Kaspersky Endpoint Security

Kaspersky Endpoint Security for Windows (hereinafter also referred to as “the application” or as “Kaspersky Endpoint Security”) gives corporate users all-in-one protection against known digital threats.

WHAT'S NEW IN KASPERSKY ENDPOINT SECURITY

Kaspersky Endpoint Security 11.5.0 for Windows offers the following features and improvements:

1. Support for Windows 10 20H2. For details about support for the Microsoft Windows 10 operating system, please refer to the Technical Support Knowledge Base.
2. Updated application interface. Also updated the application icon in the notification area, application notifications, and dialog boxes.
3. Improved interface of the Kaspersky Endpoint Security web plug-in for the Application Control, Device Control, and Adaptive Anomaly Control components.
4. Added functionality for importing and exporting lists of rules and exclusions in XML format. The XML format allows you to edit lists after they are exported. You can manage lists only in the Kaspersky Security Center Console. The following lists are available for export/import:
   • Behavior Detection (list of exclusions).
   • Web Threat Protection (list of trusted web addresses).
   • Mail Threat Protection (list of attachment filter extensions).
   • Network Threat Protection (list of exclusions).
   • Firewall (list of network packet rules).
   • Application Control (list of rules).
   • Web Control (list of rules).
   • Network port monitoring (lists of ports and applications monitored by Kaspersky Endpoint Security).
   • Kaspersky Disk Encryption (list of exclusions).
   • Encryption of removable drives (list of rules).
5. Object MD5 information was added to the threat detection report. In previous versions of the application, Kaspersky Endpoint Security showed only the SHA256 of an object.
6. Added capability to assign the priority for device access rules in Device Control settings. Priority assignment enables more flexible configuration of user access to devices. If a user has been added to multiple groups, Kaspersky Endpoint Security regulates device access based on the rule with the highest priority. For example, you can grant read-only permissions to the Everyone group and grant read/write permissions to the administrators group. To do so, assign a priority of 0 for the administrators group and assign a priority of 1 for the Everyone group. You can configure the priority only for devices that have a file system. This includes hard drives, removable drives, floppy disks, CD/DVD drives, and portable devices (MTP).
7. Added new functionality:
   • Manage audio notifications.
   • Cost-Aware Networking Kaspersky Endpoint Security limits its own network traffic if the Internet connection is limited (for example, through a mobile connection).
   • Manage Kaspersky Endpoint Security settings via trusted remote administration applications (such as TeamViewer, LogMeIn and RemotelyAnywhere). You can use remote administration applications to start Kaspersky Endpoint Security and manage settings in the application interface.
   • Manage the settings for scanning secure traffic in Firefox and Thunderbird. You can select the certificate storage that will be used by Mozilla: the Windows certificate storage or the Mozilla certificate storage. This functionality is available only for computers that do not have an applied policy. If a policy is being applied to a computer, Kaspersky Endpoint Security automatically enables use of the Windows certificate storage in Firefox and Thunderbird.
8. Added capability to configure the secure traffic scan mode: always scan traffic even if protection components are disabled, or scan traffic when requested by protection components.
9. Revised procedure for deleting information from reports. A user can only delete all reports. In previous versions of the application, a user could select specific application components whose information would be deleted from reports.
10. Revised procedure for importing a configuration file containing Kaspersky Endpoint Security settings, and revised procedure for restoring application settings. Prior to importing or restoring, Kaspersky Endpoint Security shows only a warning. In previous versions of the application, you could view the values of the new settings before they were applied.
11. Simplified procedure for restoring access to a drive that was encrypted by BitLocker. After completing the access recovery procedure, Kaspersky Endpoint Security prompts the user to set a new password or PIN code. After setting a new password, BitLocker will encrypt the drive. In the previous version of the application, the user had to manually reset the password in the BitLocker settings.
12. Users now have the capability to create their own local trusted zone for a specific computer. This way, users can create their own local lists of exclusions and trusted applications in addition to the general trusted zone in a policy. An administrator can allow or block the use of local exclusions or local trusted applications. An administrator can use Kaspersky Security Center to view, add, edit, or delete list items in the computer properties.
13. Added capability to enter comments in the properties of trusted applications. Comments help simplify searches and sorting of trusted applications.
14. Managing the application through the REST API:
    • There is now the capability to configure the settings of the Mail Threat Protection extension for Outlook.
    • It is prohibited to disable detection of viruses, worms, and Trojans.

