schedule settings are applied for the selected tasks.

[Topic 146647]

Configuring Quarantine and Backup settings in Kaspersky Security Center

To configure general Backup settings in Kaspersky Security Center:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.
2. Select the administration group for which you want to configure application settings.
3. Perform one of the following actions in the details pane of the selected administration group:
   • To configure application settings for a group of protected devices, select the Policies tab and open the Properties: <Policy name> window.
   • To configure the settings of a task or application for an individual protected device, select the Devices tab and go to local task settings or application settings.
4. In the Supplementary section, click the Settings button in the Storages subsection.
5. Use the Storages settings tab of the Backup window to configure the following Backup settings:
   • If you want to specify the backup folder, use the Backup folder field to select the required folder on the local drive of the protected device, or enter its full path.
   • To set the maximum Backup size, select the Maximum Backup size (MB) check box and specify the relevant value in megabytes in the entry field.
   • To set the Backup free space threshold:
     • Define the value of the Maximum Backup size (MB) setting.
     • Select the Threshold value for space available (MB) check box.
     • Specify the minimum value of free space in the Backup folder in megabytes.
   • To specify a folder for restored objects, do one of the following:
     • Select the relevant folder on a local drive of the protected device in the Restoration settings section.
     • Enter the name of the folder and the full path to it in the Target folder for restoring objects field.
6. In the Storages settings window on the Quarantine tab, configure the following Quarantine settings:
   • To change the Quarantine folder, in the Quarantine folder entry field specify the complete path to the folder on the local drive of the protected device.
   • To set the maximum Quarantine size, select the Maximum Quarantine size (MB) check box and specify the value of this parameter in megabytes in the entry field.
   • To set the minimum amount of free space in Quarantine, select the Maximum Quarantine size (MB) check box and the Threshold value for space available (MB) check box, and then specify the value of this parameter in megabytes in the entry field.
   • To change the folder to which objects are restored from Quarantine, in the Target folder for restoring objects field specify the complete path to the folder on the local drive of the protected device.
7. Click the OK button.

The configured Quarantine and Backup settings are saved.

[Topic 146617]

Creating and configuring policies

This section provides information on using Kaspersky Security Center policies for managing Kaspersky Embedded Systems Security for Windows on several protected devices.

Global Kaspersky Security Center policies can be created for managing protection on several devices where Kaspersky Embedded Systems Security for Windows is installed.

A policy enforces the specified Kaspersky Embedded Systems Security for Windows settings, functions and tasks on all protected devices for one administration group.

Several policies for one administration group can be created and enforced in turns. The policy currently active for a group has active status in the Administration Console.

Information on policy enforcement is logged in the Kaspersky Embedded Systems Security for Windows system audit log. This information can be viewed in the Application Console in the System audit log node.

Kaspersky Security Center offers one way to apply policies on protected devices: Prohibit changing the settings. After a policy has been applied, Kaspersky Embedded Systems Security for Windows uses the values of settings for which you have selected the icon in the policy properties on protected devices. In this case, Kaspersky Embedded Systems Security for Windows does not use the values of settings in effect before the policy was applied. Kaspersky Embedded Systems Security for Windows does not apply the values of active policy settings for which the icon is selected in the policy properties.

If a policy is active, the values of settings marked with the icon in the policy are displayed in the Application Console but cannot be edited. The values of other settings (marked with the icon in the policy) can be edited in the Application Console.

The settings configured in the active policy and marked with the icon also block changes in Kaspersky Security Center for one protected device in the Properties: <Protected device name> window.

Settings that are specified and sent to the protected device using an active policy are saved in the local task settings after the active policy is disabled.

If a policy defines the settings of a currently running Real-Time Computer Protection task, the settings defined by the policy will change immediately after the policy is applied. If the task is not running, the settings are applied when it starts.

[Topic 146619]

Creating a policy

To create a policy for a group of protected devices where application is installed and running:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree, then select the administration group containing the protected devices for which you wish to create a policy.
2. In the details pane of the selected administration group, select the Policies tab and click the Create a policy link to start the wizard and create a policy.

   The New Policy Wizard window opens.