MINIMUM HARDWARE AND SOFTWARE REQUIREMENTS

To ensure proper operation of Kaspersky Endpoint Security, your computer must meet the following requirements:

Minimum general requirements:

• 2 GB of free disk space on the hard drive
• CPU:
  • Workstation: 1 GHz
  • Server: 1.4 GHz
  • Support for the SSE2 instruction set
• RAM:
  • Workstation (x86): 1 GB
  • Workstation (x64): 2 GB
  • Server: 2 GB
• Microsoft .NET Framework 4.6.1 or later.

Supported operating systems for workstations:

• Windows 7 Home / Professional / Ultimate / Enterprise Service Pack 1 or later;
• Windows 8 Professional / Enterprise;
• Windows 8.1 Professional / Enterprise;
• Windows 10 Home / Pro / Education / Enterprise.

The SHA-1 module signature algorithm is deprecated by Microsoft. Update KB4474419 is required for successful installation of Kaspersky Endpoint Security on a computer running the Microsoft Windows 7 operating system. For more details about this update, visit the Microsoft technical support website.

For details about support for the Microsoft Windows 10 operating system, please refer to the Technical Support Knowledge Base.

Supported operating systems for servers:

• Windows Small Business Server 2011 Essentials / Standard (64-bit);

  Microsoft Small Business Server 2011 Standard (64-bit) is supported only if Service Pack 1 for Microsoft Windows Server 2008 R2 is installed.

• Windows MultiPoint Server 2011 (64-bit);
• Windows Server 2008 R2 Foundation / Standard / Enterprise / Datacenter Service Pack 1 or later;
• Windows Server 2012 Foundation / Essentials / Standard / Datacenter;
• Windows Server 2012 R2 Foundation / Essentials / Standard / Datacenter;
• Windows Server 2016 Essentials / Standard / Datacenter;
• Windows Server 2019 Essentials / Standard / Datacenter.

The SHA-1 module signature algorithm is deprecated by Microsoft. Update KB4474419 is required for successful installation of Kaspersky Endpoint Security on a computer running the Microsoft Windows Server 2008 R2 operating system. For more details about this update, visit the Microsoft technical support website.

For details about support for the Microsoft Windows Server 2016 and Microsoft Windows Server 2019 operating systems, please refer to the Technical Support Knowledge Base.

Supported virtual platforms:

• VMWare Workstation 15.5.2 Pro
• VMWare ESXi 7.0, Patch Release ESXi 7.0b
• Microsoft Hyper-V 2019 Server
• Citrix Virtual Apps and Desktops 7 2009
• Citrix Provisioning 2009
• Citrix Hypervisor 8.2 LTSR

Server platform support limitations:

• The ReFS file system is supported with limitations.
• The Server Core and Cluster Mode configurations are not supported.
• File Level Encryption (FLE) and Kaspersky Disk Encryption (FDE) technologies are not supported on server platforms.
• Microsoft Windows Server 2008 was excluded from support. Installing the application on a computer running the Microsoft Windows Server 2008 operating system is not supported.

The limitations on support for virtual platforms are presented in the user documentation.

APPLICATION COMPATIBILITY WITH THE KASPERSKY SECURITY CENTER REMOTE ADMINISTRATION SYSTEM

Kaspersky Endpoint Security supports operation with the following versions of Kaspersky Security Center:

• Kaspersky Security Center 11
• Kaspersky Security Center 12
• Kaspersky Security Center 12 Patch A
• Kaspersky Security Center 12 Patch B

The administration web plug-in for Kaspersky Endpoint Security for Windows version 11.5.0 is compatible with Kaspersky Security Center Web Console version 12.

To manage the application remotely via Kaspersky Security Center:

1. Install Network Agent on the computer.

   For more details on installing Network Agent, please refer to the Kaspersky Security Center 12 Help Guide.

2. Install the Management Plug-in for Kaspersky Endpoint Security for Windows in the Kaspersky Security Center Administration Console.

   The installation package for the Kaspersky Endpoint Security Management Plug-in is included in the distribution package.

   The web plug-in installation package is available for download in the plug-in management window of the Kaspersky Security Center Web Console or on the Kaspersky website. To install the web plug-in version 11.5.0, you should first remove the previous version of the web plug-in.

The Kaspersky Endpoint Security for Windows Management Plug-in for version 11.5.0 is installed over the Kaspersky Endpoint Security for Windows Management Plug-in for versions 11.X.X. To continue using the previous version of Management Plug-in, you should first remove the Management Plug-in version 11.5.0.