3. In the Select the application for which you want to create a group policy window, select Kaspersky Embedded Systems Security for Windows and click Next.
4. Enter a group policy name in the Name field.

   The policy name cannot contain the following symbols: " * < : > ? \ | .

5. To apply a policy configuration used in a previous version of the application:
   1. Select the Use settings from policy for previous versions of application check box.
   2. Click the Browse button.
   3. Select the policy you want to apply.
   4. Click the Next button.
6. In the Operation type selection window, in the Policy creation method block, select one of the following options:
   • New, to create a new policy with default settings.
   • Import policy created with previous versions of Kaspersky Embedded Systems Security for Windows, to use the imported policy as a template.
7. In the Real-Time Computer Protection window, configure the application components:
   1. If necessary, change the default settings of the Real-Time Computer Protection components:
      1. Click Settings in the component subsection.
      2. In the window that opens, configure the component settings:
      3. Click the OK button.
   2. Allow or block the application of the settings of Real-Time Computer Protection components on protected devices in the network:
      • Click the button to allow configuration of the application component settings on protected devices in the network and to block the application of the application component settings configured in the policy.
      • Click the button to block the configuration of the application component settings on protected devices in the network and to allow the application component settings configured in the policy to be applied.
   3. Click the Next button.
8. Select one of the following policy statuses in the Create the group policy for the application window:
   • Active policy, if you want to apply the policy immediately after it is created. If an active policy already exists in the group, it is deactivated and a new policy is applied.
   • Inactive policy if you do not want to apply the created policy immediately. In this case the policy may be activated later.
   • Select the Open policy properties immediately after they are created check box to automatically close the New Policy Wizard and configure the newly created policy after clicking the Next button.
9. Click the Finish button.

The created policy appears in the list of policies on the Policies tab of the selected administration group. In the Properties: <Policy name> window, you can configure other settings, tasks and functions of Kaspersky Embedded Systems Security for Windows.

[Topic 181234]

Kaspersky Embedded Systems Security for Windows policy settings sections

General

In the General section, you can configure the following policy settings:

• Indicate the policy status.
• Configure the inheritance settings for parent and child policies.

Event notification

In the Event notification section, you can configure settings for the following event categories:

• Critical event
• Functional failure
• Warning
• Info

  You can use the Properties button to configure the following settings for the selected events:

• Indicate the storage location and retention period for information about logged events.
• Indicate the notification method for logged events.

Application settings

Settings of the Application Settings section

Supplementary

Settings of the Supplementary section

Real-Time Computer Protection

Settings of the Real-Time Computer Protection section

Local activity control

Settings of the Local Activity Control section

Network activity control

Settings of the Network activity control section

System inspection

Settings of the System Inspection section

Logs and notifications

Settings of the Logs and Notifications section

Crash diagnostics

Settings of the Malfunction diagnosis section

Revision history

In the Revision history section, you can manage revisions: compare with the current revision or other policy, add descriptions of revisions, save revisions to a file or perform a rollback.

[Topic 146620]

Configuring a policy

To configure the policy settings:

1. In the Kaspersky Security Center Administration Console tree, expand the Managed devices node.
2. Expand the administration group for which you want to configure the associated policy settings, and open the Policies tab in the details pane.
3. Click the policy name you want to configure.
4. Open the Properties: <Policy name> window in one of the following ways:
   • Selecting the Properties option in the policy context menu.
   • Clicking the Configure policy link in the right details pane of the selected policy.
   • Double-clicking the selected policy.
5. On the General tab in the Policy status section, enable or disable the policy. To do so, select one of the options below:
   • Active policy, if you want the policy to be applied on all protected devices within the selected administration group.
   • Inactive policy, if you want to activate the policy later on all protected devices within the selected administration group.

   The Out-of-office policy setting is not available when you manage Kaspersky Embedded Systems Security for Windows.

6. Reconfigure the application in other sections of the policy.

   You can enable or disable the execution of any task on all protected devices within the administration group by means of a Kaspersky Security Center policy.

   You can configure the application of policy settings on all network protected devices for each individual software component.

7. Click the OK button.

The configured settings are applied in the policy.

[Topic 146622]

Creating and configuring tasks using Kaspersky Security Center

This section contains information about Kaspersky Embedded Systems Security for Windows tasks, and how to create them, configure task settings, and start and stop them.

[Topic 146623]

About task creation in Kaspersky Security Center

You can create group tasks for administration groups and sets of protected devices. You can create the following types of tasks via Kaspersky Security Center:

• Activation of Application
• Copying Updates
• Database Update
• Software Modules Update
• Rollback of Database Update
• On-Demand Scan
• Application Integrity Control
• Baseline File Integrity Monitor
• Rule Generator for Applications Launch Control
• Rule Generator for Device Control

You can create local and group tasks in the following ways:

• For one protected device: in the Properties <Protected device name> window in the Tasks section.
• For an administration group: in the details pane of the node of the selected group of protected devices on the Tasks tab.
• For a set of protected devices: in the details pane of the Device selections node.

You can use policies to disable schedules for update and On-Demand Scan local system tasks on all protected devices in the same administration group.

General information on tasks in Kaspersky Security Center is provided in the Kaspersky Security Center Help.

[Topic 146624]

Creating a task using Kaspersky Security Center

To create a new task in the Kaspersky Security Center Administration Console:

1. Start the task wizard in one of the following ways:
   • To create a local task:
     1. Expand the Managed devices node in the Administration Console tree and select the group that the protected server belongs to.
     2. In the results pane of the Devices tab, open the context menu of the protected device and select Properties.
     3. In the window that opens, click the Add button in the Tasks section.
   • To create a group task:
     1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.
     2. Select the administration group for which you want to create a task.
     3. In the results pane, open the Tasks tab and select Create a task.
   • To create a task for a custom set of protected devices:
     1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.
     2. Select the administration group containing the protected devices.
     3. Select a protected device or a custom set of protected devices.
     4. From the Perform action drop-down list, select the Create a task option.

   The task wizard window opens.

2. In the Select the task type window, under the heading Kaspersky Embedded Systems Security 3.4 for Windows, select the type of the task to be created.
3. If you selected any task type except Rollback of Database Update, Application Integrity Control or Activation of the Application, the Settings window opens. Depending on the task type, the settings may vary:
   • Create an On-Demand Scan task.
   • To create an update task, configure task settings based on your requirements:
     1. Select an update source in the Update source window.
     2. Click the Connection settings button. In the Connection settings window, configure proxy server access settings when connecting to the update source.
   • To create a Software Modules Update task, configure the required application module update settings in the Settings window:
     1. Select whether to copy and install critical software module updates, or only to check for their availability without installation.
     2. If Copy and install critical software modules updates is selected: a protected device restart may be required to apply the installed software modules. If you wish Kaspersky Embedded Systems Security for Windows to restart the protected device automatically upon task completion, select the Allow operating system restart check box.
     3. To obtain information about Kaspersky Embedded Systems Security for Windows module upgrades, select Receive information about available scheduled software modules updates.

        Kaspersky does not publish planned update packages on the update servers for automatic installation; these can be downloaded manually from the Kaspersky website. An administrator notification about the New scheduled software modules update is available event can be configured. This will contain the URL of our website from which scheduled updates can be downloaded.

   • To create the Copying Updates task, specify the set of updates and the destination folder in the Copying updates settings window.
   • To create the Activation of the Application task:
     1. In the Activation Settings window, specify the key file that you want to use to activate the application.
     2. Select the Use as additional key check box if you want to create a task for renewing the license.
   • Create the Rule Generator for Applications Launch Control task.
   • Create the Rule Generator for Device Control task.
4. Configure the task schedule.

   You can configure a schedule for all task types except the Rollback of Database Update task.

5. Click the OK button.
6. If the task is being created for a set of protected devices, select the network (or group) of protected devices on which this task will be executed.
7. In the Selecting an account to run the task window, specify the account you want to use to run the task.
8. In the Define the task name window, enter the task name (no longer than 100 characters) not containing the symbols " * < > ? \ | : .

   We recommend that you add the task type to the task name (for example, "On-demand scan of shared folders").

9. In the Finishing creating the task window:
   1. Select the Run task after Wizard finishes check box if you want the task to start as soon as it is created.
   2. Click the Finish button.