Limitations on compatibility with Kaspersky Security Center:

• You can manage the Adaptive Anomaly Control component only in Kaspersky Security Center version 11 or later.
• The Kaspersky Security Center 11 threat report might not display information about the action taken on threats that were detected by the AMSI Protection.
• The operating status of the AMSI Protection and Adaptive Anomaly Control components is available only in Kaspersky Security Center version 11 or later. You can view the operating status in the Kaspersky Security Center Console within the computer properties in the Tasks section. Reports for these components are also available only in Kaspersky Security Center version 11 or later.

INSTALLATION

To install the application locally, run the setup_kes.exe file from the full distribution package and follow the Setup Wizard instructions. You can read more about how to install the application in the user documentation.

During installation, Kaspersky Endpoint Security for Windows detects applications on the computer that, when used together, could potentially reduce computer performance or lead to other compatibility problems (even resulting in complete inoperability). The full list of incompatible software is available in the user documentation.

You can upgrade the following applications to Kaspersky Endpoint Security for Windows version 11.5.0 when installing from the full distribution package:

• Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 4 for Windows (build 10.2.6.3733).
• Kaspersky Endpoint Security 10 Service Pack 2 for Windows (build 10.3.0.6294).
• Kaspersky Endpoint Security 10 Service Pack 2 Maintenance Release 1 for Windows (build 10.3.0.6294).
• Kaspersky Endpoint Security 10 Service Pack 2 Maintenance Release 2 for Windows (build 10.3.0.6294).
• Kaspersky Endpoint Security 10 Service Pack 2 Maintenance Release 3 for Windows (build 10.3.3.275).
• Kaspersky Endpoint Security 10 Service Pack 2 Maintenance Release 4 for Windows (build 10.3.3.275).
• Kaspersky Endpoint Security 11.0.0 for Windows (build 11.0.0.6499).
• Kaspersky Endpoint Security 11.0.1 for Windows (build 11.0.1.90).
• Kaspersky Endpoint Security 11.0.1 for Windows SF1 (build 11.0.1.90).
• Kaspersky Endpoint Security 11.1.0 for Windows (build 11.1.0.15919).
• Kaspersky Endpoint Security 11.1.1 for Windows (build 11.1.1.126).
• Kaspersky Endpoint Security 11.2.0 for Windows (build 11.2.0.2254).
• Kaspersky Endpoint Security 11.2.0 for Windows CF1 (build 11.2.0.2254).
• Kaspersky Endpoint Security 11.3.0 for Windows (build 11.3.0.773).
• Kaspersky Endpoint Security 11.4.0 for Windows (build 11.4.0.233).

The following considerations should be taken into account when upgrading Kaspersky Endpoint Security for Windows version 10 Service Pack 2 or later:

• If the Full Disk Encryption (FDE) or File Level Encryption (FLE) components are installed on the computer, you must use the distribution package with the same key length to upgrade the application to version 11.5.0:
  • keswin_11.5.0.<XXXX>_<localization>_aes256 if you are upgrading an application that was installed from the AES256 distribution package.
  • keswin_11.5.0.<XXXX>_<localization>_aes56 if you are upgrading an application that was installed from the AES56 distribution package.

  Upgrading the application using a distribution package with a different key length is not supported.

• If data encryption components (FDE or FLE) are not installed on the computer, you can use a distribution package with any key length to upgrade the application to version 11.5.0.
• Upgrading Kaspersky Endpoint Security for Windows from beta versions to version 11.5.0 is not supported.

UPDATING VIA THE KASPERSKY UPDATE SERVICE

Kaspersky Endpoint Security 11.5.0 for Windows can be installed via the Kaspersky update service.

Through the Kaspersky update service, you can update the following applications:

• Kaspersky Endpoint Security 11.0.1 for Windows (build 11.0.1.90).
• Kaspersky Endpoint Security 11.0.1 for Windows SF1 (build 11.0.1.90).
• Kaspersky Endpoint Security 11.1.0 for Windows (build 11.1.0.15919).
• Kaspersky Endpoint Security 11.1.1 for Windows (build 11.1.1.126).
• Kaspersky Endpoint Security 11.2.0 for Windows (build 11.2.0.2254).
• Kaspersky Endpoint Security 11.2.0 for Windows CF1 (build 11.2.0.2254).
• Kaspersky Endpoint Security 11.3.0 for Windows (build 11.3.0.773).
• Kaspersky Endpoint Security 11.4.0 for Windows (build 11.4.0.233).

If Kaspersky Endpoint Security version 11.3.0 or later is deployed in the infrastructure along with older versions of the application, Kaspersky Security Center will be able to install two updates of Kaspersky Endpoint Security to version 11.5.0: one for updating Kaspersky Endpoint Security versions 11.0.1–11.2.0 CF1, and the second for updating version 11.3.0 or later.

Upgrading Kaspersky Endpoint Security for Windows from beta versions to version 11.5.0 is not supported.

The following special considerations should be taken into account when updating through the Kaspersky update service:

• After installing the update, you cannot roll back to the previous version of the program.
• This update is available only for applications with valid license.
• Management of Kaspersky Disk Encryption technology (FDE) is unavailable until installation of the application update is complete.
• To complete the update installation, you must restart your computer.
• To complete the update on a computer with hard drives that were encrypted using Kaspersky Disk Encryption (FDE), you will need to restart the computer twice.
• During installation, Kaspersky Endpoint Security for Windows detects applications on the computer that, when used together, could potentially reduce computer performance or lead to other compatibility problems (even resulting in complete inoperability). The full list of incompatible software is available in the user documentation.
• Installing and updating Kaspersky Endpoint Agent (also referred to as "Endpoint Agent") through the Kaspersky update service is not supported.
• If you are using Kaspersky Update Utility to update application modules and databases, enable support for Kaspersky Endpoint Security 11.5.0 in the utility settings.

APPLICATION COMPATIBILITY WITH AES ENCRYPTION MODULES AND DETAILS ON UPDATING DATA ENCRYPTION COMPONENTS

Starting with Kaspersky Endpoint Security 10 Service Pack 2, the AES Encryption Module is included in the application distribution package. Therefore, installation of a separate encryption module is not required.

All libraries required for data encryption will be automatically installed in the following cases:

1. During installation of the application, provided that the Full Disk Encryption (FDE) or File Level Encryption (FLE) components are selected.
2. When upgrading Kaspersky Endpoint Security for Windows version 10 Service Pack 2 or later, provided that the upgrade is performed using an application distribution package with the appropriate key length and that the Full Disk Encryption (FDE) or File Level Encryption (FLE) components are selected.
3. When upgrading Kaspersky Endpoint Security for Windows version 10 Service Pack 1 Maintenance Release 3 with AES Encryption Module version 1.1.0.73 installed, provided that the upgrade is performed using the application distribution package with the appropriate key length.
4. When upgrading Kaspersky Endpoint Security for Windows version 10 Service Pack 1 Maintenance Release 4 with AES Encryption Module version 1.1.0.73 installed, provided that the upgrade is performed using the application distribution package with the appropriate key length.

Other configurations of Kaspersky Endpoint Security and AES encryption modules are not supported.

Before updating Kaspersky Endpoint Security, you must remove the AES Encryption Module or update the module to version 1.1.0.73. Before removing or updating the AES Encryption Module, you must decrypt all hard drives that have been encrypted using Kaspersky Disk Encryption technology. After removing the AES Encryption Module, access to encrypted files will be blocked.

If you want to switch from your encryption method to encryption with a different key length, prior to updating the application to version 11.5.0 you must decrypt all encrypted objects and remove the AES Encryption Module that was used. After switching to encryption with a different key length, access to encrypted files will be blocked.

COMPATIBILITY WITH KASPERSKY ENDPOINT AGENT

Kaspersky Endpoint Security is compatible with the following versions of Kaspersky Endpoint Agent: 3.7, 3.8 and 3.9.

The Kaspersky Endpoint Agent 3.9 distribution package is included in the Kaspersky Endpoint Security for Windows version 11.5.0 distribution kit. Kaspersky Endpoint Agent will be automatically installed if the Endpoint Agent component is selected during Kaspersky Endpoint Security installation.

If you selected the Endpoint Sensor component when installing Kaspersky Endpoint Security and Kaspersky Endpoint Agent version 3.7 or 3.8 is installed on the computer, the application will be automatically updated to version 3.9.

LIST OF BUGS FIXED AND PRIVATE PATCHES INCLUDED IN THE RELEASE

The list of fixed issues and private patches included in the release is available on the Technical Support website.

MAIN KNOWN ISSUES

The list of limitations and known issues is available in the user documentation.

© 2020 AO Kaspersky Lab